Response to CISA Advisory (AA23-349A): Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment

In response to the recently published CISA Advisory (AA23-349A) that disseminates Tactics, Techniques and Procedures (TTPs), mitigation and detection methods associated with a Risk and Vulnerability Assessment (RVA) carried out by CISA as requested by a Healthcare and Public Health (HPH) sector organization, AttackIQ recommends that customers take the following testing actions in alignment with the RVA.

On December 15, 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) providing Tactics, Techniques and Procedures (TTPs), mitigation and detection methods associated with a Risk and Vulnerability Assessment (RVA) carried out by CISA as requested by a Healthcare and Public Health (HPH) sector organization. CISA carried out the RVA, which included a full penetration test over a two-week period in January 2023. During the first week, the external assessment did not uncover any significant or exploitable attack vectors that would allow malicious actors to obtain initial access. During the second week, which included the internal testing phase, the team was able to exploit misconfigurations, weak passwords and other issues identified through multiple attack paths which led to successfully compromising the organization’s domain.

In response to CISA’s RVA, AttackIQ recommends the following actions described in this blog post. It is important to note that due to the sensitivity of the engagement and reporting by CISA, some technical procedural level details are excluded from the CSA. As a result, the AttackIQ scenario recommendations offer a starting point for further testing, depending on your specific environment, risk profile, and individual circumstances. The Appendix contained in the CSA should be referenced to guide additional testing using scenarios within the Scenario Library of the AttackIQ platform.

Attack Path 1:

Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): Kerberoasting allows an attacker to request service tickets for accounts that have a Service Principal Name (SPN) and attempt to extract those accounts' password hashes from the tickets.

The PCAP Replay – Kerberoasting Attack using Impacket’s GetUsersSPNs.py Script AttackIQ scenario can be used to test and validate network security controls by replaying, between two assets, the packets of a Kerberoasting attack performed with GetUsersSPNs.

Attack Path 2:

Active Scanning: Scanning IP Blocks (T1595.001): Although no procedural-level details were included regarding how CISA mapped the network to identify open ports, the Open Ports Checker AttackIQ scenario is a good starting point for emulating open-port scanning with the popular network scanning tool nmap. This scenario offers several ways to scan for open ports internally, as well as externally via an AttackIQ-hosted agent.

Attack Path 3:

Steal or Forge Kerberos Tickets (T1558): The PetitPotam NTLM Relay to ADCS Attack (ESC8) AttackIQ scenario can be used to emulate CVE-2021-36942 which abuses a method in the authentication process of the Microsoft Encrypting File System Remote Protocol (EFSRPC).

OS Credential Dumping: DCSync (T1003.006): The DCSync Attack AttackIQ scenario emulates the DCSync attack, which obtains password data for targeted accounts by impersonating a Domain Controller and requesting replication data from a legitimate Domain Controller.

Attack Path 5:

Exploitation of Remote Services (T1210): The Lateral Movement Through Exploitation AttackIQ scenario can be used to emulate the well-known EternalBlue exploit (CVE-2017-0144).

Detection and Mitigation Opportunities

Given the number of different techniques being utilized during the RVA, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a considerable number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, to determine whether you are already affected, before reviewing the assessment results.

2. OS Credential Dumping: LSASS Memory (T1003):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

2a. Detection

Search for executions of Mimikatz that attempt to access the LSASS process:

Process Name == (mimikatz)
Command Line CONTAINS ('lsass')
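The detection rule above, implemented as an added example (not code from the AttackIQ post or platform) and run over constructed sample telemetry. It goes one step beyond the post's rule by also flagging handles opened on lsass.exe by processes outside an allowlist, which catches a renamed binary whose name and command line never mention Mimikatz or LSASS; the event field names and the allowlist are assumptions, not a product schema.

```python
"""LSASS-access detection over constructed Sysmon-like events (added example)."""

# Constructed sample telemetry: id 1 = process create, id 10 = process access.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"id": 1, "image": r"C:\tools\dumpproc.exe",              # constructed tool name
     "cmdline": "dumpproc.exe --process lsass.exe --out C:\\temp\\out.bin"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 10, "source_image": r"C:\temp\svc.exe",             # renamed tool, nothing in the name
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
]

# Processes expected to open LSASS handles legitimately; tune per environment (assumption).
ALLOWED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def matches_rule(event):
    """Return a short reason string when the event matches, else None."""
    if event["id"] == 1:
        # The post's rule: process name is mimikatz, or the command line references lsass.
        if "mimikatz" in basename(event["image"]):
            return "process name matches mimikatz"
        if "lsass" in event["cmdline"].lower():
            return "command line references lsass"
    elif event["id"] == 10 and basename(event["target_image"]) == "lsass.exe":
        # Beyond the post's rule: a handle on lsass.exe opened by a non-allowlisted process.
        if basename(event["source_image"]) not in ALLOWED_LSASS_READERS:
            return f"unexpected lsass.exe access (GrantedAccess {event['granted_access']})"
    return None


def scan(events):
    """Return (index, reason) pairs for every event that matches."""
    return [(i, r) for i, e in enumerate(events) if (r := matches_rule(e))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The benign svchost and csrss events produce no hit, while the renamed svc.exe is caught only by the process-access check, which is why name-based rules should be paired with handle-access telemetry.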

2b. Mitigation

MITRE ATT&CK lists the following mitigations for this technique:

Wrap-up

In summary, the recommended steps as described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes, and controls against this threat. With data generated from continuous testing and use of these AttackIQ scenarios, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known and dangerous threats.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.