CISA sees red over government cybersecurity exercise

The U.S. Cybersecurity and Infrastructure Security Agency said U.S. government organizations are falling short on their cybersecurity practices.

In a report issued this week, CISA outlined a 2023 red-teaming exercise in which its technicians attempted to break into the network of an unnamed civilian executive branch agency.

The pentest saw CISA agents use tactics similar to those of nation-state threat actors with the aim being a total compromise of the network and access to sensitive data. In short, the hackers were fully successful and CISA came away with some concerns about the fundamental security practices in use at the agency.

Among the more eye-opening findings of the test was the ease with which the attackers were able to gain their initial access into the agency’s network. By first exploiting a known vulnerability in Solaris, the hackers gained a foothold which could then be used in tandem with phished Windows credentials to gain full network access.

“The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization,” CISA noted in the report.

“The red team remained undetected by network defenders throughout the first phase.”

It gets even worse for the network defenders from there, as CISA said that its red team was also able to eavesdrop on the blue team’s communications and stay one step ahead of the countermeasures that were being used.

“While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server,” the report read.

“Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.”

While the findings will no doubt prove embarrassing for the agency on the receiving end of the operation, CISA said it came away with a number of key lessons learned and findings that could be applied to make other government agencies and their private sector partners better secured against nation-state attacks.

Among the recommendations in the report was to streamline the process of incident response and investigation to circumvent bureaucratic hang-ups. Administrators were also advised to avoid relying on methods such as known indicators of compromise and known C2 frameworks and domains.

Additionally, CISA recommended that agencies keep a closer eye on their network logs and make sure they have systems in place to efficiently collect and analyze log information in order to better understand the scope and extent of an attack.
