On July 31, 2025, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) presenting findings from a recent proactive hunt engagement led by CISA at the U.S. Coast Guard (USCG). The purpose of a hunt engagement is to search a customer's network for evidence of malicious activity or the presence of cyber threat actors. The USCG invited CISA to conduct the hunt to determine whether an actor had been present in its environment.
The hunt engagement was successful: CISA did not identify evidence of malicious cyber activity or actor presence within the environment. It did, however, identify cybersecurity risks, including:
- Insufficient logging
- Insecurely stored credentials
- Shared local administrator credentials across multiple workstations
- Unrestricted remote access for local admin accounts
- Insufficient network segmentation configuration between IT and OT assets
- Several device misconfigurations
Although the CISA advisory references only a limited set of specific techniques, AttackIQ customers can emulate the techniques it does mention as part of the hunt engagement by running the following scenarios in their environment:
- Create Account
- Lateral Movement Through SSH
- Lateral Movement Through Remote Desktop Protocol
- Open Ports Checker
AttackIQ customers can additionally reference MITRE Tables 1 through 9 in the Appendix section of the CSA. Although the specific implementation of these techniques is not described in the report, AttackIQ customers can find many existing scenarios to test the various possible tactics and techniques referenced in these tables.
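As an added illustration of the detection side of the scenarios above (this is example code written for this post, not code from the CISA advisory or from AttackIQ's platform), the Python script below runs simple detection logic over a few constructed log lines. It flags Windows account-creation events (Event ID 4720), Remote Desktop logons (Event ID 4624 with logon type 10), SSH logons accepted by sshd, and any remote logon by a local administrator account, and it summarizes which hosts each local admin account reached remotely, which is the pattern that the shared-credential and unrestricted-remote-access findings listed earlier would surface. The event IDs and logon types are the standard Windows Security ones; the JSON field layout, the LOCAL_ADMIN_ACCOUNTS set, and the sample log lines are assumptions constructed for the example.

```python
import json
import re
from collections import defaultdict

# Standard Windows Security event IDs and logon types (documented by Microsoft).
EVENT_ACCOUNT_CREATED = 4720   # a user account was created
EVENT_LOGON_SUCCESS = 4624     # an account was successfully logged on
LOGON_TYPE_NETWORK = 3         # network logon, e.g. via admin shares
LOGON_TYPE_RDP = 10            # RemoteInteractive (Remote Desktop)
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}   # source addresses that mean "local"

# Assumption (hypothetical): local administrator account names that exist on the
# workstations and OT gateways and should never be used for remote logons.
LOCAL_ADMIN_ACCOUNTS = {"Administrator", "localadmin", "root"}

# OpenSSH "Accepted <method> for <user> from <src> port <n>" in a syslog-style auth log.
SSHD_ACCEPTED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample input: Windows events as one JSON object per line (constructed
# field layout: EventID, Computer, TargetUserName, LogonType, IpAddress, SubjectUserName)
# mixed with Linux sshd syslog lines.
SAMPLE_LOG = """
{"EventID": 4720, "Computer": "WS01", "SubjectUserName": "jsmith", "TargetUserName": "svc_backup"}
{"EventID": 4624, "Computer": "WS01", "TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "127.0.0.1"}
{"EventID": 4624, "Computer": "WS02", "TargetUserName": "localadmin", "LogonType": 10, "IpAddress": "10.10.5.21"}
{"EventID": 4624, "Computer": "WS03", "TargetUserName": "localadmin", "LogonType": 3, "IpAddress": "10.10.5.21"}
Jul 31 10:15:01 ot-gw01 sshd[2231]: Accepted password for root from 10.10.5.21 port 51234 ssh2
Jul 31 10:16:44 ot-gw01 sshd[2240]: Accepted publickey for opsuser from 10.10.7.3 port 51240 ssh2
"""


def _finding(kind, host, user, source):
    return {"kind": kind, "host": host, "user": user, "source": source}


def analyze_log(text):
    """Return (findings, admin_hosts).

    findings    - one dict per matched event, in log order
    admin_hosts - {local admin account: sorted list of hosts it logged on to remotely}
    """
    findings = []
    admin_hosts = defaultdict(set)

    def note_remote_admin(host, user, source):
        # A local admin account logging on from a non-local source is the
        # "unrestricted remote access for local admin accounts" risk in action.
        if user in LOCAL_ADMIN_ACCOUNTS and source not in LOCAL_SOURCES:
            admin_hosts[user].add(host)
            findings.append(_finding("remote_local_admin_logon", host, user, source))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{"):
            ev = json.loads(line)
            host, user = ev.get("Computer"), ev.get("TargetUserName")
            if ev.get("EventID") == EVENT_ACCOUNT_CREATED:
                # "Create Account" scenario: who created which account on which host
                findings.append(_finding("account_created", host, user, ev.get("SubjectUserName")))
            elif ev.get("EventID") == EVENT_LOGON_SUCCESS:
                source, logon_type = ev.get("IpAddress"), ev.get("LogonType")
                if logon_type == LOGON_TYPE_RDP:
                    # "Lateral Movement Through Remote Desktop Protocol" scenario
                    findings.append(_finding("rdp_logon", host, user, source))
                if logon_type in (LOGON_TYPE_NETWORK, LOGON_TYPE_RDP):
                    note_remote_admin(host, user, source)
            continue
        m = SSHD_ACCEPTED.match(line)
        if m:
            # "Lateral Movement Through SSH" scenario
            findings.append(_finding("ssh_logon", m["host"], m["user"], m["src"]))
            note_remote_admin(m["host"], m["user"], m["src"])

    return findings, {u: sorted(h) for u, h in admin_hosts.items()}


if __name__ == "__main__":
    found, hosts = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:26} host={f['host']} user={f['user']} source={f['source']}")
    for user, reached in hosts.items():
        print(f"local admin '{user}' logged on remotely to: {', '.join(reached)}")
```

Run it as-is to see the seven findings the sample produces; in practice the same logic would be pointed at exported Security and auth logs after the scenarios have been run, and any scenario whose events never show up is a direct indicator of the insufficient-logging risk the advisory calls out.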
Detection and Mitigation Opportunities
Given the limited number of techniques referenced as part of this hunt engagement, AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Mitigation Recommendations:
CISA has provided a significant number of mitigation recommendations on the best ways to defend against these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, to determine whether any of these risks already affect you, before reviewing the assessment results.
Wrap-up
In summary, the recommendations described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes, and security controls against these and similar threats. With data generated from continuous testing and the use of these existing scenarios, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known adversaries.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
