Hackers difficult to distinguish from legitimate users - study

Almost half of all actions by attackers are identical to the usual activities of users and admins, a new report has found. 

The Penetration Testing of Corporate Information Systems report from Positive Technologies found that in most companies, even a low-skilled hacker can obtain control of the infrastructure. 

In 2019, Positive Technologies testers, acting as internal attackers, managed to obtain full control of infrastructure at all tested companies, usually within three days. One of the networks took just 10 minutes. 

At 61% of the companies, the testers found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker.

The testers noted that legitimate actions indistinguishable from regular user activity accounted for 47% of the actions that allowed pentesters to create an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller.

These actions allow hackers to obtain credentials from corporate network users, or the information required to develop the attack further. The risk is that it is hard to differentiate between such actions and the usual activities of users and administrators, making it more likely that the attack will remain unnoticed. Such incidents can, however, be detected by security incident detection systems.
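As an added illustration (not code from the report or the article), the Python sketch below applies simple detection rules to constructed sample telemetry for three of the actions listed above: lsass.exe memory access, registry hive export, and creation of a new local administrator. Field names mimic Sysmon (Event ID 1 and 10) and Windows Security (4720 and 4732) records, and the PROCESS_VM_READ threshold is this example's assumption.

```python
import re
from collections import defaultdict

# Sysmon reports GrantedAccess as a hex string; PROCESS_VM_READ (0x10) is the
# right a memory-dump tool needs on lsass.exe. Using it alone is an assumption
# for this example and will also match some legitimate security software.
PROCESS_VM_READ = 0x10
HIVE_EXPORT = re.compile(
    r"\breg(\.exe)?\s+save\s+hk(lm|ey_local_machine)\\(sam|security|system)\b")

def classify(ev):
    """Map one event record to a finding label, or None if it is benign."""
    eid = ev.get("event_id")
    if eid == 10 and ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        if int(ev.get("granted_access", "0x0"), 16) & PROCESS_VM_READ:
            return "lsass-memory-access"
    if eid == 1 and HIVE_EXPORT.search(ev.get("command_line", "").lower()):
        return "registry-hive-export"
    if eid == 4720:
        return "account-created"
    if eid == 4732 and ev.get("group", "").lower() == "administrators":
        return "local-admin-added"
    return None

def triage(events):
    """Return sorted findings per host. An account creation followed by an
    Administrators-group add for the same user on the same host is promoted
    to 'new-privileged-user', the pattern the report describes."""
    findings = defaultdict(set)
    per_user = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        host = ev.get("host", "?")
        findings[host].add(label)
        if label in ("account-created", "local-admin-added"):
            per_user[(host, ev.get("target_user", "").lower())].add(label)
    for (host, _user), labels in per_user.items():
        if {"account-created", "local-admin-added"} <= labels:
            findings[host].add("new-privileged-user")
    return {host: sorted(labels) for host, labels in findings.items()}

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 10, "host": "WS01", "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1410"},
    {"event_id": 1, "host": "WS01", "command_line": r"reg.exe save HKLM\SAM C:\temp\sam.hiv"},
    {"event_id": 4720, "host": "WS02", "target_user": "svc_backup2"},
    {"event_id": 4732, "host": "WS02", "target_user": "svc_backup2", "group": "Administrators"},
    {"event_id": 1, "host": "WS03", "command_line": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, labels)
```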

The testing also demonstrated that attackers can exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code, escalate privileges, or obtain sensitive information. What the experts see most often is missing OS updates. For example, according to Positive Technologies pentesters, in 30% of companies they can still find Windows vulnerabilities described in the 2017 Security Bulletin MS17-010, and sometimes even MS08-067 (dated October 2008).

"During attacks on the internal networks, hackers usually use peculiarities of the OS architecture, Kerberos and NTLM authentication mechanisms to collect credentials and move between computers," says Dmitry Serebryannikov, director of security audit department, Positive Technologies.

"For instance, the hackers can extract credentials from the OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with embedded OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process.

"In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group," he says.

"Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorised access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."

Ekaterina Kilyusheva, head of information security analytics research group at Positive Technologies, says in an internal pentest, the specialists can demonstrate the feasibility of actuating business risks or obtaining access to business systems.

"Risks vary by company, but some of them are common to many, such as compromise of critical information in case of access to executive workstations," she says.

"For instance, during internal pentests our specialists could access technological networks of industrial companies and ATM control systems in banks, thus demonstrating the real threat an attack poses to the company. 

"By empirically assessing anticipated business risks, penetration testing enables building an efficient, effective security system based on the best available options."
