CISA Alert AA23-059A – CISA red team shares key findings to improve monitoring and hardening of networks.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Five Nine Alpha.

Original release date: February 28, 2023.

In 2022, CISA conducted a red team assessment at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems. Multifactor authentication prompts prevented the team from achieving access to one sensitive system, and the team was unable to complete its viable plan to compromise a second sensitive system within the assessment period.

Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response.

CISA is releasing this advisory detailing the red team’s tactics, techniques, and procedures and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious actors. This advisory highlights the importance of collecting and monitoring logs for unusual activity, and continuous testing and exercises regardless of the maturity of your cyber posture.

The advisory documentation listed in the show notes includes additional technical details, TTPs, and a complete outline of the red team exercise with a MITRE ATT&CK mapping. CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this advisory to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.