You might not know it based on the hype and marketing dedicated to APTs and vulnerabilities, but most criminals don't need to target software or use fancy tactics to ruin a network and compromise sensitive data.
Josh Abraham, a practice manager for Praetorian, recently compiled a report [registration required] on common attack vectors used during 100 pen test engagements at 75 different organizations between 2013 and 2016.
"We compiled this paper to detail the top internal attacks we used over the past three years that resulted in Praetorian achieving its objectives. Common objectives include achieving a sitewide compromise and/or access to sensitive information the client requested we gain access to."
Thing is, when it came to achieving their goals, they didn't need to use software vulnerabilities.
Organizations tend to get fixated on vulnerabilities. True, patching vulnerabilities is important, but this fixation comes at the "expense of elements of risk that are often more important," the report says.
"The fixation on patch management is compounded by professional service firms who equate a penetration test to little more than running a vulnerability scan against an organization’s network."
So what are the aforementioned elements that are more important than vulnerabilities?
In 66 percent of the engagements included in the report, weak domain passwords were the number one attack path. The usage of Active Directory, given its limitations on complexity when it comes to passwords, prevents users from selecting strong passwords. Compounding this issue is the fact that most organizations grant administrative permissions to their users.
Broadcast Name Resolution Poisoning:
"This attack can be used when an attacker is on the corporate network. The attacker configures its system to respond to broadcast requests such as LLMNR, NetBIOS, or MDNS by providing its own IP," the report explains.
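A defender can look for exactly this behaviour: a host that answers broadcast name queries for many unrelated names, or for a name that nothing owns, with its own IP. The sketch below is an added example, not code from the report or from Praetorian; the observation format, the canary name, the sample addresses and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample observations (not from the report): one tuple per
# response seen to a broadcast/multicast name query on the local segment.
# Fields: protocol, queried name, responder IP, IP given in the answer.
OBSERVATIONS = [
    ("LLMNR", "fileserver01", "10.0.5.20", "10.0.5.20"),
    ("LLMNR", "wpad", "10.0.5.77", "10.0.5.77"),
    ("NBNS", "prnt-3rdfloor", "10.0.5.77", "10.0.5.77"),
    ("MDNS", "intranet-typo", "10.0.5.77", "10.0.5.77"),
    ("LLMNR", "canary-7f3a9c", "10.0.5.77", "10.0.5.77"),
    ("MDNS", "laptop-jsmith", "10.0.5.31", "10.0.5.31"),
]

# Hypothetical names a monitoring host queries on purpose; nothing on the
# network owns them, so any answer is suspect.
CANARY_NAMES = {"canary-7f3a9c"}


def find_suspect_responders(observations, canaries, max_names=2):
    """Return {responder_ip: [reasons]} for hosts that look like poisoners."""
    names_claimed = defaultdict(set)
    reasons = defaultdict(list)
    for proto, name, responder, answer in observations:
        name = name.lower()
        # A legitimate host normally answers only for its own name(s).
        if answer == responder:
            names_claimed[responder].add(name)
        # Any reply to a canary query means someone answers for anything.
        if name in canaries:
            reasons[responder].append(f"answered canary '{name}' via {proto}")
    for responder, names in names_claimed.items():
        if len(names) > max_names:
            reasons[responder].append(
                f"claimed {len(names)} distinct names with its own IP")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in find_suspect_responders(OBSERVATIONS, CANARY_NAMES).items():
        print(ip, "->", "; ".join(why))
```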
The other three attack types in the report include Pass the Hash, locating cleartext passwords in memory, and taking advantage of weak network access controls.
The point of the report seems to be that a focused attacker has plenty of options, and while vulnerabilities are one of the tools in the box, they're not the only option.
Granted, patch management is an important aspect of a security program, but as the report shows, patches can't fix weak passwords or poor access controls. In fact, all of the techniques in the report are design flaws in the environment.
"The reason attackers focus on exploiting design weaknesses is because they are more prevalent and reliable vectors. Design weaknesses will be present in the environment until the design changes. They also have a longer shelf life, which makes them very attractive, since they won’t be fixed in a short period of time (monthly or quarterly patch cycle)," the report concluded.
Aside from listing the five attacks, the report also includes advice for dealing with them.