April 6, 2021
2020 Cybersecurity in Review: A Red Team’s Perspective

There is never a quiet year in cybersecurity. But some are more challenging than others, and 2020 was uniquely disruptive.

COVID-19 forced businesses to compress years’ worth of digital transformation into a few months, and malicious actors capitalized on the rush to remote work and the cloud. The number of data records exposed in 2020 skyrocketed to 37 billion—a 141% increase compared to 2019.

The CBI Red Team partnered with a variety of organizations to put their defenses to the test. The analytics we have developed for penetration testing and red teaming engagements enable us to extend the value of our findings to help you prioritize issues as you work to improve your security posture in 2021.

Key Findings Summary

  • EDR and Social Engineering: While there are many technically advanced attacks to worry about, social engineering continues to be the most widely used and successful attack vector. EDR and email security controls can help, and consistent security awareness training and testing is critical.
  • Monitoring: The traditional corporate LAN transformed into a more hybrid mesh topology. The combination of a remote workforce and rapid transition to the cloud is introducing endpoint and application-based threats. However, it also makes traditional Man-in-the-Middle (MitM) attacks harder to pull off.
  • MFA: Many organizations still lack password security and multi-factor authentication (MFA). Inadequate MFA coverage—such as not having it deployed on all external authentication assets or not enabling it for all users—provides attackers with an easy way into the network.
  • Encryption: Data security is a critical effort that is often not prioritized. Many companies mistakenly rely on CSPs to secure their digital assets. Lack of effective encryption or proper data access controls can provide direct access to the crown jewels.
  • Guard: Providing holistic protection against cached credential attacks is worth the effort. Cached credentials offer nation-state threat actors and ransomware operators a quick and easy way to compromise the entire network. Organizations should deploy effective countermeasures such as Microsoft’s Credential Guard to reduce the risk and impact.

Gaining Access With Social Engineering

Social engineering is still considered to be an organization’s most probable threat. In 2020, 75% of organizations around the world experienced some type of phishing attack. And according to the FBI, business email compromise (BEC) attacks cost U.S. organizations $1.8B.

On a positive note, one of the early observations we made in 2020 was that clients are getting better at deploying technologies such as endpoint detection and response (EDR) and advanced email security controls to enhance social engineering payload detection and prevention. We also observed advancements with Microsoft’s cloud-based email protection solutions.

Figure: Percentage of payloads (C2) successfully detonated (established shell) using social engineering

It is important to note that the payloads developed for our penetration testing differ somewhat from those used during our red team engagements. During a penetration test, we often do not have the luxury of time, and may not be able to develop a fully custom obfuscated payload designed to defeat the controls we encounter. Nevertheless, we observed that detection and prevention of social engineering payloads are improving among our customer base.

Sensitive Data

An interesting finding related to social engineering was the overwhelming accessibility of sensitive data. This primarily resulted from running phishing attacks aimed at email. When we were able to gain access to email or SharePoint from the outside, we found a significant amount of sensitive information such as VPN profiles, passwords, intellectual property, financial data, HR data, and more. There is a tremendous opportunity for improvement in controlling sensitive data with technologies including data discovery, data classification, data loss prevention (DLP), digital rights management (DRM), and other access control and encryption solutions.

Figure: Was confidential data accessed/compromised through social engineering attacks?
Figure: Was confidential data accessed/compromised through external penetration testing?

Spoofing

Surprisingly, we also noticed that roughly 27% of the environments we assessed with social engineering did not have email spoofing remediated. This often occurs when the organization’s primary domain is secured with spoof prevention configurations such as SPF, DKIM, and DMARC, but secondary domains remain unprotected.
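The gap described above (primary domain locked down, secondary domains left spoofable) is easy to check mechanically. The script below is an added example, not CBI's code; it replaces DNS with a constructed in-memory TXT table of hypothetical domains so it runs offline, and swapping in real TXT lookups turns it into a live audit.

```python
"""Audit SPF and DMARC on a primary domain and its secondary domains.
Added example (not CBI's code). DNS is replaced by a constructed in-memory
TXT table so it runs offline; substitute real TXT lookups to audit live domains."""
import re

# Constructed sample TXT records for hypothetical domains, keyed by DNS name.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example-legacy.com": ["v=spf1 a mx ~all"],         # SPF soft fail only
    "_dmarc.example-legacy.com": ["v=DMARC1; p=none"],  # DMARC in monitor mode
    "example-brand.net": [],                             # no SPF, no DMARC
}
ALL_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "permissive", "": "permissive"}

def lookup_txt(name, table=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the record strings for a name."""
    return table.get(name, [])

def spf_status(domain, table=SAMPLE_TXT):
    """Classify the SPF record by its 'all' mechanism: hardfail, softfail,
    neutral, permissive, or missing when no v=spf1 record exists."""
    records = [r for r in lookup_txt(domain, table) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", records[0].lower())
    return ALL_QUALIFIERS[match.group(1)] if match else "neutral"  # no 'all' => neutral by default

def dmarc_status(domain, table=SAMPLE_TXT):
    """Return the DMARC p= policy (none, quarantine, reject) or 'missing'."""
    for record in lookup_txt("_dmarc." + domain, table):
        if record.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return "missing"

def spoofable(domain, table=SAMPLE_TXT):
    """Treat a domain as spoofable unless SPF fails unauthorised senders (-all or ~all)
    AND DMARC tells receivers to quarantine or reject on failure."""
    return not (spf_status(domain, table) in ("hardfail", "softfail")
                and dmarc_status(domain, table) in ("quarantine", "reject"))

def audit(primary, secondaries, table=SAMPLE_TXT):
    """Map each domain to (spf, dmarc, spoofable) so gaps in secondary domains stand out."""
    return {d: (spf_status(d, table), dmarc_status(d, table), spoofable(d, table))
            for d in [primary, *secondaries]}

if __name__ == "__main__":
    for d, (spf, dmarc, weak) in audit("example.com", ["example-legacy.com", "example-brand.net"]).items():
        print(f"{d:20} spf={spf:10} dmarc={dmarc:10} {'SPOOFABLE' if weak else 'ok'}")
```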

Figure: Was email domain spoofing possible?

Forced Authentication Attacks

Forced authentication attacks are still very successful. These are simple attacks during which we send an email to several targets. Within the email is a hidden link to a picture. This link is not a normal HTTP link; it is called an SMB link. When the end-user opens the email, the option to “Right Click to Download Images” is presented. If the user right-clicks, the link is executed and an NTLM authentication request is sent to our SMB server on the internet, capturing the username and the NTLM password hash. We can then crack that hash, and use the credentials to expand our footprint.

We saw an increase in the success of this attack in 2020 that is likely related to remote workforce expansion. While organizations typically block ports 135/139/445 from the corporate LAN to the internet, many failed to implement endpoint firewalls for remote workers, leaving them vulnerable to this attack.
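Detecting the precondition for this attack on the defender's side comes down to spotting an endpoint that completes an SMB-class connection (ports 445, 139, 135) to an address outside the corporate ranges, which an endpoint firewall should have blocked. The script below is an added example, not CBI's code; it runs over a constructed, hypothetical CSV egress log (timestamp,host,src_ip,dst_ip,dst_port,action) rather than any real firewall format.

```python
"""Flag allowed SMB/NetBIOS/RPC egress from endpoints to non-corporate addresses.
Added example (not CBI's code); the log is a constructed, hypothetical egress
log in CSV form: timestamp,host,src_ip,dst_ip,dst_port,action."""
import csv
import io
import ipaddress

SMB_PORTS = {135, 139, 445}
# Corporate/internal ranges (RFC 1918 plus loopback and link-local); anything else is "Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for attacker-controlled Internet hosts.
SAMPLE_LOG = """\
2021-03-02T09:14:05Z,LAPTOP-17,192.168.1.23,203.0.113.9,445,allow
2021-03-02T09:14:06Z,LAPTOP-17,192.168.1.23,203.0.113.9,443,allow
2021-03-02T09:15:11Z,LAPTOP-42,10.8.0.14,10.0.5.20,445,allow
2021-03-02T09:16:30Z,LAPTOP-42,10.8.0.14,203.0.113.40,139,block
2021-03-02T09:17:02Z,LAPTOP-08,172.16.4.7,198.51.100.77,135,allow
"""

def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_smb_to_internet(log_text):
    """Return (host, dst_ip, port, timestamp) for each *allowed* SMB-class connection
    to an external address. Blocked entries show the endpoint firewall working and are
    skipped; internal destinations (file servers, DCs) are legitimate SMB traffic."""
    hits = []
    for ts, host, _src, dst, port, action in csv.reader(io.StringIO(log_text)):
        if action == "allow" and int(port) in SMB_PORTS and not is_internal(dst):
            hits.append((host, dst, int(port), ts))
    return hits

def hosts_lacking_egress_block(log_text):
    """Endpoints that should be checked for a missing outbound firewall rule."""
    return sorted({host for host, *_ in outbound_smb_to_internet(log_text)})

if __name__ == "__main__":
    for host, dst, port, ts in outbound_smb_to_internet(SAMPLE_LOG):
        print(f"{ts} {host} -> {dst}:{port}  allowed SMB egress; NTLM hash may have left the endpoint")
    print("review endpoint firewall on:", ", ".join(hosts_lacking_egress_block(SAMPLE_LOG)))
```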

Figure: How often were forced authentication attacks successful?

External Penetration Testing Data

External penetration testing also produced some interesting metrics. For example, the number of organizations we found to be using Microsoft Office 365 (O365) was overwhelming. Around 94% of the customers we evaluated in 2020 were using some level of O365 cloud services; the percentage of customers running in Google Cloud (GCP) or solely on-premises was minuscule by comparison.

Figure: Percentage of organizations using O365

Top techniques used in our external penetration tests provide insight into where organizations are most at risk.

  • Phishing attacks that capture passwords (credential harvesting) were the most successful at breaching the perimeter.
  • Password spraying continues to be effective as a result of poor password management and inadequate MFA coverage.
  • We also observed an increase in web application and service vulnerabilities and exploits, most likely related to accelerated cloud adoption.

Figure: Top techniques used to gain initial access from the outside

Internal Penetration Testing Data

Once inside the network, it is often fairly easy to move laterally, escalate privileges, and compromise critical assets. But not always. Many organizations, we found, had a profound level of awareness and detection capabilities that succeeded in reducing the impact of our progression with technologies such as EDR and SIEM.

However, the internal networks of most organizations still have significant room for improvement. Among the most impactful attacks on the inside to watch out for are Man-in-the-Middle (MitM) attacks.

MitM attacks were successful in nearly 80% of the environments we assessed in 2020. Most of these attacks focused on IPv6, LLMNR, NBT-NS, and mDNS. In most cases, hashes were captured and cracked or relayed because of a lack of SMB signing or ineffective usage of Kerberos as the authentication protocol. This was often the initial access vector used in gaining full control over the domain and network.

While MitM attacks have been used for years, they are getting more sophisticated as they target mobile devices. We are likely to see MitM attacks embedded in the attackers’ 2021 playbook in addition to being incorporated into advanced malware propagation techniques.

Figure: MitM attack success

Another pervasive threat the CBI Red Team was able to successfully leverage is cached credentials. Adversaries will almost always attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and related software.

In 94% of the environments we assessed, these attacks were successful. They are problematic because it is difficult to protect the entire environment against cached credential attack vectors. There are multiple ways to pursue access to cached credentials, and as a result, there are multiple ways that organizations need to defend themselves. Just having a few machines or servers without adequate protection is enough to enable cached credential attacks to escalate and potentially gain complete control over the internal environment.

Figure: Successful cached credential attacks

Moving Towards Cyber-Maturity

The threats we have described—and many more—will persist well into 2021 and beyond. Companies of all sizes need to up their security game to stay protected. In addition to effectively integrating technologies such as EDR, email security, MFA and data security controls, advisory services such as penetration testing are invaluable. Engaging with experts like CBI’s Red Team enables you to examine your environment with a fresh set of eyes and uncover any hidden exposures before attackers do.

For more information about CBI and Advanced Testing Services, contact us.


References

  1. RiskBased Security, “2020 Year End Report: Data Breach QuickView,” 2021. https://pages.riskbasedsecurity.com/en/en/2020-yearend-data-breach-quickview-report
  2. Rosenthal, M., “Must-Know Phishing Statistics: Updated 2021,” Tessian, February 2021. https://www.tessian.com/blog/phishing-statistics-2020/
  3. “FBI: Business Email Compromise Cost $1.8B in 2020,” DarkReading, March 2021. https://www.darkreading.com/attacks-breaches/fbi-business-email-compromise-cost-$18b-in-2020/d/d-id/1340452#:~:text=The%20Internet%20Crime%20Complaint%20Center,reported%20losses%20exceeding%20%244.1%20billion
About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at Converge. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.