CISA FY23 Risk and Vulnerability Assessments

Written By Matt Shafner

CISA recently released their FY 2023 Risk and Vulnerability Assessment (RVAs) findings. In this blog we will unpack the results and see what actionable steps you can take from the insights provided.

Introduction

Every year, the federal Cybersecurity and Infrastructure Agency (CISA) conducts Risk and Vulnerability Assessments (RVAs) for the executive branch, high priority critical infrastructure operators and select state/local stakeholders. In FY2023, CISA and the United States Coast Guard conducted 143 RVAs across multiple sectors. The RVA is intended to assess an entity’s network defenses against known threats and map results of the assessment to MITRE’s ATT&CK framework.

In September, CISA released a publication of the aggregate findings from their engagements over the time period. Within the findings, CISA mapped the most successful tactic in 11 of the 14 MITRE categories to help inform public and private companies of how to prioritize security controls in their environment. While CISA does spell out mitigation techniques using their Cybersecurity Performance Goals, like a typical government operation, they did a great job identifying the issues but didn’t show a clear plan to fix it [Just kidding, we love you CISA].

In this blog, we will walk through findings from each tactic and provide real-world recommendations for how to mitigate risk in your organization.

Initial Access

Initial Access is the technique category which covers how an attacker gains a foothold within your environment. Based on the FY23 RVAs performed by CISA, it is clear that identities are under attack with Valid Accounts, Spearphishing, and Password Cracking making up the top 77% of successful tactics. Luckily since these issues all involve protecting identities and credentials, a lot can be mitigated by the same types of controls. Phishing resistant MFA is clearly the best control to implement across the board to mitigate the chances of compromised identities. While OTP MFA can be a good first step, it really isn’t enough to secure your user accounts (see why here). Implementing hardware passkeys like FIDO2 tokens can really go a long way in mitigating the top threats we are seeing from attackers to gain initial access.

Aside from passkey-based MFA, ensuring you are keeping proper identity hygiene is paramount to avoiding some major Initial Access pitfalls. Quick tips:

  • Ensure all default vendor passwords are changed across your environment. While not a silver bullet, a vulnerability scanner can help you identify these forgotten and easily guessable accounts (let Helios help).

  • Monitor your accounts in 3rd party breach data. If your users are using the same password for Netflix as they do your corporate infrastructure, you are gonna have a bad time.

  • Ensure you are leveraging least privilege for your identities to attempt to reduce the level of permission an attacker may obtain through initial access. Where possible, reduce the amount of users who have local admin on their workstations.

  • Ensure password length is sufficient based on your risk posture. This makes password cracking much more difficult. You can use fine grained password policies to make the requirements for your privileged users higher (e.g. 15+ characters) than you would for your custodial staff.

Bcrypt password crack times based on complexity - www.hivesystems.com/password

Execution

Execution consists of a technique which allows an attacker to run their malicious code on one of your systems. As you can see, there isn’t really one predominant technique that is standing out because there are so many ways an attacker can execute code on your system once they have initial access. I am going to be frank, you are going to be relying on your tools a lot to prevent attacker execution. Make sure you are keeping up with industry-leading endpoint detection and response (EDR) software and make sure it is widely deployed in your infrastructure. Apart from that, a few tips:

  • Make sure that you disable macros in your Microsoft Office configurations. Execution of office document macros is a technique as old as time but still works.

  • Restrict the use of Powershell and WinRM. You can restrict remote WinRM use to only specific IT management system IPs to reduce the risk. With Powershell, make sure you are enforcing code signing through group policy and configure GPO to restrict use to only administrators.

Persistence

Persistence consists of any technique in which an attacker may use to keep access through system reboots, credential changes, partial malware removal or any other interruptions that may cut off their access. The CISA assessments team are saying that Valid Accounts was the most successful technique by far. However, we don’t think that properly illustrates the mechanisms for persistence. While valid accounts may be part of a persistence mechanism, it is really is only one piece of the puzzle. Some of the most notorious persistence mechanisms are things like scheduled tasks, startup scripts or services, or even creation of accounts so the attacker can pick up right where they left off.

