The level of protection against external and internal attacks in the tested companies was in most cases low: many confirmed attack vectors aimed at accessing critical resources were found, and potential attackers would not even need to be highly qualified to apply these vectors. In internal penetration tests, 96% of organizations were assessed as having a low level of security. As for external attacks, the situation was slightly better: 68% of organizations had a low level of security, and in 32%, this level was below average.

A strong sign of high-level information security in a company is the use of result-oriented security. The first step toward result-oriented security is preparing a list of business-critical events that make it impossible for a company to function normally. Next, it is necessary to identify the target and key systems in a company's infrastructure. Setting specific objectives of a penetration test (assets to be accessed) allows us to test the security of target and key systems. If your organization already has a mature information security system supported by a sufficient budget, the next step is to verify whether attackers can trigger business-critical events at your company.

By default, the purpose of an external pentest is to gain access to a company's internal network, while the main objective of an internal pentest is to obtain maximum privileges in a company's infrastructure.

47% of the organizations set specific goals of a penetration test; 27% of them wanted to check whether their business-critical events could be triggered. For example, software developers usually test the possibility of supply chain attacks on their customers. In this case, pentesters look for ways to access developers' servers and application source code in order to check and, if found, demonstrate the possibility of introducing a special code fragment into the final product version. If the code is successfully introduced, it means that a real attacker can introduce malicious code into this company's product in the same way.

To describe attacks, experts around the world use the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) matrix. We analyzed attack vectors used by pentesters and placed the 80 most commonly used techniques on the MITRE ATT&CK heat map. All the techniques and sub-techniques on this map are worth looking at, because a penetration test is a simulation of a real attack. Armed with knowledge about the approaches attackers may use, it is possible to ensure preventive protection and keep tabs on security incident monitoring and response. In particular, the exploit public-facing application technique deserves special attention. In internal penetration tests, this technique was successfully applied in all the tested organizations, and in almost all cases pentesters exploited web application protection flaws. Real-life attackers use a similar approach, securing your web applications is a must.

MITRE ATT&CK heat map

Download heat map

Results of external penetration tests

In 96% of organizations, attackers would be able to breach the network perimeter and penetrate the internal network. The remaining 4% is a banking company where pentesters managed to access a buffer zone between the external and internal networks (DMZ). This company had undergone multiple penetration tests in the past and had done solid work on eliminating mistakes.

Figure 5. Results of external penetration tests (percentage of organizations)

At 96% of companies, our pentesters accessed the internal network.

On average, it takes five days and four hours to penetrate a company's internal network, and the fastest attack took just one hour.

In 57% of the companies, a penetration vector consisted of no more than two steps A step in an attack is an action in which attackers obtain data or privileges needed to proceed further with the attack. on average, penetration would require four steps.

Figure 6. Minimum number of steps to penetrate the local network (percentage of companies)

Low complexity vectors were detected in 53% of organizations, which means that even low-skilled attackers armed with only public tools could conduct a successful attack on these companies.

Figure 7. Minimum complexity of internal network penetration vectors (percentage of organizations)

Methods of internal network penetration

The main entry points were vulnerabilities and flaws in web application configurations: such vectors were identified at all companies without exception (DMZ was also accessed by exploiting web application flaws).

Figure 8. Protection flaws that allowed pentesters to access a LAN (percentage of organizations)

It took our pentesters only one hour to discover the vulnerability that was subsequently used in an attack aimed at gaining access to the LAN. This attack was the fastest of all attacks in the 2021–2022 penetration tests.

Figure 9. Successful attacks in external penetration tests (percentage of organizations)

Legitimate actions are performed by ordinary users and system administrators as part of their routine life and job. However, legitimate actions can also be part of an attack vector. It is not easy for an information security specialist to tell which legitimate events have been initiated by criminals. Legitimate actions include changing user passwords; remote connection to system resources; collecting information about a network, domain, and users; creating a memory dump of the lsass.exe process; or uploading files to a server using application's built-in functions.

Figure 10. Legitimate actions that allowed pentesters to perform attacks during external penetration tests

To distinguish between legitimate actions and those initiated by attackers, user activity should be strictly monitored, especially when it comes to users with elevated privileges, such as system administrators.

