In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team operation against an FCEB (Federal Civilian Executive Branch) organization. In July 2024, CISA released a cybersecurity advisory (CSA) detailing the results of this assessment, along with key findings relevant to the security of the organization’s network.
One of the interesting findings of this SILENTSHIELD assessment was the renewed importance placed on defense-in-depth strategies. This was determined after the FCEB organization failed to respond effectively to the network breach and lacked sufficient controls to log the simulated attack.
What took place during CISA’s SILENTSHIELD red team assessment?
Early last year, CISA’s red team conducted a SILENTSHIELD assessment of an FCEB organization, simulating a cyberattack to identify exploitable vulnerabilities. CISA summarized its assessment into two phases: adversary emulation and collaboration.
During the assessment, the red team successfully gained access to the organization’s connected networks and systems by exploiting a known vulnerability in an unpatched server. The team was then able to move laterally through the network and gain access to protected information.
Below is a summary of how the red team was able to achieve its goals.
Credential access, command and control and privilege escalation
The red team gained access through an exploit in the Solaris enclave, which allowed them to obtain the necessary credentials to access a privileged server account. This allowed them to progress further through the network.
The red team also used successful phishing campaigns to gain access to the organization’s Windows environment, allowing them to carry out additional post-exploitation activity.
Lateral movement and persistence
After gaining initial access, CISA’s red team moved laterally through the FCEB organization’s network by exploiting various trust relationships. They successfully created backdoors into the network to gain persistent access. Using reverse SSH tunnels, the team moved deeper into the organization’s systems and used a SOCKS proxy to progress further.
Pivoting to external trusted partners
The red team was able to pivot their simulated breach into external trusted partner organizations, allowing them to reach further protected assets. To facilitate this, the red team inspected the organization’s trust relationships through the Lightweight Directory Access Protocol (LDAP) and successfully identified relevant partnership connections, one of which gave them the access they needed to continue their breach.
Defense evasion techniques
During the assessment, CISA’s red team deployed several defense evasion techniques to avoid detection by the FCEB organization’s security tools. This included disguising their activity as legitimate software while modifying file access timestamps and permissions, in addition to using backdoors and C2 channels.
Approximately five months into the assessment, CISA notified the organization’s security operations center (SOC) of the simulated breach and worked directly with SOC leadership to address the issues found.
Four key findings of the simulated security breach
During the collaboration phase, CISA shared the following findings with the FCEB organization that highlighted the various elements that led to a successful breach of their systems:
1. Insufficient controls to prevent and detect malicious network activity
CISA discovered that the FCEB organization’s perimeter network wasn’t properly firewalled and was not using network segmentation to contain an attack. This allowed the red team to move freely in and out of the Solaris and Windows network domains. This was where the bulk of the information breach happened, with internal servers able to reach almost all other domain hosts.
The organization’s network address translation (NAT) was also poorly configured, which obscured data flows and hindered effective incident response.
2. Failure to effectively collect, retain and analyze network logs
Upon further review, the FCEB organization’s SOC lacked the information needed to detect the red team’s presence on its network because of problems with collecting, storing and processing network and system logs.
In some cases, critical data was captured but never properly analyzed because it had been moved to cold storage. The organization’s network defenders did identify certain network issues while looking for new forensic data. However, the affected servers could not be taken offline for further review because doing so would have impacted critical operations of the organization.
3. Poor internal communication between network defenders due to decentralized structure
Another challenge for the FCEB organization was that its technical staff was spread across decentralized teams. This led to a lack of communication and coordination when remediating security issues.
The SOC team could not rapidly update or deploy countermeasures with fractured IT teams and unclear lines of accountability.
4. Failed breach detection against new threat actor TTPs
While the FCEB organization successfully detected known threats, they weren’t prepared to face new tactics, techniques and procedures (TTPs) used by the red team.
Using a collection of modern breach tactics, the red team avoided detection and, by emulating an unfamiliar threat actor, completely sidestepped the organization’s countermeasures.
What are CISA’s recommended risk mitigation strategies for businesses based on this assessment?
Based on CISA’s findings from this recent threat assessment, it is clear that organizations need to make sure they’re implementing a defense-in-depth approach to their cybersecurity initiatives. This includes:
- Using defense-in-depth principles: All companies should adopt a more holistic strategy for cybersecurity, including firewalls, intrusion detection and prevention systems and the use of antivirus and antimalware tools.
- Applying robust network segmentation: Network segmentation is a proven safeguard that helps organizations isolate breaches in progress while significantly hindering an attacker’s ability to move laterally across connected networks and systems.
- Establishing baselines of network traffic, application execution and account authentication: IT administrators must proactively plan for malicious activity on their business networks. Benchmarking current network traffic patterns makes it easier to recognize anomalies that could point to malicious activity. It gives response teams the notice they need to address threats before they become a significant issue.
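A defender-side sketch of the baselining step above, added here as an example and not part of CISA’s advisory or IBM’s tooling: it learns normal (account, source host, destination host, protocol) combinations from a constructed training log, then flags new events that match patterns described in this assessment, such as a server that suddenly initiates SSH (as with reverse SSH tunnels) or an account appearing from a host it never used before. The log format, host names and account names are all constructed.

```python
from collections import defaultdict

# Constructed sample events (not from the CISA advisory): "timestamp,user,src,dst,proto"
BASELINE_LOG = """\
2023-01-02T08:01:00,jdoe,ws-101,fileserv-1,smb
2023-01-02T08:05:00,jdoe,ws-101,fileserv-1,smb
2023-01-02T09:00:00,svc_backup,backup-1,sol-db-1,ssh
2023-01-03T09:00:00,svc_backup,backup-1,sol-db-1,ssh
2023-01-03T10:12:00,asmith,ws-102,fileserv-1,smb
"""

# Constructed events from a later window, to be scored against the baseline
NEW_LOG = """\
2023-02-10T03:14:00,svc_backup,sol-db-1,ext-vps-9,ssh
2023-02-10T03:20:00,jdoe,ws-101,fileserv-1,smb
2023-02-10T03:25:00,adm_root,sol-db-1,dc-1,ldap
"""

def parse(log):
    """Yield one dict per CSV line; fields are constructed for this example."""
    for line in log.splitlines():
        ts, user, src, dst, proto = line.strip().split(",")
        yield {"ts": ts, "user": user, "src": src, "dst": dst, "proto": proto}

def build_baseline(log):
    """Record normal combinations, which hosts each account uses, and which
    hosts ever initiate SSH (a reverse tunnel shows up as a new SSH initiator)."""
    baseline = {"tuples": set(), "user_hosts": defaultdict(set), "ssh_initiators": set()}
    for ev in parse(log):
        baseline["tuples"].add((ev["user"], ev["src"], ev["dst"], ev["proto"]))
        baseline["user_hosts"][ev["user"]].add(ev["src"])
        if ev["proto"] == "ssh":
            baseline["ssh_initiators"].add(ev["src"])
    return baseline

def find_anomalies(baseline, log):
    """Return (ts, user, src, dst, reasons) for each event that deviates from the baseline."""
    findings = []
    for ev in parse(log):
        reasons = []
        if ev["src"] not in baseline["user_hosts"].get(ev["user"], set()):
            reasons.append("account used from unseen host")
        if ev["proto"] == "ssh" and ev["src"] not in baseline["ssh_initiators"]:
            reasons.append("host never initiated SSH before")
        if (ev["user"], ev["src"], ev["dst"], ev["proto"]) not in baseline["tuples"]:
            reasons.append("new user/src/dst/proto combination")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["src"], ev["dst"], "; ".join(reasons)))
    return findings
```

On the constructed input, the routine flags the Solaris database host initiating outbound SSH under a service account and an unknown admin account querying the domain controller over LDAP, while the routine file-share access goes unflagged.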
Make sure your business is prepared for a cyber breach
CISA’s recent SILENTSHIELD assessment is an example of how proactive planning can significantly benefit IT teams when it comes to ensuring their security protocols are hardened and ready to face modern cyber threats.
Business solutions like IBM X-Force Cyber Range can help organizations better prepare their defenses by providing immersive simulations designed to guide security teams in responding to and recovering from major cyber-related incidents. This helps businesses accurately assess their security posture while providing the tools and techniques they need to keep their organization secure.