During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of infrastructure on all corporate networks they attempted to compromise.
On only seven percent of systems could the difficulty of accessing critical resources be considered "moderate". Penetrating the network perimeter has also become easier over time; the difficulty of accessing the internal network was assessed as "trivial" in 56 percent of tests in 2017, compared to 27 percent in 2016.
On average, Positive Technologies testers found two attack vectors per client that would allow their internal network to be penetrated. For one client, 10 different penetration vectors were detected. The age of the oldest vulnerability found (CVE-1999-0532) was 18 years.
Corporate Wi-Fi networks are a convenient launch point for attackers; among tested companies, 40 percent used easy-to-guess dictionary passwords for access to their Wi-Fi networks. Moreover, 75 percent of Wi-Fi networks were accessible from outside of company offices, and the same proportion failed to enforce per-user isolation. As a result, intruders can attack personal and corporate laptops connected to Wi-Fi without ever having to set foot in the target's building.
Another weak point in the security stance of most companies was found to be their employees, who are vulnerable to social engineering attacks. In testing, 26 percent of employees clicked a link for a phishing website; almost half of them proceeded to enter their credentials in a fake authentication form. One in six employees opened a simulated malicious file attached to an email and 12 percent of employees were willing to communicate with intruders.
Positive Technologies analyst Leigh-Anne Galloway described how these attacks play out in practice: "To gain full control over the entire corporate infrastructure, an attacker usually penetrates the network perimeter and takes advantage of vulnerabilities in out-of-date OS versions. From this point the sequence of events is predictable - the attacker runs a special utility to collect the passwords of all logged-in OS users on these computers. Some of these passwords might be valid on other computers, so the attacker repeats this process. Gradually, system by system, the attacker continues until obtaining the password of the domain administrator. At that point, it's game over—the attacker can burrow into the infrastructure and control critical systems while staying unnoticed."
Stopping insider attackers requires a comprehensive, in-depth defensive approach. Basic security measures include keeping operating systems and applications up to date, as well as enforcing the use of strong passwords on all systems by all users, especially administrators.
Positive Technologies experts recommend using two-factor authentication for administrators of key systems and refraining from giving ordinary employees administrator privileges on their own computers. Even if some systems have already been compromised, rapid detection can still minimize the damage. SIEM and similar solutions make a timely, effective response possible.
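The kind of detection the last paragraph calls for, as an added example that is not part of the report or of Positive Technologies' tooling: a small SIEM-style rule in Python run over constructed (not real) Windows 4624 logon events, flagging an account whose network logons reach many distinct hosts within a short window, which is the trace left by the host-by-host password reuse chain Galloway describes. The event layout, host names, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) events,
# reduced to the fields a SIEM would normalise:
# (timestamp, account, source host, target host, logon type).
# Logon type 3 is a network logon, the kind produced when a harvested
# password is tried against another machine. None of this is real data.
SAMPLE_EVENTS = [
    ("2017-06-01T09:00:05", "CORP\\jsmith",     "WS-101", "WS-101",   2),
    ("2017-06-01T09:01:10", "CORP\\svc_backup", "WS-101", "FS-01",    3),
    ("2017-06-01T09:01:42", "CORP\\svc_backup", "WS-101", "WS-102",   3),
    ("2017-06-01T09:02:15", "CORP\\svc_backup", "WS-101", "WS-103",   3),
    ("2017-06-01T09:02:50", "CORP\\svc_backup", "WS-101", "SQL-01",   3),
    ("2017-06-01T09:03:20", "CORP\\svc_backup", "WS-101", "DC-01",    3),
    ("2017-06-01T09:30:00", "CORP\\jsmith",     "WS-101", "FS-01",    3),
    ("2017-06-01T14:00:00", "CORP\\jsmith",     "WS-101", "PRINT-01", 3),
]


def detect_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted hosts} for every account whose remote network
    logons reach more than `max_hosts` distinct targets inside any sliding
    `window`. Normal users touch a few servers per day; a spreading
    attacker touches many in minutes."""
    by_account = defaultdict(list)
    for ts, account, src, dst, logon_type in events:
        if logon_type == 3 and src != dst:        # remote network logons only
            by_account[account].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = sorted({dst for _, dst in logons[start:end + 1]})
            if len(hosts) > max_hosts and len(hosts) > len(alerts.get(account, [])):
                alerts[account] = hosts          # keep the widest host set seen
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in 10 min -> {', '.join(hosts)}")
```

Tune `window` and `max_hosts` to the environment's baseline, and exclude accounts that legitimately fan out (monitoring, backup) by name rather than by raising the threshold for everyone.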