Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.
Organizations would be far better served by improving credential management and network segmentation, according to researchers there.
Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.
The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:
- abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
- broadcast name resolution poisoning (like WPAD) -- 64%
- local admin password attacks (pass-the-hash attacks) -- 61%
- attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
- insufficient network segmentation -- 52%
The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.
"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do."
As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does. By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."
The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers. But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of hacking. The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise."
Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons. For one, he says, malware can fail or cause system failures, which draw attention to the attacker. Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix.
There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements.
He recommended that organizations wanting to clean up their act, start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:
- Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks.
- Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change, installation of Microsoft Security Advisory 2871997, and regular monitoring for any unauthorized registry changes.
Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix.
Some (not all) of Praetorian's suggestions in the report include:
- To strengthen passwords:
- increase Active Directory password length requirements to at least 15 characters
- enhance password policy enforcements (expiration, etc.)
- implement two-factor authentication for all administrator access and remote access.
- To mitigate broadcast name resolution poisoning:
- populate DNS servers with entries for all known valid resources
- disable LLMNR and NetBIOS on end-user workstations.
- To improve network segmentation -- after proper inventory of systems, data, and review with lines-of-business about employee access:
- Enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems -- on a machine basis, by VLAN, or per user with "next-gen" firewalls.
- Update network architecture and network diagrams to reflect the new ACLs.
For Praetorian's complete mitigation suggestions, see the report.