The actions of hackers are difficult to distinguish from those of ordinary users

Tomcat

Positive Technologies experts have published the results of their internal penetration testing work (23 internal penetration testing projects from 2019 were selected for the report, drawn from the companies that allowed their anonymized data to be used). The analysis showed that almost half of an attacker's actions may be indistinguishable from the everyday activity of users and administrators.

The report states that in 2019 the pentesters were able to gain full control over the infrastructure of every company tested when acting as an insider. Typically this took about three days, while on one network it took only 10 minutes. In 61% of companies, at least one simple way to gain control over the infrastructure was identified, one that even a low-skilled attacker could use.

According to the experts, legitimate actions that help develop an attack vector accounted for 47% of all the pentesters' actions. These include, for example, creating new privileged users on hosts, creating a memory dump of the lsass.exe process, exporting registry hives, or querying a domain controller. All of these actions let an attacker obtain the credentials of corporate network users or information needed to develop the attack further. The danger is that such actions are difficult to distinguish from the usual activity of users or administrators, which means the attack goes unnoticed.

[Figure: Distribution of successful attacks by category]
“Attacks on internal networks typically rely on OS architecture and the Kerberos and NTLM authentication mechanisms to collect credentials and move between computers. For example, an attacker can extract credentials from OS memory using special utilities such as mimikatz, secretsdump or procdump, or built-in OS tools such as taskmgr, to create a memory dump of the lsass.exe process. We recommend using up-to-date versions of Windows (no older than 8.1 on workstations or Windows Server 2012 R2 on servers). Domain privileged users should be included in the Protected Users group. Modern versions of Windows 10 and Windows Server 2016 include Credential Guard technology to isolate and protect the lsass.exe system process from unauthorized access.
Testing has also shown that an attacker can exploit known vulnerabilities in outdated software versions that allow remote execution of arbitrary code on a workstation, elevation of privileges, or disclosure of sensitive information. Most often during testing, the experts encountered missing OS updates. Thus, according to Positive Technologies pentesters, 30% of companies still have the Windows vulnerabilities described in the 2017 security bulletin MS17-010, and some even have MS08-067 (October 2008).”
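As an added example (not part of the original post or the Positive Technologies report), the PowerShell audit below checks a domain-joined host against the three recommendations quoted above (OS baseline, Protected Users membership, Credential Guard) and, on the detection side, lists which processes Sysmon has recorded opening lsass.exe, the trace that the memory dumps described earlier leave behind. It assumes the ActiveDirectory RSAT module is installed, the caller can read group membership, and Sysmon is logging ProcessAccess events; the privileged group names are placeholders to adjust per domain.

```powershell
function Test-LsassHardening {
    [CmdletBinding()]
    param(
        # Hypothetical default list; replace with the domain's own privileged groups.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
    )
    $result = [ordered]@{}

    # 1. OS baseline from the report: Windows 8.1 and Server 2012 R2 are both
    #    NT 6.3, so any older kernel version fails the check.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $result.OsVersion       = $osVersion.ToString()
    $result.OsMeetsBaseline = ($osVersion -ge [version]'6.3')

    # 2. Credential Guard: Win32_DeviceGuard lists 1 in SecurityServicesRunning
    #    only when Credential Guard is actually running, not merely configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # 3. Protected Users: every account in a privileged group should be a member.
    Import-Module ActiveDirectory -ErrorAction Stop
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    $notProtected = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
            Select-Object -ExpandProperty SamAccountName
    }
    $result.PrivilegedNotInProtectedUsers = @($notProtected | Sort-Object -Unique)

    # 4. Detection side: Sysmon event 10 (ProcessAccess) with lsass.exe as the
    #    target is what a dump by procdump, taskmgr or mimikatz looks like in the log.
    $sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
    $sources = @()
    if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
        $sources = Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 10 } `
                                -MaxEvents 1000 -ErrorAction SilentlyContinue |
            Where-Object  { $_.Message -match 'TargetImage:\s+\S*\\lsass\.exe' } |
            ForEach-Object { if ($_.Message -match 'SourceImage:\s+(\S+)') { $Matches[1] } }
    }
    $result.LsassAccessSourceImages = @($sources | Sort-Object -Unique)

    [pscustomobject]$result
}

# Anything listed under PrivilegedNotInProtectedUsers or an unexpected entry in
# LsassAccessSourceImages (anything other than known AV/EDR binaries) needs review.
Test-LsassHardening | Format-List
```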