What do successful pentesting attacks have in common?

In external penetration testing undertaken for corporate clients in industrial, financial, and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors in which an attacker could reach the internal network.

Full control of infrastructure was obtained on all tested systems in internal pentesting. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers, and ATM management.

These statistics are based on the results of 33 pentesting projects the company’s testers performed in the past year. The objective of the engagements varied:

External penetration testing insights

Attempts to breach the network perimeter and obtain access to LAN resources were successful in 92 percent of external pentests, and at half of the companies they were able to breach the network perimeter in just one step.

Vulnerabilities in web application code are the main problem on the network perimeter. 75 percent of penetration vectors are caused by poor protection of web resources. Reaching an internal network from the outside can typically be accomplished with well-known security vulnerabilities, without requiring exceptional skill or knowledge on the part of would-be attackers.

“What many of our successful pentesting attacks had in common was the presence of interfaces on the network perimeter that should not be accessible from the outside. For example, an Internet-accessible video surveillance system not only allows an attacker to view video, but also to run arbitrary commands on the server. This shows how important it is to correctly delineate the network perimeter and monitor the security of every component,” noted Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.

She also pointed out that as a web application grows in complexity and number of features, there is a higher chance of a coding error by developers, and this is where an attacker can slip through.

“These errors are frequently found during penetration testing, but by far the best way to find them is white-box testing with analysis of source code. Fixing vulnerabilities after the fact usually involves changing the code, which requires a lot of time. To avoid downtime and disruption, we recommend installing a web application firewall to prevent exploitation of vulnerabilities while fixes are pending, as well as to protect from new and zero-day vulnerabilities,” she added.

They also recommend minimizing the number of services on the network perimeter and making sure that sensitive information (access credentials, corporate address books, etc.) is not available publicly. Finally, for monitoring the effectiveness of protection measures, undergoing penetration testing on a regular basis is advised.

Internal penetration testing insights

PT’s testers managed to obtain full control of infrastructure on all tested systems in internal pentesting engagements.

The most common successful attack vectors against internal networks included:

• Brute force attacks against the internal network (using dictionary passwords to break into an account) and insufficient protection against recovery of passwords from OS memory. Also, interception of account credentials was exploited with great success: among companies at which network traffic was analyzed, not one secured sensitive information from interception.
• Failure to install updates, especially those fixing critical vulnerabilities. On internal infrastructure, vulnerable OS versions were the most frequent, and were found on 44 percent of tested systems.
• Vulnerability to social engineering – Specially crafted emails with attachments or web links were sent to employees. Results showed that one out of three employees risked running malware on a work computer, one out of seven engaged in dialog with an imposter and disclosed sensitive information, and one out of ten entered account credentials in a fake authentication form.
• Vulnerability in Wi-Fi networks – a key vector for threats against internal corporate infrastructure. At 87 percent of tested clients, Wi-Fi networks were accessible from outside of client premises, such as from a nearby cafe, parking lot, or public waiting area. On 63 percent of systems, weak Wi-Fi security enabled accessing resources on the local network.

For more insights and specific security recommendations, check out the report.