CISA Red Team Finds Alarming Critical Infrastructure Risks

Red Team Finds Vulnerabilities in Critical Infrastructure Org’s Security Framework
A critical infrastructure operator miscalculated in its response and left itself open to further exploitation, said the U.S. Cybersecurity and Infrastructure Security Agency.

The U.S. cyber defense agency is urging critical infrastructure operators to learn from the experience of a volunteer red teaming test and not rely too heavily on host-based endpoint detection and response solutions at the expense of network layer protections.

An unnamed critical infrastructure organization that sought a red teaming assessment from the Cybersecurity and Infrastructure Security Agency lacked an adequate security framework to detect or prevent malicious activity from the outset, the agency said Thursday.

Top officials at the critical infrastructure organization "deprioritized the treatment of a vulnerability their own cybersecurity team identified" while committing significant miscalculations in their risk-based decision-making process, CISA said. The red team compromised the organization's domain and several sensitive business systems after gaining initial access through a web shell left by a third party's previous security assessment.

CISA declined to comment on this story and did not disclose which critical infrastructure sector the organization belongs to. The agency's red team initially carried out unsuccessful phishing attempts before discovering the web shell left from a previous vulnerability disclosure program.

The report advises critical infrastructure owners and operators to embed security into product architecture throughout the entire software development life cycle, to eliminate default passwords and to mandate multifactor authentication. CISA said the organization's staff could benefit from continuous enhancements to their technical competency, as well as "sufficient resources" to ensure they can adequately protect their networks.

Critical infrastructure operators should also validate their security controls, test their full inventories and design products so that a single security control flaw "does not result in compromise of the entire system."

The organization that received the assessment lacked proper identity management, CISA said, adding that its network defenders failed to implement a centralized identity management system in their Linux network and were forced to manually query every Linux host for artifacts to track the red team's lateral movement. A properly configured network may also have been able to block the red team from breaching the organization's perimeter, the report said.
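The cross-host correlation the defenders had to do by hand, as an added example that is not part of CISA's report or this article: parse the SSH login records pulled from each Linux host and chain them into a lateral-movement path by matching each login's source address to the host it came from. Hostnames, addresses and log lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: auth.log excerpts collected from three Linux hosts.
# In the scenario described, there is no central identity store, so each
# host's log has to be fetched and parsed separately.
SAMPLE_LOGS = {
    "web01": [
        "Mar  4 10:02:11 web01 sshd[2201]: Accepted publickey for deploy from 203.0.113.9 port 51422 ssh2",
    ],
    "app02": [
        "Mar  4 10:05:40 app02 sshd[3310]: Accepted password for svc-backup from 10.0.1.11 port 40112 ssh2",
        "Mar  4 10:05:50 app02 sshd[3311]: Failed password for root from 10.0.1.11 port 40113 ssh2",
    ],
    "db03": [
        "Mar  4 10:09:02 db03 sshd[4102]: Accepted publickey for svc-backup from 10.0.1.12 port 39877 ssh2",
    ],
}
# Constructed host-to-address map (what a central inventory would normally provide).
HOST_IPS = {"web01": "10.0.1.11", "app02": "10.0.1.12", "db03": "10.0.1.13"}

ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+"
)

def parse_logins(logs):
    """Extract successful SSH logins from per-host log lines, oldest first."""
    events = []
    for host, lines in logs.items():
        for line in lines:
            m = ACCEPTED.match(line)
            if not m:
                continue  # failed attempts and unrelated lines are ignored here
            ts, method, user, src = m.groups()
            when = datetime.strptime(ts, "%b %d %H:%M:%S")  # syslog stamps carry no year
            events.append({"time": when, "host": host, "user": user, "src": src, "method": method})
    return sorted(events, key=lambda e: e["time"])

def entry_points(events, host_ips):
    """Logins whose source is not one of the inventoried hosts: the initial foothold."""
    internal = set(host_ips.values())
    return [e for e in events if e["src"] not in internal]

def lateral_chain(events, host_ips):
    """Host-to-host hops, in time order, as (origin_host, target_host, user) tuples."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    return [(ip_to_host[e["src"]], e["host"], e["user"])
            for e in events if e["src"] in ip_to_host]
```

Running this over real exports is only as good as the host inventory: an address missing from `HOST_IPS` shows up as an external entry point rather than a hop.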


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
