Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment to evaluate the cybersecurity capabilities of a critical infrastructure organization. The assessment revealed significant vulnerabilities, including insufficient technical controls and inadequate staff training. Recommendations for improvement were provided to enhance the organization’s cybersecurity posture and mitigate risks.
#CISA #RedTeamAssessment #CyberDefense
Key points:
- CISA conducted a red team assessment to simulate real-world cyber threats.
- The red team gained initial access through a web shell left by a previous assessment.
- Insufficient technical controls allowed the red team to compromise the organization’s domain and sensitive business systems.
- Lessons learned emphasized the need for continuous staff training and better risk management by leadership.
- Recommendations included implementing network layer protections and secure software configurations.
MITRE Techniques:
- Initial Access (TA0001): Gained access via a web shell left from a previous security assessment.
- Reconnaissance (T1590): Conducted open-source research on the organization’s network.
- Execution (T1204): Used user execution to run malicious payloads.
- Credential Access (T1552.001): Discovered credential material on a misconfigured Network File System (NFS) share.
- Persistence (TA0003): Established persistence through various techniques on compromised systems.
- Lateral Movement (T1021.004): Moved laterally using valid accounts and SSH private keys.
- Command and Control (T1071): Established command and control over HTTPS connections.
- Exfiltration Over Alternative Protocol (T1048): Exfiltrated data using alternative protocols.
IoC:
- [domain] example.com
- [url] http://example.com/path/to/webshell
- [ip address] 192[.]0[.]2[.]1
- [file name] malicious_payload.exe
- [file hash] 123456abcdef7890
- [tool name] Sliver
Full Research: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a