The Cybersecurity and Infrastructure Security Agency (CISA) executed a red team assessment on a critical infrastructure organization, simulating real-world cyber attacks to test the organization’s cybersecurity detection and response. On Thursday, in partnership with the critical infrastructure organization, the CISA Red Team released a cybersecurity advisory detailing the Red Team’s tactics, techniques, and procedures (TTPs), along with network defense strategies. The advisory also provides key findings and lessons to help network defenders and software manufacturers strengthen cybersecurity.
During the assessment, the CISA Red Team exploited a web shell from a previous third-party security test to gain initial access. They infiltrated the demilitarized zone (DMZ) and penetrated the network, compromising the organization’s domain and several sensitive business systems (SBS). Although the organization detected initial red team activity, it failed to promptly address the malicious traffic in the DMZ or effectively counter the red team’s presence in the Windows environment. The red team successfully compromised the domain and SBSs due to inadequate detection and response controls.
The assessment revealed that the organization lacked adequate technical controls to prevent and detect malicious activities, overly relying on host-based endpoint detection and response (EDR) solutions without implementing sufficient network layer protections. Additionally, the organization’s staff requires ongoing training, support, and resources to effectively implement secure software configurations and identify malicious activities. It is essential for staff to continually enhance their technical skills, deepen their understanding of their systems, and receive adequate resources from management to protect their networks.
Furthermore, the organization’s leadership underestimated the business risk associated with known attack vectors. They deprioritized addressing a vulnerability identified by their cybersecurity team and, in their risk-based decision-making, misjudged the potential impact and likelihood of its exploitation.
The CISA Red Team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open-source research on the target organization to gain information about its network, defensive tools, and employees. The red team designed spearphishing campaigns tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads, but their execution did not result in the red team gaining access to the network.
After the failed spearphishing campaigns, the CISA Red Team continued external reconnaissance of the network and discovered a web shell left from a previous Vulnerability Disclosure Program (VDP), CISA revealed. “The red team used this for initial access and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges on the host, discover credential material on a misconfigured Network File System (NFS) share, and move from a DMZ to the internal network.”
With access to the internal network, the CISA Red Team gained further access to several SBSs. The red team leveraged a certificate for client authentication they discovered on the NFS share to compromise a system configured for ‘Unconstrained Delegation.’ This allowed the red team to acquire a ticket-granting ticket (TGT) for a domain controller, used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs.
Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server discovered through reconnaissance of the organization’s external internet protocol (IP) space. The red team first conducted open-source research to identify information about the organization’s network, including the tools used to protect the network and potential targets for spearphishing.
The CISA Red Team looked for email addresses and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following this action, the red team sent tailored spearphishing emails to 13 targets. Of these 13 targets, one user responded and executed two malicious payloads. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, preventing the red team’s first attempt to gain initial access.
To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet.
Approximately two weeks after gaining initial access, the CISA Red Team compromised a Windows domain controller. “This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization. To first gain situational awareness about the organization’s environment, the red team exfiltrated Active Directory (AD) information from a compromised Linux host that had network access to a Domain Controller (DC).”
The team queried Lightweight Directory Access Protocol (Over SSL)—(LDAPS)—to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). Unfortunately, the organization did not have detections to monitor for anomalous LDAP traffic. A non-privileged user querying LDAP from the organization’s Linux domain should have alerted network defenders.
The CISA Red Team initially established C2 on a workstation over HTTPS before connecting to servers over SMB in the organization’s Windows environment. To connect to certain SBSs later in its activity, the team again relied on HTTPS for C2.
After the red team gained persistent access to Linux and Windows systems across the organization’s networks, the CISA red team began post-exploitation activities and attempted to access SBSs. The TAs provided a scope of the organization’s Classless Inter-Domain Routing (CIDR) ranges that contained SBSs. The team gained root access to multiple Linux servers in these ranges. The TAs then instructed the red team to exploit its list of primary targets: admin workstations and network ranges that included OT (operational technology) networks. The team only achieved access to the first two targets and did not find a path to the OT networks. While the team was able to affect the integrity of data derived from OT devices and applications, it was unable to find and access the organization’s internal network where the OT devices resided.
The cybersecurity agency noted in the CISA Red Team assessment advisory that the assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based EDR solutions and did not implement sufficient network layer protections. Its perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks. A properly configured network should block access to a path from the DMZ to other internal networks.
Also, the organization was too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS). The organization’s EDR solutions also failed to catch all the red team’s payloads. Some of the higher risk activities conducted by the team that were opportunities for detection include phishing; kerberoasting; generation and use of golden tickets; S4U2self abuse; anomalous LDAP traffic; anomalous NFS enumeration; unconstrained Delegation server compromise; DCSync; anomalous account usage during lateral movement; anomalous outbound network traffic; anomalous outbound SSH connections to the team’s cloud servers from workstations; and use of proxy servers from hosts intended to be restricted from internet access.
The findings also include that the organization had insufficient host monitoring in a legacy environment. The organization had hosts with a legacy operating system without a local EDR solution, which allowed the red team to persist for several months on the hosts undetected. Also, the organization had multiple systems configured insecurely. This allowed the red team to compromise, maintain persistence, and further exploit those systems (i.e., access credentials, elevate privileges, and move laterally).
Additionally, the red team’s activities generated security alerts that network defenders did not review. The organization lacked proper identity management. The organization used known insecure and outdated software. The red team discovered software on one of the organization’s web servers that was outdated.
The advisory acknowledged the effectiveness of technical controls and defensive measures in thwarting or impeding offensive actions within the critical infrastructure organization. Network defenders successfully detected the initial compromise and some red team movements. Host-based EDR solutions blocked initial access attempts via phishing. Additionally, a strong domain password policy and effective separation of privileges contributed to the defense.
CISA recommends organizations implement appropriate mitigations that align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.
The agency also recommends that organizations provide users with regular training and exercises, specifically related to phishing emails; enforce phishing-resistant MFA to the greatest extent possible; and work to reduce the risk of credential compromise.
As a long-term effort, CISA recommends organizations prioritize implementing a more modern, zero trust network architecture that leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, and policy enforcement). It also suggests upgrading applications and infrastructure to leverage modern identity management and network access practices; centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investing in technology and personnel to achieve these goals.