There is never a quiet year in cybersecurity. But some are more challenging than others, and 2020 was uniquely disruptive.
COVID-19 forced businesses to compress years’ worth of digital transformation into a few months, and malicious actors capitalized on the rush to remote work and the cloud. The number of data records exposed in 2020 skyrocketed to 37 billion—a 141% increase compared to 2019.
The CBI Red Team partnered with a variety of organizations to put their defenses to the test. The analytics we have developed for penetration testing and red teaming engagements enable us to extend the value of our findings to help you prioritize issues as you work to improve your security posture in 2021.
While there are many technically advanced attacks to worry about, social engineering continues to be the most widely used and successful attack vector. EDR and email security controls can help, and consistent security awareness training and testing is critical.
The traditional corporate LAN transformed into a more hybrid mesh topology. The combination of a remote workforce and rapid transition to the cloud is introducing endpoint and application-based threats. However, it also makes traditional Man-in-the-Middle (MitM) attacks harder to pull off.
Many organizations still lack password security and multi-factor authentication (MFA). Inadequate MFA coverage—such as not having it deployed on all external authentication assets or not enabling it for all users—provides attackers with an easy way into the network.
Data security is a critical effort that is often not prioritized. Many companies mistakenly rely on CSPs to secure their digital assets. Lack of effective encryption or proper data access controls can provide direct access to the crown jewels.
Providing holistic protection against cached credential attacks is worth the effort. Cached credentials offer nation-state threat actors and ransomware operators a quick and easy way to compromise the entire network. Organizations should deploy effective countermeasures such as Microsoft’s Credential Guard to reduce the risk and impact.
Social engineering is still considered to be an organization’s most probable threat. In 2020, 75% of organizations around the world experienced some type of phishing attack. And according to the FBI, business email compromise (BEC) attacks cost U.S. organizations $1.8B.
On a positive note, one of the early observations we made in 2020 was that clients are getting better at deploying technologies such as endpoint detection and response (EDR) and advanced email security controls to enhance social engineering payload detection and prevention. We also observed advancements with Microsoft’s cloud-based email protection solutions.
Percentage of Payloads (C2) successfully detonated (established shell) using social engineering
An interesting finding related to social engineering was the overwhelming accessibility of sensitive data. This primarily resulted from running phishing attacks aimed at email. When we were able to gain access to email or SharePoint from the outside, we found a significant amount of sensitive information such as VPN profiles, passwords, intellectual property, financial data, HR data, and more. There is a tremendous opportunity for improvement in controlling sensitive data with technologies including data discovery, data classification, data loss prevention (DLP), digital rights management (DRM), and other access control and encryption solutions.
Was confidential data accessed/compromised through social engineering attacks?
Was confidential data accessed/compromised through external penetration testing?
Surprisingly, we also noticed that roughly 27% of the environments we assessed with social engineering did not have email spoofing remediated. This often occurs when the organization’s primary domain is secured with spoof prevention configurations such as SPF, DKIM, and DMARC, but secondary domains remain unprotected.
Was email domain spoofing possible?
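The secondary-domain gap described above is easy to audit from the published DNS records alone. The following is an added example (not CBI's tooling) that classifies a domain inventory by the strength of its SPF terminating qualifier and its DMARC policy; the record values are constructed samples standing in for what a DNS TXT lookup of the domain and of `_dmarc.<domain>` would return.

```python
"""Classify domains by SPF/DMARC spoof protection (added example, not CBI's code)."""
import re
from typing import Dict, Optional

# Constructed sample inventory: primary domain protected, secondary domains not.
# In practice these strings come from DNS TXT lookups (domain and _dmarc.domain).
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    },
    "example-legacy.com": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    },
    "example-brand.net": {"spf": None, "dmarc": None},
}


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Return the qualifier on the terminating 'all' mechanism ('-', '~', '?', '+'), or None."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None


def dmarc_policy(dmarc: Optional[str]) -> Optional[str]:
    """Return the DMARC p= tag value, or None when no valid DMARC record exists."""
    if not dmarc or not dmarc.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p")


def spoofing_risk(spf: Optional[str], dmarc: Optional[str]) -> str:
    """'protected' needs an enforcing DMARC policy plus a hard/soft SPF fail; 'weak' has one of the two."""
    policy, qual = dmarc_policy(dmarc), spf_all_qualifier(spf)
    if policy in ("reject", "quarantine") and qual in ("-", "~"):
        return "protected"
    if policy or qual in ("-", "~"):
        return "weak"
    return "unprotected"


def audit(records: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Map every domain in the inventory to its spoofing risk classification."""
    return {d: spoofing_risk(r["spf"], r["dmarc"]) for d, r in records.items()}
```

Running `audit(SAMPLE_RECORDS)` flags the two secondary domains, which is exactly the pattern the text describes: the primary domain is locked down while the others are left open.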
Forced authentication attacks are still very successful. These are simple attacks during which we send an email to several targets. Within the email is a hidden link to a picture. This link is not a normal HTTP link; it is called an SMB link. When the end-user opens the email, the option to “Right Click to Download Images” is presented. If the user right-clicks, the link is executed and an NTLM authentication request is sent to our SMB server on the internet, capturing the username and the NTLM password hash. We can then crack that hash, and use the credentials to expand our footprint.
We saw an increase in the success of this attack in 2020 that is likely related to remote workforce expansion. While organizations typically block ports 135/139/445 from the corporate LAN to the internet, many failed to implement endpoint firewalls for remote workers, leaving them vulnerable to this attack.
How often were Forced Authentication attacks successful?
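The remote-worker gap above is detectable from endpoint firewall telemetry: an allowed outbound SMB, NetBIOS or RPC connection to a non-internal address is the signature of a forced-authentication attempt succeeding. The following is an added example (not CBI's tooling) that scans constructed key=value firewall log lines for that pattern; the log format and the decision to treat anything outside RFC1918, loopback and link-local ranges as internet-bound are simplifying assumptions.

```python
"""Flag allowed outbound SMB/NetBIOS/RPC egress from endpoints (added example, not CBI's code)."""
import ipaddress
from typing import Dict, List

FORCED_AUTH_PORTS = {135, 139, 445}

# Assumption: anything outside these ranges is internet-bound. Extend for your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample endpoint firewall log lines; hosts and addresses are not real.
SAMPLE_LOG = """\
ts=2020-11-03T14:02:11Z host=LAPTOP-17 proto=tcp src=192.168.1.24 dst=10.0.5.12 dport=445 action=allow
ts=2020-11-03T14:02:13Z host=LAPTOP-17 proto=tcp src=192.168.1.24 dst=203.0.113.45 dport=445 action=allow
ts=2020-11-03T14:02:14Z host=LAPTOP-17 proto=tcp src=192.168.1.24 dst=203.0.113.45 dport=443 action=allow
ts=2020-11-03T14:05:40Z host=LAPTOP-22 proto=tcp src=192.168.1.31 dst=198.51.100.9 dport=139 action=block
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; unknown tokens are ignored."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def is_internet_destination(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_forced_auth_candidates(log_text: str) -> List[Dict[str, str]]:
    """Return allowed connections on 135/139/445 whose destination is internet-bound."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dst" not in rec:
            continue
        try:
            dport = int(rec.get("dport", ""))
        except ValueError:
            continue
        if (dport in FORCED_AUTH_PORTS and rec.get("action") == "allow"
                and is_internet_destination(rec["dst"])):
            hits.append(rec)
    return hits
```

Only the second sample line is reported: the SMB connection to an internal file server and the blocked NetBIOS attempt are both expected, while an allowed outbound 445 to an external host is what an endpoint firewall rule should have stopped.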
External penetration testing also produced some interesting metrics. For example, the number of organizations we found to be using Microsoft Office 365 (O365) was overwhelming. Around 94% of the customers we evaluated in 2020 were using some level of O365 cloud services; the percentage of customers running in Google Cloud (GCP) or solely on-premises was minuscule by comparison.
Percentage of organizations using O365
Top techniques used to gain initial access from the outside
Once inside the network, it is often fairly easy to move laterally, escalate privileges, and compromise critical assets. But not always. Many organizations, we found, had a profound level of awareness and detection capabilities that succeeded in reducing the impact of our progression with technologies such as EDR and SIEM.
However, the internal networks of most organizations still have significant room for improvement. Among the most impactful attacks on the inside to watch out for are Man-in-the-Middle (MitM) attacks.
MitM attacks were successful in nearly 80% of the environments we assessed in 2020. Most of these attacks focused on IPv6, LLMNR, NBT-NS, and MDNS. In most cases, hashes were captured and cracked or relayed because of a lack of SMB signing or ineffective usage of Kerberos as the authentication protocol. This was often the initial access vector used in gaining full control over the domain and network.
While MitM attacks have been used for years, they are getting more sophisticated as they target mobile devices. We are likely to see MitM attacks embedded in the attackers’ 2021 playbook in addition to being incorporated into advanced malware propagation techniques.
MitM Attack Success
In 94% of the environments we assessed, cached credential attacks were successful. They are problematic because it is difficult to protect the entire environment against cached credential attack vectors. There are multiple ways to pursue access to cached credentials, and as a result, there are multiple ways that organizations need to defend themselves. Having just a few machines or servers without adequate protection is enough to enable cached credential attacks to escalate and potentially gain complete control over the internal environment.
Successful Cached Credential Attacks
The threats we have described—and many more—will persist well into 2021 and beyond. Companies of all sizes need to up their security game to stay protected. In addition to effectively integrating technologies such as EDR, email security, MFA and data security controls, advisory services such as penetration testing are invaluable. Engaging with experts like CBI’s Red Team enables you to examine your environment with a fresh set of eyes and uncover any hidden exposures before attackers do.
For more information about CBI and Advanced Testing Services, contact us.