CISA and USCG’s FY2023 Risk and Vulnerability Assessment

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard (USCG) conducted comprehensive Risk and Vulnerability Assessments (RVAs) for 2023, targeting various federal, private, and public infrastructure sectors. The findings from these assessments not only reveal the most common attack vectors but also highlight critical vulnerabilities in network security. This analysis sheds light on recurring security gaps across multiple industries and provides actionable strategies for improving cybersecurity postures.

The FY2023 RVAs revealed that the most successful attacks exploited common weaknesses such as phishing, valid accounts, and default credentials. These tactics, which were also prevalent in previous years, remain the most effective ways for threat actors to gain entry to networks. The assessments showed that many organizations, regardless of sector, face similar cybersecurity difficulties, owing to a lack of strong secure-by-design practices and widespread misconfigurations. The frequency of these vulnerabilities suggests that, while cybersecurity awareness is growing, basic defensive measures remain inadequately applied across industries.

The RVA assessments provide a detailed map of how attackers exploit known vulnerabilities in a stepwise manner, modeled on the MITRE ATT&CK® framework. The framework catalogs the tactics and techniques threat actors use to infiltrate and compromise network systems. In FY2023, the assessed attack paths mapped to 11 of the 14 ATT&CK tactics, with the essential phases of an attack being Initial Access, Persistence, Privilege Escalation, and Credential Access. These stages allow attackers to establish a foothold, extend their reach within the network, and gain access to critical information while remaining undiscovered for extended periods of time.

A particularly important section of the report emphasizes that valid accounts remain a serious risk. Valid accounts, whether stolen or obtained through default credentials, enabled attackers to bypass standard safeguards with ease. In fact, 41% of successful attacks relied on valid account access. This highlights the crucial need for enterprises to implement stricter password policies, enforce multi-factor authentication (MFA), and audit account access controls on a regular basis.

The report also examines real-world attack vectors that correspond to the techniques of known cyber threat actors. Groups such as APT15 and Volt Typhoon frequently exploit valid accounts and employ evasive tradecraft to avoid detection. Their activities demonstrate how network security flaws can be exploited for long-term espionage operations, especially in critical infrastructure sectors. These threat actors frequently exploit misconfigurations in systems and software to remain undiscovered for months or even years, underscoring the importance of enterprises implementing advanced detection and monitoring measures.

Privilege Escalation is another critical stage in an attack, in which attackers gain administrative access to systems, allowing them to cause considerable disruption or steal important information. According to the RVA analysis, 94.4% of the entities assessed had default administrator accounts, making it extremely easy for attackers to escalate privileges once inside the network. Privilege escalation is one of the most dangerous tactics because it allows attackers to control important systems, obtain deeper network access, and compromise an organization's most sensitive information.

The assessments also identified defense evasion techniques, such as process injection and the use of valid accounts, which allow attackers to remain undetected on compromised hosts. Attackers, particularly state-sponsored groups such as Volt Typhoon, are well known for their ability to blend malicious activity with routine system operations, frequently using native tools that are already installed on the system. This approach, known as Living-Off-The-Land (LOTL), is difficult to detect because it avoids deploying malware and instead abuses the system's own tools and misconfigurations.

The report's recommended mitigations are closely aligned with CISA and NIST's Cross-Sector Cybersecurity Performance Goals (CPGs). They include adopting strong password rules, enforcing phishing-resistant multi-factor authentication, and routinely updating software to address known vulnerabilities. Organizations are encouraged to rigorously monitor their systems, notably through log collection and analysis, to detect and respond to anomalies before they develop into a full-fledged attack.

The FY2023 RVA analysis emphasizes the importance of a layered security approach that includes network segmentation, centralized log collection, and continuous monitoring for suspicious activity. Segmenting networks limits an attacker's ability to move laterally once inside, lowering the risk of widespread damage. Centralized logging helps track unauthorized access and gives incident response teams the data they need in the event of a security breach.
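As an added illustration of what centralized log review can catch (this is example code written for this summary, not tooling from the CISA/USCG report), the script below scans a handful of constructed authentication records for two of the findings the RVAs call out: successful logons with default or built-in administrator account names, and successful logons that completed without MFA. The key=value log format, the field names, and the list of default account names are assumptions; adapt them to whatever your SIEM actually emits.

```python
"""Flag risky successful logons in centralized authentication logs.

Added example, not code from the CISA/USCG FY2023 RVA report. The log
format below is a constructed, syslog-like key=value layout chosen for
illustration; real products use their own field names.
"""
from collections import Counter

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2024-03-01T08:01:10Z host=web01 event=logon user=administrator src=10.0.5.22 mfa=no result=success
2024-03-01T08:02:45Z host=web01 event=logon user=jsmith src=10.0.5.23 mfa=yes result=success
2024-03-01T08:03:02Z host=db02 event=logon user=root src=10.0.9.9 mfa=no result=success
2024-03-01T08:03:30Z host=db02 event=logon user=svc_backup src=10.0.9.9 mfa=no result=success
2024-03-01T08:04:00Z host=app03 event=logon user=jsmith src=10.0.5.23 mfa=no result=failure
2024-03-01T08:05:11Z host=app03 event=logon user=admin src=203.0.113.7 mfa=no result=success
"""

# Account names that commonly exist by default on hosts and appliances.
# Assumed starting list; extend it with the defaults your environment ships.
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}


def parse_line(line: str) -> dict:
    """Split one record into a dict. The first token is the timestamp;
    every remaining token is expected to be key=value."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = {"timestamp": timestamp}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:  # skip any stray token that is not key=value
            fields[key] = value
    return fields


def find_risky_logons(log_text: str, default_names=DEFAULT_ADMIN_NAMES) -> list:
    """Return one finding per *successful* logon that used a default
    administrator name and/or completed without MFA. Failed logons are
    ignored here; they belong in a separate brute-force detection."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "logon" or rec.get("result") != "success":
            continue
        reasons = []
        if rec.get("user", "").lower() in default_names:
            reasons.append("default_admin_account")
        # Treat a missing mfa field as "no": absence of evidence is not MFA.
        if rec.get("mfa", "no").lower() != "yes":
            reasons.append("no_mfa")
        if reasons:
            findings.append({
                "timestamp": rec["timestamp"],
                "host": rec.get("host", "?"),
                "user": rec.get("user", "?"),
                "src": rec.get("src", "?"),
                "reasons": reasons,
            })
    return findings


def summarize(findings: list) -> Counter:
    """Count how often each reason fired, for a quick posture readout."""
    return Counter(reason for f in findings for reason in f["reasons"])


if __name__ == "__main__":
    results = find_risky_logons(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['host']} user={f['user']} "
              f"src={f['src']} -> {', '.join(f['reasons'])}")
    print("summary:", dict(summarize(results)))
```

The two checks are deliberately simple: the point is that once logons from every host land in one place, a few lines of filtering surface exactly the conditions the assessments found at 94.4% of entities (default administrator accounts in use) and behind 41% of successful attacks (valid account access), and the summary counter gives a number you can track down over time.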

Ultimately, the findings from this analysis highlight that while significant progress has been made in cybersecurity, many organizations still face critical gaps that leave them vulnerable. Addressing these gaps through the adoption of best practices and rigorous security protocols will be essential for reducing the risk of future cyberattacks.
