CISA’s Red Team Exercise Shows Value of Phishing, but Misses the Best Recommendation



Phishing was used to completely compromise the victim's environment after other repeated methods failed.

On July 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a report entitled “CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth.”

It describes a long-term attack simulation that a CISA red team (i.e., authorized ethical hackers) performed against a government agency, mimicking the tactics commonly used by nation-states and other cyber attackers. It’s a really good read with lots of good lessons and recommendations for any organization hoping to keep attackers out of its environment.

The report explains how the red team first gained access to the “victim’s” Solaris environment through an unpatched vulnerability. That in itself is not unusual: unpatched software and firmware are involved in 33% of successful attacks. Worse, after the red team reported the unpatched vulnerability directly to the victim, the organization did not patch it for two weeks, and it never noticed that the red team had gained access to the environment. The victim was not adequately monitoring the environment or generating alerts it could act on.

But the red team was eventually stymied: even with control of a privileged account and nearly complete control of the Solaris environment, it could not move into the victim’s broader and more important Microsoft Windows environment.

Eventually, the red team turned to email spear phishing, which succeeded. They first used open source intelligence (OSINT) gathering to collect employee names, email addresses and job titles, then used that information to craft tailored phishing emails that they sent to various employees.

One employee opened the spear phishing email, clicked the link and unknowingly installed an in-memory-only remote access trojan. From that foothold, the red team enumerated the environment, determined which anti-malware product was in use, and even worked out which directories were excluded from scanning. They then used those excluded directories to stage more sophisticated hacking tools.
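The exclusion trick described above works because an excluded folder that an ordinary user can write to is a free staging area for tooling. The PowerShell below is an added example, not code from CISA's report or from this post: it lists the local Microsoft Defender exclusions and flags any excluded directory that a broad, unprivileged principal can create files in. The three principal names treated as "unprivileged" are an assumption for an English-locale Windows host; adjust them for your environment.

```powershell
# Added example (not from the CISA report or this post): audit Microsoft
# Defender exclusions on the local host and flag excluded directories that
# a non-administrator can write to. An intruder with user-level code
# execution looks for exactly such a folder to stage tooling in.
# Requires the Defender module (Get-MpPreference); run elevated.

$prefs = Get-MpPreference

"== Path exclusions ==";      @($prefs.ExclusionPath)
"== Process exclusions ==";   @($prefs.ExclusionProcess)
"== Extension exclusions =="; @($prefs.ExclusionExtension)

# Principals that should never hold write rights on an excluded folder.
# Assumption: these three are "unprivileged" here; extend the list as needed.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

foreach ($path in (@($prefs.ExclusionPath) | Where-Object { $_ })) {
    if ($path -match '[\*\?]') {
        Write-Warning "Wildcard exclusion, review by hand: $path"
        continue
    }
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Excluded path does not exist (stale exclusion): $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        # CreateFiles (0x2) is what an intruder needs to drop a file; the
        # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits seen on
        # some inherited ACEs imply it as well.
        if (($rights -band 0x2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) {
            Write-Warning ("Excluded path {0} is writable by {1} ({2})" -f `
                $path, $ace.IdentityReference.Value, $ace.FileSystemRights)
        }
    }
}
```

Remember that a red team reads these same settings as a low-privileged user, which is why the report's finding mattered: every exclusion is a published hint about where scanning does not happen. Keep the list short, make sure excluded folders are writable only by administrators, and, where your Defender build supports hiding exclusions from local non-administrators, turn that on.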

They identified several weak service accounts, which led to the compromise of the current Windows domain and, later, other connected Windows domains. They compromised a Microsoft System Center Configuration Manager (SCCM) server on which several administrator-level accounts were logged in but idle. From there, they were able to move to the organization’s administrative “jump servers,” used for performing administrative tasks.
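The idle administrator sessions on the SCCM server are the kind of condition a defender can check for routinely. The script below is an added example, not from CISA's report or this post: run on a server such as an SCCM or jump host, it lists console and RDP logon sessions, marks the ones belonging to members of the local Administrators group, and warns about privileged sessions older than a threshold. The eight-hour threshold and the English group name 'Administrators' are assumptions; domain users who are administrators only through nested group membership are not resolved and show as IsAdmin = False.

```powershell
# Added example (not from the CISA report or this post): list interactive
# (console) and RDP sessions on the local server, tag those that belong to
# members of the local Administrators group, and flag privileged sessions
# open longer than a threshold. An administrator's idle session on a server
# like SCCM leaves credential material in memory for an intruder. Run elevated.
# Assumption: 8 hours is "too long" for this environment; adjust as needed.
param([int]$MaxSessionHours = 8)

# LogonType 2 = Interactive (console), 10 = RemoteInteractive (RDP)
$interactiveTypes = 2, 10
$sessions = Get-CimInstance Win32_LogonSession |
    Where-Object { $interactiveTypes -contains $_.LogonType }
$loggedOn = Get-CimInstance Win32_LoggedOnUser

# Direct members of the local Administrators group, as "DOMAIN\name".
# Assumption: English group name; nested domain groups are not expanded.
$localAdmins = (Get-LocalGroupMember -Group 'Administrators').Name

$now = Get-Date
$results = foreach ($s in $sessions) {
    # Map each logon session (by LogonId) back to the account(s) that own it.
    $users = $loggedOn |
        Where-Object { $_.Dependent.LogonId -eq $s.LogonId } |
        ForEach-Object { '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name } |
        Sort-Object -Unique
    foreach ($u in $users) {
        [pscustomobject]@{
            User      = $u
            LogonType = if ($s.LogonType -eq 10) { 'RDP' } else { 'Console' }
            Started   = $s.StartTime
            AgeHours  = [math]::Round(($now - $s.StartTime).TotalHours, 1)
            IsAdmin   = $localAdmins -contains $u
        }
    }
}

$results | Sort-Object AgeHours -Descending | Format-Table -AutoSize

$stale = $results | Where-Object { $_.IsAdmin -and $_.AgeHours -gt $MaxSessionHours }
foreach ($r in $stale) {
    Write-Warning ("Privileged {0} session for {1} has been open {2} h; log it off or investigate" -f `
        $r.LogonType, $r.User, $r.AgeHours)
}
```

Scheduling this on administrative servers and alerting on the warnings gives you the detection the victim organization in the report lacked: a privileged session that has been sitting on an SCCM or jump server all week is either a bad habit to correct or an attacker to investigate.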

All in all, the red team maintained undetected persistence for months, compromised administrative accounts and passwords, bypassed anti-malware tools, and exfiltrated gigabytes of data without ever being detected.

And all of this access was accomplished using OSINT and phishing. That is no surprise: 70-90% of all cyber compromises involve social engineering and phishing, and spear phishing, which often involves OSINT, is responsible for 66% of all breaches by itself.

One attacker method is responsible for two-thirds of all successful attacks!

And 79% of successful credential thefts come through phishing. So none of the methods used by the red team, all of them based on real-world attacks, is surprising.

Sadly, less than 5% of most organizations’ IT and IT security budgets is aligned with fighting human-based risk. That needs to change.

Unfortunately, CISA’s own report on the exercise, after detailing how phishing was used to completely compromise the environment when other attack methods had failed, does not recommend stronger security awareness training.

Note: CISA’s report also does not recommend phishing-resistant multi-factor authentication (MFA), which can stop many social engineering attacks from succeeding.

Sadly, this is not unusual. A report that identifies phishing as the attackers’ top successful method still fails to suggest better educating end users to reduce the risk. This failure to consistently recommend stronger education is one of the key reasons social engineering and phishing have been used so successfully by hackers (and red teams) for decades. Phishing keeps being used to break into places, and defenders don’t defend well enough against it.

Break the cycle: make sure your users receive best-in-class security awareness training and simulated phishing testing. Both should be done at least monthly, if not more frequently. Our data shows that the more frequently organizations train and run phishing simulations, the lower their human risk.

Phishing is the number one way attackers break into environments. Make sure your defense reflects that reality.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now: https://www.knowbe4.com/phishing-security-test-offer

Topics: Phishing
