About the report
Companies should have the security posture of their information infrastructure assessed by experienced and qualified professionals. The most important thing is to check whether an external or internal malicious actor can perform a successful attack and trigger non-tolerable events. This can be achieved through penetration testing.
Penetration testing, or pentesting, means assessing the security of an information system by simulating real attacks to verify whether such an attack could cause damage (financial, reputational, or otherwise) to an organization. The results reveal the current vulnerabilities and infrastructural weaknesses and are key to improving protection, monitoring, and incident response. Classic pentesting is not meant to find as many vulnerabilities as possible. The purpose, rather, is to assess whether attackers can penetrate the system or escalate privileges, given the existing information protection system. For this, a single vulnerability may be enough. However, there is also security analysis, another type of security assessment, which focuses on identifying as many weaknesses as possible in the design, development, and operation of systems or applications.
A total of 28 penetration testing projects were conducted with 39% of the organizations tested listed in the RAEX-600.
By default, the purpose of an external pentest is to gain access to a company's internal network, while the main objective of an internal pentest is to obtain maximum privileges in a company's infrastructure.
The sample for the study included projects in which no significant restrictions were imposed on the actions of the pentesters and the boundaries were broad enough to obtain an objective assessment of the level of security. The study included only organizations that allowed Positive Technologies to use anonymized data for research purposes.
The final performance reports include vulnerabilities that were discovered in the search for attack vectors and exploited to achieve the targets. Each chapter contains relevant security recommendations.
Main results
In 96% of projects, the organizations were found to be unprotected from attackers attempting to penetrate their internal network. Only one of them was reliably protected: there, the researchers were only able to gain access to the demilitarized zone (DMZ), the buffer segment between the internet and the internal network.
The earliest penetration of the organization's LAN occurred on the first day of the assessment. On average, it takes 10 days for professionals to gain access to a LAN.
Of the organizations where internal pentesting was conducted, 100% were not protected from an internal attacker taking complete control of the IT infrastructure.
For 63% of organizations, a low-skilled attacker would be able to penetrate the LAN from outside. A similar proportion of organizations could be subject to an internal, low-skilled intruder gaining full control of their IT infrastructure.
In one of the projects, the specialists gained maximum privileges in the Active Directory domain after 6.5 hours, while in other projects, the figure varied from one to seven days.
In 64% of projects, an attacker could gain unauthorized access to important confidential information. Such information included intellectual property and employee correspondence.
In every project, we confirmed that at least one non-tolerable event could be realized, often without needing to gain full control of the IT infrastructure. For example, at one organization where specialists were unable to access the LAN, the possibility of unauthorized access to a database (DB) with the personal data of more than 460 thousand users was revealed.
In 21% of projects, specialists found signs of compromise, including web shells (web-based command-line interpreters) or changes to configuration files, meaning that real attackers had previously compromised the IT infrastructure of those organizations.
Critical vulnerabilities related to the use of outdated software were found in 70% of external penetration testing projects. In 19% of the projects, pentesters found vulnerabilities related to insecure web app code. The same proportion of organizations exhibited critical password policy vulnerabilities. In 11%, critical vulnerabilities caused by incorrect software configuration were found.
The security level of the companies
The level of security against an external or internal intruder at the organizations analyzed was generally quite low, meaning that multiple attack vectors were found that lead to a company's critical resources without requiring a highly skilled attacker. In internal penetration tests, 81% of organizations were assessed as having a low level of security. From the perspective of an external intruder, the situation was slightly better: 74% of organizations had a low level of security, and another 15% a below-average level.
An overall security level is an expert assessment covering the number of attack vectors detected, including potential ones, how important any compromised resources are, how complex the attack vectors are, and how qualified the attackers need to be.
Pentesting is one of the requirements of result-driven cybersecurity
One major sign of a company's maturity and security is adherence to result-driven cybersecurity. Penetration testing is one way to assess the security of information systems, along with security assessments and cybersecurity audits.
Developing a list of non-tolerable events and the scenarios by which they can be realized, while identifying the target systems the hacking of which would result in unacceptable consequences, is the first step towards result-driven cybersecurity. The second step is to identify the key systems and potential points of entry. This is necessary to see non-tolerable events in the context of an organization's infrastructure and understand what an attacker needs to gain control over in order to cause non-tolerable events.
Once the above steps have been completed, the system can undergo initial testing of how well the internal network is protected from penetration and how well the internal infrastructure is protected against an attacker gaining full control. These questions can be answered through classical pentesting or continuous pentesting. The difference between them is that continuous pentesting carries on for a whole year over several stages, resulting in several reports on security against external and internal intruders. Either will verify the possibility of realizing non-tolerable events.
A quarter of the client companies independently defined the goals of the testing and what counts as a non-tolerable event for them. Our experts verified 90% of all such designated non-tolerable events. For the remaining projects, the goals were defined by default.
Popular MITRE ATT&CK tactics and techniques
The following table lists the 20 most popular tactics, techniques, and sub-techniques from the MITRE ATT&CK matrix that were used by pentesters in security analysis and the verification of non-tolerable events. The statistics count only successful attempts, not all attempts.
Tactic | Technique | Sub-technique | Percentage of projects (%) |
---|---|---|---|
Initial Access | Exploit Public-Facing Application | | 79 |
Execution | Command and Scripting Interpreter | Unix Shell | 61 |
Discovery | System Network Configuration Discovery | | 54 |
Persistence | Server Software Component | Web Shell | 50 |
Discovery | System Information Discovery | | 50 |
Execution | Command and Scripting Interpreter | Windows Command Shell | 46 |
Initial Access | Valid Accounts | Domain Accounts | 46 |
Discovery | File and Directory Discovery | | 43 |
Discovery | System Owner/User Discovery | | 43 |
Credential Access | Brute Force | Password Guessing | 39 |
Credential Access | Brute Force | Password Spraying | 39 |
Discovery | Remote System Discovery | | 36 |
Credential Access | OS Credential Dumping | DCSync | 32 |
Privilege Escalation | Exploitation for Privilege Escalation | | 32 |
Discovery | Account Discovery | Email Account | 32 |
Discovery | Account Discovery | Domain Account | 32 |
Discovery | Permission Groups Discovery | Domain Groups | 29 |
Initial Access | External Remote Services | | 29 |
Initial Access | Valid Accounts | Local Accounts | 29 |
Privilege Escalation | Valid Accounts | Domain Accounts | 29 |
Results of external penetration tests
A study of pentesting reports showed that 96% of the IT infrastructures studied were vulnerable to external intruders. For the remaining 4%, only the DMZ could be accessed. These companies had undergone multiple pentests in the past and had done solid work on remediating the findings.
27% of LAN penetration vectors consisted of one or two steps, but on average four steps were required. (A step in an attack is an action by which attackers obtain data or privileges needed to proceed further with the attack.)
Since each project could have multiple LAN access vectors, it is worth reviewing each group of vectors for a given project and selecting the one with the lowest number of steps.
42% of the systems tested relinquished LAN access within one or two steps. The average was four steps.
Simple vectors were found in 58% of the projects. A simple vector is a sequence of actions through which a potential attacker can use standard, freely available security analysis tools to cause a non-tolerable event.
The largest number of critical vulnerabilities was caused by outdated software in the organizations' information systems. Weaknesses in password policies and insecure web app code also often caused vulnerabilities.
Methods of penetrating an internal network
The main reasons for successful penetration of an internal network were weaknesses in password policy, vulnerabilities in web app code (including third-party apps), and weaknesses in the configuration of services along the network perimeter (such as VPNs or Citrix). One common configuration flaw in such systems is the lack of two-factor authentication or insufficient verification of user authorization.
You don't necessarily need access to the LAN to cause a non-tolerable event: exploiting one or more vulnerabilities that expose critical systems can be enough. This is why every vulnerability in the information system must be found and fixed. In 2023, external pentests identified 423 vulnerabilities, of which 34% were critical or high risk.
Notably, vulnerabilities caused by outdated software (including those with web interfaces) often exposed access to the LAN, leading to security threats.
The use of popular products beset with vulnerabilities can jeopardize any company, so prompt vulnerability remediation is crucial: info about vulnerabilities currently used by attackers is reported to the MaxPatrol VM vulnerability management system within 12 hours. This allows you to react in time and eliminate the most dangerous vulnerabilities, thereby protecting the company's infrastructure.
Insecure configuration is not nearly as prevalent among high and critical severity vulnerabilities (8%) as among vulnerabilities of any severity level (28%). In contrast, zero-day vulnerabilities, which make up just under 4% of all vulnerabilities, account for 8% of the dangerous ones.
Nevertheless, every vulnerability must be fixed. For example, an attack exploiting password policy flaws can allow a potential attacker to obtain account credentials and then escalate the attack to gain full LAN access.
Each attack involves reconnaissance and exploration of the internal infrastructure under cover of seemingly legitimate actions that are neither malicious nor disruptive in themselves.
In 63% of the vectors, our researchers obtained the information necessary to further the attack using the System Network Configuration Discovery technique (studying network configuration); in 48%, the System Information Discovery technique (viewing current system configuration); and in 40%, the File and Directory Discovery technique (exploring the file system).
Ordinary users and system administrators perform the same kinds of actions as part of their everyday work. However, legitimate actions can be part of an attack vector, and it is not easy for a cybersecurity specialist to tell which seemingly legitimate events were initiated by an attacker. To do so, the activity of all users and systems in the infrastructure must be monitored. This can be done with:
- The OS event log, including events related to security audits and system logins
- The application event log
- The domain controller event log
Then, use the following to process this info, detect, and prevent attacks:
- Security information and event management (SIEM) systems
- Network traffic analysis (NTA) systems
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Web application firewalls (WAF)
- Next-generation firewalls (NGFW)
- Endpoint detection and response (EDR) and more modern extended detection and response (XDR) solutions
Weaknesses in web apps and products from vendors
As described above, third-party solutions can be a major security threat. The following are examples of vulnerable software that allowed specialists to infiltrate a customer's infrastructure.
We predict that supply chain attacks through compromising the software of IT companies will be a major trend in 2024. This can affect businesses that use third-party software in any sector.
The table presents the known vulnerabilities in third-party software that were most often exploited by the researchers to gain access to systems. Update packages were released for all of these vulnerabilities.
Rank by exploitation frequency | Identifier | Vulnerability type | Product | CVSS score |
---|---|---|---|---|
1 | CVE-2022-41082 | Remote code execution vulnerability | Microsoft Exchange Server | CVSS 8.0 (high) |
2 | CVE-2022-27228 | Remote code execution by an unauthenticated attacker | Bitrix Site Manager | CVSS 9.8 (critical) |
3 | CVE-2022-41040 | Unauthorized privilege escalation | Microsoft Exchange | CVSS 8.8 (high) |
4 | CVE-2021-4034 | Local privilege escalation | pkexec | CVSS 7.8 (high) |
5 | CVE-2022-41080 | Unauthorized privilege escalation | Microsoft Exchange | CVSS 8.8 (high) |
In addition, during the external pentest, Positive Technologies specialists found 16 zero-day vulnerabilities in the software, six of which are of a critical threat level according to CVSS 3.1.
PT SWARM researchers constantly assess the security of various web apps and products. In 2023, they discovered 32 new CVE vulnerabilities.
Besides security weaknesses in vulnerable third-party software, the researchers found 37 vulnerabilities in the customers' web apps. Among the latter, 15 were of a critical or high severity level.
SQL injection can lead to serious consequences such as loss of sensitive information, data destruction, unauthorized access, or upload of malicious code. Half of the SQL injection vulnerabilities found were of a critical severity level.
Conclusions of the external penetration tests in brief
Having analyzed the outcomes of external pentesting, we recommend ensuring that software running in the information system receives timely security updates, implementing a strong password policy, securing the source code of web apps susceptible to serious vulnerabilities, and ensuring the secure configuration of services running in the infrastructure. Security flaws in all of the above were used by researchers to gain access to companies' internal networks. For detailed recommendations on how to configure the password policy, see the chapter "Password policy issues".
To protect web apps, Positive Technologies recommends conducting regular security assessments, implementing secure development and vulnerability management processes, and using web application firewalls to protect against attacks. To mitigate the risks from vendor solutions as much as possible, we recommend updating software promptly and monitoring the latest vulnerabilities and security patches.
Results of internal penetration tests
An internal pentest mainly assesses how well the IT infrastructure is protected from attacks by an internal attacker who can connect to a company's LAN.
In 100% of the projects where internal pentesting was performed, control of the domain was achieved.
In 81% of the projects, the overall security level was found to be low.
The least time taken to obtain maximum privileges in the Active Directory domain was 6.5 hours from the start of the internal pentest.
Each vector consists of around 11 steps (counting the steps required to gain LAN access). On average, two vectors of different complexity were detected in each project, so the shortest vector in each project is used to determine the minimum number of steps needed to gain control of a domain controller.
In the vast majority of projects, attack vectors of low (38%) and medium (50%) complexity were detected.
Simple attack vectors were found in 38% of the projects.
Simple attack vectors are characterized by the perpetrator having only a basic knowledge of attacking information systems and using publicly available exploits and automated software.
For example, such attack vectors could be based on exploiting two vulnerabilities in Microsoft Exchange, one for remote code execution (CVE-2022-41082) and one for privilege escalation (CVE-2022-41080), using publicly available exploits. In some cases, the infrastructure was vulnerable to Zerologon (CVE-2020-1472), where a single action is enough to gain administrator privileges.
The attack vector complexity depends on the attacker qualification required to perform an attack and the number of actions needed to achieve the goal.
The main reasons for a low level of security among customers were outdated software versions, insecure configuration of IT system components, and weaknesses in password policy. Notably, during internal pentesting, the security researchers found a critical vulnerability in web app code, which is rare in such work.
Although critical vulnerabilities were rare among those caused by insecure configuration (6%), a combination of several lower-risk vulnerabilities in this category can yield maximum privileges in the Active Directory domain. The figure below displays a vector in which the experts found a running certificate enrollment service (AD CS) and then used PetitPotam to coerce NTLM authentication from a domain controller and relay it to that service. Best practices for hardening AD CS against NTLM relay can be found on the Microsoft website.
What pentesters do in the internal network
Once the researchers gained access to an internal network, they attempted to gain a foothold: a way to access the organization's systems at any time without much effort.
A web shell (web interpreter) is often created to interact with the OS of a node in the LAN. This is a script, written in a language the web server executes, that passes a command received in the request to a function which runs it on the OS. This gives a researcher or attacker a foothold on the network perimeter. Three projects showed signs of compromise in the form of web shells planted by attackers; in all cases, the script was written in PHP. Positive Technologies researchers used the same technique in 14 projects, though this usually happens during external pentesting.
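Checking web roots for such scripts is one of the indicator-of-compromise checks a defender can run after reading this. The Python scanner below is an added example, not code from the report or from Positive Technologies: it flags PHP files in which an OS-execution or code-evaluation function is fed from request input (`$_GET`, `$_POST`, ...) or from a decoder that hides the payload, while leaving alone a script that runs a fixed command. The rules, severities, paths and file contents are constructed for the example and are a heuristic, not a complete signature set.

```python
import re

# Heuristic indicators of a PHP web shell: an OS-execution or code-evaluation function fed either
# directly from request input or from a decoder that hides the payload. These patterns are an
# assumption for this example, not a vendor signature set; tune them to your code base.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|eval|assert)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
DECODERS = r"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress|hex2bin|strrev)"

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

RULES = [
    # system($_GET['cmd']), passthru($_POST['c']) ...
    ("exec_from_request", "high", re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT, re.I)),
    # eval(base64_decode(...)), system(gzinflate(...)) ...
    ("exec_from_decoder", "high", re.compile(EXEC_FUNCS + r"\s*\(\s*" + DECODERS + r"\s*\(", re.I)),
    # $f = $_REQUEST['a']; $f($_REQUEST['b']);  (function name chosen by the client)
    ("variable_function_from_request", "medium", re.compile(r"\$\w+\s*\(\s*" + REQUEST_INPUT, re.I)),
    # any eval() at all is rare in legitimate application code and worth a look
    ("eval_present", "low", re.compile(r"\beval\s*\(", re.I)),
]


def scan_php_source(source):
    """Return (worst_severity, [matched rule names]) for one file's contents, or None if clean."""
    hits = [(name, severity) for name, severity, pattern in RULES if pattern.search(source)]
    if not hits:
        return None
    worst = min((severity for _, severity in hits), key=SEVERITY_ORDER.get)
    return worst, [name for name, _ in hits]


def hunt_web_shells(files):
    """files: {path: php source}. Returns {path: (severity, rules)} for suspicious files, worst first."""
    findings = {}
    for path, source in files.items():
        result = scan_php_source(source)
        if result:
            findings[path] = result
    return dict(sorted(findings.items(), key=lambda item: SEVERITY_ORDER[item[1][0]]))


# Constructed sample web root (paths and file contents invented for the example).
SAMPLE_FILES = {
    "/var/www/html/uploads/img.php": "<?php system($_GET['cmd']); ?>",
    "/var/www/html/wp-content/cache/.s.php": "<?php @eval(base64_decode($_POST[\"p\"])); ?>",
    "/var/www/html/plugins/legacy.php": "<?php $f = $_REQUEST['a']; $f($_REQUEST['b']); ?>",
    "/var/www/html/admin/tools.php": "<?php $out = shell_exec('df -h'); echo nl2br($out); ?>",
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

if __name__ == "__main__":
    for path, (severity, rules) in hunt_web_shells(SAMPLE_FILES).items():
        print(f"{severity:6} {path}: {', '.join(rules)}")
```

Run it against the real web root by reading each `.php` file into the `files` dict; on a hit, compare the file's modification time and owner with the rest of the deployment and pull the web server access log for requests to that path, since a shell that answers to `cmd=` will show the operator's commands in the query string.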
Persistence techniques that typically belong to the internal pentesting phase include Account Manipulation, the Local Account sub-technique of Create Account, and the Domain Accounts sub-technique of Valid Accounts. Note that the statistics do not take all actions within a project into account, only those used in successful vectors.
Once entrenched in the infrastructure, attackers usually look for a way to escalate privileges (if they haven't already). In most cases, our researchers successfully used techniques such as Valid Accounts, Exploitation for Privilege Escalation, and Abuse Elevation Control Mechanism.
You may notice that the Valid Accounts: Domain Accounts sub-technique is mentioned above, meaning the researchers had credentials for existing domain accounts. How did they obtain them? Figure 23 summarizes the actions taken by the researchers to obtain credentials:
For a more detailed understanding of the most-exploited OS Credential Dumping technique (obtaining OS credentials on a compromised host), review the sub-techniques that were used as part of it.
- DCSync. The attacker impersonates a domain controller and asks a real one to replicate directory data, abusing the directory replication rights that domain controllers need in order to synchronize with each other; the replicated data includes account password hashes.
- LSA secrets. Attackers read LSA secrets, a protected registry store (under HKLM\SECURITY\Policy\Secrets) where the system keeps sensitive credentials, including passwords for service accounts.
- LSASS memory. Attackers read the memory of the LSASS process, which implements the Windows authentication subsystems. Its memory can hold very valuable data, such as NT hashes or Kerberos tickets.
- NTDS. Attackers copy the NTDS.dit file, the Active Directory database of directory objects and the relationships between them, which also contains the password hashes of every domain account.
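DCSync leaves a distinctive trace: the domain controller logs event 4662 ("An operation was performed on an object") with the replication control-access-right GUIDs in its Properties field, and a user account, rather than a domain controller's machine account, as the subject. The Python detector below is an added example, not part of the report: it runs over constructed, flattened 4662 records (a real pipeline would read the EVTX/XML fields; the key=value layout, the account names and the approved service account are assumptions) and alerts on replication rights exercised by anything other than a DC or an explicitly approved account.

```python
import re
from dataclasses import dataclass

# Control-access-right GUIDs that event 4662 lists in its Properties field when a principal
# exercises directory replication rights (well-known Active Directory extended-right GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: domain controller machine accounts (names end in "$") and
# any service account you have explicitly approved, e.g. a directory synchronization account.
# The name below is a placeholder assumption for this example.
APPROVED_REPLICATORS = {"svc_dirsync"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


@dataclass
class DcSyncAlert:
    user: str
    domain: str
    logon_id: str      # SubjectLogonId: join it with the matching 4624 to recover the source host/IP
    rights: tuple
    severity: str


def parse_event(line):
    """Constructed 'key=value; key=value' record; a real pipeline reads the EVTX/XML event fields."""
    return dict(field.split("=", 1) for field in line.strip().split("; "))


def detect_dcsync(lines):
    """Return DcSyncAlert objects for 4662 events where a non-DC principal used replication rights."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user.lower() in APPROVED_REPLICATORS:
            continue        # DCs replicate by design; approved accounts are reviewed separately
        rights = tuple(
            REPLICATION_RIGHTS[guid.lower()]
            for guid in GUID_RE.findall(ev.get("Properties", ""))
            if guid.lower() in REPLICATION_RIGHTS
        )
        if not rights:
            continue
        # Get-Changes-All is the right that actually returns password hashes; the others alone
        # are still abnormal for a user account and worth a lower-severity alert.
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append(DcSyncAlert(user, ev.get("SubjectDomainName", ""),
                                  ev.get("SubjectLogonId", ""), rights, severity))
    return alerts


# Constructed sample events (not real logs). Properties mixes the access marker %%7688
# ("Control Access") with the right GUIDs, as the real event does.
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=DC01$; SubjectDomainName=CORP; SubjectLogonId=0x3e7; "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=j.smith; SubjectDomainName=CORP; SubjectLogonId=0x5a9c31; "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=j.smith; SubjectDomainName=CORP; SubjectLogonId=0x5a9c31; "
    "ObjectType=%{bf967a86-0de6-11d0-a285-00aa003049e2}; "
    "Properties=%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4662; SubjectUserName=svc_dirsync; SubjectDomainName=CORP; SubjectLogonId=0x2f114; "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}; "
    "Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624; SubjectUserName=j.smith; SubjectDomainName=CORP; TargetLogonId=0x5a9c31; "
    "IpAddress=10.20.5.41",
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.domain}\\{alert.user} logon {alert.logon_id}: {', '.join(alert.rights)}")
```

Event 4662 only fires if the "Audit Directory Service Access" subcategory is enabled on the domain controllers and the domain object carries a SACL for control access, so check the audit policy before trusting the absence of alerts. The approved-account list should be as short as possible: the only non-DC principals that legitimately need these rights are directory synchronization services, and each of them is a DCSync target in its own right.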
To move within the perimeter, including using the credentials obtained during the previous step, the researchers used the following techniques:
In most cases, remote access protocols such as SSH and RDP are used for lateral movement.
Pass the hash is an attack in which, instead of the standard authentication flow where a username and password are entered, the attacker authenticates with the username and the password's NT hash. This works because NTLM authentication only ever uses the hash to prove knowledge of the password, so a stolen hash is as good as the password itself. As a result, the attacker accesses the system through the compromised account.
Vulnerabilities in internal networks and unacceptable consequences of attacks
Notably, in a project, full control over resources can be obtained in more than one domain. For example, our researchers took control of a total of 31 domains during internal pentests. Control of critical systems implies that researchers have verified the possibility of a non-tolerable event occurring in customer-designated target systems.
During the testing, the researchers verified 90% of the non-tolerable events identified by customers as supplemental to our lists.
Such events included, inter alia, privileged access to target systems, code base leakage or irretrievable loss, theft of certain information or the compromise thereof, withdrawal of funds, or financial gain in ways not inherent to an application's logic.
Conclusions of the internal penetration tests in brief
During internal pentests, our researchers obtained maximum privileges in the domains of all of the organizations. In addition, they verified the possibility of realizing almost all (90%) of the non-tolerable events. The verified non-tolerable events that the customers themselves highlighted include: gaining access to particular information systems and network segments, embedding code into the customer's source code, gaining user rights in business segments, and obtaining certain confidential information.
Special attention should be paid to credential bruteforcing: Brute Force was used in 33 successful attack vectors. It is also important to protect systems against the OS Credential Dumping sub-techniques. We recommend thoroughly checking your infrastructure for the indicators of compromise mentioned above. Quality monitoring systems can help you detect the movement of attackers through your network during an attack.
It is also vital to strengthen protection and monitoring not only for target systems, but also for key systems, because they are an intermediate link in an attack aimed at triggering a non-tolerable event.
Password policy issues
As noted above, password policy weaknesses are one of the key links in a large number of attack vectors. Attackers can use the Brute Force technique and, if they succeed in bruteforcing a login-password pair, gain the privileges of their victims.
In external penetration testing, 56% of attack vectors aiming to gain access to a LAN included Brute Force techniques. The same proportion was recorded during internal pentests for the share of vectors implementing privilege escalation in the domain. However, if we consider all the projects where this technique was successfully applied, the proportion rises to 72%. This means that in seven out of 10 infrastructures, credentials can be bruteforced to gain unauthorized access to information.
A total of 128 vulnerabilities involving password policy flaws were identified. Among them, 14 are of a critical severity level and 16 are of a high severity level. Such flaws are not only common for domain accounts, but also for individual software, such as DBMS servers, virtualization platforms, and infrastructure monitoring systems.
Using the MITRE ATT&CK matrix, the experts applied several Brute Force sub-techniques (Password Guessing, Password Spraying, and Password Cracking) in the following ratio:
Password guessing is an attack that involves bruteforcing account passwords. To facilitate the attack, password dictionaries, previously compromised passwords, and information about company password policy may be used.
Password spraying is a brute-force attack that uses a list of popular dictionary passwords and a list of user IDs. Attackers take one password and try it against every account before moving on to the next password. This keeps the number of failed attempts per account below the lockout threshold, so accounts are not blocked.
Password cracking is an attack aimed at recovering a password from a hash or other material obtained by the attacker, for example when passwords are stored using reversible encoding.
The figure shows the proportion of each sub-technique used by the experts during brute-force attacks.
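On the defender's side, telling guessing from spraying comes down to how failed logons (Windows event 4625) are distributed: guessing concentrates failures on one account and trips the lockout threshold, while spraying spreads them thinly across many accounts from one source. The Python classifier below is an added example rather than code from the report. It keeps a sliding window of failures per source IP over constructed 4625 records; the lockout threshold of five attempts, the ten-minute window, the account names and the flattened key=value record layout are all assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed domain settings for the example: accounts lock after 5 bad attempts, and activity is
# judged over a sliding 10-minute window. A sprayer deliberately stays below the threshold.
LOCKOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
MIN_SPRAYED_ACCOUNTS = 5


def parse_event(line):
    """Constructed 'key=value; key=value' record; a real pipeline reads the EVTX/XML event fields."""
    return dict(field.split("=", 1) for field in line.strip().split("; "))


def classify_failed_logons(lines):
    """Map each source IP to 'password_spraying' or 'password_guessing' based on 4625 events."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4625":
            continue
        by_ip[ev["IpAddress"]].append((datetime.fromisoformat(ev["TimeCreated"]),
                                       ev["TargetUserName"].lower()))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = Counter()   # failures per account inside the current window
        start = 0
        for when, user in events:
            in_window[user] += 1
            while events[start][0] < when - WINDOW:      # expire events older than the window
                expired = events[start][1]
                in_window[expired] -= 1
                if in_window[expired] == 0:
                    del in_window[expired]
                start += 1
            worst = max(in_window.values())
            if len(in_window) >= MIN_SPRAYED_ACCOUNTS and worst < LOCKOUT_THRESHOLD:
                findings[ip] = "password_spraying"            # many accounts, each kept under lockout
            elif worst >= LOCKOUT_THRESHOLD:
                findings.setdefault(ip, "password_guessing")  # one account hammered past the threshold
    return findings


def _failed_logon(timestamp, user, ip):
    """Build a constructed 4625 record (SubStatus 0xC000006A = wrong password)."""
    return (f"TimeCreated=2023-11-14T{timestamp}; EventID=4625; TargetUserName={user}; "
            f"IpAddress={ip}; Status=0xC000006D; SubStatus=0xC000006A")


SPRAY_TARGETS = ["j.smith", "a.jones", "m.brown", "svc_backup", "k.lee", "p.wilson"]
SAMPLE_EVENTS = (
    # one attempt per account from 10.0.0.50: never reaches the lockout threshold anywhere
    [_failed_logon(f"09:00:{i * 10:02d}", user, "10.0.0.50") for i, user in enumerate(SPRAY_TARGETS)]
    # six attempts against one account from 10.0.0.77: classic guessing, would lock the account
    + [_failed_logon(f"09:05:{i * 10:02d}", "administrator", "10.0.0.77") for i in range(6)]
    # a single mistyped password from a workstation
    + [_failed_logon("09:07:15", "r.davis", "10.0.0.9")]
)

if __name__ == "__main__":
    for ip, verdict in classify_failed_logons(SAMPLE_EVENTS).items():
        print(f"{ip}: {verdict}")
```

Two caveats a practitioner would add: a sprayer that rotates source addresses defeats per-IP grouping, so the same window should also be kept per target account set (many distinct accounts failing once each within minutes, regardless of source); and on the perimeter the same logic applies to VPN, OWA and other authentication logs, where the source field is the client address rather than the 4625 IpAddress.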
So what passwords were compromised? They can generally be divided into several categories:
- Simple or dictionary passwords (12345678, Qwerty123, Aa12345678, 123qweASD)
- Short passwords (123456, 123, 111111)
- Company name (******2022)
- Default passwords (123, change-on-install, 111111).
As an aside, in some cases the decisive factor was the absence of two-factor authentication. There were also cases where the same password was reused across several accounts or systems.
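The passwords listed above fall to a small dictionary with a few mangling rules, and the NT hash that such cracking targets is the same value that pass-the-hash (described in the internal pentest section) feeds straight into NTLM authentication. The Python example below is added here and is not from the report or from any Positive Technologies tool: it implements MD4 so that NT hashes can be computed without OpenSSL's legacy provider, cracks a constructed hash dump with a company-name-plus-year wordlist, and then shows that an uncracked hash still produces a valid NTLMv2 proof as defined in MS-NLMP. The account names, word list, challenge bytes and blob are constructed for the example.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320). Included because OpenSSL 3 ships MD4 only in its legacy
    provider, so hashlib.new("md4") is not available everywhere."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: words in order
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)). Unsalted and deterministic, so the hash itself is the secret."""
    return md4(password.encode("utf-16le"))


def candidate_passwords(base_words, years=("2022", "2023"), suffixes=("", "1", "123", "!")):
    """Mangling rules reproducing the patterns seen in the engagements: dictionary words,
    keyboard sequences, and company name + year. The base word list is supplied by the caller."""
    for word in base_words:
        for variant in (word, word.capitalize(), word.upper()):
            for year in ("",) + tuple(years):
                for suffix in suffixes:
                    yield variant + year + suffix


def crack_nt_hashes(dump, candidates):
    """dump: {account: nt_hash bytes}, as obtained from NTDS.dit or LSASS. Returns {account: password}.
    Each candidate is hashed once and looked up, so every account is covered at the same cost."""
    accounts_by_hash = {}
    for account, digest in dump.items():
        accounts_by_hash.setdefault(digest, []).append(account)
    recovered = {}
    for candidate in candidates:
        for account in accounts_by_hash.get(nt_hash(candidate), ()):
            recovered[account] = candidate
    return recovered


def ntlmv2_proof(nt, user, domain, server_challenge, temp):
    """NTProofStr per MS-NLMP 3.3.2: HMAC-MD5 keyed by NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain).
    The password never appears, only its hash: that is the whole basis of pass-the-hash."""
    ntowfv2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowfv2, server_challenge + temp, hashlib.md5).digest()


# Constructed dump: hashes are computed here from known plaintexts so the example runs offline.
SAMPLE_DUMP = {
    "j.smith": nt_hash("Qwerty123"),                       # keyboard-sequence pattern
    "svc_backup": nt_hash("Acme2022!"),                    # company name + year pattern
    "admin": nt_hash("correct-horse-battery-staple-7"),   # passphrase, outside the mangled list
}
SAMPLE_WORDS = ["qwerty", "acme", "password", "summer", "welcome"]


def demo():
    """Crack what the wordlist covers, then show the uncracked admin hash still authenticates."""
    recovered = crack_nt_hashes(SAMPLE_DUMP, candidate_passwords(SAMPLE_WORDS))
    challenge = bytes.fromhex("0123456789abcdef")               # server's 8-byte challenge (constructed)
    temp = bytes.fromhex("0101000000000000") + b"\x00" * 24     # NTLMv2 blob header + dummy body (constructed)
    attacker_proof = ntlmv2_proof(SAMPLE_DUMP["admin"], "admin", "CORP", challenge, temp)
    server_proof = ntlmv2_proof(nt_hash("correct-horse-battery-staple-7"), "admin", "CORP", challenge, temp)
    return recovered, attacker_proof == server_proof


if __name__ == "__main__":
    recovered, pth_ok = demo()
    print("recovered:", recovered)
    print("NTLMv2 proof from the bare hash accepted:", pth_ok)
```

The second half is the reason the report treats credential dumping and brute force together: once an NT hash is in hand, cracking it is optional. The defences that actually help are the ones that keep hashes out of reach (Protected Users, Credential Guard, no local admin password reuse across hosts) and the ones that make the hash worthless on its own (MFA on the services listed below).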
To solve problems related to password policy, we recommend the following:
- Set password complexity requirements and ban dictionary passwords.
- Require passwords of at least eight characters containing symbols, numbers, and upper- and lowercase letters.
- Create unique passwords for different accounts and resources, and ensure that at least the last three passwords are not reused.
- Create passphrases rather than passwords—an easy way to greatly complicate passwords.
- Set a maximum password lifetime.
- Use password managers.
Depending on your IT infrastructure, multifactor authentication may be recommended for:
- All external perimeter services without exception, but above all VPN and Remote Desktop Gateway (RDG) services and email or multimedia authentication pages
- Critical internal services, the compromise of which can lead to non-tolerable events or major damage to the organization (for example, to minimize the possibility of theft of funds, entrance into the 1C system should be protected with two-factor authentication)
- Internal services that store (or can store) sensitive information and/or can greatly assist an attacker in exploring the infrastructure and moving laterally within the perimeter (including help desk systems and password managers)
- Infrastructure management systems (including CI/CD management servers)
- Access to source code storage servers (including Ansible Playbooks, GitLab, and Microsoft Team Foundation Server)
- Access to admin interfaces of information security tools (such as SIEM, AF, NAD, DLP, and an antivirus management console)
- Confirmation of particularly important actions
If MFA cannot be used for an application on the outer perimeter, we recommend removing it from the outer perimeter and providing access to it via VPN.
Conclusion
Penetration tests usually demonstrate a low level of security in organizations. During such tests, our researchers identify weaknesses in key and target systems, thereby showing companies whether real attackers could cause a non-tolerable event. As in 2022, the share of companies vulnerable to an external intruder remained at 96%. Full control of domain resources was established in 100% of the organizations where access to the internal network was gained, the same figure as in 2022.
Notably, organizations that conduct regular pentests and take the corresponding security measures eventually attain a higher security level.
By regularly testing the efficiency of security controls and checking whether your cybersecurity specialists are ready to detect and counter attacks at early stages, you can head off non-tolerable consequences.