CheckRed Editorial
Understanding the Latest Analysis of FY23 Risk and Vulnerability Assessments from CISA
The Cybersecurity and Infrastructure Security Agency (CISA) conducts Risk and Vulnerability Assessments (RVAs) for federal agencies, critical infrastructure operators, and select local stakeholders. In Fiscal Year 2023 (FY23), CISA performed a total of 143 RVAs across various critical infrastructure sectors. These assessments evaluate an entity’s network capabilities and defenses against known threats, mapping results to the MITRE ATT&CK® framework, which identifies tactics and techniques used by cyber threat actors.
The RVA process combines remote and onsite data collection with national threat information to give organizations actionable recommendations ranked by risk of compromise. The headline FY23 finding is that successful attack paths most often relied on common, low-effort methods: phishing, the use of valid accounts, and default credentials. The assessments found these weaknesses across every sector assessed, and traced most of them to inadequate security design and misconfiguration rather than to novel exploits.
Understanding the Attack Path
The report illustrates an 11-step attack path, mapped to ATT&CK tactics, that a malicious actor could follow to compromise an organization, including its cloud and SaaS environments. The path is not exhaustive, but it shows a realistic route a skilled attacker could take from first contact to data theft. The steps are:
- Initial Access: Gaining a first foothold in the target environment (in FY23 most often through phishing, valid accounts, or default credentials).
- Execution: Running attacker-controlled code on a compromised system.
- Persistence: Keeping access across reboots, password changes, and cleanup attempts.
- Privilege Escalation: Obtaining higher-level, typically administrative, rights.
- Defense Evasion: Avoiding detection by security controls.
- Credential Access: Stealing account credentials such as passwords, hashes, or tokens.
- Discovery: Mapping the victim's network, hosts, accounts, and trust relationships.
- Lateral Movement: Moving between systems to reach the data or services of interest.
- Collection: Gathering the sensitive information the attacker is after.
- Command and Control: Communicating with compromised systems to direct the intrusion.
- Exfiltration: Transferring the collected data out of the network.
Why is this Attack Path Dangerous?
The attack path described is dangerous because it outlines a systematic approach that skilled threat actors can use to compromise an organization’s network. Each step builds on the previous one, allowing attackers to escalate their access, and ultimately exfiltrate sensitive data without being detected. The ability to move laterally within the network means that once an attacker gains initial access, they can explore the entire environment and identify valuable targets.
Misconfigurations significantly contribute to the success of such attacks by creating vulnerabilities that attackers can exploit. For example:
- Weak Access Controls: Misconfigured permissions can allow unauthorized users to gain initial access to systems or services that should be restricted.
- Anonymous Authentication: Environments that allow anonymous access to critical resources can be easily exploited, enabling attackers to execute malicious code without needing valid credentials.
- Default Credentials: Failure to change default usernames and passwords can provide attackers with easy entry points into systems.
- Inadequate Security Policies: Poorly defined or enforced security policies can leave gaps that attackers can exploit for privilege escalation and lateral movement.
- Lack of Monitoring: Insufficient monitoring can prevent organizations from detecting suspicious activities, allowing attackers to maintain their foothold and execute their plans undetected.
Key Techniques and Tactics from the CISA Report
The CISA report highlights essential techniques and tactics employed by cyber threat actors. Understanding these strategies is crucial for organizations to enhance their defenses and mitigate potential risks.
1. Valid Accounts
One of the key techniques identified in the CISA report is the abuse of valid accounts (ATT&CK technique T1078), which significantly enhances a threat actor's ability to navigate and manipulate a network. By using legitimate credentials, attackers bypass many controls designed to detect unauthorized access, because nothing about the login itself is malformed. The credentials are typically obtained through phishing campaigns or credential theft, where users unknowingly hand over their login information. Once attackers hold a valid account, their actions look like ordinary user activity, which makes it harder for security teams to separate malicious sessions from legitimate ones.
The use of valid accounts also facilitates lateral movement within the network, allowing attackers to access sensitive data and systems that would typically be off-limits. This tactic not only increases the potential impact of the breach but also prolongs the attack’s duration, as organizations may struggle to detect the intrusion amid the noise of normal user activity.
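Because a login with stolen but valid credentials is indistinguishable from a legitimate one at the protocol level, detection has to rely on behaviour: where and when a user normally logs in. The following Python script is an added example (not code from the CISA report or from CheckRed) that builds a per-user baseline of source networks and login hours from a learning window and flags later successful logins that break it. The `key=value` log format, the IP addresses, and the user names are constructed for the demonstration; real data would come from VPN, identity-provider, or Windows logon events with the same fields under different names.

```python
"""Detect valid-account abuse by comparing each successful login against a
per-user baseline of source networks and working hours.

Added example, not part of the CISA report or any product. The log format
below is constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: events before 2024-03-04 form the learning window,
# events on or after that date are the period under review.
SAMPLE_LOG = """\
2024-03-01T08:12:03Z user=alice src=10.20.1.15 result=success
2024-03-01T09:41:50Z user=alice src=10.20.1.15 result=success
2024-03-02T08:05:11Z user=alice src=10.20.1.22 result=success
2024-03-01T07:55:40Z user=bob src=10.20.2.8 result=success
2024-03-02T08:20:19Z user=bob src=10.20.2.8 result=success
2024-03-03T22:40:02Z user=bob src=10.20.2.8 result=failure
2024-03-04T03:17:44Z user=alice src=203.0.113.77 result=success
2024-03-04T08:10:30Z user=bob src=10.20.2.8 result=success
2024-03-04T08:31:09Z user=bob src=198.51.100.9 result=success
"""


def parse_events(text):
    """Parse the constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def network_of(ip):
    """Collapse a source address to its /24 so DHCP churn inside an office
    subnet does not look like a new location."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events, cutoff):
    """Per-user set of source networks and login hours seen in successful
    logins before the cutoff. Failed logins never contribute to a baseline."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "success":
            base[ev["user"]]["nets"].add(network_of(ev["src"]))
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base


def flag_anomalies(events, baseline, cutoff, slack_hours=2):
    """Return (event, reasons) for successful logins after the cutoff that
    come from an unseen network or fall outside the user's usual hours."""
    findings = []
    for ev in events:
        if ev["ts"] < cutoff or ev["result"] != "success":
            continue
        prof = baseline.get(ev["user"])
        reasons = []
        if prof is None:
            # A user with no history at all deserves a look, not silence.
            reasons.append("no_baseline")
        else:
            if network_of(ev["src"]) not in prof["nets"]:
                reasons.append("new_network")
            lo = min(prof["hours"]) - slack_hours
            hi = max(prof["hours"]) + slack_hours
            if not lo <= ev["ts"].hour <= hi:
                reasons.append("off_hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


def review(text=SAMPLE_LOG, cutoff=datetime(2024, 3, 4)):
    """Run the whole pipeline and return compact rows for each finding."""
    events = parse_events(text)
    baseline = build_baseline(events, cutoff)
    return [(ev["ts"].isoformat(), ev["user"], ev["src"], reasons)
            for ev, reasons in flag_anomalies(events, baseline, cutoff)]


if __name__ == "__main__":
    for row in review():
        print(*row)
```

On the constructed sample, alice's 03:17 login from 203.0.113.77 is flagged for both a new network and an off-hours time, bob's login from 198.51.100.9 is flagged for the new network only, and bob's usual 08:10 login from the office subnet passes. The point is not the thresholds (two hours of slack and a /24 are starting values, not tuned ones) but that a valid-account intrusion only becomes visible when the login is compared with the account's own history.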
2. Account Manipulation
Account manipulation (ATT&CK technique T1098) is used by cyber threat actors to abuse weaknesses in an organization's user management processes. It typically involves altering user privileges, adding accounts to privileged groups, or creating new accounts to retain unauthorized access to sensitive systems. Misconfigurations such as overly permissive access controls or inadequate oversight of user accounts let attackers make these changes without detection. For instance, if an organization does not regularly review and adjust user permissions, a compromised account can be raised to administrative level, giving the attacker significant control over critical resources.
Weak account lifecycle processes also leave dormant or unused accounts in place, and attackers look for exactly those. Such accounts often carry weak or long-unchanged passwords and nobody notices when they are used, making them prime targets for unauthorized access. Without effective monitoring of account changes, suspicious edits to group membership, privilege levels, or account settings go unrecognized.
3. Exploitation for Credential Access
In ATT&CK, Exploitation for Credential Access (T1212) is the technique of exploiting a software vulnerability to obtain credentials; it belongs to the broader Credential Access tactic, which also covers phishing, keylogging, and social engineering as ways to capture user credentials. Misconfigurations within an organization's security posture make all of these easier, particularly when password policies are weak or multi-factor authentication is not enforced. For example, if users are allowed to set easily guessable passwords, or if default credentials remain unchanged on appliances and service accounts, attackers can quickly take over valuable accounts and use them to extend the compromise.
Misconfigured systems can also expose credential material directly, making it easier for attackers to obtain passwords and hashes through credential dumping. If logging and monitoring are insufficient, the organization may fail to detect the unauthorized access attempts or the credential theft itself until long after the fact.
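The weaknesses named across this section (default credentials, dormant or long-unchanged accounts, and privileged accounts without multi-factor authentication) can all be found from an account inventory before an attacker does. The script below is an added example, not from the CISA report or any product, that audits a constructed inventory for those conditions. The account list, the vendor-default credential pairs, the date thresholds, and the use of SHA-256 to avoid holding plaintext passwords are all assumptions of the demonstration; a real directory stores other hash formats and the default list would come from the vendor documentation for the products actually deployed.

```python
"""Audit an account inventory for default credentials, stale passwords,
dormant accounts and privileged accounts without MFA.

Added example, not from the CISA report or any product. The inventory,
the default-credential list and the SHA-256 hashing are constructed for
the demonstration; real directories use other hash formats.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_hex(text):
    """Demo-only hash so the script never holds a plaintext password."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed vendor/default pairs. Kept as (user, hash) so a lookup can
# run against an exported inventory without a plaintext comparison.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"),
                       ("root", "toor"), ("svc_backup", "changeme")]
DEFAULT_HASHES = {(u, sha256_hex(p)) for u, p in DEFAULT_CREDENTIALS}

# Constructed inventory. pw_set / last_logon are ISO dates, or None when the
# password was never changed or the account never logged in.
ACCOUNTS = [
    {"user": "admin", "pw_hash": sha256_hex("admin"), "pw_set": "2022-01-10",
     "last_logon": "2024-03-01", "mfa": False, "privileged": True},
    {"user": "alice", "pw_hash": sha256_hex("correct horse battery staple"),
     "pw_set": "2024-02-01", "last_logon": "2024-03-14",
     "mfa": True, "privileged": False},
    {"user": "svc_backup", "pw_hash": sha256_hex("changeme"),
     "pw_set": "2021-06-01", "last_logon": "2023-09-15",
     "mfa": False, "privileged": True},
    {"user": "jsmith", "pw_hash": sha256_hex("Winter-Harbour-Lantern-42"),
     "pw_set": "2024-01-20", "last_logon": "2023-11-02",
     "mfa": True, "privileged": False},
    {"user": "legacy_app", "pw_hash": sha256_hex("Xq9!vL2#pR7@"),
     "pw_set": None, "last_logon": None, "mfa": False, "privileged": False},
]


def _older_than(date_str, now, days):
    """True when the date is missing (never happened) or older than `days`."""
    if date_str is None:
        return True
    return now - datetime.strptime(date_str, "%Y-%m-%d") > timedelta(days=days)


def audit_accounts(accounts, now, max_pw_age_days=365, dormant_days=90):
    """Return {user: [findings]} for every account with at least one finding.

    Findings, in check order: default_credential, stale_password, dormant,
    privileged_no_mfa. Accounts with no findings are omitted.
    """
    report = {}
    for acct in accounts:
        findings = []
        if (acct["user"], acct["pw_hash"]) in DEFAULT_HASHES:
            findings.append("default_credential")
        if _older_than(acct["pw_set"], now, max_pw_age_days):
            findings.append("stale_password")
        if _older_than(acct["last_logon"], now, dormant_days):
            findings.append("dormant")
        if acct["privileged"] and not acct["mfa"]:
            findings.append("privileged_no_mfa")
        if findings:
            report[acct["user"]] = findings
    return report


def run_audit(now=datetime(2024, 3, 15)):
    """Audit the constructed inventory as of a fixed date."""
    return audit_accounts(ACCOUNTS, now)


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(f"{user}: {', '.join(findings)}")
```

Against the constructed inventory, `admin` and `svc_backup` surface as the dangerous combination the report warns about: a vendor-default password on a privileged account that has no MFA. `jsmith` is a dormant but otherwise healthy account, and `legacy_app` shows why a missing date must count as a finding rather than a pass: an account whose password was never set and that never logged in is exactly the kind of forgotten access an attacker looks for.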
Wrapping Up
These are just some of the tactics used by threat actors, who continuously evolve their strategies to exploit vulnerabilities and gain unauthorized access to systems. By understanding these tactics, organizations can better prepare their defenses and implement targeted security measures to mitigate potential risks.
A complete cloud protection platform like CheckRed is vital for organizations aiming to defend against evolving cyber threats. By integrating solutions like CNAPP, SSPM, and more, CheckRed provides comprehensive visibility and control over SaaS and cloud environments. It helps identify vulnerabilities, enforce strong access controls, and monitor for suspicious activities in real time.
Additionally, it streamlines compliance efforts by automating security assessments and reporting, making it easier to meet regulatory requirements. By investing in a holistic cloud protection strategy, organizations can enhance their security posture and confidently safeguard their critical assets against potential breaches.