[QueryCorner][October2023] Reviewing NSA and CISA Top 10 Misconfigurations

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


On October 5th, 2023, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (JSA) under the alert code AA23-278A to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Alert Code AA23-278A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

In this post, we will review the list and share feedback, including relevant resources and knowledge base articles, to support securing your organizations footprint in line with the advisory. Some of the details are direct from the advisory. It is important to note that Sophos cannot advise on 3rd-party configurations. If you are curious for any custom query for your Sophos Central XDR licensing, please post within our Live Discover and Response forum.

1) Default Configurations of Software and Applications

  • Default Credentials
    • Predefined credentials for administration of commercial off-the-shelf (COTS) technology
    • Includes hardware and software deployment
1072 Software Deployment Tools
1078.001 Valid Accounts: Default Accounts
1078.002 Valid Accounts: Domain Accounts
1098 Account Manipulation
1133 External Remote Services
1589.001 Gather Victim Identity Information: Credentials
  • Default Service Permissions and Configuration Settings 
    • Out-of-box (OOB) has overly permissive controls or vulnerable configurations
    • Adversaries may abuse if user/admin enables them 
1021.001 Remote Services: SMB/Windows Admin Share
1110.002 Valid Accounts: Default Accounts
1557 Adversary-in-the-Middle
1557.001  Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
1588.001 Steal or Forge Kerberos Tickets: Golden Ticket
1649 Steal or Forge Authentication Certificates

2) Improper Segmentation of User/Administrator Privilege

  • Excessive Account Privileges
  • Elevated Service Account Permissions
  • Non-Essential Use of Elevated Accounts

An over simplified way to ask this: do any of your email accessible accounts have administrative privileges, and if so, why?

1024 User Execution
1078 Valid Accounts
1087 Account Discovery
1528  Steal Application Access Token
1550.001 Use Alternate Authentication Material: Application Access Token
1558.003 Steal or Forge Kerberos Tickets: 
1566 Phishing

3) Insufficient Internal Network Monitoring

  • Suboptimal configuration on host and network traffic collection and end-host logging
  • Undetected Adversarial Compromise
  • Improper Sensor Configuration
  • The techniques are broad under MITRE

This area of the market has grown quickly and is known as "Network Detection and Response" at Sophos, and many others. If curious of the full breakdown, we can see it explained here: What is Network Detection and Response?

  • Relevant Sophos Technologies within NDR
    • Deep Detection Engine - engine that uses deep learning to analyze encrypted traffic and patterns across the network
    • Deep Packet Inspection - uses known IoCs to identify threat actors and malicious TTPs to identify across the network
    • Encrypted Payload Analytics - detects 0-day C2 servers and malware variants 
    • Domain Generation Algorithm - engine identifies dynamic domain generation technology used by malware to avoid detection
    • Session Risk Analytics - utilizes Sophos defined rules that send alerts on session-based risk factors
  • Relevant Sophos MDR Note:
    • If you are licensed for this, you are receiving this data stream

4)  Lack of Network Segmentation

  • Separating portions of the network with security boundaries 
  • Without boundaries between the user, production and critical systems, any adversary can more easily move laterally
  • Leave organizations exposed to become more vulnerable and prone to ransomware attacks and post-exploitation techniques
  • IT and IoT/OT are a growing risk as everything continually gets IP-connected

In addition to segmentation, understanding what services need to speak between the segmentation is another opportunity to minimize the attack surface.

5) Poor Patch Management

  • Lack of Regular Patching
  • Use of unsupported operating systems and outdated firmware

This area is particularly dangerous for any public-facing applications or services. Once exposed, it becomes easy for a skilled adversary to find and take advantage of these risks.

1190 Exploit Public-Facing Application
1210  Exploitation of Remote Services
1592 Gather Victim Host Information
1595.002 Active Scanning: Vulnerability Scanning
  • Relevant Sophos KBAs
    • The Endpoint Schema and Data Lake Schema has data collection for this in Win/Linux/Mac
    • In addition, you can query the reg entries and other components to gauge assessments
  • Relevant Sophos MDR Note:
    • Rules, detections, and workbooks are in place to monitor for this type of activity

6) Bypass of System Access Controls

  • Compromise alternative authentication methods
    • Pass-the-hash
    • Kerberoasting
    • etc
  • Relevant Sophos KBAs:
  • Relevant Sophos MDR Note:
    • Rules, detections, and workbooks are in place to monitor for this type of activity

7) Weak or Misconfigured MFA Methods

  • Misconfigured Smart Cards or Tokens
  • Lack of Phishing-Resistant MFA
1111 Multi-Factor Authentication Interception
1598  Phishing for Information
1621 Muti-Factor Authentication Request Generation

8) Insufficient ACLs on Network Shares and Services

  • Data shares and repositories are primary targets
  • Improper ACLs for unauthorized users to access sensitive or administrative data on shared drives

Adversaries will use open source tools, commercial software, or living off the land methods. This makes it increasingly difficult to detect and respond.

1018 Remote System Discovery
1039 Data from Network Shared Drive
1046  Network Service Discovery
1083 File and Directory Discovery
1135 Network Share Discovery
1552 Unsecured Credentials
  • Relevant Sophos KBAs:
  • Relevant Sophos MDR Note:
    • Rules, detections, and workbooks are in place to monitor for this type of activity

9) Poor Credential Hygiene

  • Easily crackable
  • Cleartext password disclosure

NIST has a Special Publication (SP) 800-132 for Recommendations for storing passwords or pass phrases. As of 05/11/2023, NIST will be revising this publication and can read the announcement here.

As always, use a Password Manager or similar for secure storage of these words, phrases, tokens, etc.

1110.002 Brute Force: Password Cracking
1552.001 Unsecured Credentials in Files
1555 Credentials from Password Stores

10) Unrestricted Code Execution

  • Unverified programs executing on hosts
  • I.e. no legitimate purpose or business reason for running on the network
1027.010 Obfuscated Files or Information: Command Obfuscation
1059 Command and Scripting Interpreter
1059.005  Command and Scripting Interpreter: Visual Basic
1068 Exploitation for Privilege Escalation

This can occur in waves -- including after successful techniques. The Intercept X agent has coverage on the attack surface, before an object runs, active detections, and remediation features. You can view them all Intercept X // XDR // MDR Tech Specs

  • Relevant Sophos MDR Note:
    • Rules, detections, and workbooks are in place to monitor for this type of activity


As a best practice, be sure maximize your ability to communicate with us:

  • Receive email digests, subscriptions, and notifications from the Sophos Community
  • Subscribe to the Sophos Notification alerts for products and services
  • Complete the Sophos Certification Program (FREE) to obtain access to a senior support agent
  • Consider using a Technical Account Manager or TAM to maximize support and minimize risk
  • Subscribe to Sophos News for the latest in Threat Research and security news
  • If an MDR customer, take advantage of the Monthly Threat Cast, Broadcast Announcements, and resources
    • If you are not, consider our offerings to provide cyber resiliency with your staff.
  • Most importantly, find out who supports your account and introduce yourself for guided best practice, feature updates, and more!


Added outline
[edited by: JeramyKopacko at 2:17 PM (GMT -7) on 30 Oct 2023]