Zero Vulnerabilities ≠ Safe

Companies continue to be breached by attackers whose techniques keep evolving. Organizations must therefore start assessing their internal security as well, rather than focusing only on perimeter defenses and vulnerability assessments. It is also essential to remember that when my team at Improsec finds one or more paths to becoming Domain Administrator, it is usually not because of a missing patch or a known software vulnerability. Far more often it is the misuse of legitimate features, misconfiguration, and oversights that arise from the sheer complexity of the environment.

A vulnerability assessment is only one part of a complete security check. A company can therefore receive assessment after assessment reporting zero vulnerabilities and still be compromised by insider and external threats if it has not complemented its vulnerability assessments with a proper internal penetration test.

Vulnerability Assessment

Organizations perform vulnerability assessments to identify potential security weaknesses in their systems. The assessment process scans the organization's systems to discover whether they are exposed to known vulnerabilities, rates the severity of each finding, and recommends mitigation or remediation.

By performing a vulnerability assessment, an organization can discover whether its software and systems use insecure default settings or easily guessable passwords, and whether systems or applications are behind on patches.

However, that is where its strength ends. It is far less effective at finding privilege escalation paths, broken authentication mechanisms, and vulnerabilities caused by code injection, such as SQL injection and cross-site scripting.

Is Vulnerability Assessment Enough?

The short answer is no. Penetration testing and vulnerability assessment should both be part of your yearly security activities. Each has its own strengths, so the two complement each other and together give a more complete picture. A vulnerability assessment and a penetration test are two separate tasks that operate in the same field but typically produce very different results.

Vulnerability scanners detect known flaws in a company's systems; the work is automated, and the scanner locates the flaws wherever they exist. Penetration tests, put very simply, are where human creativity is needed to find flaws in business logic, misconfigurations, and so on. You could also say that a penetration test is designed to demonstrate the risk of compromise in a realistic attack rather than to find every flaw in a system.

From a security standpoint, it is a mistake for companies to rely only on vulnerability assessment of their internal network; every company should also perform proper internal penetration testing to stay ahead of insider and external threats.

Assume Breach Mentality

An assume breach mentality is an approach to cybersecurity that treats cyberattacks as something that "will happen" rather than something that "might happen." Organizations that adopt it build their defenses on the premise that a breach is likely to occur, and they continuously test for vulnerabilities and weaknesses throughout their network.

Assume Breach Testing

Assume breach testing is usually performed after a vulnerability assessment has been completed. A simulated insider mimics how a malicious insider could compromise or damage the network, its services, or its data.

As a rule of thumb, the starting point of an internal network penetration test is a standard user account with ordinary access privileges.

Scenarios include, but are not limited to:

  • A disgruntled employee (malicious insider) trying to compromise or damage the systems.

  • An external attacker who has gained a foothold through social engineering, phishing, or stolen credentials.

Organizations tend to concentrate on threats from the outside. Although external threats are far more common, internal threats - such as malicious insiders, careless employees, and even customers or clients - can be equally (if not more) dangerous.

According to the "2020 Cost of Insider Threats: Global Report"[1], the number of insider incidents increased by 47 percent from 2018 to 2020. Over the same period, the average annual cost of insider threats rose by 31 percent, from $8.76 million in 2018 to $11.45 million in 2020. A third of data breaches are projected to result from insider threats. These threats can come from:

  • Weak or shared passwords

  • Weak access controls

  • Insecure file-sharing or unencrypted data

  • Network misconfigurations

  • Lack of awareness about social engineering and phishing

  • Ransomware attacks

  • Insecure remote networks and devices

These threat vectors need to be identified and addressed on a priority basis. Penetration testing is a critical component of this.

Read more here: https://improsec.com/en/internal-penetration-test-assume-breach

AD weaknesses

There are many areas of an AD that can be weak and therefore attacked, and identifying those areas is key to staying secure. One of the many problems is that in an extensive Active Directory (AD) environment with a great number of permissions, it is tough to determine the security implications of each permission. One way to combat this is to use BloodHound.

BloodHound models the objects in AD (users, groups, computers, and so on) and the relationships between them as a graph, and then walks that graph to identify lateral movement and privilege escalation paths.

The hidden and often unintended relationships in an AD environment are revealed by BloodHound's graphs. With BloodHound it is possible to identify chained attacks that would otherwise be impractical to find in a hurry, and to find the shortest path to a given target.

In theory you can remediate ALL possible pathways to Domain Admins, and you can write queries that return every path. In practice the resulting graph can be huge, and it is difficult to understand how the graph relates to the problem at hand.

Read more here: https://improsec.com/tech-blog/improhound-identify-ad-tiering-violations

Tiering is the Solution

Ensuring that every AD object has only the permissions it needs is not practical. Instead, you should create tiers in your AD by drawing lines between groups of assets of different sensitivity and ensuring that no permission crosses those lines (any such crossing is an attack path). The "legacy AD tier model" has been replaced by Microsoft's Enterprise Access Model, which also covers cloud, OT, etc., and not just on-premises AD, but AD tiering remains one of the most effective ways to prevent an attacker from escalating from an ordinary AD user to Domain Administrator.
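
As an added illustration of both points above (BloodHound's graph view of attack paths, and tiering as lines that no permission may cross), the Python below is example code written for this page; it is not Improsec's, BloodHound's or ImproHound's code. It models a small, constructed AD environment with hypothetical names (corp.local, alice, svc_backup, WS01 and so on) and an invented tier assignment, finds the shortest attack path from a standard user to Domain Admins, lists every edge that crosses a tier line, and shows that removing just those crossings removes the path:

```python
from collections import deque

# Added toy model of the BloodHound idea: AD objects are nodes, abusable
# relationships are directed edges, and an attack path is a walk through the
# graph. All data below is constructed for this example (hypothetical names);
# nothing here talks to a real domain, BloodHound or Neo4j.

# (source, relationship, target); relationship names follow BloodHound's edge vocabulary.
EDGES = [
    ("alice@corp.local",         "MemberOf",   "HELPDESK@corp.local"),
    ("bob@corp.local",           "MemberOf",   "FINANCE@corp.local"),
    ("HELPDESK@corp.local",      "AdminTo",    "WS01.corp.local"),
    ("FINANCE@corp.local",       "CanRDP",     "WS02.corp.local"),
    ("WS01.corp.local",          "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local",    "MemberOf",   "SRV-ADMINS@corp.local"),
    ("SRV-ADMINS@corp.local",    "AdminTo",    "SRV01.corp.local"),
    ("svc_backup@corp.local",    "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("DOMAIN ADMINS@corp.local", "AdminTo",    "DC01.corp.local"),
]

# Assumed tier assignment (invented for the example): Tier 0 = domain controllers
# and Domain Admins, Tier 1 = servers and their admins, Tier 2 = workstations and users.
TIERS = {
    "DC01.corp.local": 0, "DOMAIN ADMINS@corp.local": 0,
    "SRV01.corp.local": 1, "SRV-ADMINS@corp.local": 1, "svc_backup@corp.local": 1,
    "WS01.corp.local": 2, "WS02.corp.local": 2, "HELPDESK@corp.local": 2,
    "FINANCE@corp.local": 2, "alice@corp.local": 2, "bob@corp.local": 2,
}
UNCLASSIFIED = 99  # objects placed in no tier are treated as least privileged


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS: the fewest abusable edges from start to target, as a list of
    (source, relationship, target) edges, or None if target is unreachable."""
    if start == target:
        return []
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == target:
                path, cur = [], nxt
                while prev[cur] is not None:  # walk parent pointers back to start
                    parent, r = prev[cur]
                    path.append((parent, r, cur))
                    cur = parent
                return path[::-1]
            queue.append(nxt)
    return None


def principals_reaching(graph, target):
    """Every node with some path to target. Listing *all* paths is what makes the
    graph huge in a large domain; the set of starting points is usually enough."""
    reverse = {}
    for src, out in graph.items():
        for _, dst in out:
            reverse.setdefault(dst, []).append(src)
    seen, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def tier_violations(edges, tiers):
    """Edges where a less privileged tier (higher number) controls a more privileged
    one (lower number): the lines being crossed. Same-tier and downward edges are fine."""
    tier = lambda obj: tiers.get(obj, UNCLASSIFIED)
    return [(s, r, d) for s, r, d in edges if tier(s) > tier(d)]


def remediated_edges(edges, tiers):
    """The edge set with every tier-crossing edge removed."""
    crossing = set(tier_violations(edges, tiers))
    return [e for e in edges if e not in crossing]


if __name__ == "__main__":
    da, graph = "DOMAIN ADMINS@corp.local", build_graph(EDGES)
    for src, rel, dst in shortest_path(graph, "alice@corp.local", da):
        print(f"{src} -[{rel}]-> {dst}")
    print("principals reaching Domain Admins:", sorted(principals_reaching(graph, da)))
    for src, rel, dst in tier_violations(EDGES, TIERS):
        print(f"tier violation: {src} (T{TIERS[src]}) -[{rel}]-> {dst} (T{TIERS[dst]})")
    fixed = build_graph(remediated_edges(EDGES, TIERS))
    print("path after removing violations:", shortest_path(fixed, "alice@corp.local", da))
```

Run it with python3 to print the path and the violations. The point is the last line: the path from alice to Domain Admins consists of within-tier edges plus two tier crossings (a Tier 1 service account with a session on a Tier 2 workstation, and that same account holding GenericAll over a Tier 0 group). Removing the two crossings breaks the path without anyone having to reason about every edge in the graph, which is exactly why the tier lines are easier to enforce than a per-object least-privilege review. ImproHound performs this kind of tier-violation check against real BloodHound data.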

Read more here: https://improsec.com/tech-blog/securing-windows-environments

[1] "2020 Cost of Insider Threats: Global Report", Ponemon Institute, 2020.