True, attackers can have a lot of fun exploiting software vulnerabilities, but they’re nowhere near the top when it comes to the list of their favorite toys.
That’s the finding of a new report (registration required), from the US security firm Praetorian, based on 100 penetration tests covering 75 unique organizations and 450 real-world attacks.
The report, from Josh Abraham, a practice manager for Praetorian, compiles the top internal attacks used in pen tests over the past three years that have resulted in successfully accomplishing goals such as a sitewide compromise and/or access to specific, sensitive information.
Not to shrug off software vulnerabilities. They’re quite real, and they can obviously be quite dangerous.
But organizations tend to focus on them too much, at the expense of considering risk elements that are even worse, according to the report:
The fixation on patch management is compounded by professional service firms who equate a penetration test to little more than running a vulnerability scan against an organization’s network.
In a nutshell, dumb passwords and stolen credentials are a lot handier when it comes to cracking enterprise networks.
These are Praetorian’s top five attack vectors:
- Weak domain user passwords (a root cause of compromise in 66% of cases).
- Broadcast name resolution poisoning (aka WPAD, or Web Proxy Autodiscovery Protocol: 64%). We reported on WPAD a few months ago: the protocol is designed to find browser configuration files on the internal network, but recent research shows that attackers may be able to trick WPAD into downloading booby-trapped versions of those configuration files from the public internet instead.).
- Local administrator attacks (aka Pass the Hash: 61%).
- Cleartext passwords stored in memory (aka Mimikatz, an open-source password stealer that can grab a memory dump of password data from a Windows computer: 59%. It featured in a recent Mr. Robot episode).
- Insufficient network access controls (52%).
What makes weak passwords even worse is Active Directory, Microsoft’s directory service for Windows domain networks, which Praetorian says prevents users from selecting strong passwords. Compounding the issue even further is that most organizations give administrative permissions to users, according to the report.
Most successful attacks don’t have just one root cause, the report noted. In fact, 97% of the attacks had two or more root causes.
The report notes that the top four attack vectors are based on exploiting stolen credentials.
The last finding in Praetorian’s list boils down to insufficient network segmentation, the report says:
Attackers can use credentials wherever they are allowed, even in places the users might not need or know about. This is why it is important to restrict access at the network level based on business requirements.
True that: a lack of internal segmentation is regularly cited as a contributing factor in many data breaches, as cited, yet again, by Verizon in its recent Data Breach Investigations Report.
The Praetorian report quoted Rob Joyce, who Wired refers to as the nation’s “hacker-in-chief” but who’s also known as the head of the National Security Agency’s (NSA’s) Tailored Access Operations – the government’s top hacking team:
…attackers don’t rely on zero-day exploits extensively – unique attacks that take advantage of previously unknown software holes to get into systems. That’s because they don’t have to.
[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days.
There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.
Guy
“What makes weak passwords even worse is Active Directory, Microsoft’s directory service for Windows domain networks, which Praetorian says prevents users from selecting strong passwords. ”
How exactly does AD prevent users from choosing secure passwords?
It doesn’t always *enforce* secure passwords, but I have set our domain policy to require a minimum of 14 characters and to disallow password re-use. That’s really not a bad start.
(It’s true I’d prefer to set a longer minimum, which AD doesn’t support, but if it’s really important to an organisation, there’s nothing to stop them integrating 2FA into their domain, something AD also won’t prevent.)
Reader
Last week, I was in Amtrak’s business class passenger lounge at the Union Station in Los Angeles. There, passengers can access Amtrak’s WiFi.
Amtrak’s WiFi user ID is pretty lame. But omg, their WiFi password?
Yep. You guessed it.
1234567890
No, I am not making this up! lol
Larry M
What’s the difference whether the password in a public lounge is weak or strong? Or for that matter, whether the network is open? In any case you’re on a network with a bunch of strangers, one or more of whom could be malicious.
In this case you disable NetBIOS and don’t use FTP or telnet, If you’re doing anything important use https exclusively and use a VPN if possible.