CISA red-teamed a critical infrastructure organization for months and didn't get caught

The Cybersecurity and Infrastructure Security Agency’s (CISA) Red Team recently conducted a simulated cyberattack against a large, unidentified critical infrastructure organization to identify vulnerabilities and test the organization’s response capabilities. The Red Team was able to breach the organization’s defenses within hours and gain access to sensitive information, demonstrating the need for increased cybersecurity measures and preparedness in critical infrastructure organizations.

“Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response,” CISA said in a new report—the first of its kind for the agency’s Red Team assessment of a critical infrastructure organization.

During the simulation, the Red Team used a variety of tactics, including spear-phishing emails, password spraying, and social engineering, to gain access to the organization’s network. Once inside, they were able to move laterally through the network and access critical systems, demonstrating the potential for a devastating cyberattack.
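Password spraying, one of the tactics listed above, is designed to slip past per-account lockout policies: a few guesses against many accounts rather than many guesses against one. It is also one of the easier tactics to catch if authentication logs are actually watched. The following is an added example written for this article, not CISA's tooling or anything from the assessed organization; the log format, the sample lines and the thresholds are constructed assumptions. It flags sources that fail against many distinct accounts inside a sliding window, then lists any account that later authenticated successfully from the same source, which is the credential a responder would want to reset first.

```python
"""Added example: flag password-spray patterns in authentication logs.

Illustrative code written for this article, not CISA's or the assessed
organization's. Log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format (assumed): "<iso timestamp> <src_ip> <user> <result>"
# 10.0.0.5 sprays one guess across many users, then lands on "grace".
# 10.0.0.9 hammers one account (brute force, not a spray).
# 10.0.0.7 is a user who mistyped a password once.
SAMPLE_LOG = """\
2023-02-01T09:00:01 10.0.0.5 alice FAIL
2023-02-01T09:00:03 10.0.0.5 bob FAIL
2023-02-01T09:00:05 10.0.0.5 carol FAIL
2023-02-01T09:00:07 10.0.0.5 dave FAIL
2023-02-01T09:00:09 10.0.0.5 erin FAIL
2023-02-01T09:00:11 10.0.0.5 frank FAIL
2023-02-01T09:00:13 10.0.0.5 grace SUCCESS
2023-02-01T09:05:00 10.0.0.9 alice FAIL
2023-02-01T09:05:02 10.0.0.9 alice FAIL
2023-02-01T09:05:04 10.0.0.9 alice FAIL
2023-02-01T09:05:06 10.0.0.9 alice FAIL
2023-02-01T09:05:08 10.0.0.9 alice FAIL
2023-02-01T09:05:10 10.0.0.9 alice FAIL
2023-02-01T09:30:00 10.0.0.7 heidi FAIL
2023-02-01T09:30:01 10.0.0.7 heidi SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted list of users} for every source that failed
    authentication against at least `min_users` distinct accounts inside
    some sliding `window`.

    The key is distinct users per source, not failures per user. Lockout
    policies count the latter, which is exactly why spraying evades them.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        left = 0
        in_window = defaultdict(int)  # user -> failures currently in window
        for ts, user in fails:
            in_window[user] += 1
            # Slide the left edge forward until the window fits.
            while ts - fails[left][0] > window:
                old_user = fails[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_users:
                hits[ip] = sorted(in_window)
                break
    return hits


def successes_from_spraying_sources(log_text, hits):
    """For each spraying source, list accounts that authenticated successfully
    from it anywhere in the log: the likeliest compromised credentials."""
    landed = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in hits:
            landed[ip].append(user)
    return dict(landed)


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_LOG)
    print("spraying sources:", sprays)
    print("accounts that landed:", successes_from_spraying_sources(SAMPLE_LOG, sprays))
```

The sliding window matters: a patient sprayer spreads attempts over hours, so a fixed per-minute bucket misses it while a per-source distinct-user count over a longer window does not. Tune `window` and `min_users` to the environment's normal failure rate, and feed the detector from the identity provider or domain controller logs rather than a single application, since spraying typically targets whichever login surface is exposed.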

The Red Team also tested the organization’s incident response capabilities, finding that communication and coordination were key areas for improvement. The organization’s response team struggled to coordinate effectively, which delayed its response and slowed recovery.

“The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs),” CISA said.

CISA’s report details all of the team’s tactics, techniques and procedures (TTPs).

Overall, the simulation highlights the need for critical infrastructure organizations to prioritize cybersecurity and take proactive measures to prevent cyberattacks. This includes implementing strong security protocols, regularly testing and updating defenses, and investing in training and preparedness efforts.

The CISA Red Team regularly conducts these types of simulations to help organizations identify vulnerabilities and improve their cybersecurity posture. By working with organizations to test their defenses and response capabilities, the Red Team can help prevent devastating cyberattacks and protect critical infrastructure from harm.

Reaction to CISA Red Team Assessment from Industry

Despite the alarming findings of CISA’s Red Team, many in the cybersecurity industry are stressing that while the simulated attack is concerning, it does not warrant panic.

Chris Grove, Cyber Security Strategist and Director at Nozomi Networks, observed in a statement provided to CyberWire that hardening critical infrastructure remains the priority:

“The recent findings of the CISA Red Team assessment are, unfortunately, not surprising… but, fortunately, not as scary as they could be.

“Although the words ‘critical infrastructure’ are used, the attacks didn’t necessarily touch that infrastructure, nor pose any risk to the operations of that entity. In large IT enterprises, they are in a constant state of recovery, every single day there are multiple incidents being handled. This assessment simply provided a glimpse into the day-to-day operations of a typical SOC.”

Jori VanAntwerp, CEO and Co-Founder of SynSaber, also via CyberWire:

“Upon reading the report, my initial reaction is that OT networks and systems are not mentioned. While the IT system discussed could adversely affect the day-to-day business operations of an organization, there isn’t any explicit mention or evidence of manipulation or interruption to process control or operation. While the simulated breach in this red team is concerning, and defenses should be bolstered, I’m not entirely sure that this would have affected the operations of a critical infrastructure environment.”
