CISA: Valid Accounts A Prevailing Technique for Attacks in 2022

Category: Critical Infrastructure Security | Industries: Critical infrastructure, Government | Sources: CISA & The Record

A risk and vulnerability assessment (RVA) program run by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified the attack techniques most frequently observed against government agencies and critical infrastructure organizations, mapped to MITRE ATT&CK. Across 121 assessments, the technique "Valid Accounts" stood out clearly: it was the technique most commonly used to gain initial access, evade defenses, establish persistence, and escalate privileges. Specifically, "Valid Accounts" accounted for 51.5% of initial access attacks, 25% of defense evasion, 72% of persistence, and 47.4% of privilege escalation. For the remaining tactics, the top techniques were:

  • Execution: PowerShell at 12.7%
  • Credential Access: LLMNR/NBT-NS Poisoning & SMB Relay at 19.9%
  • Discovery: Account Discovery at 8.9%
  • Lateral Movement: Pass the Hash at 27.3%
  • Collection: Data from Network Shared Drive at 33.1%
  • Command & Control: Non-Standard Port at 15.3%
  • Exfiltration: Exfiltration Over C2 Channel at 65.6%
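"Valid Accounts" recurs across initial access, persistence and privilege escalation because the logons themselves look legitimate; what gives them away is deviation from an account's own history. The following Python is an added example, not code from CISA's RVA or from the article: it builds a per-account baseline from constructed logon records (the accounts, hosts and timestamps are invented for this example) and flags later logons from a host the account has never used, with a logon type it has never used, or at an hour outside its usual pattern. The function names (`parse_logon`, `build_baseline`, `find_anomalies`, `run_example`) are this example's own.

```python
"""Baseline-deviation check for abuse of valid accounts (ATT&CK T1078).

Added example: the log lines, account names and host names below are
constructed for illustration and do not come from any real assessment.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful logons, one per line as
# "<ISO timestamp> <account> <source host> <logon type>".
# Windows logon types: 2 = interactive, 3 = network, 10 = remote interactive (RDP).
SAMPLE_LOGONS = [
    # Baseline week: routine working-hours activity.
    "2022-03-01T09:02:11 jdoe WS-041 2",
    "2022-03-01T09:05:40 jdoe FILE-SRV-01 3",
    "2022-03-02T08:55:03 jdoe WS-041 2",
    "2022-03-02T13:17:22 svc-backup BACKUP-01 3",
    "2022-03-03T09:10:51 jdoe WS-041 2",
    "2022-03-03T14:30:09 jdoe FILE-SRV-01 3",
    "2022-03-04T02:00:00 svc-backup BACKUP-01 3",
    # Detection window: the same accounts, but not the same behaviour.
    "2022-03-08T09:01:17 jdoe WS-041 2",             # normal
    "2022-03-08T23:41:05 jdoe DC-01 10",             # new host, RDP, late night
    "2022-03-09T03:12:44 svc-backup FILE-SRV-01 3",  # service account on a new host
]

# Everything before this point is treated as known-good history (constructed cutoff).
BASELINE_END = datetime(2022, 3, 7)

# Hours within this distance of a baseline hour are still considered usual.
HOUR_TOLERANCE = 1


def parse_logon(line):
    """Split one constructed logon line into a dict with typed fields."""
    ts, account, host, logon_type = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "account": account,
        "host": host,
        "logon_type": int(logon_type),
    }


def build_baseline(events, cutoff):
    """Per account: the hosts, logon types and hours seen before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "types": set(), "hours": set()})
    for e in events:
        if e["time"] < cutoff:
            b = baseline[e["account"]]
            b["hosts"].add(e["host"])
            b["types"].add(e["logon_type"])
            b["hours"].add(e["time"].hour)
    return dict(baseline)


def find_anomalies(events, baseline, cutoff):
    """Return (timestamp, account, reasons) for each post-cutoff logon that
    departs from the account's baseline. A logon with no reasons is silent."""
    findings = []
    for e in events:
        if e["time"] < cutoff:
            continue
        b = baseline.get(e["account"])
        reasons = []
        if b is None:
            reasons.append("account never seen in baseline")
        else:
            if e["host"] not in b["hosts"]:
                reasons.append(f"first logon to {e['host']}")
            if e["logon_type"] not in b["types"]:
                reasons.append(f"new logon type {e['logon_type']}")
            hour = e["time"].hour
            if not any(abs(hour - h) <= HOUR_TOLERANCE for h in b["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            findings.append((e["time"].isoformat(), e["account"], reasons))
    return findings


def run_example():
    """Parse the constructed sample, build the baseline, and return the findings."""
    events = [parse_logon(line) for line in SAMPLE_LOGONS]
    baseline = build_baseline(events, BASELINE_END)
    return find_anomalies(events, baseline, BASELINE_END)


if __name__ == "__main__":
    for when, account, reasons in run_example():
        print(f"{when} {account}: {'; '.join(reasons)}")
```

The routine logon at 09:01 produces nothing, while the late-night RDP logon to a new host and the service account appearing on a file server are each reported with the specific deviations. In production the baseline would come from weeks of authentication telemetry rather than a handful of lines, and the hour tolerance would be tuned per account class (service accounts that legitimately run overnight jobs need a different profile from interactive users).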

While analyzing the attacks, Gabriel Davis, CISA's risk operations lead, observed a recurring pattern in threat actor activity that keeps producing the "same issues." In a statement to Recorded Future News, Davis noted that threat actors are "modifying their TTPs (Tactics, Techniques, and Procedures)," yet there is no significant "deviation from the activity they’ve done in the past." Davis argues that if organizations make even small adjustments to their technology controls, it can go a long way toward improving their security posture.
