In fiscal year 2020, the Cybersecurity and Infrastructure Security Agency (CISA) conducted 37 Risk and Vulnerability Assessments (RVAs) for stakeholders across multiple sectors and analyzed which attack techniques succeeded. Using the MITRE ATT&CK framework, the successful techniques were mapped to six successive infection stages in a sample attack path: initial access, command and control (C2), lateral movement, privilege escalation, collection, and exfiltration.
“This path is not all-encompassing of the potential steps used by malicious actors and not all attack paths follow this model. However, these steps serve to highlight some of the more successful attack strategies used during RVAs and the impacts these strategies have had on a target network,” CISA says.
What’s the objective?
The goal of the RVA analysis is to develop a better security posture for organizations across various sectors.
With this assessment, CISA provides a better understanding of risks and helps organizations remediate weaknesses that threat actors might abuse to compromise network security controls.
What did CISA find?
In its RVA analysis, CISA found that phishing links were the most successful initial access technique, accounting for 49% of the successful initial access attempts.
In the collection stage, data was most often gathered from the local system (32.2%) and then exfiltrated over the existing C2 channel rather than through a separate path: 68.2% of successful exfiltration used the C2 channel. For C2 itself, application-layer web protocols such as HTTP and HTTPS were the most common carrier (42%), which lets beaconing and uploads blend into ordinary web traffic.
For lateral movement, pass the hash was used in roughly 30% of RVAs, followed by Remote Desktop Protocol (RDP) in 25%.
For privilege escalation, valid accounts were used in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and token impersonation or theft (15.6%).
Across the 37 RVAs, long-known methods such as phishing and the use of default credentials remained viable.
What does this indicate?
The techniques that succeeded are not novel: phishing, default credentials, valid-account abuse, pass the hash and RDP are all well-documented ATT&CK techniques, and the set of tools and techniques assessed continues to evolve.
A threat actor with the capability and intent to use them can therefore still compromise many organizations, regardless of sector.
Conclusion
CISA’s RVA report includes mitigation measures that organizations can implement to improve their security posture. These include application allowlisting (whitelisting), disabling macros, training users to recognize phishing, monitoring network traffic, limiting administrative access, enforcing password policies, disabling unused remote services, keeping software up to date, and preventing applications from storing credentials.
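The findings above show exfiltration riding the C2 channel over web protocols, and the mitigation list recommends monitoring network traffic. The following is an added example, not code from CISA or the RVA report, of what that monitoring can look like in practice: it scans web-proxy records for the three signals that distinguish exfiltration over an HTTP(S) C2 channel from normal browsing, namely a large upload-to-download asymmetry, a destination contacted by a single internal host, and uploads at a fixed interval. The log format, the sample records and the thresholds are all constructed assumptions for illustration; a real deployment would read the proxy's actual log format and tune the thresholds to its own traffic baseline.

```python
"""Flag likely exfiltration over an HTTP(S) C2 channel using web-proxy logs.

Added example; the log format, sample data and thresholds are assumed, not
taken from CISA's RVA report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic).
# Fields: timestamp client method host bytes_out bytes_in
SAMPLE_LOG = """\
2020-09-14T09:00:05 10.0.0.21 GET www.example-intranet.local 420 88210
2020-09-14T09:00:41 10.0.0.21 POST files.update-cdn.test 524288 312
2020-09-14T09:01:41 10.0.0.21 POST files.update-cdn.test 524288 298
2020-09-14T09:02:41 10.0.0.21 POST files.update-cdn.test 524288 305
2020-09-14T09:03:41 10.0.0.21 POST files.update-cdn.test 524288 310
2020-09-14T09:03:59 10.0.0.22 GET www.example-intranet.local 380 90112
2020-09-14T09:05:10 10.0.0.22 POST mail.example.com 20480 1024
2020-09-14T09:06:30 10.0.0.23 POST mail.example.com 18200 990
2020-09-14T09:07:02 10.0.0.21 GET www.example-intranet.local 410 87000
"""

# Assumed tuning values; set them from your own traffic baseline.
THRESHOLD_BYTES_OUT = 1_000_000   # total upload per (client, host) pair
MIN_UPLOAD_RATIO = 10.0           # bytes out must dwarf bytes in


def parse_log(text):
    """Parse the constructed whitespace-separated proxy format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, out_b, in_b = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "out": int(out_b),
            "inb": int(in_b),
        })
    return records


def find_exfil_candidates(records, threshold=THRESHOLD_BYTES_OUT,
                          min_ratio=MIN_UPLOAD_RATIO):
    """Return one alert per (client, host) pair that looks like an upload channel.

    Only POST/PUT requests count as uploads. A pair is reported when its total
    upload volume exceeds `threshold` and the upload/download ratio exceeds
    `min_ratio`; the alert also records whether the destination is unique to
    that client and whether uploads arrive at a near-constant interval.
    """
    flows = defaultdict(lambda: {"out": 0, "inb": 0, "times": []})
    clients_per_host = defaultdict(set)
    for r in records:
        clients_per_host[r["host"]].add(r["client"])
        if r["method"] in ("POST", "PUT"):
            f = flows[(r["client"], r["host"])]
            f["out"] += r["out"]
            f["inb"] += r["inb"]
            f["times"].append(r["ts"])

    alerts = []
    for (client, host), f in flows.items():
        ratio = f["out"] / max(f["inb"], 1)
        if f["out"] < threshold or ratio < min_ratio:
            continue
        # Beaconing check: inter-upload gaps with very low spread.
        gaps = [(b - a).total_seconds()
                for a, b in zip(f["times"], f["times"][1:])]
        regular = len(gaps) >= 2 and pstdev(gaps) < 0.1 * mean(gaps)
        alerts.append({
            "client": client,
            "host": host,
            "bytes_out": f["out"],
            "upload_ratio": round(ratio, 1),
            "rare_destination": len(clients_per_host[host]) == 1,
            "regular_interval": regular,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, the legitimate mail uploads stay below the volume threshold and are not reported, while the single client pushing 2 MiB to a destination nobody else contacts, at exactly 60-second intervals, is reported with all three indicators set. In a real environment the volume threshold alone will produce noise from backups and cloud sync clients, so the rarity and regularity flags are what make the alert worth triage.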