July 11, 2024

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

What we know so far

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment of a Federal Civilian Executive Branch (FCEB) organization. The exercise simulated nation-state cyber operations to evaluate the organization's security posture. The red team ran a no-notice, long-term simulation and worked with the organization's network defenders to improve their detection, response, and hunting capabilities.

During the first phase, the red team gained initial access by exploiting an unpatched web server in the organization's Solaris enclave. Lacking credentials, they initially could not move into the Windows network, but they succeeded through phishing. They then found unsecured administrator credentials, compromised the entire domain, and pivoted to an external organization by abusing trust relationships. The team remained undetected throughout this phase.

The assessment highlighted the need for defense-in-depth and diversified protection layers. The organization understood the full extent of the compromise only after analyzing host-based, internal network, external network, and authentication logs together. The findings also stressed the importance of behavior-based indicators of compromise (IOCs) over tool-specific ones.
