July 12, 2024 at 10:33AM
In early 2023, a CISA red team exercise exposed significant cybersecurity gaps in a federal civilian executive branch organization. The SILENTSHIELD assessment found that the organization failed to prevent and detect malicious activity, had insufficient network segmentation, collected too few logs, and relied on a 'known-bad' detection approach that matches known indicators rather than identifying anomalous behaviour. Bureaucratic communication processes and decentralized teams further hindered the network defenders.
The SILENTSHIELD assessment simulated a long-term, state-sponsored intrusion. The red team gained initial access to the organization's Solaris enclave by exploiting an unpatched vulnerability in Oracle Web Applications Desktop Integrator, and from there expanded to broad access within the enclave and to sensitive information. A parallel phishing campaign compromised the Windows environment, yielding Active Directory data and ultimately control of the entire domain. The organization had not detected the compromise by the time CISA officially notified its security operations center. The red team attributed this outcome to four gaps: the organization neither prevented nor detected the malicious activity, its network was insufficiently segmented, its log collection was deficient, and its detection depended on matching known-bad indicators rather than on spotting anomalous behaviour. Bureaucratic communication processes and decentralized teams slowed the defenders further. After the assessment, CISA worked with the organization to improve its security posture, focusing on detection capabilities, log collection and analysis, forensic analysis, and the management of monitoring and investigations.
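The 'known-bad' finding is the one most easily shown in code. The following Python is an added example and is not part of the CISA advisory or of this summary: it runs a signature-style indicator match and two behaviour-based rules over a constructed set of authentication events. The host names, accounts, hashes, thresholds and rule names are all invented for illustration; the point is that fresh red-team tooling has no entry in an indicator feed, so only the behavioural rules fire.

```python
"""Known-bad indicator matching versus behaviour-based detection.

Added example (not from the CISA advisory). All events, hosts, accounts
and hashes below are constructed; none refers to a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event type, account, source host,
# destination host, sha256 of the tool that produced the logon, or None).
# The 14:03-14:05 burst models an operator on a compromised workstation
# fanning out with a service account, ending at a domain controller.
EVENTS = [
    ("2023-02-01T09:00:00", "logon",     "jdoe",       "ws-1041", "ws-1041", None),
    ("2023-02-01T09:12:30", "net_logon", "jdoe",       "ws-1041", "fs-02",   None),
    ("2023-02-01T14:03:05", "net_logon", "svc_backup", "ws-1041", "fs-02",   "c0ffee" * 10 + "beef"),
    ("2023-02-01T14:03:40", "net_logon", "svc_backup", "ws-1041", "fs-07",   "c0ffee" * 10 + "beef"),
    ("2023-02-01T14:04:12", "net_logon", "svc_backup", "ws-1041", "sql-01",  "c0ffee" * 10 + "beef"),
    ("2023-02-01T14:05:51", "net_logon", "svc_backup", "ws-1041", "dc-01",   "c0ffee" * 10 + "beef"),
    ("2023-02-01T16:20:00", "net_logon", "svc_backup", "bkp-01",  "fs-02",   None),
]

# Constructed indicator feed. The red team's tool was built for the
# engagement, so its hash is (deliberately) absent from the feed.
KNOWN_BAD_HASHES = {"deadbeef" * 8, "0badf00d" * 8}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def known_bad_hits(events, bad_hashes):
    """Signature-style detection: an event is suspicious only if the
    tool hash it carries is already on the indicator list."""
    return [e for e in events if e[5] is not None and e[5] in bad_hashes]


def fan_out_hits(events, threshold=3, window=timedelta(minutes=10)):
    """Behavioural rule (invented thresholds): one account from one source
    host authenticating to `threshold` or more distinct destinations
    within `window`. Returns (account, source, sorted destinations)."""
    by_actor = defaultdict(list)
    for ts, etype, user, src, dst, _ in events:
        if etype == "net_logon" and src != dst:
            by_actor[(user, src)].append((_ts(ts), dst))

    hits = []
    for (user, src), auths in by_actor.items():
        auths.sort()
        for i, (start, _) in enumerate(auths):
            dsts = {d for t, d in auths[i:] if t - start <= window}
            if len(dsts) >= threshold:
                hits.append((user, src, tuple(sorted(dsts))))
                break  # one alert per actor is enough for triage
    return hits


def service_account_from_workstation(events, svc_prefix="svc_", ws_prefix="ws-"):
    """Behavioural rule (invented naming convention): a service account
    should never be used from a user workstation."""
    return sorted(
        {(user, src) for _, _, user, src, _, _ in events
         if user.startswith(svc_prefix) and src.startswith(ws_prefix)}
    )


if __name__ == "__main__":
    print("known-bad hits:", known_bad_hits(EVENTS, KNOWN_BAD_HASHES))
    print("fan-out hits:  ", fan_out_hits(EVENTS))
    print("svc-from-ws:   ", service_account_from_workstation(EVENTS))
```

Run against the constructed events, the indicator match returns nothing, while the fan-out rule reports svc_backup from ws-1041 reaching fs-02, fs-07, sql-01 and dc-01 inside ten minutes, and the workstation rule flags the same account and host. Both behavioural rules depend on the logon events actually being collected from every host in the path, which is why the advisory pairs its detection finding with the log-collection one.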