Today, CISA released an advisory detailing the results of a red team assessment (RTA) conducted at the request of an unnamed critical infrastructure organization. The advisory covers the red team's activity and tactics, techniques, and procedures (TTPs), the organization's network defense activity, and the lessons learned and key findings from the engagement.
In the assessment, the red team gained initial access through a web shell left behind from a third party's previous security assessment. From that foothold the team moved laterally through the network to fully compromise the organization's domain and several sensitive business system (SBS) targets.
CISA’s Lessons Learned from the Assessment:
- The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.
- The organization's staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to keep building their technical competency and institutional knowledge of their own systems, and management needs to provide them with sufficient resources to succeed in protecting their networks.
- The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified and, in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.
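Two of the points above meet in one practical check: the initial access came from a web shell left behind by an earlier assessment, and the organization had no network-layer detection to catch it being used. The following is an added example, not code from the advisory or from CISA, showing the kind of heuristic a defender can run over ordinary web server access logs to surface a web shell being operated. It assumes Apache/nginx combined log format; the log lines, the `/uploads/test.aspx` path, the IP addresses and the allowlist of known POST endpoints are all constructed for the example.

```python
import os
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not taken from the
# advisory). The last three lines model an operator driving a leftover web
# shell: repeated POSTs to one script, from one IP, with no Referer, sent by
# a scripting tool rather than a browser. The rest is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2024:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"
203.0.113.11 - - [10/Nov/2024:08:01:30 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"
203.0.113.12 - - [10/Nov/2024:08:02:03 +0000] "GET /assets/app.js HTTP/1.1" 200 9870 "https://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2024:08:05:41 +0000] "POST /uploads/test.aspx HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2024:08:05:44 +0000] "POST /uploads/test.aspx HTTP/1.1" 200 1311 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2024:08:05:52 +0000] "POST /uploads/test.aspx HTTP/1.1" 200 7725 "-" "python-requests/2.31"
"""

# Hypothetical allowlist of script paths that legitimately receive POSTs.
KNOWN_POST_ENDPOINTS = {"/login.php"}

# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".cfm"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict; None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text, known_post_endpoints, min_posts=3, max_ips=2):
    """Return script paths whose POST traffic looks like web shell operation.

    A path is flagged when it has a script extension, is not a known POST
    endpoint, receives at least min_posts POSTs, all of them without a Referer
    (tooling, not a browser form submit), from at most max_ips source IPs.
    """
    per_path = defaultdict(lambda: {"posts": 0, "no_referer": 0, "ips": set(), "uas": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]           # drop any query string
        if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS:
            continue
        if path in known_post_endpoints:
            continue
        stats = per_path[path]
        stats["posts"] += 1
        stats["ips"].add(rec["ip"])
        stats["uas"].add(rec["ua"])
        if rec["referer"] == "-":
            stats["no_referer"] += 1

    candidates = []
    for path, s in per_path.items():
        if s["posts"] >= min_posts and len(s["ips"]) <= max_ips and s["no_referer"] == s["posts"]:
            candidates.append({
                "path": path,
                "posts": s["posts"],
                "ips": sorted(s["ips"]),
                "user_agents": sorted(s["uas"]),
            })
    return sorted(candidates, key=lambda c: -c["posts"])


if __name__ == "__main__":
    for c in find_webshell_candidates(SAMPLE_LOG, KNOWN_POST_ENDPOINTS):
        print(f"{c['path']}: {c['posts']} POSTs from {c['ips']} via {c['user_agents']}")
```

This is a triage heuristic, not a control: a legitimate API endpoint driven by a scripted client will look the same, so the allowlist matters, and a shell that is used once will never cross the threshold. It complements, rather than replaces, file-integrity monitoring of the web root and an explicit cleanup step after any third-party assessment that confirms every file the assessors dropped has been removed.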
CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of the advisory to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity. Access the full report at CISA.