[CDP-development] CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

Masse, Theresa theresa.masse at cisa.dhs.gov
Tue Feb 28 07:17:39 PST 2023


FYSA



Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA) detailing tactics, techniques, and procedures (TTPs) and key findings from a 2022 Red Team assessment to provide network defenders of critical infrastructure organizations with proactive steps they can take to reduce the threat of similar activity from malicious cyber actors.



The advisory, titled CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a), highlights the importance for all organizations, regardless of their cybersecurity maturity level, of collecting and monitoring logs for unusual activity, as well as of continuous testing and exercises to ensure their environment is not vulnerable to compromise. During the assessment, CISA’s red team emulated cyber threat actors to assess the cyber detection and response capabilities of a large critical infrastructure organization with multiple geographically separated sites.



The CSA includes key findings the team found that contributed to persistent, undetected access across the organization’s sites:

  *   Insufficient host and network monitoring. Some of the higher risk activities conducted by the team that could have been detected include phishing, lateral movement reuse, and anomalous Lightweight Directory Access Protocol (LDAP).
  *   Lack of monitoring on endpoint management systems. Endpoint management systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
  *   Excessive permissions to standard users. This misconfiguration allowed the team to use the low-level access of a phished user to move laterally to an Unconstrained Delegation host and compromise a domain controller.

Some of the recommended actions in this CSA that can help all organizations harden their environment and protect against real-world malicious activity by cyber threat actors include:

  *   Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.
  *   Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.
  *   Enforce phishing-resistant MFA to the greatest extent possible.

The CSA provides other recommended actions and mitigations as well as more technical details that organizations should review.


Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
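Added here as an illustration, not part of the message above or of the CISA advisory: a PowerShell audit that lists hosts trusted for unconstrained delegation other than domain controllers, the configuration the third finding names as the lateral-movement target. It assumes the RSAT ActiveDirectory module and a domain-joined account with ordinary read access to the directory.

```powershell
# Added example (not from the advisory or this e-mail). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read computer objects in the domain.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationFindings {
    # userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION, i.e. unconstrained
    # delegation. The 1.2.840.113556.1.4.803 matching rule does a bitwise AND in the LDAP filter.
    $unconstrained = Get-ADComputer `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
        -Properties userAccountControl, operatingSystem, lastLogonTimestamp

    # Domain controllers carry this flag by design; any other host is a finding to review
    # (remove the flag, or move to constrained or resource-based constrained delegation).
    $dcNames = (Get-ADDomainController -Filter *).Name
    $unconstrained |
        Where-Object { $dcNames -notcontains $_.Name } |
        Select-Object Name, DNSHostName, operatingSystem,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime([Int64]$_.lastLogonTimestamp) } }
}

# Print the findings; an empty list means only domain controllers are trusted for delegation.
Get-UnconstrainedDelegationFindings | Format-Table -AutoSize
```

Hosts on this list deserve the same monitoring and restrictions the advisory recommends for endpoint management systems, since a compromise of any of them yields reusable credentials for the domain.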
