In fiscal year 2020, the Cybersecurity and Infrastructure Security Agency (CISA) conducted 37 Risk and Vulnerability Assessments (RVAs) across several sectors and analyzed the attack techniques that succeeded during them. Using the MITRE ATT&CK framework, CISA mapped those tactics onto six sequential stages of a basic attack path: initial access, command and control (C2), lateral movement, privilege escalation, collection, and exfiltration.
“This path does not cover all the potential steps that malicious actors utilize, and not every attack path follows this paradigm. These procedures are, however, used to underline some of the more successful attack techniques used in RVAs and their effects on the target network,” states CISA.
The objective –
- The objective of an RVA (Risk and Vulnerability Assessment) is to help organizations across different sectors improve their security posture.
- The assessments also give CISA a clearer picture of risk and help organizations fix weaknesses that attackers could exploit to defeat network security controls.
What were the findings by CISA?
- CISA found that phishing links were the most successful initial access technique, used in 49% of the successful initial access cases across the RVAs.
- Data was collected mostly from local systems (32.2%) and exfiltrated mainly over the C2 channel.
- Roughly 68.2% of successful exfiltration went over the C2 channel, and the most common C2 technique was web protocols (42%).
- Pass-the-hash was used in around 30% of lateral movement attempts, followed by RDP in 25% of RVAs.
- Valid accounts were used for privilege escalation in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and access token manipulation (15.6%).
- Methods such as phishing and default credentials remained viable across the 37 RVAs.
What is the significance of these findings?
- Unfortunately, the list of tools and techniques observed continues to evolve.
- As a result, capable and determined threat actors continue to successfully compromise organizations worldwide.
The CISA RVA report includes mitigation recommendations to improve organizations' security posture. These include application whitelisting (allowlisting), disabling macros, training users to recognize phishing and to use anti-phishing tools, monitoring network traffic, restricting administrative access, enforcing password policies, disabling unused remote services, keeping software patched at all times, and preventing credentials from being stored in applications.
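As an added example that is not part of the CISA report or the eScan post, the PowerShell script below audits a Windows host for a handful of the settings behind these recommendations: Office macro blocking (disabling macros), WDigest plaintext credential caching and LSA protection (preventing credentials from being stored and stolen for pass-the-hash), Remote Desktop being disabled (unused remote services), and the size of the local Administrators group (restricting administrative access). The registry paths and values are the standard Windows and Office policy locations; the Office version key `16.0` is an assumption that holds for Office 2016 and later, and the choice of which checks to include is the editor's, not CISA's.

```powershell
# Added example: audit a few RVA-recommended hardening settings on a Windows host.
# Not code from CISA or eScan. Assumes Office 2016+ (policy key version 16.0) and
# a built-in local "Administrators" group. Audit only; no settings are changed.

$checks = @(
    @{ Name     = 'Word macros disabled without notification'
       Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
       Key      = 'VBAWarnings'; Expected = 4 },
    @{ Name     = 'Word blocks macros in files from the internet'
       Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
       Key      = 'BlockContentExecutionFromInternet'; Expected = 1 },
    @{ Name     = 'WDigest plaintext credential caching disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Key      = 'UseLogonCredential'; Expected = 0 },
    @{ Name     = 'LSA protection (RunAsPPL) enabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key      = 'RunAsPPL'; Expected = 1 },
    @{ Name     = 'Remote Desktop connections denied'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Key      = 'fDenyTSConnections'; Expected = 1 }
)

# Read a registry value, returning $null when the key or value does not exist.
# A missing policy value is reported as WEAK: the OS default is the weaker state
# for every setting checked here.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Key)
    try { (Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop).$Key }
    catch { $null }
}

$weak = 0
foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Key $c.Key
    $found  = if ($null -eq $actual) { 'not set' } else { $actual }
    if ($actual -eq $c.Expected) { $status = 'OK  ' } else { $status = 'WEAK'; $weak++ }
    '{0} {1} (found: {2}, expected: {3})' -f $status, $c.Name, $found, $c.Expected
}

# Restricting administrative access: list local Administrators and flag a large group.
# The threshold of 3 members is an arbitrary editor's assumption; tune it to your baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins) {
    $names = ($admins | ForEach-Object { $_.Name }) -join ', '
    if ($admins.Count -gt 3) { $status = 'WEAK'; $weak++ } else { $status = 'OK  ' }
    '{0} Local Administrators has {1} member(s): {2}' -f $status, $admins.Count, $names
}

"{0} weak setting(s) found." -f $weak
```

Run it in an elevated PowerShell session so the HKLM keys are readable; the HKCU macro checks reflect the policy for the user running the script, so for a fleet-wide view run it under the accounts that actually open documents or query the equivalent HKLM policy keys. Remediation is intentionally left out: once a WEAK line has been reviewed, the corresponding `Set-ItemProperty` (or the Group Policy that sets the same value) is the fix.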
To read more, please check the eScan Blog.