Red Team Finds Vulnerabilities in Critical Infrastructure Org’s Security Framework
The U.S. cyber defense agency is urging critical infrastructure operators to learn from the experience of a volunteer red teaming test and not rely too heavily on host-based endpoint detection and response solutions at the expense of network layer protections.
An unnamed critical infrastructure organization that sought a red teaming assessment from the Cybersecurity and Infrastructure Security Agency lacked an adequate security framework to detect or prevent malicious activity from the outset, the agency said Thursday.
Top officials at the critical infrastructure organization “deprioritized the treatment of a vulnerability their own cybersecurity team identified” while committing significant miscalculations in their risk-based decision-making process, CISA said. The red team compromised the organization’s domain and several sensitive business systems after gaining initial access through a web shell left by a third party’s previous security assessment.
CISA declined to comment on this story and did not disclose which critical infrastructure sector the organization belongs to. The agency’s red team initially carried out unsuccessful phishing attempts before discovering the web shell left from a previous vulnerability disclosure program.
The report advises critical infrastructure owners and operators to embed security into product architecture throughout the entire software development lifecycle, to eliminate default passwords and to mandate multifactor authentication. CISA said the organization’s staff could benefit from continuous enhancements to their technical competency, as well as “sufficient resources” to ensure they can adequately protect their networks.
Critical infrastructure operators should also validate their security controls, test their full inventories and design products so that a single security control flaw “does not result in compromise of the entire system.”
The organization that received the assessment lacked proper identity management, CISA said, adding that its network defenders failed to implement a centralized identity management system in their Linux network and were forced to manually query every Linux host for artifacts to track the red team’s lateral movement. A properly configured network may also have been able to block the red team from breaching the organization’s perimeter, the report said.
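The host-by-host artifact hunt described above is, in practice, an aggregation problem: sshd authentication records scattered across many Linux machines have to be pulled together before the red team’s path through the network becomes visible. The following script is an added example, not code from the CISA report or from the organization assessed, showing what that reconstruction looks like once the per-host logs are in one place. It assumes the defender holds a hostname-to-IP inventory and that the hosts log in the default rsyslog `sshd` format; the hostnames, IP addresses, account name and every log line are constructed for the example.

```python
"""Reconstruct an SSH lateral-movement chain from per-host sshd logs.

Added example (not from the CISA report or the article). Without a central
identity store or log aggregation, defenders have to collect artifacts from
each Linux host individually. This script gathers 'Accepted' sshd lines that
were collected host by host, maps source IPs back to the host inventory, and
emits the internal host-to-host login chain in time order.
All hostnames, IPs, users and log lines below are constructed.
"""
import re
from datetime import datetime

# Constructed host inventory: hostname -> IP (assumed known to the defender).
INVENTORY = {
    "jump": "10.0.0.5",
    "web01": "10.0.1.10",
    "app02": "10.0.2.20",
    "db03": "10.0.3.30",
}
IP_TO_HOST = {ip: host for host, ip in INVENTORY.items()}

# Constructed sshd lines in the default rsyslog format (no year in the stamp).
# In reality each block would be pulled from that host's own auth log.
PER_HOST_LOGS = {
    "web01": [
        "Mar  4 09:12:01 web01 sshd[2011]: Accepted password for svc-deploy from 10.0.0.5 port 51022 ssh2",
        "Mar  4 09:40:17 web01 sshd[2190]: Failed password for root from 10.0.0.5 port 51100 ssh2",
    ],
    "app02": [
        "Mar  4 09:15:44 app02 sshd[1402]: Accepted publickey for svc-deploy from 10.0.1.10 port 40012 ssh2: RSA SHA256:abc",
    ],
    "db03": [
        "Mar  4 09:31:09 db03 sshd[3310]: Accepted publickey for svc-deploy from 10.0.2.20 port 42870 ssh2: RSA SHA256:abc",
    ],
}

# Matches only successful logins; failed attempts and other sshd noise are skipped.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_accepted(line, year=2024):
    """Return a dict for an 'Accepted' sshd line, or None for anything else."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    # rsyslog omits the year; the caller supplies it (assumes one calendar year).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts,
        "dst": m["host"],
        "src": IP_TO_HOST.get(m["src"], m["src"]),  # unknown IPs stay as raw IP
        "user": m["user"],
        "method": m["method"],
    }


def build_lateral_chain(per_host_logs):
    """Merge per-host logs and return internal host-to-host logins, time-ordered."""
    events = []
    for lines in per_host_logs.values():
        for line in lines:
            ev = parse_accepted(line)
            # Keep only logins whose source resolves to an inventoried host,
            # i.e. movement between internal machines rather than first entry.
            if ev and ev["src"] in INVENTORY:
                events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def hops_for_user(per_host_logs, user):
    """Return the ordered (src, dst) hops observed for one account."""
    return [(e["src"], e["dst"]) for e in build_lateral_chain(per_host_logs) if e["user"] == user]


if __name__ == "__main__":
    for e in build_lateral_chain(PER_HOST_LOGS):
        print(f"{e['time']:%H:%M:%S} {e['user']}: {e['src']} -> {e['dst']} ({e['method']})")
```

Run stand-alone, the script prints the chain jump -> web01 -> app02 -> db03 for the constructed `svc-deploy` account; the failed root attempt is ignored because only accepted logins mark movement. The point for defenders is the cost of the collection step: when identity and logging are centralized, this merge is a single query against one store rather than a manual visit to every host.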