1. INTRODUCTION
   1. Attack Path Analysis

INTRODUCTION

This report analyzes a sample attack path that a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in the FY20 RVAs.² The path comprises six successive tactics, or “steps”: Initial Access, Command and Control, Lateral Movement, Privilege Escalation, Collection, and Exfiltration. In addition to this analysis, the report includes the following observations:

• Most of the successful attacks proved to be methods commonly used by threat actors, e.g., phishing, use of default credentials.

• The list of tools and techniques used to conduct these common attacks is ever changing.

• Many of the organizations exhibited the same weaknesses.

Attack Path Analysis

CISA developed the following sample attack path based loosely on the ATT&CK methods used by the assessment teams and the varying success rates of each tactic and technique. Considering the most successful methods, it is reasonable to assume that a skilled threat actor may follow this path to successfully exploiting its target.

This path is not all-encompassing of the potential steps used by malicious actors and not all attack paths follow this model. However, these steps serve to highlight some of the more successful attack strategies used during RVAs and the impacts these strategies have had on a target network.

The attack path begins with a step required by many real-world attacks: gaining Initial Access [TA0001]. Next in the path is establishing Command and Control [TA0011]. Using the initial foothold within the network, Lateral Movement [TA0008] is conducted, followed by attempts at Privilege Escalation [TA0004]. Once entrenched in the network, the focus of our path switches to the Collection [TA0009] of sensitive data and concludes with Exfiltration [TA0010].

Note: This attack path does not directly align with the techniques and methods used by the RVA teams. See Figure 1 for tactic icons used in this report.

²See https://www.cisa.gov/publication/rva for the FY20 infographic:* RVAs Mapped to the MITRE ATT&CK Framework,* which breaks out the top three most successful techniques for each tactic documented by the FY20 RVAs.

Figure 1: Tactic Icons

A thorough analysis of vulnerability trends (i.e., prevalence over time, types of systems and agencies impacted, etc.) includes an examination of the impact the vulnerabilities have on affected systems. The below attack path analysis includes an Impact section for each tactic that details the possible results of successful exploitation.

Additionally–because awareness of critical vulnerabilities alone does not successfully improve security posture—the analysis includes a Mitigation/Remediation section for each tactic, which details mitigations/remediations for the vulnerabilities associated with each attack strategy.

Finally, to provide more context to the attack methods discussed and highlight how each tactic is enacted, the analysis includes known TTPs associated with Advanced Persistent Threat (APT) group APT39.³ An examination of real world, adversarial TTPs can aid vulnerability analysts in determining the actual effectiveness of current and future network protections and help prioritize mitigation activities.

Table of Contents

• INTRODUCTION
• INITIAL ACCESS
• COMMAND AND CONTROL (C2)
• LATERAL MOVEMENT
• PRIVILEGE ESCALATION
• COLLECTION
• EXFILTRATION
• CONCLUSION
• REFERENCES