
NSA and CISA: 10 Most Common Network Misconfigurations

Michael Clark

April 29, 2024

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory to highlight the most common cybersecurity misconfigurations in large organizations, as well as the tactics, techniques, and procedures (TTPs) threat actors use to exploit these misconfigurations. NSA and CISA uncovered these misconfigurations while assessing the security posture of network enclaves across government and private sector organizations.

According to the advisory, “these misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.”

Top 10 Most Common Network Misconfigurations

NSA and CISA teams have evaluated thousands of environments over the years using a variety of methods, including adversary emulation and vulnerability assessments. During these evaluations, NSA and CISA identified the top ten most common network misconfigurations. Since Microsoft Windows and Active Directory environments are very common, many of the assessments dealt with these environments, and the joint advisory focuses primarily on them.

However, the identified misconfigurations are systemic weaknesses and similar misconfigurations may be found in other environments. Network security engineers should keep an eye out for the issues below, regardless of the software in their environment. The list below is not ranked by priority. For a detailed breakdown of each misconfiguration, read the full advisory.

Default Configurations of Software and Applications

Many systems, services, and applications ship with default configurations to enable easy setup. For example, devices like network routers, printers, and IoT devices often have default credentials that can easily be found on the internet. Malicious actors frequently abuse default credentials to gain initial access, move laterally, and execute code.

Furthermore, some services may have overly permissive access controls or vulnerable configurations by default, including misconfigurations like insecure Active Directory Certificate Services, insecure legacy protocols or services, and an insecure Server Message Block (SMB) service. Malicious actors can exploit these weaknesses to issue fraudulent certificates, gain persistent access to systems, obtain domain hashes, carry out machine-in-the-middle attacks, and more. RevealX detects insecure legacy protocols and services that use weak encryption, or don’t use encryption at all, like SMBv1, deprecated versions of SSL/TLS, Windows New Technology LAN Manager (NTLM) versions 1 and 2, Link-Local Multicast Name Resolution (LLMNR), and more.
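The legacy protocols named above each leave a recognizable fingerprint in the first packet of a connection, which is how a network sensor can flag them. The classifier below is an added example, not ExtraHop's or RevealX's code: it inspects constructed packet payloads for an SMBv1 protocol id, an LLMNR multicast query, a deprecated SSL/TLS version in a ClientHello or ServerHello, and a raw NTLMSSP token. The packets, addresses, and the `Packet` record shape are assumptions made for the example.

```python
"""Flag insecure legacy protocols from the first bytes of a connection.

Added example, not code from ExtraHop or RevealX. The packets below are
constructed for illustration, not captured from a real network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # leading bytes of the transport payload


# Protocol versions the advisory treats as deprecated, as they appear in the handshake.
DEPRECATED_TLS = {b"\x03\x00": "SSLv3", b"\x03\x01": "TLS 1.0", b"\x03\x02": "TLS 1.1"}
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify(pkt: Packet) -> Optional[str]:
    """Return a finding label for one packet, or None if nothing legacy was seen."""
    p = pkt.payload
    # SMB over TCP/445: 4-byte NetBIOS session header, then the protocol id.
    # 0xFF 'S' 'M' 'B' is SMB1; SMB2 and SMB3 use 0xFE 'S' 'M' 'B'.
    if pkt.proto == "tcp" and pkt.dst_port == 445 and p[4:8] == b"\xffSMB":
        return "SMBv1"
    # LLMNR: name queries to the 224.0.0.252:5355 multicast group.
    if pkt.proto == "udp" and pkt.dst_port == 5355 and pkt.dst == "224.0.0.252":
        return "LLMNR"
    # TLS handshake record: content type 0x16, record version, record length,
    # then handshake type (1 = ClientHello, 2 = ServerHello), 3-byte length,
    # then the 2-byte protocol version at offset 9. TLS 1.3 puts 0x0303 here
    # and negotiates via an extension, so it is never flagged by this rule.
    if pkt.proto == "tcp" and len(p) >= 11 and p[0] == 0x16 and p[5] in (1, 2):
        version = DEPRECATED_TLS.get(p[9:11])
        if version:
            role = "offered" if p[5] == 1 else "negotiated"
            return f"{version} {role}"
    # Raw NTLMSSP token (as carried in SMB and LDAP binds): 8-byte signature,
    # then a little-endian message type.
    if p[:8] == b"NTLMSSP\x00" and len(p) >= 12:
        msg_type = int.from_bytes(p[8:12], "little")
        return f"NTLM {NTLM_MSG_TYPES.get(msg_type, 'unknown')}"
    return None


def scan(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, finding) for every packet that carries a legacy protocol."""
    findings = []
    for pkt in packets:
        label = classify(pkt)
        if label:
            findings.append((pkt.src, pkt.dst, label))
    return findings


# Constructed sample packets: one per rule, plus SMB2 and TLS 1.2 traffic that must stay quiet.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 445, "tcp", b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.20", 445, "tcp", b"\x00\x00\x00\x40\xfeSMB@\x00\x00\x00"),
    Packet("10.0.0.5", "224.0.0.252", 5355, "udp",
           b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08fileserv\x00\x00\x01\x00\x01"),
    Packet("10.0.0.5", "10.0.0.30", 443, "tcp", b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(32)),
    Packet("10.0.0.30", "10.0.0.5", 50123, "tcp", b"\x16\x03\x01\x00\x2f\x02\x00\x00\x2b\x03\x01" + bytes(32)),
    Packet("10.0.0.5", "10.0.0.30", 443, "tcp", b"\x16\x03\x03\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)),
    Packet("10.0.0.5", "10.0.0.10", 389, "tcp", b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
]

if __name__ == "__main__":
    for src, dst, finding in scan(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {finding}")
```

A ClientHello only shows what the client is willing to accept; the ServerHello is what was actually negotiated, so a "negotiated" finding is the one that proves a deprecated version is in use. Distinguishing NTLMv1 from NTLMv2 needs the AUTHENTICATE message's response lengths, which this first-packet check does not parse.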

Improper Separation of User/Administrator Privilege

The principle of least privilege is the notion that a user account should have the permissions and privileges necessary to carry out a specified role, and no more. However, CISA and NSA assessment teams found that administrators often assign multiple roles to the same account. These highly privileged accounts have access to a wider range of devices and services than a single account should, allowing threat actors to move quickly through a network without compromising multiple accounts.

Similarly, many applications use user accounts, known as service accounts, to access resources. These accounts are frequently granted elevated privileges and may be accessed by any valid domain user, making them enticing targets for threat actors.

Domain or system administrator accounts are also favored targets, and their use by IT personnel for non-essential purposes increases the exposure of these accounts to malicious actors. Administrator accounts inherently have elevated privileges; by targeting these accounts, threat actors greatly increase their ability to escalate privileges and move laterally across the network.

Insufficient Internal Network Monitoring

Improperly configured host and network sensors for traffic collection and end-host logging can lead to many problems. Chief among those is the inability to detect adversarial compromise. Improper sensor configuration also makes it difficult to understand baseline network traffic, and therefore, to detect anomalous activity in a timely manner.

The advisory includes two notable examples. In one, an organization with host-based monitoring (i.e., EDR) but no network monitoring could identify infected hosts, but had no information about activities traversing the hosts. This prevented the organization from identifying the source of the infection and from stopping lateral movement and further infections. In another, a large organization with a mature cyber posture couldn’t detect an assessment team’s lateral movement, persistence, and command and control (C2) activity, even when the team purposefully attempted to trigger a security response through noisy activity.

Lack of Network Segmentation

Network segmentation is the placement of security boundaries between portions of a network. Without segmentation, threat actors who have compromised a resource on the network can move laterally across systems unopposed. A lack of segmentation also leaves organizations more vulnerable to ransomware and puts operational technology environments at risk.

Poor Patch Management

CISA and the NSA describe poor patch management primarily as a lack of regular patching combined with the use of unsupported operating systems (OSs) and outdated firmware. Both of these practices leave organizations vulnerable to known attack vectors and exploits.

Vulnerability scanning and open source research regularly uncover new weaknesses in applications. Failure to apply the latest patches for these applications significantly increases an organization’s attack surface. The trouble with continued use of outdated OSs and firmware is that their vendors no longer patch new and existing vulnerabilities. Threat actors are free to exploit these vulnerabilities, leaving organizations using deprecated technology significantly exposed to risk. RevealX detects many of the most commonly exploited vulnerabilities, including Log4Shell, several vulnerabilities used in the ProxyShell family of attacks, and more.

Bypass of System Access Controls

Compromising alternate authentication methods can allow threat actors to bypass system access controls. For example, a malicious actor might collect hashes in a network to enable a pass-the-hash attack, thus expanding their foothold in the network without detection. Similarly, Kerberoasting is a popular and efficient method for malicious actors to elevate their privileges and move laterally through the network. The unmatched decryption capabilities offered by RevealX enable defenders to detect Kerberoasting and similar attacks so they can stop bad actors in their network tracks.
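Kerberoasting leaves a footprint on the domain controller as well as on the wire: a burst of service-ticket (TGS) requests for user-owned service accounts, typically asking for RC4-encrypted tickets, from one account and source address. The detector below is an added example, not RevealX's detection logic. It runs over constructed Windows Security Event ID 4769 records; the field names follow that event's XML, while the window, threshold, and sample accounts are assumptions to tune per environment.

```python
"""Detect Kerberoasting-style TGS request bursts in Security Event ID 4769 records.

Added example, not ExtraHop or RevealX code. Event records are constructed to
mirror the 4769 fields a SIEM would carry; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17                      # etype 23, the ticket type roasting tools request
BURST_WINDOW = timedelta(minutes=5)  # assumption: how close together requests must be
BURST_THRESHOLD = 3                  # assumption: distinct service accounts per window


def is_roastable_request(ev: Dict) -> bool:
    """Successfully issued RC4 ticket for a user service account (not a machine account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (
        ev["EventID"] == 4769
        and ev["Status"] == "0x0"
        and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def detect_kerberoasting(events: List[Dict]) -> List[Dict]:
    """One alert per (requesting account, source IP) that obtained BURST_THRESHOLD or more
    distinct roastable service tickets inside BURST_WINDOW."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_roastable_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        # Slide a window over this requester's RC4 TGS requests, earliest first.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["TimeCreated"] - first["TimeCreated"] <= BURST_WINDOW]
            services = sorted({e["ServiceName"] for e in window})
            if len(services) >= BURST_THRESHOLD:
                alerts.append({"user": user, "ip": ip, "start": first["TimeCreated"], "services": services})
                break  # one alert per requester is enough for triage
    return alerts


def ev(t: str, user: str, ip: str, service: str, etype: str, status: str = "0x0") -> Dict:
    """Build a constructed 4769 record with just the fields the detector needs."""
    return {
        "EventID": 4769,
        "TimeCreated": datetime.fromisoformat(t),
        "TargetUserName": user,
        "IpAddress": ip,
        "ServiceName": service,
        "TicketEncryptionType": etype,
        "Status": status,
    }


# Constructed sample: one roasting burst, plus normal and edge-case traffic that must stay quiet.
SAMPLE_EVENTS = [
    ev("2024-04-29T09:00:00", "alice", "10.0.0.5", "svc_sql", "0x17"),
    ev("2024-04-29T09:00:02", "alice", "10.0.0.5", "svc_web", "0x17"),
    ev("2024-04-29T09:00:05", "alice", "10.0.0.5", "svc_backup", "0x17"),
    ev("2024-04-29T09:00:06", "alice", "10.0.0.5", "WS01$", "0x17"),           # machine account: ignored
    ev("2024-04-29T09:01:00", "bob", "10.0.0.7", "svc_sql", "0x12"),           # AES256 ticket: normal
    ev("2024-04-29T09:02:00", "carol", "10.0.0.8", "svc_sql", "0x17"),         # single RC4 request: below threshold
    ev("2024-04-29T09:03:00", "carol", "10.0.0.8", "svc_web", "0x17", "0x7"),  # KDC error: ticket never issued
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{alert['user']}@{alert['ip']} at {alert['start']}: {', '.join(alert['services'])}")
```

A single RC4 ticket is weak evidence on its own, since legacy applications still request them; the burst across several service accounts is what separates roasting from normal use. The same signal is why the mitigation side matters: service accounts limited to AES ticket types and given long random passwords (or replaced with group managed service accounts) give an attacker nothing useful to crack even when the request succeeds.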

Weak or Misconfigured Multifactor Authentication Methods

Multifactor authentication (MFA) requires multiple forms of authentication before access to network resources is provided. Malicious actors may take advantage of vulnerabilities associated with certain implementations. For instance, government networks often require smart cards or tokens for MFA, eliminating the use of passwords. Though the password is never used, a password hash for the account still exists and can be used as an alternative credential for authentication. If MFA requirements are misconfigured, this password hash never changes. Once a malicious actor has this hash, they can continue to use it for as long as that account exists.

Other forms of MFA are vulnerable to phishing, “push bombing,” protocol exploitation, or SIM swapping techniques. Assessment teams have successfully bypassed MFA by impersonating IT staff and convincing users to provide MFA information over the phone.

Insufficient Access Control Lists on Network Shares and Services

Shared drives and repositories on the network are another popular target for malicious actors. Once they’ve collected and exfiltrated data from drives or folders, they can use it to extort organizations or plan further compromises. Assessment teams regularly find sensitive information, including clear text passwords, in shared drives. If access control lists aren’t properly configured, unauthorized users may be able to access these shared drives.

Poor Credential Hygiene

Poor credential hygiene makes it easier for threat actors to gain initial access, maintain persistence, and move laterally on the network, especially if MFA is weak or misconfigured. CISA and the NSA warn of two primary sources of poor credential hygiene: easily crackable passwords and clear text password disclosure. Lax password policies that don’t require sufficient length or randomness often lead to easily crackable passwords. Storing passwords in clear text anywhere on the network is also a serious security risk. Should a malicious actor gain access to files containing clear text passwords, they could use these credentials to appear exactly like a legitimate user.

Unrestricted Code Execution

Often one of the first things malicious actors do after gaining access to a network is to execute code that allows them to take the next step in the kill chain. If unverified programs are allowed to run, threat actors will be able to execute malicious payloads at will. Assessment teams and malicious actors are frequently able to leverage unrestricted code execution via executables, dynamic link libraries (DLLs), HTML applications, macros, and other techniques.

How RevealX Can Help Mitigate Insufficient Internal Network Monitoring

NSA and CISA provide recommendations for mitigation for each of the misconfigurations above in the full advisory. These mitigations are based on existing cybersecurity frameworks and guidance to protect against the most common threats and TTPs. RevealX can help organizations achieve many of the recommendations for mitigation of insufficient internal network monitoring.

The agencies recommend establishing a baseline of applications and services, as well as a baseline of normal traffic activity. RevealX automatically discovers and classifies all assets on the network, and within a few weeks of implementation it also establishes a baseline of normal network activity. This allows security and IT teams to rapidly identify anomalous assets and behavior via machine learning. This user activity baselining also enables organizations to meet the third recommendation, which is to use auditing tools capable of detecting privilege and service abuse opportunities.
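The baselining idea in the recommendation is simple to state: learn which assets exist and which peers and ports each one normally talks to, then treat departures as candidates for review. The script below is an added example that is not RevealX's logic or ExtraHop's code; it builds that kind of allow-set baseline from a constructed learning period of flow records and classifies a later observation period, then groups departures by source so that one host suddenly reaching several new peers (the lateral-movement shape from the monitoring section above) stands out. Hostnames, ports, and the fan-out threshold are assumptions.

```python
"""Baseline normal traffic per host and flag departures from it.

Added example, not ExtraHop or RevealX code. Flow records are constructed;
hostnames, ports and the fan-out threshold are assumptions for the example.
A flow is a (src, dst, dst_port) tuple, as a flow log or sensor would provide.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FANOUT_THRESHOLD = 3  # assumption: new (peer, port) pairs per source that warrant a look


def build_baseline(flows: List[Tuple[str, str, int]]) -> Tuple[Set[str], Dict[str, Set[Tuple[str, int]]]]:
    """Learn which hosts exist and which (dst, port) pairs each source normally reaches."""
    hosts: Set[str] = set()
    peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, port in flows:
        hosts.update((src, dst))
        peers[src].add((dst, port))
    return hosts, peers


def find_anomalies(baseline, flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Label each observed flow that departs from the baseline.

    "new-asset": one endpoint was never seen during learning.
    "new-peer":  both endpoints are known, but this source never reached this (dst, port).
    """
    hosts, peers = baseline
    findings = []
    for src, dst, port in flows:
        if src not in hosts or dst not in hosts:
            findings.append(("new-asset", src, dst, port))
        elif (dst, port) not in peers[src]:
            findings.append(("new-peer", src, dst, port))
    return findings


def fanout_sources(findings: List[Tuple[str, str, str, int]]) -> List[str]:
    """Sources that newly reached FANOUT_THRESHOLD or more distinct (dst, port) pairs."""
    reached: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for _kind, src, dst, port in findings:
        reached[src].add((dst, port))
    return sorted(src for src, pairs in reached.items() if len(pairs) >= FANOUT_THRESHOLD)


# Constructed learning-period flows: workstations talk to the file server and the DC.
BASELINE_FLOWS = [
    ("ws01", "fs01", 445), ("ws01", "dc01", 88), ("ws01", "dc01", 389),
    ("ws02", "fs01", 445), ("ws02", "dc01", 88), ("ws02", "dc01", 389),
]

# Constructed observation-period flows with a few departures mixed in.
OBSERVED_FLOWS = [
    ("ws01", "fs01", 445),     # normal
    ("ws02", "dc01", 88),      # normal
    ("ws01", "ws02", 445),     # workstation-to-workstation SMB: new peer
    ("ws01", "dc01", 3389),    # RDP to the DC from a workstation: new peer
    ("ws01", "ws03", 445),     # ws03 was never seen during learning: new asset
    ("10.0.9.9", "ws01", 22),  # unknown source: new asset
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    findings = find_anomalies(baseline, OBSERVED_FLOWS)
    for finding in findings:
        print(finding)
    print("fan-out sources:", fanout_sources(findings))
```

An allow-set baseline is only as good as its learning period: if an intrusion is already under way while the baseline is being learned, the attacker's traffic becomes "normal", so the learned peer sets should be reviewed against what the asset is supposed to do before they are trusted.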

The final mitigation recommendation is to implement a security information and event management (SIEM) system to aggregate logs and correlate, query, and visualize alerts from network endpoints, logging systems, endpoint detection and response (EDR) systems, and intrusion detection systems (IDS). RevealX integrates easily with SIEMs and EDR via secure API, and it even provides IDS capabilities.

RevealX enables security and IT teams to exceed these recommendations with unparalleled network visibility. Full packet capture, unrivaled protocol fluency, and unmatched, out-of-band decryption delivered at line-rate speeds and cloud scale leave attackers with no place to hide on the network.
