Cybersecurity agency shares the lessons learned from a red team assessment of a critical infrastructure organization.
The US Cybersecurity and Infrastructure Security Agency (CISA) has detailed how, during a cybersecurity red team assessment, it was able to gain access to the network a large critical infrastructure organization — and how the lessons learned can help others to toughen up their network security
The red team exercise against the network of the unnamed “large critical infrastructure organization” came after the organization requested it from CISA to test its cybersecurity posture.
A red team is a group of cybersecurity experts who are tasked with thinking like malicious cyber attackers, using offensive hacking techniques to probe network defenses and test how the defenders — the blue team — will react, then report back on what happened so that the client who requested the red team exercise can improve their cybersecurity.
According to CISA’s analysis of the test, there were 13 occasions where the red team acted in a way which was designed to provoke a response from the people, processes, and technology defending the organization’s network.
But many of these potentially malicious actions weren’t detected.
“The CISA red team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems,” said CISA.
Like many cyber-attacks, this red team exercise started with phishing attacks, sending specifically targeted email lures to employees across several of the organization’s geographical locations.
The red team achieved this by using open-source research to find potential targets for spear-phishing attacks, along with their email addresses, then using accounts set up on commercially available email platforms to send tailored spear-phishing emails to seven potential targets.
But these phishing emails didn’t just start with sending a malicious link out of the blue — the CISA red teamers managed to build up rapport and trust with some of the targets over several emails before asking them to accept an invite to a virtual meeting.
This invite took the victims to a domain controlled by the red team, executing a malicious payload which provided the red team attackers with access. Two victims fell for the phishing attacks, providing the red team with access to workstations at two different sites.
Leveraging this access, the red team examined SharePoint files to identify which users had administrative access. Then they used this information to launch a second phishing campaign against these users. One of them fell victim to it, providing the red team with access to their workstation and their administrator privileges.
Using this additional access, the attackers moved around the network, gathering more usernames and passwords and greater persistence on the network, compromising additional workstations with administration access, including servers.
Now the red team had what CISA describes as “persistent, deep access established across the organization’s networks and subnetworks” which allowed them to access a password manager used by employees, gather plaintext credentials in databases, access backup servers and even gain access to what’s detailed as “systems adjacent to the organization’s sensitive business systems.”
While the red team test exposed several security weaknesses in the network, according to CISA, there are also positives to take away from the exercise — including the fact that the organization ordered a red test exercise and is investing hardening their network based on findings.
Other positives include how the red team had to revert to phishing emails because they were unable to discover any easily exploitable services, ports, or web interfaces from more than three million external in-scope IPs. Also, passwords were strong, preventing the red teamers from being able to crack any with brute-force attacks.
The organization also had multi-factor authentication (MFA) in place to prevent access to sensitive business systems, blocking the red team from using stolen credentials to access them.
CISA has made several recommendations to the organization over improving cybersecurity — and these recommendations are also useful for others who want to strengthen their network defenses.
Among these recommendations are:
- Establish a security baseline of what’s normal network activity, so potentially anomalous or malicious behavior can be detected before an intruder gains additional access to the network.
- Conduct regular assessments of the network to ensure the security procedures are working and can easily be followed by both information security staff and end users.
- Use phishing-resistant multi-factor authentication to the greatest extent possible in order to prevent attackers from being automatically accessing accounts for which they’ve stolen passwords.