CONCLUSION

After conducting trend analysis on the 37 RVA reports executed by CISA, several high-level observations were identified. Methods such as phishing and the use of default credentials were still viable attacks. This shows that the methodologies used to compromise much of our infrastructure have not changed drastically over time. As a result, network defenders must refocus their efforts on deploying the myriad of mitigation steps already known to be effective.

Unfortunately, the list of tools and techniques used to conduct well-known attacks is constantly evolving. For this reason, network defenders must remain vigilant in understanding and observing the signatures of new TTPs. An additional observation is that for several MITRE categories, many organizations exhibited the same weaknesses. Threat actors, with capability and intent, may be successful at compromising many agencies across multiple sectors. Conversely, the benefit of this trend is that the high-level mitigation recommendations made by CISA may apply to many organizations. However, individual organizations will need to tailor fix guidance to fit their specific network architectures while dealing with their specific resource constraints. CISA strongly recommends system owners and administrators convey this guidance to their leadership and apply changes relevant to the nuances of their specific environments.

Finally, CISA concludes that analysis of this nature may help network defenders—across multiple sectors and organizations—effectively prioritize the identification and mitigation of high-level vulnerabilities. CISA intends for future iterations of this effort to incorporate the specific TTPs used by the assessment teams, which should facilitate a more thorough analysis and potentially improve mitigation recommendations.
