CISA Red Team Cybersecurity Advisory: Improve Monitoring and Hardening of Networks to Strengthen Data Resilience

MARCH 1ST, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) released a lengthy cybersecurity advisory on February 28, 2023; if you have time, it’s a compelling read. The advisory takes you through the step-by-step process the CISA Red Team used to emulate cyber threat actors so it can assess an organization’s cyber detection and response capabilities.

The reasons for doing so are written in the daily headlines and validated by studies by companies like Check Point Research, which found that cyberattacks were up 38 percent year over year in 2022, and the top five most attacked industries—including communications companies, ISPs, and MSPs—saw about 1380 attacks per week.

Initial Access Relies on the Human Element

For its assessment, the Red Team’s “victim” was a large organization with multiple geographically separated sites throughout the U.S. The team aimed to gain access to sensitive business systems (SBSs).

As we’ve written frequently, the human element is behind many breaches—82 percent—and includes social attacks, errors, and misuse, according to the 2022 Verizon Data Breach Investigations Report. The Red Team’s experience was no different: it gained initial access to two of the organization’s workstations at separate sites via spear-phishing emails, which attempt to acquire sensitive information or access to a computer system by sending counterfeit messages that appear to be legitimate.

The way the Red Team gained initial access is particularly illuminating, as “the team sent tailored spear-phishing emails to seven targets using commercially available platforms. The team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails had reached the target’s inbox.”

The attack is a perfect example of social engineering as “the team built a rapport with some targeted individuals through emails, eventually leading these individuals to accept a meeting invite. The meeting invite took them to a red-team-controlled domain with a button, which, when clicked, downloaded a 'malicious' ISO file. After the download, another button appears, which, when clicked, executes the file.”

Two of the seven targets responded to the phishing attempt, giving the Red Team all the access it needed to exploit the organization further.

Lateral Movement, Compromised Credentials, and Persistence Pay Off

The advisory continues with an in-depth look at how the Red Team leveraged that initial access to traverse the network and access a SharePoint server. It also explains how the team gained persistent, deep access across the organization’s networks and subnetworks.

The advisory notes that “the Red Team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network,” ranging from data exfiltration to ransomware.

In its findings, the advisory lists these key issues relevant to the security of the organization’s network. It’s a long list:

  • Insufficient host and network monitoring
  • Lack of monitoring of endpoint management systems
  • The original krbtgt account password had not been changed in over a decade
  • Excessive permissions to standard users
  • Hosts with Unconstrained Delegation enabled unnecessarily
  • Use of non-secure default configurations
  • Ineffective separation of privileged accounts
  • Lack of server egress control
  • Inconsistent host configuration
  • Potentially unwanted programs
  • Mandatory password changes enabled
  • Smart card use was inconsistent across the domain
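Two of the findings above, the decade-old krbtgt password and hosts with Unconstrained Delegation enabled, can be checked in a few minutes from any domain-joined admin workstation. The script below is an added example written for this post; it is not part of the CISA advisory and is not Arcserve code. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the 180-day threshold is an illustrative assumption, not a CISA or Microsoft figure.

```powershell
# Added audit example (not from the CISA advisory or Arcserve).
# Assumes: ActiveDirectory RSAT module present, read access to the domain.
Import-Module ActiveDirectory

function Test-KrbtgtPasswordAge {
    # $MaxAgeDays is an assumed policy threshold; set it to your own standard.
    param([int]$MaxAgeDays = 180)

    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days

    [pscustomobject]@{
        Account         = $krbtgt.SamAccountName
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = $ageDays
        Finding         = if ($ageDays -gt $MaxAgeDays) {
                              "krbtgt password older than $MaxAgeDays days"
                          } else { 'OK' }
    }
}

function Get-UnconstrainedDelegationHosts {
    # TrustedForDelegation maps to the TRUSTED_FOR_DELEGATION bit of
    # userAccountControl. Domain controllers carry it by design, so they are
    # excluded; any other host with the flag set should be reviewed.
    $dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
                   -Properties TrustedForDelegation, OperatingSystem |
        Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
        Select-Object Name, DNSHostName, OperatingSystem
}

function Get-UnconstrainedDelegationUsers {
    # Service accounts can carry the same flag and are easy to overlook.
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Select-Object SamAccountName, DistinguishedName
}

# Run the three checks and print the results.
Test-KrbtgtPasswordAge            | Format-List
Get-UnconstrainedDelegationHosts  | Format-Table -AutoSize
Get-UnconstrainedDelegationUsers  | Format-Table -AutoSize
```

Any non-DC object returned by the two delegation checks is a candidate for either constrained (or resource-based) delegation or for having the flag cleared, and a krbtgt age measured in years is the same condition the Red Team reported. Remember that the krbtgt password must be reset twice, with a pause for replication between resets, so that both the current and previous password history entries are refreshed.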
Mitigations That Worked, But More Are Needed, Including Zero Trust

The team did note that some of the organization’s technical controls and defensive measures worked. The organization conducts regular, proactive penetration tests and adversarial assessments, it had strong security controls and segmentation around its SBSs, and a multi-factor authentication (MFA) prompt blocked the team from reaching a second SBS.

The advisory, which includes mitigations for each key issue listed above—from improved network monitoring to mandatory password changes—also lists these recommended mitigations to improve your cybersecurity posture:

  • Train and test users regularly so they can recognize phishing and other social engineering attacks
  • Enforce phishing-resistant MFA to the greatest extent possible
  • Reduce credential compromise opportunities

The list goes on but concludes that “as a long-term effort, CISA recommends organizations prioritize implementing a more modern, zero trust network architecture.”

Immutability Is Your Last Line of Defense

While not included in the CISA advisory, Arcserve recommends adding immutable backups to your list of mitigations. Immutable backups are saved in a write-once, read-many (WORM) format that can’t be altered or deleted—even by admins.

Whether you need on-premises immutable network-attached storage like Arcserve OneXafe or support for Amazon S3 Object Lock immutability in the cloud that Arcserve Unified Data Protection (UDP) provides, Arcserve can ensure your data is resilient, and you can recover no matter what.

For expert help improving your cybersecurity posture and data resilience, talk to an Arcserve technology partner. To learn more about Arcserve products, check out our demos on demand.

You’ll find the complete CISA advisory here.
