Summary:
The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment to evaluate the cybersecurity capabilities of a critical infrastructure organization. The assessment revealed significant vulnerabilities, including insufficient technical controls and inadequate staff training. Recommendations for improvement were provided to enhance the organization’s cybersecurity posture and mitigate risks.
Key points:
CISA conducted a red team assessment to simulate real-world cyber threats.
The red team gained initial access through a web shell left by a previous assessment.
Insufficient technical controls allowed the red team to compromise the organization’s domain and sensitive business systems.
Lessons learned emphasized the need for continuous staff training and better risk management by leadership.
Recommendations included implementing network layer protections and secure software configurations.
MITRE Techniques:
Initial Access (TA0001): Gained access via a web shell left from a previous security assessment.
Reconnaissance (T1590): Conducted open-source research on the organization’s network.
Execution (T1204): Relied on user execution to run malicious payloads.
Credential Access (T1552.001): Discovered credential material on a misconfigured Network File System (NFS) share.
Persistence (TA0003): Established persistence through various techniques on compromised systems.
Lateral Movement (T1021.004): Moved laterally using valid accounts and SSH private keys.
Command and Control (T1071): Established command and control over HTTPS connections.
Exfiltration (T1048): Exfiltrated data over an alternative protocol.
IoC:
[domain] example.com
[url] http://example.com/path/to/webshell
[ip address] 192[.]0[.]2[.]1
[file name] malicious_payload.exe
[file hash] 123456abcdef7890
[tool name] Sliver
Full Research: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a