Hackers difficult to distinguish from legitimate users - study

Almost half of all actions by attackers are identical to the usual activities of users and admins, a new report has found. 

The Penetration Testing of Corporate Information Systems report from Positive Technologies found that in most companies, even a low-skilled hacker can obtain control of the infrastructure. 

In 2019, Positive Technologies testers, acting as internal attackers, managed to obtain full control of infrastructure at all tested companies, usually within three days. One of the networks took just 10 minutes. 

At 61% of the companies, we found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. 

The testers noted that legitimate actions indistinguishable from regular user activity accounted for 47% of the actions that allowed pentesters to build an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller.

These actions let attackers obtain the credentials of corporate network users, or the information needed to develop the attack further. The risk is that such actions are hard to tell apart from the usual activity of users and administrators, which makes it more likely that the attack goes unnoticed. They can, however, be detected by security incident detection systems.
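The paragraph above makes a detection point: each of the listed actions is routine on its own, so an incident detection system has to correlate them. The following is an added example, not code from Positive Technologies or the report; it labels three of the named actions (new user, lsass.exe memory access, registry hive export) from a simplified event schema that is an assumption modelled on Windows Security and Sysmon fields, and raises an alert only when several distinct actions occur on the same host within a short window. Requests to the domain controller are left out because the article gives no detail to match on.

```python
import datetime as dt
from collections import defaultdict
# Real event IDs: 4720 user created, 4728/4732 group member added, Sysmon 10
# process access, 4688 process creation. Field names are simplified assumptions.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
LSASS_READ_MASK = 0x1010   # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION bits
HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")
WINDOW = dt.timedelta(minutes=30)

def classify(ev):
    """Map one event to an action named in the report, or None."""
    eid = ev["id"]
    if eid == 4720:
        return "new_user"
    if eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
        return "priv_group_add"
    if (eid == 10 and ev.get("target", "").lower().endswith("lsass.exe")
            and int(ev.get("access", "0x0"), 16) & LSASS_READ_MASK):
        return "lsass_access"
    if eid == 4688:
        cmd = ev.get("cmd", "").lower()
        if "reg" in cmd and "save" in cmd and any(h in cmd for h in HIVES):
            return "hive_export"
    return None

def correlate(events, window=WINDOW, min_kinds=2):
    """Alert per host when >= min_kinds distinct actions fall inside `window`.
    One action alone is treated as routine admin work."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind:
            per_host[ev["host"]].append((ev["ts"], kind))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            kinds = {k for t, k in hits[i:] if t - t0 <= window}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts

T = lambda m: dt.datetime(2020, 9, 1, 10, m)   # constructed timestamps
SAMPLE = [  # constructed events, not real telemetry
    {"ts": T(0), "host": "WS01", "id": 4720, "user": "svc_backup"},
    {"ts": T(1), "host": "WS02", "id": 4720, "user": "helpdesk2"},
    {"ts": T(6), "host": "WS02", "id": 10, "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"ts": T(9), "host": "WS02", "id": 4688, "cmd": r"reg.exe save HKLM\SAM C:\temp\sam.hiv"},
]
print(correlate(SAMPLE))   # {'WS02': ['hive_export', 'lsass_access', 'new_user']}
```

WS01 shows a lone account creation and stays quiet; WS02 shows three of the report's actions inside ten minutes and is flagged, which is the correlation a standalone rule per action cannot provide.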

The testing also showed that attackers can exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code, escalate privileges, or obtain sensitive information. What the experts see most often is missing OS updates. For example, according to Positive Technologies pentesters, in 30% of companies they can still find the Windows vulnerabilities described in the 2017 security bulletin MS17-010, and sometimes even MS08-067 (dated October 2008).

"During attacks on the internal networks, hackers usually use peculiarities of the OS architecture, Kerberos and NTLM authentication mechanisms to collect credentials and move between computers," says Dmitry Serebryannikov, director of security audit department, Positive Technologies.

"For instance, the hackers can extract credentials from the OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with embedded OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process.

"In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group," he says.

"Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorised access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."

Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, says that in an internal pentest the specialists can demonstrate the feasibility of realising business risks or gaining access to business systems.

"Risks vary by company, but some of them are common to many, such as compromise of critical information in case of access to executive workstations," she says.

"For instance, during internal pentests our specialists could access technological networks of industrial companies and ATM control systems in banks, thus demonstrating the real threat an attack poses to the company. 

"By empirically assessing anticipated business risks, penetration testing enables building an efficient, effective security system based on the best available options."
