Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.
Organizations would be far better served by improving credential management and network segmentation, according to researchers there.
Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.
The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:
The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.
"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do."
As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does. By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."
The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers. But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of hacking. The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise."
Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons. For one, he says, malware can fail or cause system failures, which draw attention to the attacker. Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix.
There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements.
He recommended that organizations wanting to clean up their act, start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:
Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix.
Some (not all) of Praetorian's suggestions in the report include:
For Praetorian's complete mitigation suggestions, see the report.
Related Content:Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio