Thousands of Tests on a Million Assets Indicate That No Matter How Big Your Security Spend, Your Company’s Defenses are Probably Weaker – Much Weaker – Than You Think
By Peter R. Kelly
New research from Horizon3.ai pinpoints the three major attack themes and the ten most common misconfigurations, vulnerabilities, and weaknesses that attackers are likely to detect and exploit. As the report “Year in Review 2022: Through the Eyes of the Attacker” makes clear, so much of what organizations need to do to shore up their defenses remains either undone or under-addressed.
The findings were based on some seven thousand pentests that evaluated a million assets in companies that have industry-leading security tools, employ experienced cybersecurity practitioners, and maintain compliance policies. Tests were conducted via the NodeZero platform and point to an uncomfortable truth: regardless of how well-resourced your company’s cybersecurity team and budget are, your defenses are likely to be much weaker than you – or your customers – believe them to be.
“Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors,” said Snehal Antani, CEO and co-founder of Horizon3.ai.
A surprising seven percent of assets tested either contributed to or would be directly affected by a critical impact as defined by Mitre Corp. – an event that would cause program failure and an inability to achieve the customers’ minimum acceptable requirements.
The three main themes or causes of exploitable weaknesses, vulnerabilities and misconfigurations that arose over the past year are:
- Credential policies are weak, or often not enforced: most often, attackers don’t “hack” in using sophisticated tools or exploits, they simply “live off the land” and log in with legitimate credentials. Recent research showed that 62% of all detections indexed by the fourth quarter of 2021 were malware-free.
- Patching is rare, but fixes to misconfigurations are even rarer: many organizations were found to have exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including entries from CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog. For example, NodeZero exploited the Remote Desktop Services RCE vulnerability “BlueKeep” (CVE-2019-0708) 552 times this past year, and EternalBlue (CVE-2017-0144) 565 times. Critical VMware vulnerabilities were exploited 365 times, and misconfigurations and vulnerabilities were also common in popular DevOps tools and resources such as Jenkins (58 instances), GitLab (41 instances), Docker (50 instances) and Kubernetes (54 instances).
- Tools need oversight and tuning to work effectively: “But my EDR should’ve stopped that…” was a common refrain among participants whose large investments in EDR solutions failed during pentests. Many companies could not detect an unauthorized host such as NodeZero in their environment, nor prevent it from dumping a SAM database full of credentials. Often it was not the tool itself that failed, but a failure to configure the tool properly that resulted in the exposure of assets. For example, NodeZero was able to carry out Windows MITM attacks (NTLM relay) 1,450 times and captured 138,662 credentials.
Each of the top 10 vulnerabilities and weaknesses that NodeZero found and exploited was the direct result of these three weaknesses, and each could have led to critical impacts and deeper implications had the organizations being tested not addressed them. These vulnerabilities are:
- Weak or reused credentials
- Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
- Credential dumping from Windows or Linux hosts
- Exploitation of critical vulnerabilities listed by the Cybersecurity and Infrastructure Security Agency (CISA)
- Exploitation of critical VMware vulnerabilities
- Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
- Misconfigurations and vulnerabilities in routers, iLOs, and iDRACs
- Windows Man-in-the-Middle attacks (NTLM relay)
- Windows Active Directory privilege escalation vectors (Kerberoasting)
- Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)
“These findings underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry,” Antani said.
“Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective, and most importantly – whether their assets and environments are secure.”
“Year in Review 2022 – Through the Eyes of the Attacker” is downloadable at https://go.horizon3.ai/2022-Year-in-Review