We also recommend implementing two-factor authentication to protect critical resources. Two-factor authentication makes it much more difficult for attackers to move laterally within a network and reduces their ability to affect target and key systems of the company.

Web application vulnerabilities

At least one attack vector related to exploitation of vulnerabilities or web application configuration flaws (Exploit Public-Facing Application) was detected in every tested organization. The most common attack vector was exploitation of vulnerabilities in CMS Bitrix: these vulnerabilities were used by attackers to access the internal networks of 10 organizations. Figure 11 shows one such attack vector.

1C-Bitrix, whose vulnerabilities allowed attackers to access internal networks in most tested organizations, releases security updates when needed, for example for CVE-2022-27228. We recommend regularly checking for security updates and installing them promptly.

For recommendations on how to implement a vulnerability management process, see this article.

The second most common network penetration point was vulnerabilities in Microsoft Exchange. WebTutor rounds out the top three. Our pentesters exploited such vulnerabilities in five organizations in total.

Figure 12. Vulnerable software that served as a point of entry into the network (percentage of organizations)

Check for updates and install them timely.

14% of LAN penetration vectors that exploited vulnerabilities in web applications included exploitation of zero-day vulnerabilities. Four zero-day vulnerabilities were detected in external penetration tests.

Zero-day vulnerabilities in Bitrix CMS were exploited in four organizations. Other zero-day vulnerabilities were detected in video conferencing software and a CRM system. Positive Technologies adheres to the principles of responsible disclosure of vulnerability information. Software manufacturers are informed about all detected vulnerabilities.

In most cases, critical vulnerabilities were related to weak password requirements and a lack of software updates. Critical vulnerabilities in web application code were detected in 53% of the tested companies.

Figure 13. Vulnerability severity by category (percentage of organizations)

Perimeter vulnerabilities

96% of organizations were vulnerable to attacks on internal network resources, and in nine out of 10 organizations, a potential attacker could gain unauthorized access to sensitive information.

Figure 14. Common security threats identified in external penetration tests (percentage of organizations)

To protect the perimeter, perform security assessment of web applications regularly.

Confidential information to which attackers could gain access included trade secrets. Attackers can use this information to demand a ransom for non-disclosure or to sell it to the victim's competitors.

In addition to accessing a company's internal network, an attack on a network perimeter may cause other negative consequences, such as web application defacement, modification of information on official resources, injection of malicious code to attack the victim's customers, theft of employee credentials, and access to corporate resources and mail followed by spam and phishing.

Brief conclusions of external penetration tests

We recommend paying special attention to password policy and web application security. These two factors allowed us to access the internal networks of many organizations. Detailed recommendations on setting up a secure password policy can be found in the chapter "Password policy flaws". To protect web applications, Positive Technologies recommends conducting regular security assessments, implementing a vulnerability management process, and using application-level firewalls to protect against attacks.

Results of internal penetration tests

An internal penetration test assesses how well the IT infrastructure is protected from attacks conducted by an internal attacker who can connect to a company's LAN.

In 100% of tested companies, we managed to gain control over the domain.

It usually takes five days to obtain maximum privileges in an organization's domain, and the quickest attack was performed in just one hour. On average, nine steps were required to obtain maximum privileges in the domain.

It took an average of 10 days to trigger a business-critical event.

Figure 15. Minimum number of steps needed to gain the maximum privileges in the domain (percentage of organizations)

On average, each organization had two high, medium, and low-complexity vectors for obtaining maximum privileges in the domain. One of the organizations had five low-complexity vectors for obtaining maximum privileges in the domain.

Figure 16. Minimum complexity of attack vectors aimed at obtaining maximum privileges in the domain (percentage of organizations)

At 57% of the tested companies, there was a simple way to gain control over the infrastructure.

Attackers would need only basic knowledge of how to attack information systems and could use publicly available exploits or automated software to perform attacks.

The attack vector complexity depends on the attacker qualification required to perform an attack and the number of actions needed to achieve the goal.

