The most common configuration problems found in the majority of penetration tests can be easily resolved with straightforward fixes.
Analysis from more than 50 engagements in the first half of 2019 by Lares, shared exclusively with Infosecurity, found that the top five penetration test discoveries are:
- Brute forcing accounts with weak and guessable passwords
- Kerberoasting
- Excessive file system permissions
- WannaCry/EternalBlue
- Windows Management Instrumentation (WMI) lateral movement
Chris Nickerson, founder of Lares, said that these top five findings were common in “95% of the tests.”
Specifically, Lares confirmed that in three of the five most common findings, security basics including password, privilege and patch management could resolve the issues and that “every single vulnerability can be avoided or eliminated through better cybersecurity hygiene practices.”
In the case of brute forcing accounts, this can be resolved with the use of multi-factor authentication or with account lockout policies, while 'kerberoasting' can be managed with strong passwords, both in terms of length and complexity.
Meanwhile, “excessive file system permissions” can be mitigated with tools to detect file permissions abuse, enabling installer detection for all users and limiting the privileges of user accounts and groups.
Also, although it was publicly disclosed in 2017, the EternalBlue vulnerability can be mitigated by applying the Microsoft patch, disabling SMBv1 and blocking inbound SMB at your perimeter.
The only one of the top five which is not resolved with standard 'basics' is WMI lateral movement, which Lares said can be mitigated by disabling WMI or RPCS, restricting non-administrator users from connecting remotely to WMI, and preventing credential overlap across systems of administrator and privileged accounts.
In an email to Infosecurity, Nickerson said that WMI is rarely protected or restricted, so it tends to be a widely used vector for access/execution. “For instance: the most common way we bypass 2FA logins in RDP is using WMI directly,” he explained.
Asked if he felt that this shows a lack of network visibility, or whether that is not really possible as lateral movement is a common issue, he agreed saying “there are ways to correlate logs of using WMI on a host to detect spraying or one to many/many to one execution, so there is opportunity to pick up its use and artefacts of its execution on the host.”
He also said that east/west traffic analysis is lacking in many environments, and “the most optimal solution is to ‘chain’ the detection techniques to correlate UBA, network traffic analysis and host based execution.”
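The log correlation Nickerson describes, as an added illustration that is not code from Lares or Infosecurity: it joins host process-creation events whose parent is WmiPrvSE.exe (the WMI provider host) with the preceding network logon (Security event 4624, logon type 3) for the same host and user, attributes each remote WMI execution to a source address, and then counts fan-out (one source executing on many hosts) and fan-in (many sources executing on one host). The event records, thresholds, time window and the allowlist of management hosts are constructed assumptions for the example.

```python
"""Detect one-to-many / many-to-one remote WMI execution from host telemetry.

Assumption (example only): each host forwards Security 4624 logons and
process-creation events (Sysmon Event ID 1 style) to a central collector.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Logon(NamedTuple):
    time: datetime
    host: str          # host that recorded the logon
    user: str
    source_ip: str     # network address of the connecting machine
    logon_type: int    # 3 = network (WMI/DCOM, SMB), 10 = RemoteInteractive (RDP)


class Proc(NamedTuple):
    time: datetime
    host: str
    user: str
    parent_image: str
    command: str


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (not real logs). One source address runs commands
# on four servers in two minutes; three different sources run commands on FS01.
LOGONS: List[Logon] = [
    Logon(_t("2019-06-03 09:00:05"), "SRV01", r"CORP\svc_deploy", "10.0.5.20", 3),
    Logon(_t("2019-06-03 09:00:30"), "SRV02", r"CORP\svc_deploy", "10.0.5.20", 3),
    Logon(_t("2019-06-03 09:01:10"), "SRV03", r"CORP\svc_deploy", "10.0.5.20", 3),
    Logon(_t("2019-06-03 09:01:40"), "SRV04", r"CORP\svc_deploy", "10.0.5.20", 3),
    Logon(_t("2019-06-03 09:10:00"), "SRV01", r"CORP\jdoe", "10.0.7.33", 10),  # RDP, not WMI
    Logon(_t("2019-06-03 09:12:00"), "FS01", r"CORP\alice", "10.0.7.41", 3),
    Logon(_t("2019-06-03 09:12:20"), "FS01", r"CORP\bob", "10.0.7.42", 3),
    Logon(_t("2019-06-03 09:12:40"), "FS01", r"CORP\carol", "10.0.7.43", 3),
]
WMI_HOST = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
PROCS: List[Proc] = [
    Proc(_t("2019-06-03 09:00:07"), "SRV01", r"CORP\svc_deploy", WMI_HOST, "cmd.exe /c hostname"),
    Proc(_t("2019-06-03 09:00:33"), "SRV02", r"CORP\svc_deploy", WMI_HOST, "cmd.exe /c hostname"),
    Proc(_t("2019-06-03 09:01:12"), "SRV03", r"CORP\svc_deploy", WMI_HOST, "cmd.exe /c hostname"),
    Proc(_t("2019-06-03 09:01:45"), "SRV04", r"CORP\svc_deploy", WMI_HOST, "cmd.exe /c hostname"),
    # RDP session launching a program: parent is explorer.exe, so it is ignored.
    Proc(_t("2019-06-03 09:10:30"), "SRV01", r"CORP\jdoe", r"C:\Windows\explorer.exe", "notepad.exe"),
    # Local WMI activity with no matching network logon: not attributed to a source.
    Proc(_t("2019-06-03 09:30:00"), "SRV02", r"NT AUTHORITY\SYSTEM", WMI_HOST, "wmiadap.exe /F"),
    # Same user, but 19 minutes after the logon: outside the correlation window.
    Proc(_t("2019-06-03 09:20:00"), "SRV03", r"CORP\svc_deploy", WMI_HOST, "cmd.exe /c tasklist"),
    Proc(_t("2019-06-03 09:12:02"), "FS01", r"CORP\alice", WMI_HOST, "cmd.exe /c tasklist"),
    Proc(_t("2019-06-03 09:12:22"), "FS01", r"CORP\bob", WMI_HOST, "cmd.exe /c tasklist"),
    Proc(_t("2019-06-03 09:12:42"), "FS01", r"CORP\carol", WMI_HOST, "cmd.exe /c tasklist"),
]


def correlate_wmi_executions(logons: List[Logon], procs: List[Proc],
                             window: timedelta = timedelta(minutes=5)) -> List[Tuple[Proc, str]]:
    """Attribute each WmiPrvSE-spawned process to the most recent network logon
    by the same user on the same host within `window`. Returns (proc, source_ip)."""
    by_host_user: Dict[Tuple[str, str], List[Logon]] = defaultdict(list)
    for lg in logons:
        if lg.logon_type == 3:
            by_host_user[(lg.host, lg.user.lower())].append(lg)
    hits = []
    for p in procs:
        if not p.parent_image.lower().endswith("\\wmiprvse.exe"):
            continue
        candidates = [lg for lg in by_host_user.get((p.host, p.user.lower()), [])
                      if timedelta(0) <= p.time - lg.time <= window]
        if candidates:
            hits.append((p, max(candidates, key=lambda lg: lg.time).source_ip))
    return hits


def find_lateral_patterns(hits: List[Tuple[Proc, str]], min_fanout: int = 3, min_fanin: int = 3,
                          allowlist: FrozenSet[str] = frozenset()):
    """Fan-out: sources reaching >= min_fanout hosts. Fan-in: hosts reached by
    >= min_fanin sources. Known management hosts in `allowlist` are skipped."""
    hosts_by_source: Dict[str, set] = defaultdict(set)
    sources_by_host: Dict[str, set] = defaultdict(set)
    for p, src in hits:
        if src in allowlist:
            continue
        hosts_by_source[src].add(p.host)
        sources_by_host[p.host].add(src)
    one_to_many = {s: sorted(h) for s, h in hosts_by_source.items() if len(h) >= min_fanout}
    many_to_one = {h: sorted(s) for h, s in sources_by_host.items() if len(s) >= min_fanin}
    return one_to_many, many_to_one


if __name__ == "__main__":
    o2m, m2o = find_lateral_patterns(correlate_wmi_executions(LOGONS, PROCS))
    print("one-to-many:", o2m)
    print("many-to-one:", m2o)
```

In practice the detector is run over a bounded time slice (the last 10 to 15 minutes, say) so that the fan-out and fan-in counts reflect a burst rather than a day of routine activity, and the allowlist is populated with the deployment or monitoring servers that legitimately execute on many hosts, which is also where the "credential overlap" the article mentions should be reviewed.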
Infosecurity asked Nickerson whether he felt that four of the top five most common findings being fixable with common techniques was a positive thing, or whether it was demoralizing that basic security is proving to be so difficult.
Nickerson said: “It seems to me that these techniques are not only the basics, but they have been a common way to compromise enterprises for years. It indicates to me that we are still stuck in the ‘buy a thing to make us secure’ mentality versus ‘tune what we have to work better.’
“The good part is that these techniques are addressable with fairly simple configuration. I think the industry is starting to catch on to the fact that they need to constantly tune their environment and not just buy ‘x’ new product.”
Nickerson praised the work of “purple team” type engagements that focus on defensive improvement, rather than the “traditional hack and report.
“Many teams are still operating from a ‘vulnerability focused perspective,’ the shift to including techniques in their protection/detection strategy is the next evolution of the defensive program and will be a major change in measuring the effectiveness of their controls,” he said.
“Testing for vulnerabilities and techniques (like integrating testing and tuning based on the descriptions provided by Mitre's ATT&CK framework) will help programs stay ahead of the curve and begin tracking how their defenses improve over time, opposed to the never ending vulnerability tail chase.”