2024-07-12
CISA Red Team SILENTSHIELD Assessment Report
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a report detailing a cybersecurity assessment of an unnamed US Federal Civilian Executive Branch (FCEB) agency. The SILENTSHIELD red-team assessment was conducted over an eight-month period, starting with a no-notice, long-term simulation of nation-state cyber operations and culminating in three months of collaboration with agency staff and technical personnel to address their cybersecurity posture.
Editor's Note
CISA is emulating the behavior of a nation-state attacker, to include attempting to exploit trust relationships with third parties. In this case, they not only compromised an unpatched Solaris web server, they also used phishing to obtain Windows credentials, elevated to an unsecured administrator account, obtained domain admin, and pivoted into their partner networks, while remaining undetected in the first phase. Lessons learned here include having sufficient monitoring and alerting to detect malicious activity, not having sufficient centralized logging and having better cohesion/communication between the defender teams. Read the report to identify areas where you could have similar risks.
Lee Neely
I haven't mentioned the Critical Security Controls in quite a while, but the one-line summary of this 29-page report is 'Focus on the Basic Hygiene levels of the Critical Security Controls first – without that foundation you can never stop even rudimentary attacks, let alone sophisticated ones.'
John Pescatore
Red Team exercises have been used for several decades, starting with the Defense Department. Most red team exercises are successful. They typically exploit missing patches or weak credential management. One takeaway is that while bugs listed in the known exploited vulnerability catalog help focus attention, federal agencies often have weeks to months to patch. That's well within the attack cycle of cyber criminals. Organizations must shorten their patch cycle.
Curtis Dukes
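To put the point about patch windows in concrete terms, here is an added example (not from the CISA report or the editors above) that measures how far each host's remediation falls past the catalog due date. The catalog entries and the asset inventory are constructed and only shaped like the cveID/dateAdded/dueDate fields of CISA's KEV feed; the CVE numbers are placeholders, not real catalog entries.

```python
from datetime import date

# Constructed sample, shaped like entries in CISA's KEV JSON feed
# ("cveID", "dateAdded", "dueDate"); the CVE IDs are placeholders.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01", "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-04-02", "dueDate": "2024-04-23"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-06-20", "dueDate": "2024-07-11"},
]

# Constructed inventory: hosts carrying a catalog-listed flaw and the date it
# was remediated (None = still open).
INVENTORY = [
    {"host": "web01", "cveID": "CVE-0000-0001", "patched_on": None},
    {"host": "dc01", "cveID": "CVE-0000-0002", "patched_on": "2024-05-30"},
    {"host": "app02", "cveID": "CVE-0000-0003", "patched_on": "2024-07-05"},
]


def _d(s):
    return date.fromisoformat(s)


def patch_lag_report(kev, inventory, today):
    """Classify each inventory row against the catalog dueDate.

    Returns dicts with 'host', 'cveID', 'status' and 'days_overdue': days past
    dueDate at remediation, or at `today` (ISO string) for still-open items;
    0 when the fix landed inside the window.
    """
    due_by = {e["cveID"]: _d(e["dueDate"]) for e in kev}
    rows = []
    for item in inventory:
        cve = item["cveID"]
        if cve not in due_by:
            continue  # not a catalog item; out of scope for this check
        fixed = item["patched_on"]
        ref = _d(fixed) if fixed else _d(today)
        overdue = max((ref - due_by[cve]).days, 0)
        if fixed:
            status = "patched_late" if overdue else "patched_on_time"
        else:
            status = "open_overdue" if overdue else "open_within_window"
        rows.append({"host": item["host"], "cveID": cve,
                     "status": status, "days_overdue": overdue})
    return rows


def overdue_hosts(rows):
    """Hosts that still have an open, past-due catalog item."""
    return sorted(r["host"] for r in rows if r["status"] == "open_overdue")


if __name__ == "__main__":
    for r in patch_lag_report(KEV_SAMPLE, INVENTORY, "2024-07-12"):
        print(r)
```

Run against the real feed, the same logic shows exactly which hosts sit weeks or months past the due date, which is the gap the note above describes.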
Zero days can be impactful. But given how many CVEs there are a year (are we over 40,000 yet?) N-Days are the real danger. Most companies do not realistically patch in any normal window of time. Why 'burn' a 0 Day when an N-Day is 'good enough?' The write-up is 'good enough' to understand how to run through a long-term engagement.