When it comes to detection and prevention, your EDR should be doing a lot of the heavy lifting but attackers can (and will) find a way around this control. Maintaining a sufficient logging infrastructure with a SIEM will help you identify these persistence mechanisms during your investigation so you can ensure that you completely eliminate the threat actor’s presence. Persistence mechanisms can be difficult to identify because they are often using the built-in functionality of the operating system to continuously reestablish the attacker’s control in your network. If you think that one of your systems has executed attacker code, strongly consider network isolating the system and restoring from backup.

Privilege Escalation

Privilege Escalation consists of any technique in which an attacker increases the level of permission they have on the target resource. This generally means the attacker has compromised a general user account and uses a technique to gain admin or other privileged user permissions. While the assessment team heavily relied on Valid Accounts again, two new techniques are prominently making up 26% of their success, Process Injection and Exploitation for Privilege Escalation.

The technical details of Process Injection can get a little messy, however, most commonly this involves an attacker directly writing their code into the running memory location of a privileged process. This can often be done using Microsoft Windows built in APIs. Again, your endpoint protection software is going to be your best defense against this type of attack.

Exploitation for Privilege Escalation involves leveraging a vulnerability in a software (usually the operating system) to increase the attacker’s level of permission on the system. The best defense for this technique is to have a robust patching and vulnerability management program. Contact us to see how our Vulnerability Assessment+ engagement can help you identify issues in a prioritized and digestible format.

Defense Evasion

Defense Evasion consists of any technique in which an attacker attempts to bypass security controls whether they be preventative or detective. This may be as overt as attempting to uninstall or disable the system anti-virus or as exotic as injecting malicious DLLs into typically good processes. MITRE currently classifies 43 different defense evasion techniques and numerous more sub-techniques making this a very difficult category to action from a blue team perspective. This wide scope of techniques is echoed in the CISA data as no one technique type was dominant in their engagements.

That being said, unfortunately your effectiveness of deterring defense evasion is going to heavily rely on your EDR and other detection tools. Our advice would be that you are investing in one of the top EDR platforms and making sure you are configuring it with Tamper Protection. Depending on your endpoint protection vendor, this will ensure that your EDR agent cannot be uninstalled or disabled even by local administrators unless specific conditions are met (e.g. Uninstall token).

Credential Access

Credential Access is a technique defined by MITRE as stealing credentials like passwords or account names. In CISAs analysis, the most successful technique in this category was use of LLMNR and NBT-NS poisoning and Relaying. LLMNR (Link-local multicast name resolution) and NBT-NS (NetBIOS name service) are name resolution mechanisms which allow endpoints to resolve hosts on the local network. LLMNR and NBT-NS broadcast hostname queries on the local network in hopes that the host they are trying to identify responds letting them know their IP. If an attacker is on the same local network, they can respond to any hostname request masquerading as the target. This usually results in the source host sending traffic intended for another host to the attacker’s host, establishing a man-in-the-middle (MITM) condition. Depending on the authentication protocol in use, this can allow the attacker to intercept credentials or otherwise forward the credential data to another host to authenticate. Typically, LLMNR and NBT-NS are not required in most environments that have proper DNS configurations, however they are enabled by default for out of the box functionality. Since these protocols are enabled by default, it is a go-to for attackers to exploit and there are many different tools that make this easy for the attacker (e.g. Responder).

What confounds the issue is that most vulnerability scanners will not identify this as a problem since the services may be needed in some cases. For instance, Tenable only marks LLMNR detection as an ‘INFO’ severity plugin. This is one example that underscores the need for experienced practitioners to run and analyze the output from your scans (contact us).

Lateral Movement

Lateral Movement is defined by techniques that adversaries use to pivot to new hosts within your network after gaining a foothold. The top successful technique used in CISA’s engagements is Pass the Hash. This is a great segue after talking about the LLMNR poisoning in the last section to gain MITM. Often, after an attacker gains MITM, they may be in a position to intercept a NTLM password hash which they can then forward on to another host to successfully authenticate (without ever determining the cleartext password). Some zealous security folks may say that you need to stop using NTLM hashes all together and only use Kerberos only which is more secure. However, we live in the real world and frankly it is very very difficult (borderline infeasible) to disable NTLM authentication all together. We would suggest that you make effort to disable legacy versions of NTLM and only allow NTLMv2. In the end, preventing the MITM condition is likely your best return on investment. However, consider that there are many techniques at multiple layers of the OSI model which can be leveraged to achieve MITM.

