Hackers difficult to distinguish from legitimate users - study
Almost half of all actions by attackers are identical to the usual activities of users and admins, a new report has found.
The Penetration Testing of Corporate Information Systems report from Positive Technologies found that in most companies, even a low-skilled hacker can obtain control of the infrastructure.
In 2019, Positive Technologies testers, acting as internal attackers, managed to obtain full control of infrastructure at all tested companies, usually within three days. One of the networks took just 10 minutes.
At 61% of the companies, the testers found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker.
The testers noted that legitimate actions indistinguishable from regular user activity accounted for 47% of the actions that allowed pentesters to build an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller.
These actions allow hackers to obtain the credentials of corporate network users or the information needed to develop the attack further. The risk is that such actions are hard to tell apart from the usual activities of users and administrators, making it more likely that the attack will go unnoticed. Such incidents can, however, be detected with security incident detection systems.
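As an added example, not taken from the report or from Positive Technologies, the following Python script shows how the four "legitimate-looking" actions named above can be picked out of Windows Security and Sysmon events and correlated per host, which is the point the report makes: each action alone resembles admin work, so the alert comes from seeing several of them together. The event lines, host and user names, and the allowlisted EDR sensor path are all constructed for this example; the field names and event IDs follow the real Windows Security (4720, 4732, 4688) and Sysmon ProcessAccess (EID 10) logs.

```python
import json
import re

# Constructed sample events (one JSON object per line); hosts, users and
# paths are invented, field names follow the real Security/Sysmon logs.
SAMPLE_EVENTS = r"""
{"source":"Security","EventID":4720,"SubjectUserName":"jdoe","TargetUserName":"svc_bkp2","Computer":"WS01"}
{"source":"Security","EventID":4732,"SubjectUserName":"jdoe","MemberName":"WS01\\svc_bkp2","TargetUserName":"Administrators","Computer":"WS01"}
{"source":"Sysmon","EventID":10,"SourceImage":"C:\\Program Files\\EDR\\sensor.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010","Computer":"WS01"}
{"source":"Sysmon","EventID":10,"SourceImage":"C:\\Windows\\System32\\taskmgr.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1FFFFF","Computer":"WS01"}
{"source":"Security","EventID":4688,"SubjectUserName":"jdoe","NewProcessName":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg save HKLM\\SAM C:\\Temp\\sam.hiv","Computer":"WS01"}
"""

LSASS_READERS_ALLOWED = {r"c:\program files\edr\sensor.exe"}  # assumed trusted tooling
PROCESS_VM_READ = 0x10  # access right that any memory dump of lsass.exe needs
ADMIN_GROUPS = {"administrators", "domain admins"}
HIVE_EXPORT = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)

def classify(ev):
    """Label one event with the attacker step it may represent, or None if benign."""
    src, eid = ev.get("source"), ev.get("EventID")
    if src == "Security" and eid == 4720:
        return "new_user_created"
    if src == "Security" and eid == 4732 and ev.get("TargetUserName", "").lower() in ADMIN_GROUPS:
        return "user_added_to_admin_group"
    if src == "Sysmon" and eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        if ev.get("SourceImage", "").lower() in LSASS_READERS_ALLOWED:
            return None  # known security tooling reading lsass.exe
        if int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
            return "lsass_memory_read"
    if src == "Security" and eid == 4688 and HIVE_EXPORT.search(ev.get("CommandLine", "")):
        return "registry_hive_export"
    return None

def scan(raw_lines):
    """Return (host, actor, label) for every event that classify() flags."""
    findings = []
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((ev["Computer"], ev.get("SubjectUserName") or ev.get("SourceImage"), label))
    return findings

def hosts_with_multiple_steps(findings, min_steps=2):
    """Each step alone may be admin work; several distinct steps on one host merit an alert."""
    steps = {}
    for host, _actor, label in findings:
        steps.setdefault(host, set()).add(label)
    return sorted(h for h, s in steps.items() if len(s) >= min_steps)
```

Running `scan(SAMPLE_EVENTS)` flags four of the five constructed events (the EDR sensor's lsass.exe access is allowlisted), and `hosts_with_multiple_steps` reports WS01 because all four steps occurred there.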
The testing also demonstrated that attackers can exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code, escalate privileges, or obtain sensitive information. The most frequent finding is a lack of current OS updates. For example, according to Positive Technologies pentesters, in 30% of companies they can still find Windows vulnerabilities described in the 2017 Security Bulletin MS17-010, and sometimes even MS08-067 (dated October 2008).
"During attacks on the internal networks, hackers usually use peculiarities of the OS architecture, Kerberos and NTLM authentication mechanisms to collect credentials and move between computers," says Dmitry Serebryannikov, director of security audit department, Positive Technologies.
"For instance, the hackers can extract credentials from the OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with embedded OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process.
"In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group," he says.
"Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorised access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."
Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, says that in an internal pentest, the specialists can demonstrate the feasibility of actuating business risks or obtaining access to business systems.
"Risks vary by company, but some of them are common to many, such as compromise of critical information in case of access to executive workstations," she says.
"For instance, during internal pentests our specialists could access technological networks of industrial companies and ATM control systems in banks, thus demonstrating the real threat an attack poses to the company.
"By empirically assessing anticipated business risks, penetration testing enables building an efficient, effective security system based on the best available options."