Enhancing Cyber Resilience: In... Note

Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment for a critical infrastructure organization in the United States. The assessment involved simulating real-world malicious cyber operations to evaluate the organization's cybersecurity detection and response capabilities. The red team used a web shell left from a previous security assessment to gain initial access to the network. They escalated privileges on the host, discovered credential material on a misconfigured Network File System (NFS) share, and moved from the DMZ to the internal network. The team exploited a certificate for client authentication to compromise a system configured for Unconstrained Delegation, allowing them to acquire a ticket granting ticket (TGT) for a domain controller. This led to the compromise of the domain and several sensitive business systems (SBSs). The organization detected much of the red team's activity in their Linux infrastructure after being alerted by CISA. Network defenders mitigated the vulnerability and initiated threat hunting activities, detecting some of the red team's activity. However, they failed to act promptly on the malicious network traffic through their DMZ or challenge much of the red team's presence in the organization's Windows environment. The red team was able to compromise the domain and SBSs due to insufficient controls to detect and respond to their activities.