The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released its Analysis of FY21 Risk and Vulnerability Assessments along with an infographic mapping to the MITRE ATT&CK® Framework of 112 Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2021. The report identifies routinely exploited and consistently successful attack paths that CISA observed during RVAs across multiple sectors, including nearly 40 percent conducted for entities in the water and wastewater sector – members have access to the water/wastewater sector-specific report at WaterISAC. The infographic provides a quick-look at the three most successful techniques for each tactic along with the top 10 mitigations that the RVAs documented.
According to the report, phishing links and attachments continue to be top techniques used to gain initial access into target environments. However, 2021 saw a significant increase in threat actors using valid accounts which were responsible for 51 percent of successful attempts to gain initial access. Valid accounts used for exploitation are often from previous employee accounts that have not been removed from the active directory or default administrator accounts and allow for insecure software to be installed on or executed on a system or network. Network administrators and IT professionals are encouraged to review and apply the recommended defensive strategies to protect against the observed tactics and techniques. Access the FY21 RVA report and infographic at CISA.
About CISA's Risk and Vulnerability Assessments (RVAs): During an RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information in order to provide an organization with actionable remediation recommendations prioritized by risk. This assessment is designed to identify vulnerabilities that adversaries could potentially exploit to compromise network security controls. After completing the RVA, the organization will receive a final report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details.
An RVA is just one of the many services offered by CISA to its critical infrastructure partners. WaterISAC encourages members to consider these services to proactively identify potential system vulnerabilities and generally improve the cybersecurity postures of their utilities. Read more about these services at CISA’s Cyber Resource Hub.