The Cybersecurity and Infrastructure Security Agency (CISA) has published an extensive report detailing findings from a Red Team Assessment (RTA) conducted for an unnamed U.S. critical infrastructure organization. The assessment aimed to evaluate the organization’s ability to detect and respond to sophisticated cyber threats. The findings underline vulnerabilities in technical controls, staff training, and risk prioritization, offering lessons and mitigations applicable across industries.
The CISA Red Team simulated real-world cyberattacks, ultimately gaining unauthorized access to sensitive systems due to insufficient controls, outdated configurations, and unaddressed vulnerabilities. The report highlights key lessons, including the need for continuous staff training, improved technical safeguards, and leadership accountability in prioritizing cybersecurity risks.
Significant findings include:
- Insufficient Technical Controls: Over-reliance on endpoint detection solutions and lack of robust network segmentation allowed unauthorized lateral movement within the organization.
- Training and Resource Deficiencies: Gaps in staff knowledge and insecure system configurations increased the organization's exposure.
- Inadequate Risk Management: Organizational leadership deprioritized critical security vulnerabilities, amplifying risks.
The report emphasizes the importance of adhering to Secure by Design principles and applying robust identity and access management systems. The Red Team also noted strengths in host-based protections and password policies, which mitigated some attack avenues.
CISA encourages critical infrastructure organizations to adopt the report’s detailed recommendations to improve their cybersecurity posture. The findings also stress the role of software manufacturers in embedding security throughout the software development lifecycle.