The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA) detailing tactics, techniques, procedures (TTPs) and key findings from a 2022 assessment to provide proactive steps to reduce the threat from malicious cyber actors.  

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, highlights the importance for all organizations to collect and monitor logs for unusual activity as well as continuous testing and exercises to ensure their environment is not vulnerable to compromise, regardless of its cybersecurity maturity level. 

During the assessment, CISA’s red team emulated cyber threat actors to assess the cyber detection and response capabilities of a large critical infrastructure organization with multiple geographically separated sites.   

The CSA includes key findings the team found that contributed to persistent, undetected access across the organization’s sites: 

• Insufficient host and network monitoring. Some of the higher risk activities conducted by the team that could have been detected include phishing, lateral movement reuse, and anomalous Lightweight Directory Access Protocol (LDAP).  
• Lack of monitoring on endpoint management systems. Endpoint management systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.  
• Excessive permissions to standard users. This misconfiguration allowed the team to use the low-level access of a phished user to move laterally to an Unconstrained Delegation host and compromise a domain controller.  

Some of the recommended actions in this CSA that can help all organizations harden their environment and protect against real-world malicious activity by cyber threat actors include: 

• Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.  
• Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.  
• Enforce phishing-resistant MFA to the greatest extent possible. 

The CSA provides other recommended actions and mitigations as well as more technical details that organizations should review.