The US Cybersecurity and Infrastructure Security Agency (CISA) shared new guidelines to help security teams improve their organizations’ cybersecurity posture.
The lengthy advisory describes CISA’s Red Team assessment of an unnamed large critical infrastructure organization with multiple geographically separated sites, and details key findings, as well as the tactics, techniques, and procedures (TTPs) used by the team.
As per the advisory, the CISA Red Team obtained persistent access to the organization’s network, moved laterally across multiple geographically separated sites, and gained access to systems adjacent to the organization’s sensitive business systems (SBS).
“Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response,” the agency noted.
The team gained initial access to two organization workstations at separate sites leveraging Active Directory (AD) data. It then gained persistent access to a third host via spear phishing emails.
Next, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used fake credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server. The team then used this root access to move laterally to SBS-connected workstations.
CISA’s advisory provides mitigations that organizations are recommended to implement to reduce the risk of similar attacks in the future.