In one organization, pentesters managed to compromise the domain administrator's account as early as during an external penetration test. Password policy turned out to be a weakness not only in this organization: critical and high-risk vulnerabilities related to password policy flaws were detected in 85% of organizations. In 60% of companies, pentesters found critical and high-risk vulnerabilities related to the use of outdated software versions.

Figure 17. Vulnerabilities and security flaws detected during internal penetration tests by severity level (percentage of organizations)

In one company, an external attacker could use the Autodiscover service in Microsoft Exchange to collect information about the organization and then bruteforce credentials to penetrate the LAN and gain maximum privileges in the domain (see Figure 18). After accessing the server in the internal network, the attacker could obtain domain administrator privileges in just two steps.

Positive Technologies recommends implementing a strict password policy and using two-factor authentication to access critical resources.

In 93% of the organizations, our pentesters replicated the account krbtgt and obtained the NT password hash of the krbtgt user. With this data, real attackers can conduct a golden ticket attack and gain access to the network with any privileges. Our study revealed that a potential attacker could conduct a golden ticket attack in almost all the tested organizations. If successful, attackers can access any domain resources with any privileges. However, penetration tests normally have a strict framework agreed upon in advance with a company, which is why golden ticket attacks were not carried out.

If the krbtgt account is compromised, the password for that account should be changed twice, and the incident should be thoroughly investigated. If it is impossible to determine whether an attacker is present in your system at the time of a check, we recommend reinstalling the operating system on the computers that may have been compromised.

What pentesters do in the internal network

In all tested organizations, pentesters conducted credential brute-force attacks to move laterally within an internal network and access various resources. They mainly used password spraying (49%) and password guessing (33%), and sometimes they used password cracking (16%) sub-techniques.

Figure 19. Credential brute force percentage of sub-techniques used by pentester

Password spraying is a password brute-force attack performed using a list of popular dictionary passwords and user IDs. Attackers take one password and start guessing an identifier for it. This method helps to avoid the account being blocked.

Password guessing is an attack that involves bruteforcing account passwords. To facilitate the task, password dictionaries, previously compromised passwords, and information about company password policy can be used.

Password cracking is an attack aimed at recovering a password using an existing hash sum or other obtained information, for example if reversible coding is used to store passwords.

In addition to brute force, pentesters collected credentials from regular user files (79%), replicated data from Active Directory (93%), found them in a memory dump of the lsass.exe process (68%), and obtained them in Kerberoasting attacks (36%).

Figure 20. Methods of obtaining credentials (percentage of companies)

An example of a Kerberoasting attack is shown in Figure 21. Pentesters used vulnerabilities related to name spoofing in Active Directory (CVE-2021-42278) and spoofing requests to KDC (CVE-2021-42287). In both cases, exploitation was aimed at privilege escalation.

To move laterally within an internal network and access resources, pentesters mostly used stolen pass-the-hash (93%) and pass-the-ticket (39%) authentication data, as well as connected to shared network resources (71%), RDP (61%) and SSH (57%) remote access protocols.

Figure 22. Main techniques used to move laterally within the internal network (percentage of organizations)

Use event monitoring systems to timely keep track of attacks.

In order to elevate privileges in the infrastructure, attackers can use compromised local (68%) or domain (93%) user accounts or software vulnerabilities (89%). In 32% of organizations, pentesters used access token manipulation. For example, an attacker could duplicate an access token for a user and act on this user's behalf.

Figure 23. Main techniques and sub-techniques used by pentesters to elevate privileges (percentage of organizations)

Among successful attacks, the most frequently used techniques were credential brute force and legitimate actions: these methods were used in every tested organization.

Figure 24. Successful attacks in internal pentests (percentage of organizations)

In most cases, legitimate actions included collecting data about network hosts and vulnerable software versions (used in 36% of all attacks). The second place belongs to file uploading (17%); by files we mean software that pentesters needed to perform attacks. The third most frequently used technique was remote connection to company resources (12%). For this, pentesters often used publicly available protocols, such as RDP and SSH.

Figure 25. Legitimate actions in the system during internal penetration tests (percentage of all attacks)

The first five techniques in the list of the MITRE ATT&CK matrix below are related to credential brute force and use, as well as to the analysis of files and directories on the companies' servers. These techniques were used at all the tested organizations.

