All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.
CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
EXECUTIVE SUMMARY
In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.
In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.
During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.