
CISA Cybersecurity Advisory – Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

Author: Chase Snow

Created: Thursday, July 11, 2024 - 17:37

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

CISA released a Cybersecurity Advisory (CSA) today, “CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth.” This CSA details key findings and lessons learned from a 2023 assessment – which was performed as a no-notice, long-term simulation of nation-state cyber operations – along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity. The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.

The red team’s findings underscored the importance of defense-in-depth and of using diversified layers of protection. The organization was only able to understand the full extent of the red team’s compromise by analyzing all of its data sources together: host-based logs, internal network logs, external (egress) network logs, and authentication logs. No single source showed the whole intrusion.

Lessons Learned:

  • The assessed organization had insufficient controls to prevent and detect malicious activity.
  • The organization did not effectively or efficiently collect, retain, and analyze logs.
  • Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
  • A “known-bad” detection approach hampered detection of alternate TTPs.

Some recommendations from the CSA include:

  • Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
  • Use robust network segmentation to impede lateral movement across the network.
  • Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allow list” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.
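The last recommendation, baselining and then alerting on deviation instead of matching known-bad indicators, is easiest to see side by side. The following is an added example (not code from the CSA, CISA, or WaterISAC) that learns a per-account allow list of source hosts, target hosts, authentication methods and logon hours from a learning window of constructed logon events, then reviews later events two ways: an IOC-centric check against a known-bad address list, and a behavior-based check against the baseline. The log format, host names, account names and the "known-bad" address are all hypothetical.

```python
"""Baseline-driven vs. IOC-driven detection over constructed logon events.

Added example, not from the advisory. The log line format is invented:
  <ISO-8601 ts> LOGON user=<account> src=<host> dst=<host> method=<auth>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed learning-window events for two accounts (illustrative only).
BASELINE_EVENTS = """\
2024-05-01T08:12:03Z LOGON user=jsmith src=WS-1042 dst=FS01 method=Kerberos
2024-05-01T08:40:51Z LOGON user=jsmith src=WS-1042 dst=MAIL01 method=Kerberos
2024-05-02T09:02:17Z LOGON user=jsmith src=WS-1042 dst=FS01 method=Kerberos
2024-05-03T17:55:40Z LOGON user=jsmith src=WS-1042 dst=FS01 method=Kerberos
2024-05-01T07:30:00Z LOGON user=svc-backup src=BK01 dst=FS01 method=Kerberos
2024-05-02T07:30:00Z LOGON user=svc-backup src=BK01 dst=FS02 method=Kerberos
2024-05-03T07:30:00Z LOGON user=svc-backup src=BK01 dst=FS01 method=Kerberos
"""

# Constructed events under review. Only the second line touches a listed IOC;
# the two 02:4x events (off-hours NTLM to a domain controller, then the backup
# service account reused from a workstation) never match any indicator.
REVIEW_EVENTS = """\
2024-05-08T08:15:22Z LOGON user=jsmith src=WS-1042 dst=FS01 method=Kerberos
2024-05-08T10:03:09Z LOGON user=jsmith src=198.51.100.23 dst=VPN01 method=NTLM
2024-05-08T02:41:18Z LOGON user=jsmith src=WS-1042 dst=DC01 method=NTLM
2024-05-08T02:44:07Z LOGON user=svc-backup src=WS-1042 dst=DC01 method=NTLM
2024-05-08T07:30:00Z LOGON user=svc-backup src=BK01 dst=FS01 method=Kerberos
"""

# Hypothetical known-bad list: all the IOC-centric model knows.
KNOWN_BAD_SOURCES = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) method=(?P<method>\S+)$"
)


def parse(text):
    """Parse logon lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(ev)
    return events


def build_baseline(events):
    """Per-account allow list: sources, targets, methods and hours seen as normal."""
    baseline = defaultdict(
        lambda: {"src": set(), "dst": set(), "method": set(), "hour": set()}
    )
    for ev in events:
        for key in ("src", "dst", "method", "hour"):
            baseline[ev["user"]][key].add(ev[key])
    return baseline


def ioc_detect(events, known_bad=KNOWN_BAD_SOURCES):
    """IOC-centric: alert only when the source is on the known-bad list."""
    return [ev for ev in events if ev["src"] in known_bad]


def baseline_detect(events, baseline):
    """Behavior-based: alert on any attribute not seen for that account in learning.

    An account with no baseline at all is itself a deviation.
    """
    alerts = []
    for ev in events:
        b = baseline.get(ev["user"])  # .get() does not create a default entry
        if b is None:
            alerts.append((ev, ["unknown_account"]))
            continue
        reasons = [f"new_{k}" for k in ("src", "dst", "method") if ev[k] not in b[k]]
        if ev["hour"] not in b["hour"]:
            reasons.append("unusual_hour")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


def compare():
    """Run both detectors over the review window; return what each one flags."""
    baseline = build_baseline(parse(BASELINE_EVENTS))
    review = parse(REVIEW_EVENTS)
    return {
        "ioc": [ev["ts"] for ev in ioc_detect(review)],
        "baseline": [(ev["ts"], r) for ev, r in baseline_detect(review, baseline)],
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, hits)
```

The IOC check fires once, on the address it already knew about; the baseline check additionally flags the off-hours NTLM logons to DC01 and the service account being used from a workstation, with a reason for each. A real baseline needs a longer learning window, tolerances (hour ranges rather than exact hours, seasonal jobs), and a review path for legitimate change, otherwise the allow list either never settles or silently absorbs the attacker's activity.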

WaterISAC joins CISA in encouraging organizations to review the advisory in its entirety and apply the recommendations and mitigations with a risk-based approach, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication. Access the full CSA at CISA.gov.


1250 I Street NW, Suite 350
Washington, DC 20005
1-866-H2O-ISAC (1-866-426-4722)
© 2026 WaterISAC. All Rights Reserved.