Dive Brief:

• The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure providers to harden their defenses and enable phishing resistant multifactor authentication, after conducting a red team assessment of a large organization over a three-month period in 2022.
• During the voluntary assessment, a CISA red team was able to gain access to workstations at separate geographic locations using spearphishing emails. The red team leveraged that access to move laterally around the network, gaining root access to multiple workstations adjacent to specialized servers. 
• The organization largely failed to detect multiple actions by the red team, including lateral movement, persistence and command and control activity. However, the use of strong service account passwords and MFA prevented the red team from accessing a sensitive business system.

Dive Insight:

The CISA assessment raises questions about the preparedness of critical infrastructure providers at a time of heightened concerns linked to the Ukraine war and the tide of criminal ransomware activity. 

For more than a year, CISA has urged critical infrastructure providers to be aware of threat activity targeting key sectors like energy, water, public utilities and other key segments. CISA did not disclose what type of critical infrastructure provider this was or why the organization requested the assessment. 

The report highlights concerns about network defenses, particularly when a red team can gain persistent access to an organization that has what CISA calls a mature security program. 

Jori VanAntwerp, co-founder and CEO at SynSaber, noted the CISA report made no explicit mention of how this simulated attack might have impacted operational technology. 

“While the IT system discussed could adversely affect the day-to-day business operations of an organization, there isn’t any explicit mention or evidence of manipulation or interruption to process control or operation,” VanAntwerp said via email.