CISA conducted a risk assessment of 37 attack techniques across multiple stakeholders in different sectors in FY 2020. These attack techniques were mapped to six successive infection stages in a simple attack pathway using the MITRE ATT&CK framework. The stages identified by CISA include initial access, command and control (C2), lateral movement, privilege escalation, collection, and exfiltration.
This path is not all-encompassing of the potential steps used by malicious actors, and not all attack paths follow this model. But these steps serve to highlight some of the more successful attack strategies used during RVAs and the impact those strategies had on target networks.
The goal of the RVA analysis is to help organizations across various sectors develop a better security posture. With this assessment, CISA provides a better understanding of risks and helps organizations remediate weaknesses that threat actors might abuse to compromise network security controls.
- CISA found that phishing links were the most successful technique for initial access, accounting for 49% of all attack techniques employed in the initial access stage.
- Data was mainly collected from local systems (32.2%) and was primarily exfiltrated over the C2 channel.
- Around 68.2% of successful exfiltration attempts used C2 channels, with web protocols being the most frequently used of these (42%).
- The pass-the-hash technique was used for lateral movement in roughly 30% of attacks, followed by RDP in 25% of RVAs.
- Valid accounts were used for privilege escalation in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and token impersonation (15.6%).
- Across the 37 RVAs, methods such as phishing and the use of default credentials remain viable attack methods.
The list of assessed tools and techniques continues to evolve, and threat actors with the capability and intent may still succeed in compromising many organizations across the globe.
CISA’s RVA report includes mitigation measures that organizations can implement to improve their security posture. This includes application whitelisting, disabling macros, educating users about anti-phishing techniques, monitoring network traffic, limiting admin access, setting password policies, disabling unused remote services, keeping software updated at all times, and preventing the storing of credentials in applications.
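The two findings above that matter most to a defender building detections are that exfiltration mostly rode the C2 channel over ordinary web protocols, and that "monitoring network traffic" is one of the recommended mitigations. The following is an added illustration of what that monitoring can look like in practice; it is not code from the CISA report or from any CISA tool. It parses a constructed web-proxy log (the line format, hostnames and IP addresses are all made up for the example) and flags source/destination pairs where a single internal host pushes a large volume of data to a destination nobody else talks to, with uploads dwarfing downloads, which is the shape HTTP POST-based exfiltration over a C2 channel tends to have. The thresholds are assumptions to be tuned per environment, not values taken from the report.

```python
from collections import defaultdict

# Constructed sample proxy log, not taken from the CISA report.
# Line format (an assumption for this example):
# "<time> <src_ip> <dst_host> <method> <bytes_out> <bytes_in>"
SAMPLE_LOG = """\
09:00:01 10.0.0.5 intranet.example.local GET 300 45000
09:00:07 10.0.0.5 cdn.example.net GET 250 120000
09:01:10 10.0.0.9 cdn.example.net GET 260 118000
09:02:15 10.0.0.7 updates.example.org GET 310 900000
09:03:00 10.0.0.5 drop.example-placeholder.test POST 2100000 512
09:03:30 10.0.0.5 drop.example-placeholder.test POST 1900000 498
09:04:00 10.0.0.5 drop.example-placeholder.test POST 2050000 503
09:05:12 10.0.0.9 intranet.example.local POST 4000 2200
"""


def parse_proxy_log(text):
    """Turn whitespace-separated proxy log lines into dicts, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, out_b, in_b = line.split()
        records.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "method": method,
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return records


def find_exfil_candidates(records, min_bytes_out=1_000_000,
                          min_ratio=10.0, max_hosts=1):
    """Flag (src, dst) pairs that look like exfiltration over a web C2 channel.

    Heuristic (an assumption, not a published CISA rule): total upload volume
    above min_bytes_out, upload/download ratio above min_ratio, and the
    destination contacted by at most max_hosts distinct internal sources.
    The rarity check separates a dedicated drop point from a busy CDN or
    update server that every host talks to.
    """
    agg = defaultdict(lambda: {"out": 0, "in": 0, "requests": 0})
    hosts_per_dst = defaultdict(set)
    for r in records:
        key = (r["src"], r["dst"])
        agg[key]["out"] += r["bytes_out"]
        agg[key]["in"] += r["bytes_in"]
        agg[key]["requests"] += 1
        hosts_per_dst[r["dst"]].add(r["src"])

    findings = []
    for (src, dst), s in agg.items():
        ratio = s["out"] / max(s["in"], 1)  # avoid division by zero
        if (s["out"] >= min_bytes_out
                and ratio >= min_ratio
                and len(hosts_per_dst[dst]) <= max_hosts):
            findings.append({
                "src": src,
                "dst": dst,
                "bytes_out": s["out"],
                "bytes_in": s["in"],
                "requests": s["requests"],
                "ratio": round(ratio, 1),
            })
    # Largest upload volume first so the analyst sees the worst case on top.
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_proxy_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['bytes_out']} bytes out over "
              f"{f['requests']} requests (upload/download ratio {f['ratio']})")
```

On the constructed log only the 10.0.0.5 to drop.example-placeholder.test pair is flagged: the CDN and update-server traffic is download-heavy and shared by several hosts, so it passes the ratio and rarity checks even though the update download is large. In a real deployment the same aggregation would run over a time window rather than a whole file, and the rarity baseline would be computed from historical traffic rather than from the window being inspected.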