Exploiting Public-Facing Applications:
The red team exploited an unpatched web server vulnerability (CVE-2022-21587) in the Solaris enclave for initial access. Organizations must prioritize timely patching and continuous monitoring of public-facing applications.
Spear Phishing:
They used phishing to gain access to the Windows environment. Robust email filtering, user training, and multi-factor authentication (MFA) are crucial to reducing the risk of phishing attacks.
Masquerading:
The red team used masquerading to evade detection, blending their activity with legitimate user activity. Advanced endpoint detection and response (EDR) solutions are necessary to identify suspicious behavior and anomalies.
Timestomping:
They employed timestomping to manipulate file timestamps and avoid detection. This technique requires vigilant monitoring of file attributes and changes.
Binary Path Hijacking:
The team utilized binary path hijacking to blend their actions with legitimate processes. This technique underscores the need for comprehensive application allowlisting and monitoring of execution paths.
Token Creation and Credential Stuffing:
They created tokens and used credential stuffing for lateral movement. Strong password policies, regular credential audits, and monitoring for unusual authentication patterns are essential to mitigate these risks.
Task Creation for Persistence:
The red team used scheduled tasks for persistence. Organizations should enforce strict access controls, regularly review scheduled tasks, and employ monitoring solutions to detect unauthorized task creation.
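One way to turn the "detect unauthorized task creation" recommendation into a behaviour-based check, as an added example that is not part of the original assessment: it scores Windows Security Event ID 4698 ("A scheduled task was created") records by what the task does (binary location, run level, registering account, name that mimics a built-in Microsoft task folder) rather than by any tool-specific indicator. The two event records, the trusted-path prefixes and the set of accounts allowed to register tasks are constructed for the example and stand in for an organisation's own baseline.

```python
import re
from typing import Dict, List

# Constructed sample: two Event ID 4698 records reduced to the fields a SIEM
# would normalise (SubjectUserName, TaskName, TaskContent holding the task XML).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\Backup\\NightlyBackup",
     "TaskContent": "<Task><Principals><Principal><UserId>svc_backup</UserId>"
                    "<RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Actions><Exec>"
                    "<Command>C:\\Program Files\\Backup\\backup.exe</Command>"
                    "<Arguments>/full</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Microsoft\\Windows\\Update\\WinUpdate",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId>"
                    "<RunLevel>HighestAvailable</RunLevel></Principal></Principals><Actions><Exec>"
                    "<Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe</Command>"
                    "<Arguments>-k netsvcs</Arguments></Exec></Actions></Task>"},
]

# Assumed baseline: where legitimately installed task binaries live, and which
# accounts are expected to register tasks at all.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\program files (x86)", "c:\\windows\\system32")
TASK_ADMINS = {"svc_backup", "administrator"}

def _tag(xml: str, tag: str) -> str:
    """Pull the text of the first <tag>...</tag> element out of the task XML."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", xml, re.S)
    return m.group(1).strip() if m else ""

def score_task_event(event: Dict) -> List[str]:
    """Return behavioural findings for one 4698 event; an empty list means no concern."""
    findings = []
    xml = event["TaskContent"]
    command = _tag(xml, "Command").lower()
    if command and not command.startswith(TRUSTED_PREFIXES):
        findings.append(f"command outside trusted paths: {command}")
    if _tag(xml, "RunLevel") == "HighestAvailable" or _tag(xml, "UserId") == "S-1-5-18":
        findings.append("task runs elevated or as SYSTEM")
    if event["SubjectUserName"].lower() not in TASK_ADMINS:
        findings.append(f"created by non-admin account {event['SubjectUserName']}")
    # A task named like a built-in Microsoft task but pointing outside \Windows\ is masquerading.
    if event["TaskName"].lower().startswith("\\microsoft\\") and command and "\\windows\\" not in command:
        findings.append("Microsoft-style task name but binary outside the Windows directory")
    return findings

def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each task-creation event's TaskName to its findings."""
    return {e["TaskName"]: score_task_event(e) for e in events if e["EventID"] == 4698}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(name, "->", hits or "no findings")
```

In production the same scoring would run over a feed of 4698 events and any task hitting two or more findings would be raised for review, independent of which tooling created it.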
Comprehensive Logging and Monitoring:
The assessment highlighted the need for comprehensive logging and monitoring across all network segments, including host-based logs, network traffic analysis, and authentication logs, to provide a complete view of potential threats.
Behavior-Based Detections:
Behavior-based detections proved more effective than tool-specific IOCs. Organizations should focus on identifying abnormal behaviors and patterns that indicate malicious activity, regardless of the specific tools used by attackers.
Incomplete Log Data Capture:
The team's activities were further obscured due to incomplete log data capture, which missed indicators of attack (IoAs). Ensuring complete and thorough logging practices can help analysts detect subtle artifacts of malicious tradecraft.

In summary, the SILENTSHIELD assessment emphasizes the necessity of a multi-layered defense strategy. This includes advanced detection capabilities, proactive threat hunting, and continuous improvement of security measures to effectively counter sophisticated cyber threats.