Tuesday, November 5, 2024

CISA publishes FY23 analysis, infographic on critical infrastructure risk and vulnerability assessments


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis and an infographic summarizing the findings from 143 risk and vulnerability assessments (RVAs) conducted across various critical infrastructure sectors in fiscal year 2023 (FY23). The RVAs map 11 of the 14 MITRE ATT&CK tactics cyber threat actors use to obtain and maintain unauthorized access to a network or system. The analysis also provides a few high-level observations that would improve the ability of critical infrastructure organizations to secure and protect their networks.

CISA conducts RVAs for the federal civilian executive branch (FCEB), high-priority private and public sector critical infrastructure operators, and select state, local, tribal, and territorial (SLTT) stakeholders. Concurrently, the U.S. Coast Guard (USCG) conducts RVAs on maritime critical infrastructure operated by SLTT and private-sector organizations. 

The analysis outlines a sample attack path, detailing the tactics and steps a cyber threat actor might use to exploit an organization with vulnerabilities similar to those identified in the FY23 RVAs. The infographic showcases the most effective techniques for each tactic documented in the RVAs. The analysis and the infographic align threat actor behaviors with the MITRE ATT&CK framework.

During each RVA, CISA and the USCG collect data through remote and onsite actions. This data is combined with national threat and vulnerability information to provide organizations with actionable remediation recommendations prioritized by the risk of compromise. CISA designed RVAs to identify vulnerabilities threat actors could exploit to compromise network security controls. After completing an RVA, CISA and the USCG provide the assessed entity with a final report that includes specific findings, recommendations, potential mitigations, and technical attack path details.

CISA's general observations were that assessors completed their most successful attacks via common methods, such as phishing, valid accounts, and default credentials, and that assessors used the same tools and techniques captured in previous RVA analyses to conduct those attacks. Many organizations across varying critical infrastructure sectors also exhibited the same vulnerabilities: CISA assessment personnel compromised systems through common weaknesses that stem from shortcomings in 'secure by design' and 'secure by default' principles and from other misconfigurations.

The attack path begins with a step required by most real-world attacks: gaining 'initial access.' Next, the attacker 'executes' code in the network to help establish a foothold and maintain 'persistence.' From that foothold, the attacker uses 'privilege escalation' to gain administrative rights and, while using 'defense evasion' to avoid detection, attempts to steal further credentials ('credential access').

Once the attacker has credential access, they ‘discover’ the systems and networks. By analyzing these systems and networks, the attacker gains an understanding of the infrastructure and identifies sensitive data that they deem worth compromising. The attacker then uses ‘lateral movement’ throughout the network to access this sensitive data. Once entrenched in the network, the attacker switches their focus to ‘collection’ of the sensitive data. Attackers use ‘Command and Control (C2)’ to keep communication channels open to support ‘data exfiltration’ and potential control after the attack.

After conducting trend analysis on the networks and network defenses of the entities in the 143 RVAs, CISA and the USCG made high-level observations that would improve the ability of critical infrastructure organizations to secure and protect their networks. Throughout the assessment lifecycle, 'Valid Accounts' was the most prominent technique used across multiple tactics. Although CISA and USCG teams do not directly emulate a specific adversary, they exploit whatever conditions are present in the environment and use opportunistic techniques. In previous years, assessors primarily used Valid Accounts to gain initial access to the network.

In FY23, however, assessors also found opportunities to use Valid Accounts to move laterally through the network, evade defenses, and escalate privileges; in many cases, the same accounts served in several stages of the ATT&CK framework. A threat actor can therefore do a lot with a small number of credentials obtained early on, especially when a domain account can be used to extract the Microsoft Active Directory database.

To guard against the successful abuse of Valid Accounts, critical infrastructure entities should implement strong password policies and phishing-resistant MFA; implement Identity and Access Management (IAM) solutions and granular access control to lock down privileged accounts, protect user credentials, and assign users to groups with specific permissions; monitor access logs and network communication logs to detect abnormal access; and swiftly identify and respond to detected abnormalities to reduce potential damage.
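The monitoring recommendation above is where the Valid Accounts finding becomes concrete: one account used in several stages shows up in logs as a single credential fanning out across hosts in a short window, and a compromised workstation shows up as a single source using several accounts. The following Python is an added example, not CISA's code or part of the report; it assumes a constructed, simplified logon-log format (timestamp, host, user, source, result) and flags both patterns over a few sample lines embedded in the block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon log (hypothetical format and hosts, not from any
# real environment). One account, svc_backup, fans out to four hosts within
# seconds, and one source IP, 10.0.5.21, uses two different accounts.
SAMPLE_LOG = """\
2024-11-05T08:01:12Z host=WKS-017 user=jdoe src=10.0.5.21 result=success
2024-11-05T08:03:40Z host=WKS-017 user=jdoe src=10.0.5.21 result=success
2024-11-05T08:05:02Z host=FS-01 user=svc_backup src=10.0.5.21 result=success
2024-11-05T08:05:09Z host=DC-01 user=svc_backup src=10.0.5.21 result=success
2024-11-05T08:05:15Z host=SQL-02 user=svc_backup src=10.0.5.21 result=success
2024-11-05T08:05:21Z host=HR-APP user=svc_backup src=10.0.5.21 result=success
2024-11-05T09:30:00Z host=WKS-044 user=asmith src=10.0.7.3 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def successful_logons(log_text):
    """Only successful logons matter for valid-account abuse; failures are
    a different signal (brute force) and are dropped here."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["result"] == "success"]


def _fan_out(events, group_by, distinct, window, min_distinct):
    """Group events by `group_by`; for each group, slide a time window over
    its events and, if the window touches at least `min_distinct` different
    `distinct` values, report the union of everything seen in such windows."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        groups[e[group_by]].append(e)
    hits = {}
    for key, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {e[distinct] for e in evs[start:end + 1]}
            if len(seen) >= min_distinct:
                hits.setdefault(key, set()).update(seen)
    return {k: sorted(v) for k, v in hits.items()}


def account_fan_out(log_text, window=timedelta(minutes=10), min_hosts=3):
    """One account logging on to many hosts in a short window: the
    lateral-movement-with-Valid-Accounts pattern. Returns {user: [hosts]}."""
    return _fan_out(successful_logons(log_text), "user", "host", window, min_hosts)


def source_fan_out(log_text, window=timedelta(minutes=10), min_users=2):
    """One source using several accounts in a short window: a foothold that
    is spending harvested credentials. Returns {src: [users]}."""
    return _fan_out(successful_logons(log_text), "src", "user", window, min_users)


if __name__ == "__main__":
    for user, hosts in account_fan_out(SAMPLE_LOG).items():
        print(f"ALERT account fan-out: {user} -> {', '.join(hosts)}")
    for src, users in source_fan_out(SAMPLE_LOG).items():
        print(f"ALERT multi-account source: {src} -> {', '.join(users)}")
```

The thresholds are deliberately loose so the sample triggers; in a real environment they need tuning per account class (a backup service account legitimately touches many hosts, but rarely from a user workstation), which is why the source-based check is worth running alongside the account-based one.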

To deter a cyber threat actor's ability to compromise systems or networks, the CISA document recommends that critical infrastructure entities implement mitigation-centered intrusion prevention: deploying a centralized cyber threat intelligence platform to monitor and log critical data and using it to detect and remediate abnormal behavior promptly, and implementing a layered network security architecture using next-generation firewalls, granular access controls, network segmentation, SIEM/SOAR, robust encryption, and secure communication.

Furthermore, organizations must implement enhanced protection mechanisms alongside strong credential policies. CISA calls upon system owners and administrators to share this guidance with leadership and apply relevant changes tailored to their specific environments. Analysis of this nature can effectively prioritize the identification and mitigation of high-level vulnerabilities across multiple sectors and entities.

In July, CISA rolled out an Infrastructure Resilience Planning Framework (IRPF) designed to guide localities, regions, and the private sector in collaboratively planning for the security and resilience of critical infrastructure services amidst various threats and changes. While primarily aimed at SLTT governments and their regional organizations, the IRPF is versatile enough for use by any organization looking to improve its resilience planning.
