A comprehensive Red Team Assessment (RTA) was conducted recently by the Cybersecurity and Infrastructure Security Agency (CISA) on a critical infrastructure organization in the United States.
This assessment, which spanned approximately three months, aimed to evaluate the organization’s cybersecurity detection and response capabilities by simulating real-world threat actors.
The CISA red team operated without prior knowledge of the organization’s technology assets and began by conducting open-source research on the target organization.
The red team's initial spearphishing attempts were unsuccessful, but it eventually gained access through a web shell left over from a previous Vulnerability Disclosure Program (VDP).
Technical Analysis
Phase I: Red Team Cyber Threat Activity
Initial Access
The red team exploited an internet-facing Linux web server after unsuccessful spearphishing attempts. They discovered a preexisting web shell on the organization’s Linux web server, allowing them to run arbitrary commands.
Linux Infrastructure Compromise
The team escalated privileges on the web server and discovered an NFS share exported with no_root_squash enabled, which let a root user on a client keep root privileges on the share and exposed sensitive data across all user files.
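As an added defender-side example (not from the CISA report or this article), the Python audit below parses an /etc/exports file and flags every share exported with no_root_squash; the sample exports content is constructed and shows the weak /srv/home line beside its corrected form.

```python
"""Audit /etc/exports for NFS shares that disable root squashing."""
from typing import Dict, List

# Constructed sample /etc/exports (not from the assessment). Line 2 is the
# weak form; line 3 is the corrected form of the same export.
SAMPLE_EXPORTS = """\
# /etc/exports -- constructed sample
/srv/home     10.0.0.0/24(rw,sync,no_root_squash)
/srv/home     10.0.0.0/24(rw,sync,root_squash)
/srv/public   *(ro,sync)
/srv/backup   backup01(rw,no_subtree_check) 192.168.1.10(rw,no_root_squash)
"""

def parse_exports(text: str) -> List[Dict[str, object]]:
    """Return one record per (path, client) pair with its option set."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            # Token is "client(opt,opt)" or a bare "client"; a bare client
            # gets exportfs defaults, which already include root_squash.
            host, _, opts = token.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            records.append({"line": lineno, "path": path,
                            "client": host, "options": options})
    return records

def audit_exports(text: str) -> List[Dict[str, object]]:
    """Flag exports where client uid 0 is trusted as root on the server."""
    findings = []
    for rec in parse_exports(text):
        opts = rec["options"]
        if "no_root_squash" in opts:
            findings.append({
                "line": rec["line"], "path": rec["path"], "client": rec["client"],
                "severity": "high" if "rw" in opts else "medium",
                "issue": "no_root_squash: a root user on the client keeps uid 0 on the share",
                "fix": "use root_squash (the default) or all_squash",
            })
    return findings

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"line {f['line']}: {f['path']} -> {f['client']} "
              f"[{f['severity']}] {f['issue']}; fix: {f['fix']}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; a writable share flagged high is the configuration this assessment exploited.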
Windows Domain Controller Compromise
Approximately two weeks after initial access, the red team compromised a Windows domain controller, allowing lateral movement to all domain-joined Windows hosts.
Post-Exploitation Activity
The team gained access to various Sensitive But Unclassified (SBS) systems, including admin workstations and critical infrastructure administrator workstations.
Command and Control
The red team used third-party owned and operated infrastructure and services throughout the assessment, including Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks.
Defense Evasion and Victim Network Defense Activities
The red team employed various techniques to evade detection, such as reordering process identifiers and modifying processes. Network defenders identified some of the team's presence in the Linux environment but largely failed to detect its activity in the Windows environment.
Phase II: Measurable Events
The red team executed 13 measurable events designed to provoke a response from the organization’s defenses. These events included internal port scans, Active Directory enumeration, data exfiltration attempts, and malicious traffic generation.
This assessment underscores the importance of continuous improvement in cybersecurity practices for critical infrastructure organizations.
By addressing the vulnerabilities and detection gaps identified in this red team exercise, organizations can better protect themselves against real-world cyber threats.