Response to CISA Advisory (AA24-193A): CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

On July 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) detailing the Tactics, Techniques and Procedures (TTPs), mitigation strategies, and detection methods associated with a red team assessment carried out by CISA against a Federal Civilian Executive Branch (FCEB) organization.

CISA conducted this assessment, named SILENTSHIELD, over an eight-month period in 2023, to simulate a long-term state-sponsored attack, mimicking the behavior of sophisticated threat actors and utilizing a diverse set of tools and tradecraft.

During the first phase, the SILENSHIELD team gained initial access to the Solaris enclave through an unpatched web server by exploiting a known vulnerability. Subsequently, they gained separate access to the Windows environment through phishing, which ultimately allowed them to obtain full domain access.

AttackIQ has released two new assessment templates which include the various Tactics, Techniques and Procedures (TTPs) employed during the SILENTSHIELD red team assessment carried out by CISA to help customers date their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors commonly exhibited by sophisticated threat actors during long-term operations.
  • Assess their security posture against activities focused on both Unix-based and Windows-based systems.
  • Continuously validate detection and prevention pipelines against a playbook similar to nation-state adversaries.

[CISA AA24-193A] CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth (Windows)

This assessment template emulates the assessment, the team gained access to the Windows portion of the network through phishing. The team was able to obtain unsecured administrative credentials and move freely within the Windows environment, as well as pivoting to an external organization.

The assessment template is divided into tactics, grouping the techniques and implementations used by the red team at each stage of their attacks.

1. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario attempts to create a new scheduled task for persistence using the schtasks utility.

Boot or Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario acquires persistence by setting the HKLMSoftwareMicrosoftWindowsCurrentVersionRun registry key that Windows uses to identify what applications should be run at system startup.

Create or Modify System Process: Windows Service (T1543.003): This scenario leverages the native sc command line tool to create a new service and performs a query in order to verify if the service was correctly created.

2. Privilege Escalation

Consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

Access Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated by another process. This method is commonly used to escalate privileges.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Masquerading: Rename System Utilities (T1036.003): This scenario copies powershell.exe, renames it to notepad.exe to bypass detection and executes the whoami command.

4. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Service Discovery (T1007): This scenario executes sc, Get-Service, net start or tasklist /svc commands to query all running Windows services.

Process Discovery (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility.

File and Directory Discovery (T1083): This scenario executes the dir command to discover files and directories.

5. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

Use Alternate Authentication Material: Pass the Ticket (T1550.003): This scenario simulates a Pass the Ticket (PtT) attack by dumping Kerberos tickets using Mimikatz and injecting them into the current session to simulate a logon.

Use Alternate Authentication Material: Pass the Hash (T1550.002): This scenario simulates a Pass the Hash attack (PtH) using dumped credentials from Mimikatz.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP) protocol.

Remote Services: SSH (T1021.004): This scenario attempts to open a remote shell and execute commands on target computers using the Secure Shell (SSH) protocol.

6. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Remote Services: SSH (T1021.004): This scenario initiates an SSH connection to an external AttackIQ-hosted server.

[CISA AA24-193A] CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth (Linux)

This assessment template emulates the Tactics, Techniques and Procedures (TTPs) exhibited during the SILENTSHIELD red team assessment for Unix-based systems. During the assessment, the team was able to achieve persistence, make modifications to the file system, dump credentials, establish an outbound SSH connection, and move laterally within the network.

The assessment template is divided into tactics, grouping the techniques and implementations used by the red team at each stage of their attacks.

1. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Scheduled Task/Job: Cron (T1053.003): This scenario used the cron utility to schedule commands for initial or recurring execution.

2. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Indicator Removal: Timestomp (T1070.006): This scenario simulates the timestomp technique by creating a temporary file and modifying the file’s timestamp with a Bash script

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002): This scenario executes the chmod command to change permissions on a specified file or directory.

3. Credential Access

Consists of techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping: Proc Filesystem (T1003.007): This scenario aims to extract passwords stored in the memory of running processes on a Linux system through the /proc file system.

4. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

File and Directory Discovery (T1083): This scenario executes the ls command to discover files and directories.

5. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

Remote Services: SSH (T1021.004): This scenario attempts to open a remote shell and execute commands on target computers using the Secure Shell (SSH) protocol.

6. Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

Remote Services: SSH (T1021.004): This scenario initiates an SSH connection to an external AttackIQ-hosted server.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment templates, AttackIQ recommends the following scenarios to extend the emulation of the capabilities exhibited in this advisory.

  • Password Brute Force: This scenario simulates a password brute-force attack on a specified machine to test the effectiveness of security controls against multiple failed login attempts.
  • DCSync Attack: The DCSync Attack scenario utilizes Mimikatz to simulate an advanced attack where an attacker impersonates a Domain Controller to request password data from a legitimate DC. This scenario must be run with a privileged domain user account (Administrators, Domain Admins, Enterprise Admins, or Domain Controller computer accounts).
  • Modify System Firewall: Enable Remote Desktop via Netsh: This scenario uses the netsh to create a new rule in the Windows System Firewall to allow Remote Desktop (port 3389/tcp) traffic into the targeted asset.
  • Kerberoasting: This scenario simulates a Kerberoasting attack to discover Service Principal Names (SPNs) assigned to user accounts and request their Ticket Granting Service (TGS) tickets.

Detection and Mitigation Opportunities

Given the vast number of techniques used during this red team assessment, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1546.001):

Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.

2a. Detection

Using a Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) Platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software makes modifications to the keys that allow programs to run after startup.

Process Name = reg.exe
Command Line CONTAINS (“ADD” AND “CurrentVersionRun”)

2b. Mitigation

MITRE ATT&CK does not have any direction mitigations as this is abusing legitimate Windows functionality. They recommend monitoring registry changes and process execution that may attempt to add these keys.

Wrap-up

In summary, these assessment templates will evaluate security and incident response processes and support the improvement of your security control posture against sophisticated threats.  With data generated from continuous testing and the use of these two assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against sophisticated nation-state actors.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.

The post Response to CISA Advisory (AA24-193A): CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth appeared first on AttackIQ.