The United States Cybersecurity and Infrastructure Security Agency (CISA) has published the results of the Risk and Vulnerability Assessments (RVAs) it conducted in fiscal year 2020, revealing some of the security weaknesses that impact government and critical infrastructure organizations.
Designed to assess the effectiveness of Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders in identifying and resolving network vulnerabilities, the RVAs revealed that phishing links were the most successful technique for initial access.
CISA conducted a total of 37 RVAs, leveraging the MITRE ATT&CK framework to provide a better understanding of risks and help organizations remediate weaknesses that threat actors might abuse in live attacks to compromise network security controls.
In a report published last week, CISA details an attack path comprising six successive steps, namely initial access, command and control (C&C), lateral movement, privilege escalation, collection, and exfiltration. These steps are based loosely on the ATT&CK methods used by threat actors.
“This path is not all-encompassing of the potential steps used by malicious actors and not all attack paths follow this model. However, these steps serve to highlight some of the more successful attack strategies used during RVAs and the impacts these strategies have had on a target network,” CISA says.
In its assessments, CISA successfully used phishing links for initial access in 49% of the attacks; web protocols were employed for command and control in 42% of RVAs; and pass-the-hash was used for lateral movement in roughly 30% of attacks (followed by RDP in 25% of incidents). In 37.5% of “attacks,” valid accounts were used for privilege escalation.
Data was mainly collected from the local system (in 32% of attacks), and was exfiltrated using the C&C channel (in 68% of cases). Other attack techniques that were successful in many cases included phishing attachments, exploitation of web-facing applications, credential dumping, account discovery, WMI, Mshta, and the use of archives for data exfiltration.
CISA’s FY20 RVA report also includes recommendations that organizations can use to improve their overall security posture, such as application whitelisting, disabling macros, identifying and addressing vulnerabilities in public-facing and internal applications, implementing strong email security, reviewing user and application privilege levels, using proxies, monitoring network traffic, disabling unused remote services, keeping software updated at all times, and preventing the storing of credentials in applications.
“After conducting trend analysis on the 37 RVA reports executed by CISA, several high-level observations were identified. Methods such as phishing and the use of default credentials were still viable attacks. This shows that the methodologies used to compromise much of our infrastructure have not changed drastically over time. As a result, network defenders must refocus their efforts at deploying the myriad of mitigation steps already known to be effective,” CISA notes.
Organizations can contact CISA for a Risk and Vulnerability Assessment.