The results of the Risk and Vulnerability Assessments (RVAs) done by the US Cybersecurity and Infrastructure Security Agency (CISA) in fiscal year 2020 have been released, highlighting some of the security flaws that affect government and critical infrastructure businesses.
The RVAs, which were designed to assess how effectively Federal Civilian Executive Branch (FCEB), Critical Infrastructure (CI), and State, Local, Tribal, and Territorial (SLTT) stakeholders identify and resolve network vulnerabilities, revealed that phishing links were the most successful technique for initial access.
CISA conducted 37 RVAs, using the MITRE ATT&CK framework to better identify risks and to help organisations address the vulnerabilities that threat actors could use in live attacks to bypass network security controls.
CISA specifies a six-step attack method in a paper released last week, including initial access, command and control (C&C), lateral movement, privilege escalation, collection, and exfiltration. These procedures are loosely based on threat actors’ ATT&CK tactics.
“Not all attack vectors follow this model, and this approach does not cover all possible steps taken by malevolent actors. These phases, on the other hand, serve to highlight some of the more successful attack techniques utilised during RVAs, as well as the effects these strategies have had on a target network,” according to CISA.
In its analysis, CISA found that phishing links were utilised successfully for initial access in 49 percent of attacks, web protocols were used for command and control in 42 percent of RVAs, and pass the hash was used for lateral movement in around 30 percent of attacks (followed by RDP in 25 percent of incidents). Valid accounts were utilised for privilege escalation in 37.5 percent of “attacks.”
Data was mostly gathered from local systems (32 percent of attacks) and exfiltrated via the C&C channel (in 68 percent of cases). Phishing attachments, exploitation of web-facing programmes, credential dumping, account discovery, WMI, Mshta, and the usage of archives for data exfiltration were all successful in numerous cases.
The FY20 RVA report from CISA also includes recommendations for improving overall security posture, such as application whitelisting, disabling macros, identifying and addressing vulnerabilities in public-facing and internal applications, implementing strong email security, reviewing user and application privilege levels, using proxies, monitoring network traffic, and taking measures to counter phishing attacks.
“Several high-level findings were identified after conducting trend analysis on the 37 RVA reports completed by CISA. Phishing and the use of default credentials were still feasible methods of attack. This demonstrates that the methods used to breach much of our infrastructure have remained mostly the same over time. As a result, network defenders must target their efforts on deploying the plethora of known-to-be-effective mitigation measures,” according to CISA.