Hackers difficult to distinguish from legitimate users - study

Almost half of all actions by attackers are identical to the usual activities of users and admins, a new report has found. 

The Penetration Testing of Corporate Information Systems report from Positive Technologies found that in most companies, even a low-skilled hacker can obtain control of the infrastructure. 

In 2019, Positive Technologies testers, acting as internal attackers, managed to obtain full control of infrastructure at all tested companies, usually within three days. One of the networks took just 10 minutes. 

At 61% of the companies, we found at least one simple way to obtain control of infrastructure that would have been feasible even for a low-skilled hacker. 

The testers noted that legitimate actions indistinguishable from regular user activity accounted for 47% of the actions that allowed pentesters to build an attack vector. These actions included creating new privileged users on network hosts, creating a memory dump of lsass.exe, exporting registry hives, and sending requests to the domain controller.

These actions allow attackers to obtain the credentials of corporate network users, or information needed to develop the attack further. The risk is that such actions are hard to distinguish from the usual activities of users and administrators, making it more likely that the attack goes unnoticed. Such incidents can, however, be detected with security incident detection systems.
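As an added illustration of the detection point (this is example code written for this article, not Positive Technologies' tooling), the script below runs three simple correlation rules over a handful of constructed, simplified Windows Security and Sysmon records: a newly created account that is added to a privileged group shortly afterwards, a registry hive export on the command line, and a process that opens lsass.exe with memory-read access. The event shape, field names, hostnames and account names are all assumptions made for the sample; the event IDs (4720, 4732/4728, 4688, Sysmon 10) are the standard Windows ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape (not exports from a real SIEM).
# Security 4720 = user created, 4732/4728 = member added to a local/global group,
# 4688 = process created, Sysmon 10 = process access. Hosts and accounts are invented.
SAMPLE_EVENTS = [
    {"ts": "2019-06-03T09:00:01", "id": 4720, "host": "WS01", "subject": "CORP\\jdoe",
     "target_user": "svc_backup2"},
    {"ts": "2019-06-03T09:00:05", "id": 4732, "host": "WS01", "subject": "CORP\\jdoe",
     "member": "svc_backup2", "group": "Administrators"},
    {"ts": "2019-06-03T09:12:40", "id": 4688, "host": "WS01", "subject": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Temp\\sam.hiv"},
    {"ts": "2019-06-03T09:13:02", "id": 10, "host": "WS01", "subject": "CORP\\jdoe",
     "source_image": "C:\\Tools\\procdump64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
    # Benign-looking access: a system process querying lsass without memory-read rights.
    {"ts": "2019-06-03T09:30:00", "id": 10, "host": "WS02", "subject": "NT AUTHORITY\\SYSTEM",
     "source_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    # Ordinary registry read that must not be flagged.
    {"ts": "2019-06-03T10:00:00", "id": 4688, "host": "WS03", "subject": "CORP\\admin",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\Software\\Microsoft"},
]

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# reg.exe save/export of the hives that hold local or domain-cached credentials.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+hklm\\(?:sam|security|system)\b", re.IGNORECASE)
PROCESS_VM_READ = 0x10          # access right required to read another process's memory
NEW_ADMIN_WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_new_privileged_users(events):
    """Pair a user-creation event with a privileged-group add for the same account and host."""
    created = {}  # (host, account) -> creation time
    findings = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[(e["host"], e["target_user"].lower())] = _ts(e)
        elif e["id"] in (4728, 4732) and e["group"].lower() in PRIVILEGED_GROUPS:
            key = (e["host"], e["member"].lower())
            if key in created and _ts(e) - created[key] <= NEW_ADMIN_WINDOW:
                findings.append(("new_privileged_user", e["host"], e["subject"], e["member"]))
    return findings


def detect_hive_exports(events):
    """Flag process-creation events whose command line exports a credential-bearing hive."""
    return [("registry_hive_export", e["host"], e["subject"], e["cmdline"])
            for e in events if e["id"] == 4688 and HIVE_EXPORT.search(e.get("cmdline", ""))]


def detect_lsass_memory_access(events):
    """Flag Sysmon process-access events that open lsass.exe with memory-read rights.

    Keying on the access mask rather than the tool name is what separates a dump
    from the many legitimate processes that query lsass every day.
    """
    findings = []
    for e in events:
        if e["id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        if int(e["granted_access"], 16) & PROCESS_VM_READ:
            findings.append(("lsass_memory_read", e["host"], e["subject"], e["source_image"]))
    return findings


def detect(events):
    """Run all rules and return (rule, host, actor, detail) tuples."""
    return (detect_new_privileged_users(events)
            + detect_hive_exports(events)
            + detect_lsass_memory_access(events))


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

Each rule on its own produces events that an administrator could legitimately generate, which is the report's point; the value comes from correlating them per host and actor and from using the access mask and command line, not the executable name, as the discriminator.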

The testing also demonstrated that attackers can exploit known vulnerabilities in outdated software versions to remotely execute arbitrary code, escalate privileges, or obtain sensitive information. The most common finding is missing OS updates. For example, according to Positive Technologies pentesters, in 30% of companies they can still find the Windows vulnerabilities described in the 2017 Security Bulletin MS17-010, and sometimes even MS08-067 (dated October 2008).

"During attacks on internal networks, hackers usually use peculiarities of the OS architecture and of the Kerberos and NTLM authentication mechanisms to collect credentials and move between computers," says Dmitry Serebryannikov, director of the security audit department at Positive Technologies.

"For instance, the hackers can extract credentials from OS memory with special utilities, such as mimikatz, secretsdump, and procdump, or with built-in OS tools, such as taskmgr, for creating a memory dump of the lsass.exe process.

"In order to mitigate the risk of an internal attack, we recommend using current Windows versions (8.1 or later on workstations and Windows Server 2012 R2 or later on servers). Privileged domain users should also be placed in the Protected Users group," he says.

"Recent versions of Windows 10 and Windows Server 2016 have Remote Credential Guard, a technology for isolating and protecting lsass.exe from unauthorised access. For extra protection of privileged accounts such as domain administrators, we recommend two-factor authentication."

Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies, says that in an internal pentest the specialists can demonstrate how business risks could be realised or how access to business systems could be obtained.

"Risks vary by company, but some of them are common to many, such as compromise of critical information in case of access to executive workstations," she says.

"For instance, during internal pentests our specialists could access technological networks of industrial companies and ATM control systems in banks, thus demonstrating the real threat an attack poses to the company. 

"By empirically assessing anticipated business risks, penetration testing enables building an efficient, effective security system based on the best available options."
