New guidelines to help network defenders improve their systems’ monitoring and hardening efforts have been published by the US Cybersecurity and Infrastructure Security Agency (CISA).
The recommendations stem from a red team assessment (RTA) CISA conducted in 2022 at the request of an unnamed, large critical infrastructure firm with several geographically separated buildings.
“The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs),” CISA wrote in a Tuesday advisory.
The Agency also explained that despite its robust cyber defenses, the organization did not detect the intrusion attempt at any point during the drill.
To aid firms in detecting similar attacks in the future, CISA is now releasing tactics, techniques, and procedures (TTPs) used by its red team during the assessment.
“This CSA [Cybersecurity Advisory] highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture,” reads the document.
According to the advisory, CISA's red team gained initial access to two of the organization's workstations at separate sites by leveraging Active Directory (AD) data. It then gained persistent access to a third host via spear-phishing emails.
“From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC),” reads the CSA.
“They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server.”
CISA said its red team used the root access to move laterally to SBS-connected workstations.
“However, a multi-factor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.”
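The advisory's point about collecting and monitoring logs for unusual activity maps directly onto the lateral movement described above: one set of forged credentials reaching many hosts across several sites in a short time is a pattern a defender can look for in authentication logs. The following is an added illustration, not code from CISA or from the advisory. It assumes a simplified, constructed log format (timestamp, account, source host, destination host, destination site, logon type) abstracted from Windows Security 4624 network-logon events; the account, host and site names are hypothetical, and the thresholds (4 hosts, 2 sites, 30 minutes) are illustrative starting points, not values from the advisory.

```python
"""Flag accounts whose network logons fan out across many hosts and sites in a short window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    account: str
    src_host: str
    dst_host: str
    dst_site: str
    logon_type: int  # 3 = network logon, following the Windows 4624 convention


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed, comma-separated log line into a LogonEvent."""
    ts, account, src, dst, site, ltype = [f.strip() for f in line.split(",")]
    return LogonEvent(datetime.fromisoformat(ts), account, src, dst, site, int(ltype))


# Constructed sample log (hypothetical accounts, hosts and sites; not data from the advisory).
# "admin-x" shows the fan-out pattern; "jdoe" and "svc-mdm" are ordinary activity.
SAMPLE_LOG = """\
2022-06-01T09:00:00, jdoe, WS-A01, FS-A01, siteA, 3
2022-06-01T09:05:00, jdoe, WS-A01, FS-A01, siteA, 3
2022-06-01T09:10:00, svc-mdm, MDM-01, WS-A02, siteA, 3
2022-06-01T13:00:00, svc-mdm, MDM-01, WS-B01, siteB, 3
2022-06-01T22:01:00, admin-x, WS-A07, DC-01, siteA, 3
2022-06-01T22:02:00, admin-x, WS-A07, FS-B02, siteB, 3
2022-06-01T22:03:00, admin-x, WS-A07, WS-B03, siteB, 3
2022-06-01T22:04:00, admin-x, WS-A07, WS-C01, siteC, 3
2022-06-01T22:05:00, admin-x, WS-A07, MDM-01, siteA, 3
"""


def fan_out_alerts(
    events: Iterable[LogonEvent],
    window: timedelta = timedelta(minutes=30),
    min_hosts: int = 4,
    min_sites: int = 2,
) -> Dict[str, Tuple[int, int]]:
    """Return {account: (distinct_hosts, distinct_sites)} for every account that,
    within some sliding `window`, logged on to at least `min_hosts` distinct hosts
    spanning at least `min_sites` distinct sites. Only network logons (type 3) count."""
    by_account = defaultdict(list)
    for e in events:
        if e.logon_type == 3:
            by_account[e.account].append(e)

    alerts: Dict[str, Tuple[int, int]] = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.when)
        # Slide a window starting at each event; collect what the account reached in it.
        for i, start in enumerate(evs):
            hosts, sites = set(), set()
            for e in evs[i:]:
                if e.when - start.when > window:
                    break
                hosts.add(e.dst_host)
                sites.add(e.dst_site)
            if len(hosts) >= min_hosts and len(sites) >= min_sites:
                prev = alerts.get(acct, (0, 0))
                alerts[acct] = (max(prev[0], len(hosts)), max(prev[1], len(sites)))
    return alerts


def run(log_text: str = SAMPLE_LOG) -> Dict[str, Tuple[int, int]]:
    """Parse the log text and return the fan-out alerts."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return fan_out_alerts(events)


if __name__ == "__main__":
    for acct, (hosts, sites) in run().items():
        print(f"ALERT {acct}: {hosts} hosts across {sites} sites within the window")
```

On the sample data only `admin-x` is flagged: five distinct destination hosts across three sites inside five minutes. The MDM service account is not, because its two logons are hours apart and stay under the host threshold. In practice the thresholds need tuning per environment (backup and management accounts legitimately touch many hosts), and a site label has to come from asset inventory rather than from the event itself; the point is that cross-site fan-out by a single identity is cheap to compute once the logs are centralized.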
More information about the TTPs used in this assessment is included in the advisory's original text. Its publication comes weeks after Pepsi Bottling Ventures disclosed a breach of one of its networks that resulted in the theft of employees' data.