Vulnerabilities in internal networks and unacceptable attack consequences

In internal penetration tests, specialists managed to gain full control of domain resources in 100% of organizations. It was possible to access confidential information in 68% of the tested companies. Such confidential information included customer personal data and knowledge bases of the companies.

Figure 27. Top three security threats detected in internal penetration tests (percentage of organizations)

Software vendors turned out to be particularly vulnerable to supply chain attacks. As a result of such attacks, customer devices may be infected with malware, or sensitive information may be stolen by attackers.

In 47% of the studied companies, the specialists set specific pentest goals, and in 27% of the companies they verified whether business-critical events could be triggered. In most cases, such business-critical events included theft of critical information, access to the accounts of top managers, theft of funds, and shutdown of key business processes.

Interesting fact: it takes six days to disrupt an information system of a government organization and less than a month to steal money from a financial institution. In total, our specialists managed to trigger 42 out of 47 business-critical events specified by the tested companies. On average, it would take attackers 10 days to trigger a business-critical event. Criminals would need two weeks to trigger 75% of business-critical events and a month to trigger 89% of such events.

Figure 28. Main types of damage caused by the triggering of business-critical events (percentage of all verified events)

Unacceptable events may lead to reputational damage (61%), regulatory sanctions (57%), and financial loss (39%). One event can affect different aspects of company operations. For example, if attackers inject malicious code into a product, the targeted company may face reputational damage and lost profits due to customer churn, as well as fines and penalties.

In some cases, attackers did not even need maximum privileges in the domain in order to trigger a business-critical event. Figure 29 shows an example of one such attack.

The attack was carried out in two simple steps: 1) analyzing the web application, and 2) exploiting a vulnerability and loading a web command line interpreter.

Brief conclusions of internal penetration tests

In all the tested organizations, our pentesters managed to obtain maximum privileges in the domain. They also verified whether business-critical events could be triggered and concluded that criminals would need a month to trigger 89% of events that would have a serious negative impact on company operations.

The most common techniques used by pentesters were brute force and subsequent use of employee credentials, as well as techniques aimed at analyzing infrastructure and user privileges, such as account discovery, permission groups discovery, and domain trust discovery. These techniques enabled pentesters to move silently within the infrastructure. Pay special attention to those techniques. Such attacks can be detected using event monitoring systems. By timely identifying an anomaly, you can save precious time and take measures to prevent an attack.

However, before implementing monitoring systems and building a vulnerability management process, focus on password policy: our pentesters managed to compromise employee domain accounts in 100% of organizations.

It is also vital to strengthen protection and monitoring not only for target An information system whose compromise can lead to an unacceptable event for an organization. systems, but also for key An information system whose compromise would greatly simplify subsequent attacks on target systems. systems, because they are an intermediate link in an attack aimed at triggering a business-critical event.

Password policy flaws

Download an infographic on password policy

If we summarise the existing problems in the password policies of the analysed companies, 4 main problems can be identified:

• weak and dictionary passwords;
• short passwords;
• reuse of passwords;
• absence of two-factor authentication;

To solve these problems we offer:

• Set minimum password complexity requirements and avoid using dictionary passwords.
• Minimum password length should be 10 characters for ordinary users and 12 characters for privileged users.
• Use unique passwords for different accounts and resources. Prevent users from reusing at least three previous passwords.
• Use two-factor authentication or the SSO (single sign-on) technology.
• Download domain user password hashes and check for weak and dictionary passwords.

Conclusion

Penetration tests usually demonstrate a low level of security of organizations, and these pentests were no different: A cyberattack can lead to negative consequences in every organization we tested. To combat this, companies can conduct regular security assessments and work on their mistakes to reach higher levels of performance and security. We recommend paying special attention to common security flaws and attack techniques mentioned in this report, and prioritize the security of target and key infrastructure systems. By regularly testing the efficiency of security measures at your company and checking whether your infosec specialists are ready to detect and counter attacks at early stages, you can head off unacceptable consequences before they occur.