Analysis of 128 penetration tests conducted in the fourth quarter of 2016 shows that approximately two-thirds of tested companies were successfully breached. This is despite the limited time — in 89% of cases, less than two weeks — available to the pentesters compared to the effectively unlimited time available to blackhat attackers.
Rapid7, which was appointed a CVE numbering authority in December 2016, analyzed 128 of the engagements it undertook in the closing months of last year. These involved both internal testing and external testing. In most cases the client company was more interested in external testing (67.2%) than internal testing (21.1%). A few (8.6%) combined both internal and external tests, while a smaller number of tests (3.1%) were neither (code and IoT audits, for example).
External pentests involved testing web sites, phishing, VPNs and so on. Internal tests looked at, for example, network misconfigurations, software, and wifi. Although there were fewer internal tests, states Rapid7, “Overall, penetration testers successfully compromised the target organization through software vulnerabilities or network misconfigurations just over 80% of the time.”
The good news, it added, is that “most of the techniques used can be defended against with sensible, widely understood and appropriately tailored network security best practices, including patch management, network segmentation, and regular assessments of the most likely sources of risk in the enterprise.”
Pentesters are usually asked to evaluate protection in specific areas. Unsurprisingly, given the increasing scope of regulations, the most frequent request (57% of the companies tested) is to test against the theft of personally identifiable information (PII). This is followed by sensitive internal data at 55.5%. And yet, “despite the recent uptick in online industrial espionage, the surveyed organizations seemed the least interested in specifically protecting copyrighted material [2.3%], digital certificates [3.1%], source code [9.4%], or trade secrets [13.1%].”
It is tempting to infer from this that compliance pressures are focusing defense of PII over purely business secrets. Indeed, Rapid7 director of research, Tod Beardsley, told SecurityWeek, “It was surprising that companies are focusing so much attention on protecting PII, given that real criminals have such a variety of goals, including an increased interest in industrial espionage. We do think that this is due to compliance requirements that mandate PII protections, and therefore, organizations are dedicating their limited resources to making sure their PII story is solid. This is certainly rational, but we worry that organizations are growing too focused on PII protections while criminals are expanding their areas of interest.”
The report highlights the value of protecting credentials. “The number one method of obtaining account access,” it states, “starts with very simple password guessing; enforcing more machine-generated, rather than human-generated, passwords would go a long way toward defending against this threat, as would more widespread adoption of two-factor authentication.”
Rapid7 outlines the methods it uses to ‘acquire’ client credentials. The most common, and the most successful, is manual guesswork. “Here’s a time-saving tip,” it comments: “If you know a lot of, or all, usernames, just try <Current season><current year>. People love that password, and according to our survey data, manually guessing patterns like this is successful a surprising (depressing?) fraction of the time.”
The two most common methods of defending credentials are account lock-outs and two-factor authentication. However, 32.8% of enterprises did not use lockouts, while for another 42.2% the lockout had no effect or simply delayed the compromise. Rapid7 points out that 14% of the surveyed sites also lacked detection controls. “Combined with a lack of effective lockouts, this is a prescription for inevitable compromise.”
2FA is a more successful method of protecting credentials, but it is surprisingly rare. “2FA is generally effective in preventing the most common forms of credential compromise, especially when combined with a reasonable detection control like user behavior analytics,” says Rapid7.
Once an account is compromised, both pentesters and attackers will seek to locate and use more privileged credentials. Such a process is described in one of several case studies outlined in the report. This client was a technology company. Rapid7 detailed “how good information gathering, coupled with precise password sprays, can ultimately result in going from an unauthenticated nobody on the internet, to an authenticated user on the Domain, and ultimately to a Domain Administrator.”
The first step was to search the internet for names or usernames and the potential username format. “This username enumeration technique produced several valid accounts in the domain, which were then re-run through a brute-force attack against the OWA installation using that favorite password of pen testers, <CurrentSeason><CurrentYear>. This attack produced several valid credential pairs.”
2FA was in use, connected to a VPN endpoint; but Rapid7 bypassed it by changing a compromised e-mail account to one controlled by Rapid7 and using the VPN’s self-service enrollment feature. This got the pentesters into the system, and they then scanned the internal hosts until they found an old Group Policy Preference file containing service account credentials vulnerable to trivial decryption. “This user was a Domain Administrator on the network,” reports Rapid7, “and therefore Rapid7 had fully compromised this domain upon connecting to the domain controller with this account.”
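As an added illustration, not from the report or Rapid7's own tooling, of why the per-account lockouts discussed above do nothing against the password spray in this case study, and what a detection control can look for instead: a small Python detector run over constructed authentication log lines that flags a source spreading failures across many accounts while each account stays under the lockout threshold. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not from the report): timestamp, source IP, username, result.
# 203.0.113.7 tries one password against many accounts (a spray);
# 198.51.100.9 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2016-11-14T09:00:01 203.0.113.7 alice FAIL
2016-11-14T09:00:03 203.0.113.7 bob FAIL
2016-11-14T09:00:05 203.0.113.7 carol FAIL
2016-11-14T09:00:07 203.0.113.7 dave FAIL
2016-11-14T09:00:09 203.0.113.7 erin FAIL
2016-11-14T09:00:11 203.0.113.7 frank OK
2016-11-14T09:05:00 198.51.100.9 alice FAIL
2016-11-14T09:05:02 198.51.100.9 alice FAIL
2016-11-14T09:05:04 198.51.100.9 alice FAIL
2016-11-14T09:05:06 198.51.100.9 alice FAIL
2016-11-14T09:05:08 198.51.100.9 alice FAIL
"""
WINDOW_SECONDS = 600      # assumed counting window
LOCKOUT_THRESHOLD = 5     # assumed per-account failures before lockout fires
SPRAY_MIN_USERS = 5       # assumed distinct failing accounts per source that we call a spray

def parse_log(text):
    """Parse whitespace-separated lines into (epoch_seconds, src, user, result); timestamps are UTC."""
    out = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        out.append((epoch, src, user, result))
    return out

def bucket_events(events, window=WINDOW_SECONDS):
    """Group by (source, time bucket); record failures per user and users that logged in."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "ok": set()})
    for ts, src, user, result in events:
        b = buckets[(src, int(ts // window))]
        (b["ok"].add(user) if result == "OK" else b["fails"].__setitem__(user, b["fails"][user] + 1))
    return buckets

def detect_sprays(events, min_users=SPRAY_MIN_USERS, lockout=LOCKOUT_THRESHOLD):
    """{src: (distinct failed users, peak failures per user, users that succeeded)} for
    sources that fail across many accounts while every account stays below the lockout."""
    found = {}
    for (src, _), b in bucket_events(events).items():
        peak = max(b["fails"].values(), default=0)
        if len(b["fails"]) >= min_users and peak < lockout:
            found[src] = (len(b["fails"]), peak, sorted(b["ok"]))
    return found

def lockout_triggers(events, lockout=LOCKOUT_THRESHOLD):
    """{(src, user): failures} where a per-account lockout would have fired."""
    return {(src, u): n for (src, _), b in bucket_events(events).items()
            for u, n in b["fails"].items() if n >= lockout}
```

The brute-force source trips the lockout, but the spraying source never does, while still landing one valid login; only the cross-account view catches it.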
Rapid7 is concerned by the consistency with which it can compromise its clients. There seems to be no difference between small companies with a small attack surface and large enterprises with a large attack surface. “Over two-thirds of [our] penetration testers remain undetected,” it concludes. “Beyond network segmentation, patch management, or any other technical countermeasure, a routine malicious behavior detection strategy that is at least able to catch these frenetic bursts of malicious activity is the best technical protection solution money can buy today.”