CISA report maps risk and vulnerability assessment findings to MITRE ATT&CK framework

The Cybersecurity and Infrastructure Security Agency (CISA) has released its analysis of the Risk and Vulnerability Assessments (RVAs) it conducted in fiscal year 2021. The analysis and an accompanying infographic detail the findings from the 112 assessments carried out across federal civilian executive branch (FCEB), critical infrastructure (CI), and state, local, tribal, and territorial (SLTT) stakeholders. Both the analysis and the infographic map the observed adversary behavior to the MITRE ATT&CK framework.

The analysis details a sample attack path comprising 11 successive tactics, or steps, that an adversary could take to compromise an organization whose weaknesses are representative of those CISA observed in the FY 2021 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented.

The results of each RVA are mapped to the MITRE ATT&CK framework. The goal of RVA analysis is to develop effective strategies that improve the security posture of FCEB, CI, and SLTT stakeholders. An RVA is intended to assess an entity's network capabilities and network defenses against potential threats. During each RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information to provide organizations with actionable remediation recommendations, prioritized by risk.
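As an added example (not CISA's code or data), the following Python script shows the kind of roll-up the analysis and infographic describe: findings from several assessments are credited to ATT&CK tactics and techniques, the three most successful techniques per tactic are ranked, one technique per tactic is strung together in kill-chain order into a sample attack path, and the result is emitted as an ATT&CK Navigator layer. The findings list is constructed for illustration and does not reflect CISA's FY 2021 results; the tactic and technique IDs are real ATT&CK identifiers, while the Navigator layer fields assume the v4 layer schema.

```python
"""Roll up assessment findings into an ATT&CK summary (added example, not CISA's code)."""
import json
from collections import Counter, defaultdict

# ATT&CK Enterprise tactics in kill-chain order (real tactic IDs; Navigator tactic names).
TACTIC_ORDER = [
    ("TA0001", "initial-access"),
    ("TA0002", "execution"),
    ("TA0003", "persistence"),
    ("TA0004", "privilege-escalation"),
    ("TA0005", "defense-evasion"),
    ("TA0006", "credential-access"),
    ("TA0007", "discovery"),
    ("TA0008", "lateral-movement"),
    ("TA0009", "collection"),
    ("TA0011", "command-and-control"),
    ("TA0010", "exfiltration"),
    ("TA0040", "impact"),
]

# Constructed findings: (assessment_id, tactic, technique_id, technique_name, succeeded).
# Illustrative values only; NOT CISA's FY 2021 data.
FINDINGS = [
    ("rva-001", "initial-access", "T1566", "Phishing", True),
    ("rva-001", "initial-access", "T1078", "Valid Accounts", True),
    ("rva-002", "initial-access", "T1566", "Phishing", True),
    ("rva-002", "initial-access", "T1190", "Exploit Public-Facing Application", False),
    ("rva-003", "initial-access", "T1078", "Valid Accounts", True),
    ("rva-003", "initial-access", "T1133", "External Remote Services", True),
    ("rva-003", "initial-access", "T1190", "Exploit Public-Facing Application", True),
    ("rva-001", "execution", "T1059", "Command and Scripting Interpreter", True),
    ("rva-002", "execution", "T1059", "Command and Scripting Interpreter", True),
    ("rva-002", "execution", "T1204", "User Execution", True),
    ("rva-001", "credential-access", "T1003", "OS Credential Dumping", True),
    ("rva-003", "credential-access", "T1110", "Brute Force", True),
    ("rva-002", "credential-access", "T1003", "OS Credential Dumping", False),
    ("rva-001", "lateral-movement", "T1021", "Remote Services", True),
    ("rva-003", "lateral-movement", "T1021", "Remote Services", True),
]


def success_counts(findings):
    """Per tactic, count the assessments in which each technique succeeded.
    A technique is credited at most once per assessment, however often it was used."""
    seen = set()
    counts = defaultdict(Counter)
    for rva, tactic, tid, name, ok in findings:
        if not ok or (rva, tactic, tid) in seen:
            continue
        seen.add((rva, tactic, tid))
        counts[tactic][(tid, name)] += 1
    return counts


def top_techniques(findings, n=3):
    """Per tactic (kill-chain order), the n most successful techniques as
    [((technique_id, name), assessments_succeeded), ...]; ties keep first-seen order."""
    counts = success_counts(findings)
    return {tactic: counts[tactic].most_common(n)
            for _, tactic in TACTIC_ORDER if tactic in counts}


def sample_attack_path(findings):
    """One technique per observed tactic, in kill-chain order: the most successful one.
    This mirrors stringing tactics into a single representative attack path."""
    return [(tactic, tid, name, hits)
            for tactic, ranked in top_techniques(findings, n=1).items()
            for (tid, name), hits in ranked]


def navigator_layer(findings, name="RVA top techniques"):
    """Build an ATT&CK Navigator layer (assumption: v4 layer schema) in which the
    score of a technique is the number of assessments it succeeded in."""
    techniques = []
    for tactic, ranked in top_techniques(findings).items():
        for (tid, tname), hits in ranked:
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": hits,
                "comment": f"{tname}: succeeded in {hits} assessment(s)",
            })
    return {"name": name, "versions": {"layer": "4.4"},
            "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    for tactic, ranked in top_techniques(FINDINGS).items():
        print(tactic, [(tid, hits) for (tid, _), hits in ranked])
    print("sample path:", " -> ".join(tid for _, tid, _, _ in sample_attack_path(FINDINGS)))
    print(json.dumps(navigator_layer(FINDINGS), indent=2))
```

Crediting a technique once per assessment rather than once per use is what keeps a single noisy engagement from dominating the ranking; the Navigator layer can be loaded into the ATT&CK Navigator to shade the matrix the way the infographic does.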

The security agency provides these reports and infographics to the cybersecurity community with technical details and recommended mitigations to help organizations of all sizes strengthen their cybersecurity posture.

CISA designed RVAs to identify vulnerabilities that adversaries could exploit to compromise network security controls. An RVA may incorporate various methodologies, including scenario-based network penetration testing, web application testing, social engineering testing, wireless testing, configuration reviews of servers and databases, and evaluation of detection and response capabilities. After completing an RVA, CISA provides the assessed entity with a final report that includes recommendations for business executives, specific findings, potential mitigations, and technical attack path details.

The CISA assessments identified that gaining initial access to an organization's network is one of an adversary's primary goals and largely determines the success of the campaign. "If initial access is established undetected, adversaries may have ample time to steal sensitive information, pacing themselves to avoid triggering network detections and alarms. Preventing initial access should be one of the main goals of organizations to protect their network assets and organizational data," it added.

“Threat actors leverage malicious code to execute on systems and networks, further compromising victims,” the CISA analysis said. “Malicious code can be executed for a variety of reasons, such as establishing backdoors, modifying account privileges, or infecting multiple devices on a network. Threat actors rely on techniques such as executing malicious code to maintain access and control in systems and networks,” it added.

The CISA assessments also found that adversaries steal credentials to gain access to internal resources, bypass security measures, and steal critical data. "Using legitimate credentials can give adversaries access to systems, can make their movements and activities harder to detect, and can allow them to create more accounts to help achieve their goals," it added.

During the initial access phase, many organizations fell victim to common access methods, such as phishing and the use of default credentials, the CISA document said. “This demonstrates that initial attack vectors have not changed over time and that organizations should continue to implement enhanced password protection practices. Since attack vectors have not changed and remain successful, all sectors should focus on enhancing password requirements, implementing user training to identify phishing, and requiring password changes after a set period,” it added. 

Furthermore, network defenders should remain vigilant to threat actors’ evolving tactics and techniques, CISA said in its analysis. To help quickly identify abnormal activity, network defenders should continuously review intrusion detection systems and logs to identify adversary activity. 

During its RVAs, CISA was able to escalate privileges and move laterally throughout entities' networks, gaining access to sensitive information. If entities can quickly identify malicious activity, they can reduce the impact of a compromise, the document said.
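The following Python script is an added example, not part of CISA's analysis, of the log review the analysis recommends, applied to the two initial-access methods it calls out (default credentials and credential abuse). Run over a handful of constructed authentication log lines, it flags a source that fails against many distinct accounts in a short window (password spraying, ATT&CK T1110.003), successful logins to built-in or default account names (T1078.001), and the case that matters most for limiting impact, a spraying source that then authenticates successfully. The log line format, thresholds and default-account list are assumptions to be adapted to the real log source.

```python
"""Flag password spraying and default-account logins in auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a real product's format):
#   <ISO-8601 UTC> auth host=<hostname> src=<ip> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Built-in / default account names worth reviewing (assumption; tune per environment).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}

SPRAY_MIN_USERS = 5                   # distinct accounts one source must fail against ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... inside this window

# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
LOG = """\
2021-06-14T09:00:05Z auth host=vpn-gw src=203.0.113.7 user=asmith result=FAIL
2021-06-14T09:00:09Z auth host=vpn-gw src=203.0.113.7 user=bjones result=FAIL
2021-06-14T09:00:14Z auth host=vpn-gw src=203.0.113.7 user=clee result=FAIL
2021-06-14T09:00:19Z auth host=vpn-gw src=203.0.113.7 user=dkim result=FAIL
2021-06-14T09:00:24Z auth host=vpn-gw src=203.0.113.7 user=epatel result=FAIL
2021-06-14T09:00:31Z auth host=vpn-gw src=203.0.113.7 user=fwong result=OK
2021-06-14T09:02:00Z auth host=vpn-gw src=198.51.100.22 user=asmith result=FAIL
2021-06-14T09:02:30Z auth host=vpn-gw src=198.51.100.22 user=asmith result=OK
2021-06-14T09:15:00Z auth host=web-01 src=192.0.2.10 user=admin result=OK
2021-06-14T09:40:00Z auth host=vpn-gw src=198.51.100.9 user=gmiller result=FAIL
this line is not an auth event
"""


def parse(lines):
    """Parse matching lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spraying(events):
    """One alert per source whose failures cover >= SPRAY_MIN_USERS distinct accounts
    within any SPRAY_WINDOW (sliding window over that source's failures)."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    alerts = []
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > SPRAY_WINDOW:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"technique": "T1110.003", "src": src, "users": sorted(users),
                               "first": fails[start]["ts"], "last": fails[end]["ts"]})
                break
    return alerts


def detect_default_logins(events):
    """Successful logins to default/built-in account names: verify the password was changed."""
    return [{"technique": "T1078.001", "src": e["src"], "user": e["user"],
             "host": e["host"], "ts": e["ts"]}
            for e in events if e["result"] == "OK" and e["user"].lower() in DEFAULT_ACCOUNTS]


def spray_then_success(events, spray_alerts):
    """Successful logins from a source that was already flagged for spraying."""
    sprayed = {a["src"] for a in spray_alerts}
    return [e for e in events if e["result"] == "OK" and e["src"] in sprayed]


if __name__ == "__main__":
    evts = parse(LOG.splitlines())
    sprays = detect_spraying(evts)
    for a in sprays:
        print(f"[{a['technique']}] spraying from {a['src']}: {len(a['users'])} accounts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for d in detect_default_logins(evts):
        print(f"[{d['technique']}] default account {d['user']} logged in on {d['host']} from {d['src']}")
    for e in spray_then_success(evts, sprays):
        print(f"[HIGH] {e['src']} sprayed and then authenticated as {e['user']} on {e['host']}")
```

The threshold of five accounts in ten minutes is deliberately low so the constructed sample trips it; on a real VPN or SSO log the value has to be set from a baseline of normal failure rates, and the default-account check is only a prompt to confirm that the account's shipped password was actually changed.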

CISA also observed that many organizations across multiple sectors exhibited similar weaknesses, such as a prevalence of default passwords, open ports, and outdated software. 

The security agency recommends that all industries practice strong password management to reduce the risk of compromise, patch outdated software, and close unneeded open ports, the document said. In addition to the recommendations and mitigations provided after each section, CISA recommends that individual organizations create additional tailored guidance that fits their specific network architectures and resource constraints. CISA encourages system owners and administrators to convey its guidance to their leadership and apply the changes relevant to their specific environments, it added.

CISA concludes that analysis of this nature may effectively prioritize the identification and mitigation of high-level vulnerabilities across multiple sectors and agencies. 

Last week, global cybersecurity agencies warned that malicious actors routinely exploit weak security controls, poor configurations, and poor security practices to gain initial access to victim networks. The joint cybersecurity advisory, released on Tuesday, identified exploitation of public-facing applications, external remote services, phishing, trusted relationships, and valid accounts as the techniques malicious actors use to gain that initial access.