A more wholistic approach to mitigating lateral movement is to segment your network with proper VLANs and firewalling. Make sure that you only allow business justified traffic between VLANs especially from low trust to sensitive networks. Your user network segments should be firewalled away from your server assets except for the specific IP/port combinations that are required for your business to run. Even within your data center there should be internal firewalls which protect sensitive networks like database or IT management servers. Flat networks with no segmentation significantly increase the likelihood that a simple errant email click can turn into an organization wide ransomware incident.

Collection

Collection refers to the technique which an attacker employs to harvest sensitive internal data. Approximately ~70% of the successful techniques leveraged by the CISA assessments group were simply accessing data on a network drive or the local system. Not shockingly, after an attacker compromises a credential or local system, they will use that permission to access any data within its scope. You want to think about impact reduction and limiting the amount of data the attacker can access. Here are a few tips to help limit the impact of data collection:

  • Ensure users are not storing sensitive information on their local drive. Leverage policy, user education and periodic audits to enforce.

  • Ensure that you are enforcing data retention policies on your shared drives. You can lower your data liability simply by purging old data.

  • Implement least privilege to sensitive resources. This will reduce the amount of sensitive data an attacker may be able to access.

  • Ensure data access is being logged to your SIEM so that it can be used for investigation or detection. A large amount of data access requests could be a tip off that collection is in progress.

  • Consider user behavior analytic (UBA) and data loss prevention (DLP) tools. However, be careful as these types of tools require a lot of maintenance and in our experience may only be suitable for organizations who are well staffed.

Command and Control

Command and Control (C2) techniques are classified by an attacker being able to send further instruction to a compromised host. C2 can be used to install ransomware, perform network enumeration, or really any activity that will further the adversary’s impact on your environment. There are dozens of ways an attacker can setup and persist a command and control channel. What makes C2 channels so difficult to detect is that they often can blend into your organization’s normal web traffic. In that vein, CISA’s assessment team leveraged Commonly Used Ports on ~20% of their successful C2 techniques. Your best bet to detect a C2 channel again relies on your endpoint protection tool where you can actually see payloads being executed. Aside from endpoint, you can also leverage web filtering tools to attempt to block known bad domains through continuous threat intelligence. Furthermore, if the web filtering tool can also block ‘Newly Seen’ domains that have been recently registered, that may give you a leg up. However, there will be no silver bullet when it comes to detecting and preventing C2 channels and attackers can easily pivot if their first C2 tactic is unsuccessful. Unless you have a very mature security program, we would suggest you focus more on the other tactics where you can get better ROI.

Exfiltration

And finally, Exfiltration is often one of the final steps in an attack. This is the point where an attacker finds a way to get your sensitive data out of your network and safely to attacker infrastructure. We covered data exfiltration extensively in our recent blog, Data Exfiltration in Modern Enterprise. We would suggest checking that out if you want to go deep on the many ways attackers can exfil your data and what you can (or can’t) do to stop it.

Conclusion

CISA’s release of the FY23 Risk and Vulnerability assessment results reinforces something we all have learned to live with - Cybersecurity is hard. As an organization, you have to be right every time and the attacker only has to be right one time. That being said, we shouldn’t take a defeatist attitude when it comes to security. Within the blog we outlined many actionable recommendations that can significantly reduce the impact and likelihood of a potential cyber attack against your company. While we must rely on tools such as EDR as a last line of defense, it really does take a wholistic approach of process and expertise. Helios Security strives to help businesses bridge the security talent gap and deliver results for your business. If you would like to discuss how we can help, please reach out.

References

https://www.cisa.gov/sites/default/files/2024-09/InfographicFY23RVA508.pdf

https://attack.mitre.org/

Unless otherwise specified, all images are property of the Cybersecurity and Infrastructure Security Agency (CISA)

Matt Shafner
Previous

A Primer on Threat Modeling
Next

CrowdStrike fal.con 2024