Operations
8/18/2016
05:00 PM

Attacker's Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes," though, were not zero-days or malware at all.

The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:

  1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
  2. broadcast name resolution poisoning (like WPAD) -- 64%
  3. local admin password attacks (pass-the-hash attacks) -- 61%
  4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
  5. insufficient network segmentation -- 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do."

As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does. By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal." 

The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers. But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of hacking. The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise."

Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons. For one, he says, malware can fail or cause system failures, which draw attention to the attacker. Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix. 

Mitigation 

There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements.

He recommended that organizations wanting to clean up their act start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:

  • Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks.
  • Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change, installation of Microsoft Security Advisory 2871997, and regular monitoring for any unauthorized registry changes. 

Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix.

Some (not all) of Praetorian's suggestions in the report include:

  • To strengthen passwords:
    • increase Active Directory password length requirements to at least 15 characters
    • enhance password policy enforcements (expiration, etc.)
    • implement two-factor authentication for all administrator access and remote access.
  • To mitigate broadcast name resolution poisoning:
    • populate DNS servers with entries for all known valid resources
    • disable LLMNR and NetBIOS on end-user workstations.
  • To improve network segmentation -- after proper inventory of systems, data, and review with lines-of-business about employee access:
    • Enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems -- on a machine basis, by VLAN, or per user with "next-gen" firewalls.
    • Update network architecture and network diagrams to reflect the new ACLs.
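
The host-level items above (LAPS, the registry change against cleartext credentials in memory, and disabling LLMNR and NetBIOS) can be spot-checked on a Windows machine with a read-only script. The PowerShell below is an added example, not taken from the Praetorian report; it assumes the registry change in question is WDigest's UseLogonCredential value and that LAPS is the legacy Group Policy-based client, neither of which the article names, and the helper names Get-RegValue and New-Finding are hypothetical.

```powershell
# Added example (not from the report): read-only audit of host registry settings.
# The registry locations are the standard Windows ones; the article does not name them.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Check, $Value, [bool]$Pass)
    $shown = if ($null -eq $Value) { '<not set>' } else { $Value }
    [pscustomobject]@{ Check = $Check; Value = $shown; Pass = $Pass }
}

$findings = @()

# 1. Cleartext passwords in memory: WDigest credential caching must be off (0).
#    An absent value means "off" only on Windows 8.1 / Server 2012 R2 and later.
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$defaultOff = [Environment]::OSVersion.Version -ge [Version]'6.3'
$findings += New-Finding 'WDigest UseLogonCredential' $wdigest (($wdigest -eq 0) -or (($null -eq $wdigest) -and $defaultOff))

# 2. Pass-the-hash: legacy LAPS policy enabled (1), so each host has its own local admin password.
$laps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
$findings += New-Finding 'LAPS AdmPwdEnabled' $laps ($laps -eq 1)

# 3. Broadcast name resolution: LLMNR disabled by policy (EnableMulticast = 0).
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$findings += New-Finding 'LLMNR EnableMulticast' $llmnr ($llmnr -eq 0)

# 4. Broadcast name resolution: NetBIOS over TCP/IP disabled (NetbiosOptions = 2) per interface.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($key in Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue) {
    $opt = Get-RegValue $key.PSPath 'NetbiosOptions'
    $findings += New-Finding "NetBIOS $($key.PSChildName)" $opt ($opt -eq 2)
}

$findings | Format-Table -AutoSize
# Summary line that a scheduled task or monitoring agent can alert on.
$failed = @($findings | Where-Object { -not $_.Pass }).Count
"$failed check(s) failed on $env:COMPUTERNAME"
```

Running it on a schedule and alerting on any failed check also covers the report's point about monitoring for unauthorized registry changes.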

For Praetorian's complete mitigation suggestions, see the report.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
SchemaCzar,
User Rank: Apprentice
10/8/2016 | 9:57:21 AM
Get rid of Microsoft Windows!
How many exploits, such as cleartext passwords in ill-protected memory, are unique to Windows?  Ransomware barely exists outside Windows.  These security companies make a lot of money from Microsoft's security weaknesses.  If they cared about their customers' needs, they'd push them off Windows.
SteveMorris,
User Rank: Apprentice
9/23/2016 | 5:16:23 AM
Encryption
I'm personally thinking that password managers are the best way to protect your data. I am feeling more comfortable when my passwords are encrypted and stored in the cloud. This is not that expensive, and I can recommend 3 of them - Keeper, Lastpass and Passwork (https://passwork.me). The last one is better for entrepreneurs.
jlepich,
User Rank: Apprentice
9/21/2016 | 12:39:56 PM
"insufficient network segmentation"
I really think "insufficient network segmentation" should be something along the lines of "insufficient network isolation" or "insufficient network protection." I talk to a good number of network and security people who seem to assume that if they have different VLANs/subnets (network segmentation) then they are somehow protected from attackers moving laterally inside the network. This is unfortunately a common misconception. Without the appropriate network traffic isolation/filter/protection, threats can move from one layer 2 segment to another layer 2 segment very easily. I personally think that network/security admins need to start looking at implementing rudimentary security controls like ACLs (which I know this piece mentions, but not soon enough in my opinion) on strategic network devices through the enterprise. Don't even worry about drilling down to the UDP/TCP port level at this point, but put in place easy to understand IP based ACLs that, for instance, reduce attack surface by limiting desktop PCs from reaching other desktop PCs, etc. or the end user community from reaching the desktops/laptops of company executives. Your CEO's PC simply should not be reachable from end user devices.

 
Jenpen,
User Rank: Apprentice
9/8/2016 | 2:09:09 PM
Creating a strong password
It is necessary for parents to teach the simple ways of ensuring cyber security to their children. It will help prevent irreparable loss due to breach of information on a shared computer.
EricP436,
User Rank: Apprentice
8/23/2016 | 11:15:46 AM
password "strength"?
"increase Active Directory password length requirements to at least 15 characters and enhance password policy enforcements (expiration, etc.)"

What good does that do?  If passwords are read from memory, length and age do not matter in the least.  The longer the password the more likely it will be deliberately weakened by whoever generates it.  Password aging is a much worse idea and is specifically not recommended by NIST now.  If password hashes are stolen it means the system is compromised and cannot be trusted to leak any other valuable information including cleartext passwords read from memory.  It will be great when people finally get away from the 1980's mentality of vulnerable hashes.

At least two factor authentication made the list.