Connect with us

Hi, what are you looking for?



CISA Releases Analysis of 2020 Risk and Vulnerability Assessments

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published the results of the Risk and Vulnerability Assessments (RVAs) it conducted in fiscal year 2020, revealing some of the security weaknesses that impact government and critical infrastructure organizations.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published the results of the Risk and Vulnerability Assessments (RVAs) it conducted in fiscal year 2020, revealing some of the security weaknesses that impact government and critical infrastructure organizations.

Designed to assess the effectiveness of Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders in identifying and resolving network vulnerabilities, the RVAs revealed that phishing links were the most successful technique for initial access.

CISA conducted a total of 37 RVAs, leveraging the MITRE ATT&CK framework to provide a better understanding of risks and help organizations remediate weaknesses that threat actors might abuse in live attacks to compromise network security controls.

In a report published last week, CISA details an attack path comprising six successive steps, namely initial access, command and control (C&C), lateral movement, privilege escalation, collection, and exfiltration. These steps are based loosely on the ATT&CK methods used by threat actors.

“This path is not all-encompassing of the potential steps used by malicious actors and not all attack paths follow this model. However, these steps serve to highlight some of the more successful attack strategies used during RVAs and the impacts these strategies have had on a target network,” CISA says.

In its assessments, CISA successfully used phishing links for initial access in 49% of the attacks, web protocols were employed for command and control in 42% of RVAs, while pass the hash was used for lateral movement in roughly 30% of attacks (followed by RDP in 25% of incidents). In 37.5% of “attacks,” valid accounts were used for privilege escalation.

Data was mainly collected from the local system (in 32% of attacks), and was exfiltrated using the C&C channel (in 68% of cases). Other attack techniques that were successful in many cases included phishing attachments, exploitation of web-facing applications, credential dumping, account discovery, WMI, Mshta, and the use of archives for data exfiltration.

CISA’s FY20 RVA report also includes recommendations that organizations can use to improve their overall security posture, such as application whitelisting, disabling macros, identifying and addressing vulnerabilities in public-facing and internal applications, implementing strong email security, reviewing user and application privilege levels, using proxies, monitoring network traffic, disabling unused remote services, keeping software updated at all times, and preventing the storing of credentials in applications.

Advertisement. Scroll to continue reading.

“After conducting trend analysis on the 37 RVA reports executed by CISA, several high-level observations were identified. Methods such as phishing and the use of default credentials were still viable attacks. This shows that the methodologies used to compromise much of our infrastructure have not changed drastically over time. As a result, network defenders must refocus their efforts at deploying the myriad of mitigation steps already known to be effective,” CISA notes.

Organizations can contact CISA for a Risk and Vulnerability Assessment.

Related: CISA Adds Ransomware Module to Cyber Security Evaluation Tool

Related: CISA Issues MITRE ATT&CK Mapping Guide for Threat Intelligence Analysts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem