61 percent of networks vulnerable to low-skilled hackers
Almost half of all actions by attackers are identical to the normal activities of the users and admins, and in most companies even a low-skilled hacker can obtain control of the infrastructure.
These are among the findings of a new study from penetration testing specialist Positive Technologies. Testers, acting as internal attackers, managed to obtain full control of the infrastructure at 23 tested companies, usually within three days.
In one network it took just 10 minutes. At 61 percent of the companies, the research found at least one simple way to obtain control of the infrastructure that would have been feasible even for a low-skilled hacker.
Legitimate actions that would be indistinguishable from regular user activity accounted for 47 percent of the actions that allowed testers to build an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller. Such activities could give an attacker credentials of corporate network users or the information needed to develop the attack further. The risk is that it is hard to tell these actions apart from the usual activities of users and administrators, making it more likely that the attack will go unnoticed. These incidents can, however, be spotted with security incident detection systems.
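As an added illustration of what "spotted with security incident detection systems" can look like for the actions listed above (not code from the study or from Positive Technologies), the script below runs three simple rules over a handful of constructed Windows Security and Sysmon events: creation of a new account followed by its addition to a privileged group (Event IDs 4720 and 4732/4728), non-allowlisted processes opening lsass.exe with read access (Sysmon Event ID 10), and reg save of the SAM/SECURITY/SYSTEM hives (Event ID 4688 with command-line auditing). The hostnames, account names, the process allowlist and the two-rule escalation threshold are assumptions to be tuned per environment; the point it demonstrates is that each action alone looks like administration, while several distinct ones on one host is the pattern worth escalating.

```python
"""Illustrative detection rules for the 'legitimate-looking' actions named in
the study (privileged user creation, LSASS memory access, registry hive export),
run over constructed Windows Security / Sysmon events.

Added example: event samples, hostnames, account names and the allowlist are
constructed assumptions, not vendor detection content or real telemetry.
"""
import re
from collections import defaultdict

# Sysmon Event ID 10 (ProcessAccess): PROCESS_VM_READ (0x10) is the bit needed
# to read another process's memory; 0x1FFFFF is PROCESS_ALL_ACCESS.
LSASS_READ_BITS = 0x0010
LSASS_FULL_ACCESS = 0x1FFFFF

# Processes expected to open lsass.exe on a managed host (assumption: tune per site).
LSASS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

# Group membership changes that should always be reviewed.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}

# reg / reg.exe save of the SAM, SECURITY or SYSTEM hive (credential material on disk).
HIVE_EXPORT_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)


def check_event(ev):
    """Return (rule_name, detail) if the event matches a rule, else None."""
    eid = ev["EventID"]
    if eid == 4720:                                   # a user account was created
        return ("account_created", ev["TargetUserName"])
    if eid in (4728, 4732) and ev["GroupName"].lower() in PRIVILEGED_GROUPS:
        return ("privileged_group_add", f'{ev["MemberName"]} -> {ev["GroupName"]}')
    if eid == 10 and ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        mask = int(ev["GrantedAccess"], 16)
        readable = bool(mask & LSASS_READ_BITS) or mask == LSASS_FULL_ACCESS
        if readable and ev["SourceImage"].lower() not in LSASS_ALLOWLIST:
            return ("lsass_memory_access", ev["SourceImage"])
    if eid == 4688 and HIVE_EXPORT_RE.search(ev["CommandLine"]):
        return ("registry_hive_export", ev["CommandLine"])
    return None


def detect(events):
    """Apply check_event to every event and return one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            alerts.append({"host": ev["Computer"], "rule": hit[0], "detail": hit[1]})
    return alerts


def escalate(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired.

    Any single action above can be routine administration; several different
    ones on the same host is the combination that deserves an analyst's time.
    """
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "CommandLine": r"C:\Windows\notepad.exe notes.txt"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 4720, "Computer": "WS02", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "Computer": "WS02", "MemberName": r"WS02\svc_backup2", "GroupName": "Administrators"},
    {"EventID": 10, "Computer": "WS02",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 4688, "Computer": "WS03", "CommandLine": r"reg.exe save hklm\SAM C:\Temp\sam.hiv"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]}: {a["rule"]} ({a["detail"]})')
    print("escalate:", escalate(found))
```

Run as written, the allowlisted antivirus access to lsass.exe on WS01 produces no alert, WS02 fires three different rules and is escalated, and WS03 produces a single hive-export alert that stays at the triage level. Event ID 4688 only carries the command line when process command-line auditing is enabled, so that rule silently does nothing on hosts where it is not.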
"During attacks on internal networks, hackers usually use peculiarities of the OS architecture and of the Kerberos and NTLM authentication mechanisms to collect credentials and move between computers. For instance, the hackers can extract credentials from the OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with embedded OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process," says Dmitry Serebryannikov, director of the security audit department at Positive Technologies. "In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group. Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorized access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."
The full report is available from the Positive Technologies site.