Hacker Actions Often Indistinguishable from Regular User Activity

Experts from Positive Technologies have published the results of their internal penetration testing work. The report analyzed 23 internal penetration testing projects conducted in 2019, using anonymized data from companies that allowed its use. The analysis revealed that nearly half of all actions taken by attackers can be indistinguishable from the normal activities of users and administrators.

The report states that in 2019, testers were able to gain full control over the infrastructure in every company tested, acting as an internal threat. Typically, this took about three days, but in one network, it took only 10 minutes. In 61% of companies, at least one simple method was found to gain control over the infrastructure—something even a low-skilled hacker could accomplish.

According to the experts, legitimate actions that let attackers advance an attack made up 47% of all actions performed by penetration testers. These include, for example, creating new privileged users on network nodes, creating a memory dump of the lsass.exe process, exporting registry branches, or sending requests to the domain controller. All these actions can provide access to user credentials for corporate networks or information needed to further the attack. The danger is that such actions are hard to distinguish from the normal activities of users or administrators, meaning the attack can go unnoticed.

Figure: Distribution of Successful Attacks by Category

“During attacks on internal networks, architectural features of the OS and authentication mechanisms like Kerberos and NTLM are typically used to collect credentials and move between computers. For example, an attacker can extract credentials from OS memory using special utilities such as mimikatz, secretsdump, procdump, or built-in OS tools like taskmgr to create a memory dump of the lsass.exe process. We recommend using up-to-date versions of Windows (above 8.1 on workstations or Windows Server 2012 R2 on servers). Domain privileged users should be included in the Protected Users group. Modern versions of Windows 10 and Windows Server 2016 feature Credential Guard technology, which isolates and protects the lsass.exe system process from unauthorized access. For additional protection of privileged accounts, especially domain administrators, two-factor authentication should be used,” says Dmitry Serebryannikov, Director of Security Analysis at Positive Technologies.
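
The lsass.exe memory dump named above (and in the list of legitimate-looking actions) is a good illustration of why context, not the action alone, separates an attacker from an administrator. The following is an added example, not code from Positive Technologies or the report: it classifies constructed Sysmon Event ID 10 (ProcessAccess) records by whether the handle to lsass.exe can read memory and whether the opening process belongs to a placeholder baseline allowlist, which is an assumption that every environment must replace with its own.

```python
"""Flag ProcessAccess events against lsass.exe that look like credential dumping.

Sysmon Event ID 10 records which process opened a handle to which target and
with what access mask. Reading LSASS memory requires PROCESS_VM_READ (0x0010).
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010

# Constructed placeholder allowlist (assumption): images expected to read lsass
# in a given environment. A real baseline comes from that environment's telemetry.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int
    user: str

def classify(event: ProcessAccessEvent) -> str:
    """Return 'ignore', 'baseline' or 'suspicious' for one event."""
    if not event.target_image.lower().endswith(r"\lsass.exe"):
        return "ignore"
    if not event.granted_access & PROCESS_VM_READ:
        return "ignore"  # handle cannot read memory, so no dump is possible
    if event.source_image.lower() in EXPECTED_SOURCES:
        return "baseline"
    return "suspicious"  # built-in tools such as taskmgr land here as well

def find_suspicious(events):
    return [e for e in events if classify(e) == "suspicious"]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, r"NT AUTHORITY\SYSTEM"),
    ProcessAccessEvent(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", 0x1410, r"CORP\admin01"),
    ProcessAccessEvent(r"C:\Users\admin01\Downloads\procdump.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, r"CORP\admin01"),
    ProcessAccessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\lsass.exe", 0x1000, r"CORP\user02"),
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"{e.user}: {e.source_image} opened lsass.exe with 0x{e.granted_access:x}")
```

Note that the taskmgr event is flagged even though Task Manager is a legitimate built-in tool: the same action performed by an administrator and by an attacker produces the same record, so the alert must be triaged on who ran it and from where.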

The testing also showed that attackers can exploit known vulnerabilities in outdated software versions, allowing them to remotely execute arbitrary code on a workstation, escalate privileges, or obtain important information. Most often, experts encountered a lack of up-to-date OS patches during testing. According to Positive Technologies’ penetration testers, 30% of companies still have Windows OS vulnerabilities described in the 2017 security bulletin MS17-010, and some even have vulnerabilities from MS08-067 (October 2008).
