The Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday that it recently conducted a red team assessment (RTA) at the request of an unnamed critical infrastructure organization, with mixed results.

The bad news: CISA was able to compromise the target’s business systems; the good news: everyone learned some security lessons that the agency is publicly sharing to help others minimize cyber risk.

During an RTA, CISA said its red team simulates real-world malicious cyber operations in order to assess an organization’s cybersecurity detection and response capabilities.

In this assessment, CISA said its red team was able to gain initial access through a web shell left by a third party’s previous security assessment.
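One way to hunt for exactly that kind of leftover, added here as an illustration and not taken from CISA's report or from the assessed organization's tooling: a small Python script that compares a web root against the file hashes recorded at deployment and, separately, flags script files containing the usual request-parameter-to-eval/exec primitives. The manifest format, the signature list, the file extensions and the sample files are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass

# Heuristic signatures for the classic "request parameter flows straight into
# code or command execution" one-liners. Assumed patterns, not an exhaustive
# detector; obfuscated shells are caught by the manifest check below instead.
SHELL_PATTERNS = [
    ("eval of request data or decoded blob",
     re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I)),
    ("command execution from request data",
     re.compile(rb"\b(system|passthru|shell_exec|popen|proc_open|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("assert() used as eval",
     re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("classic ASP eval request()",
     re.compile(rb"\beval\s*\(?\s*request\s*(\.(form|querystring))?\s*\(", re.I)),
]
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Path -> SHA-256 of the content approved at deploy time (assumed format)."""
    return {path: sha256(content) for path, content in files.items()}


def load_webroot(root: str) -> dict[str, bytes]:
    """Read a real web root into the path -> bytes form scan_webroot() takes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def scan_webroot(files: dict[str, bytes], manifest: dict[str, str]) -> list[Finding]:
    """Report files that are unexpected, modified since deploy, or look like a shell."""
    findings: list[Finding] = []
    for path, content in sorted(files.items()):
        expected = manifest.get(path)
        if expected is None:
            findings.append(Finding(path, "not in deployment manifest"))
        elif expected != sha256(content):
            findings.append(Finding(path, "hash differs from deployment manifest"))
        if path.lower().endswith(SCRIPT_EXTS):
            for label, pattern in SHELL_PATTERNS:
                if pattern.search(content):
                    findings.append(Finding(path, f"web-shell pattern: {label}"))
                    break
    return findings


# Constructed sample: what the build pipeline deployed, and what is on disk
# after an earlier engagement dropped a shell and appended a backdoor to a
# legitimate library file.
DEPLOYED = {
    "index.php": b"<?php echo 'Welcome'; ?>",
    "lib/db.php": b"<?php function q($s) { return mysqli_query($GLOBALS['c'], $s); }",
    "static/logo.png": b"\x89PNG\r\n\x1a\n",
}
ON_DISK = dict(DEPLOYED)
ON_DISK["uploads/.cache.php"] = b"<?php @eval($_POST['cmd']); ?>"
ON_DISK["lib/db.php"] = DEPLOYED["lib/db.php"] + b"\nif (isset($_GET['x'])) { system($_GET['x']); }"


if __name__ == "__main__":
    for f in scan_webroot(ON_DISK, build_manifest(DEPLOYED)):
        print(f"{f.path}: {f.reason}")
```

The manifest comparison is the check that matters: a shell can be obfuscated past any signature list, but it cannot appear in a deploy-time hash manifest unless the deploy pipeline put it there. To use it on a real DMZ host, feed `load_webroot()` the document root (a path such as `/var/www`, assumed here) and build the manifest from the release artifact rather than from the live server, and treat any finding under an upload or cache directory as an incident to investigate rather than noise.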

“The red team proceeded to move through the demilitarized zone (DMZ) and into the network to fully compromise the organization’s domain and several sensitive business system (SBS) targets,” CISA said in a Nov. 21 report detailing the assessment.

“The assessed organization discovered evidence of the red team’s initial activity but failed to act promptly regarding the malicious network traffic through its DMZ or challenge much of the red team’s presence in the organization’s Windows environment,” it added.

The red team was able to compromise the organization's domain and SBSs because the organization lacked sufficient controls to detect and respond to malicious cyber activity. CISA said the exercise revealed valuable lessons for network defenders and software manufacturers looking to improve their cybersecurity posture.

Some of the lessons learned include:

  • “Lesson Learned: The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.
  • Lesson Learned: The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks.
  • Lesson Learned: The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.”

CISA said these lessons learned are relevant to all organizations, and it encouraged them to apply the lessons to their own networks. While the 36-page report offers many recommendations for organizations to improve their cyber posture, CISA specifically encouraged software manufacturers to embrace Secure by Design principles.

This includes embedding security into product architecture throughout the entire software development lifecycle, mandating multi-factor authentication, and eliminating default passwords.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.