Cybercriminals can penetrate 93 percent of company networks
In 93 percent of cases, an external attacker can breach an organization's network perimeter and gain access to local network resources.
This is among the findings of a new study of pentesting projects from Positive Technologies, conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.
An attacker's path from external networks to target systems begins with breaching the network perimeter. According to the research, it takes two days on average to penetrate a company's internal network. Credential compromise is the main route in (71 percent of companies), primarily because simple passwords are in use, including on accounts used for system administration.
Ekaterina Kilyusheva, head of research and analytics at Positive Technologies, says: "In 20 percent of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information, pose the greatest danger. In total, Positive Technologies pentesters confirmed the feasibility of 71 percent of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days."
Once an attacker has credentials with domain administrator privileges, they can obtain many other credentials for lateral movement across the corporate network and gain access to key computers and servers. According to the study, most organizations do not segment the network by business processes, which allows attackers to develop several attack vectors simultaneously.
"In order to build an effective protection system, it is necessary to understand what unacceptable events are relevant for a particular company," Kilyusheva adds. "Going down the path of the business process from unacceptable events to target and key systems, it is possible to track their relationships and determine the sequence of protection measures in use. To make it more difficult for an attacker to advance inside the corporate network toward the target systems, there are a number of interchangeable and complementary measures organizations can take, including separation of business processes, configuration of security control, enhanced monitoring, and lengthening of the attack chain. The choice of which technology solutions to use should be based on the company's capabilities and infrastructure."
The full study is available on the Positive Technologies site.