CISA red team shares key findings to improve network monitoring and hardening, provides mitigation actions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Tuesday a cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) of the red team, along with key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. The red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems.

The advisory highlights the importance of early detection and continual monitoring of cyber assets while focusing on the importance of collecting and monitoring logs for unusual activity. It also looks into the significance of carrying out continuous testing and exercises to ensure that the organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture. 

“In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites,” the advisory disclosed. “The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs).”

It added that MFA (multi-factor authentication) prompts prevented the team from gaining access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period. “Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response,” the advisory added.

During RTAs, a CISA red team emulates cyber hackers to assess an organization’s cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, or technology.

CISA’s red team gained access to two organization workstations through spear-phishing emails, then moved laterally to a misconfigured server and gained root access to all workstations connected to the organization’s mobile device management (MDM) server. However, an MFA prompt prevented them from accessing a second SBS.

Most of the red team’s Phase II actions failed to provoke a response from the people, processes, and technology defending the organization’s network, the CISA advisory notes. “The organization failed to detect lateral movement, persistence, and C2 activity via their intrusion detection or prevention systems, endpoint protection platform, web proxy logs, and Windows event logs. Additionally, throughout Phase I, the team received no deconflictions or confirmation that the organization caught their activity.”

Some of the strengths noted by the red team include technical controls or defensive measures that prevented or hampered offensive actions. It found that the organization conducts regular, proactive penetration tests and adversarial assessments and invests in hardening its network based on findings. The team was unable to discover any easily exploitable services, ports, or web interfaces from more than three million external in-scope IPs, forcing the team to resort to phishing to gain initial access to the environment.

The CISA red team also found that service account passwords were strong. The team was unable to crack any of the hashes obtained from the 610 service accounts pulled. This is a critical strength because it slowed the team from moving around the network in the initial parts of Phase I. Moreover, the team did not discover any user credentials on open file shares or file servers, which further slowed its movement through the network.

MFA was used for some SBSs. The team was blocked from moving to SBS 2 by an MFA prompt. Additionally, there were strong security controls and segmentation for SBS systems. Direct access to SBS was located in separate networks, and admins of SBS used workstations protected by local firewalls.

The advisory also revealed that the organization lacked monitoring on its endpoint management systems. Because these systems provide elevated access to thousands of hosts, they should be treated as high-value assets (HVAs) with additional restrictions and monitoring. It also identified excessive permissions granted to standard users, detected hosts with ‘Unconstrained Delegation’ enabled unnecessarily, and found non-secure default configurations in use.

The organization used default configurations for hosts running Windows Server 2012 R2. The default configuration allows unprivileged users to query the membership of local administrator groups. The red team identified and used several standard user accounts with administrative access from a Windows Server 2012 R2 SharePoint server.

Some of the additional issues noted in the CISA advisory include the ineffective separation of privileged accounts, while certain workstations allowed unprivileged accounts to have local administrator access. If a user with administrative access is compromised, an actor can access servers without needing to elevate privileges. Administrative and user accounts should be separated, and designated admin accounts should be exclusively used for admin purposes.

It also identified a lack of server egress control, as most servers, including domain controllers, allowed unrestricted egress traffic to the internet. It further covered inconsistent host configuration on servers and workstations within the domain, including inconsistent membership in the local administrator group among different servers or workstations. It also detected potentially unwanted programs, including music software, installed on both workstations and servers. These extraneous software installations indicate inconsistent host configuration, increasing the attack surfaces for malicious actors to gain initial access or escalate privileges once in the network.
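The server egress finding above is the one most directly fixable with host configuration. The following PowerShell is an added example, not part of the CISA advisory or the assessed organization’s configuration: it makes direct internet egress from a Windows server fail by default while keeping internal traffic and the organization’s proxy reachable. It assumes Windows Server 2016 or later with the built-in NetSecurity module, and the proxy address, proxy port and internal ranges are placeholders to be replaced with the organization’s own values.

```powershell
# Added example (not from the CISA advisory): default-deny outbound on a server,
# allowing only internal networks and the organization's web proxy. Run on the
# server itself or push the equivalent settings through Group Policy.
$Proxy     = '10.0.0.10'   # placeholder: authenticated web proxy
$ProxyPort = 8080          # placeholder: proxy listening port
$Internal  = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # placeholder: internal ranges

# Allow rules go in first, so the default-deny that follows does not cut off
# domain, DNS, WSUS or other internal traffic the server depends on.
New-NetFirewallRule -DisplayName 'Egress: internal networks' -Direction Outbound -Action Allow `
    -Profile Domain -RemoteAddress $Internal
New-NetFirewallRule -DisplayName 'Egress: web via proxy' -Direction Outbound -Action Allow `
    -Profile Domain -Protocol TCP -RemoteAddress $Proxy -RemotePort $ProxyPort

# Everything else outbound is dropped and logged; the log gives the SOC a record of
# hosts attempting to reach the internet directly, which is exactly the C2 traffic
# the advisory says went unnoticed.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verify the profile and test both paths: direct internet should fail, the proxy should answer.
Get-NetFirewallProfile -Profile Domain | Select-Object Name, DefaultOutboundAction, LogBlocked
Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet
Test-NetConnection -ComputerName $Proxy -Port $ProxyPort -InformationLevel Quiet
```

The first Test-NetConnection call is expected to return False and the second True once the rules are in place. Domain controllers need the same treatment: the advisory singles them out as allowing unrestricted egress, and nothing in a domain controller’s role requires direct internet access when an internal proxy and WSUS are available.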

The CISA red team advisory also revealed that mandatory password changes were enabled. During the assessment, the team keylogged a user during a mandatory password change and noticed that only the final character of their password was modified. This is potentially due to domain passwords being required to be changed every 60 days. 

Furthermore, smart card use was inconsistent across the domain. While the technology was deployed, it was not applied uniformly, and there was a significant portion of users without smartcard protection enabled. The team used these unprotected accounts throughout their assessment to move laterally through the domain and gain persistence. 
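Three of the findings above (unconstrained delegation enabled where it is not needed, standard user accounts in local administrator groups with membership that differs from host to host, and smart card enforcement applied to only part of the user population) can be checked with a single domain audit. The script below is an added example, not the CISA red team’s tooling or the assessed organization’s configuration. It assumes the RSAT ActiveDirectory module, PowerShell 5.1 or later on the queried servers (for Get-LocalGroupMember), and WinRM access to those servers.

```powershell
# Added audit script (not part of the CISA advisory): checks a domain for three of
# the findings the advisory names. Read-only; nothing here changes configuration.
Import-Module ActiveDirectory

# 1. Unconstrained delegation: userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION).
#    Domain controllers carry the flag by design; any other host needs a justification.
$dcNames = (Get-ADDomainController -Filter *).Name
$unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $dcNames -notcontains $_.Name }
"Non-DC hosts with unconstrained delegation: {0}" -f @($unconstrained).Count
$unconstrained | Select-Object Name, DNSHostName | Format-Table -AutoSize

# 2. Smart card coverage: enabled users lacking userAccountControl bit 0x40000 (SMARTCARD_REQUIRED).
#    These are the password-only accounts the red team used for lateral movement and persistence.
$noSmartCard = Get-ADUser -Filter 'Enabled -eq $true -and SmartcardLogonRequired -eq $false' `
    -Properties SmartcardLogonRequired
$enabledTotal = @(Get-ADUser -Filter 'Enabled -eq $true').Count
"{0} of {1} enabled users are not smart-card-required" -f @($noSmartCard).Count, $enabledTotal
$noSmartCard | Select-Object SamAccountName | Format-Table -AutoSize

# 3. Local Administrators membership on every server, to spot standard user accounts
#    holding admin rights and hosts whose membership differs from the rest.
$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true').DNSHostName
$members = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}
# Individual user principals (not groups) in Administrators are the separation-of-privilege problem.
$members | Where-Object { $_.ObjectClass -eq 'User' } |
    Sort-Object Name, Host | Select-Object Host, Name, PrincipalSource | Format-Table -AutoSize
# Principals present on only some hosts are the inconsistent membership the advisory describes.
$members | Group-Object Name | Where-Object { $_.Count -lt @($servers).Count } |
    Select-Object Name, Count | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run is a cheap way to build the security baseline the advisory recommends: a new host appearing in the delegation list, or a new user account appearing in a server’s Administrators group, is a change worth an analyst’s attention even if no alert fired elsewhere.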

Commenting on the CISA red team advisory, Jori VanAntwerp, CEO and co-founder at SynSaber, wrote in an emailed statement that upon reading the report his initial reaction is that OT networks and systems are not mentioned. “While the IT system discussed could adversely affect the day-to-day business operations of an organization, there isn’t any explicit mention or evidence of manipulation or interruption to process control or operation. While the simulated breach in this red team is concerning, and defenses should be bolstered, I’m not entirely sure that this would have affected the operations of a critical infrastructure environment.”

“Critical infrastructure providers are more aware than ever of what needs to be done to secure their environments,” VanAntwerp said. “The challenge now shifts to the implementation of best practices to mitigate risk, such as segmentation, visibility, detection, and monitoring. Exercises such as this provide defenders with the point of proof necessary to ensure that budget and resources are properly implemented to improve posture and overall defense of operations. These findings highlight some of the challenges OT is facing in terms of implementing cybersecurity best practices such as proper segmentation, network visibility, detection, access privileges, and more.”

Paul Scott, R&D, Solutions Engineer at Cado Security, also wrote in an emailed statement that his view is that for critical infrastructure, “I don’t think their security posture or the advice that they should be following has changed. Threat actors continue to do what works which at the moment still tends to be phishing of staff or abusing publicly known exploits in unpatched web-facing infrastructure.” 

“For critical infrastructure, their key difference between corporations is their industrial control systems which are often never patched or not able to be patched and are accessible remotely by support vendors with limited or no network segmentation or controls in place,” Scott said.

He added that the key things he has seen fail in industrial settings are little or no network segmentation between industrial control devices, little or no segmentation of domains and domain trusts, little or no implementation of strict firewall rules between applications, no logging or detections on access from third party support providers, no ability to detect anomalies on industrial systems, and overly permissive user account access allowing lateral movement after initial compromise.

The agency calls upon critical infrastructure organizations to harden their local environment by establishing a security baseline of normal network activity, conducting regular assessments, and enforcing phishing-resistant MFA to the greatest extent possible. It also recommends that organizations provide users with regular training and exercises, reduce the risk of credential compromise, and upgrade to Windows Server 2019 or greater and Windows 10 or greater. As a long-term effort, CISA recommends organizations prioritize implementing a more modern, zero trust network architecture.

The advisory comes as CISA director Jen Easterly said in a speech at Carnegie Mellon University on Monday that Chinese hackers are too frequently going ‘unidentified and undeterred,’ and software companies aren’t doing enough to secure their products from cyber-attacks that ‘can do real damage’ to US interests through the loss of trade secrets. 

Easterly was referring to a suspected Chinese surveillance balloon that flew over multiple US states before the US military shot it down on February 4. She added that the bigger problem is that too many major software makers are not designing their products more securely and making it easy for the user to maintain that security.

“[T]he burden of safety should never fall solely upon the customer,” Easterly said. “Technology manufacturers must take ownership of the security outcomes of their customers.”

She called on technology manufacturers to ‘embrace radical transparency’ by sharing more of their software design plans publicly so they can be scrutinized by experts.
