In this Whiteboard Wednesday, Kwan Lin, senior data scientist at Rapid7, dives into key learnings from our latest Under the Hoodie penetration testing report. This includes successful techniques our pen testers utilized, and what you can do to help shore up your defenses.
To read the full Under the Hoodie report, or watch our pen tester confessional videos, visit rapid7.com/hoodie
Hi, my name is Kwan Lin, Senior Data Scientist at Rapid7 and one of the authors of the recently released 2019 Under the Hoodie report.
Under the Hoodie examines penetration testing in a systematic manner. The analysis in the report is based on surveys collected from pen testers involved with 180 engagements between September 2018 and May 2019. The survey is extensive and includes over 90 questions, which cover topics on external assessments that originate from the internet, internal assessments that focus on infrastructure and other components that aren’t expected to be accessible from outside of the organizational network, assessments that straddle both internal and external arrangements, and other assessment types.
While our penetration testers are highly skilled professionals, the breadth of each of their perspectives is naturally limited to only the engagements that they are individually involved in. However, by collecting data across numerous pentesting engagements, we are enabled to move beyond anecdotal accounts and draw broad generalizations that reflect on overall trends and patterns in the world of penetration testing.
We found that pentesters are in general highly effective at identifying vulnerabilities. In fact, across all the surveys, pentesters were able to find at least one vulnerability 96% of the time. This number might seem alarmingly high, but each find by a pentester represents a gap that has been identified and that could potentially be closed to actual malicious actors.
One of the most prominent vulnerabilities we found, particularly for external assessments, was weak transport layer security where encryption standards for externally facing resources were either weak or non-existent. This creates the risk that sensitive data - such as passwords or confidential details - could be exposed in transit.
On internal engagements, our pen testers achieved domain administrator access about 76% of the time and were able to collect sensitive information 87% of the time. Once the pentesters were able to gain administrator access, they were very often also able to collect sensitive information. While these percentages might seem suspiciously high, these patterns are consistent with findings in prior Under the Hoodie reports.
On a number of engagements, our pentesters also found glaring gaps in security patching. Two vulnerabilities that they paid particular attention to were Conficker, which is quite old, and Eternal Blue, which is comparatively new. It’s worth noting that patches are readily available for both vulnerabilities.
Through the survey data, we were also able to get a better sense of the particular techniques pentesters liked to rely on to do their work. Once pentesters gain footholds on internal environments, they often rely on tools like Windows Management Instrumentation (WMI) and PsExec - which are intended for remote administration - as a means to pursue lateral movement. In contrast, PowerShell was utilized far less commonly, possibly because PowerShells restrictions in enterprise Windows environments are becoming increasingly common.
Password management it seems remains a challenging topic for many organizations. Our pentesters successfully captured credentials in 72% of engagements. Passwords were discovered in a variety of ways, including through offline password cracking, password spraying, or guessing with obvious or common password patterns (such as the season plus year, followed by a punctuation mark, or some variation of combining the company name with a year value). The results reinforce the notion that humans are generally bad at managing passwords and are not nearly as creative as they might believe themselves to be.
We’ll conclude now with a handful of recommendations for how to improve security, based on the exploits achieved by our pentesters:
—Pay attention to patch management. There are often very legitimate reasons that get in the way of timely patch management, but failure to apply patches potentially leave exposed vulnerabilities that can easily be exploited by malicious actors.
—Consider using password management tools rather than relying on people to effectively manage their passwords on their own. The numbers show that people consistently utilize weak passwords, and it could only take one weak set of credentials for a pentester to gain a solid foothold within an organization’s network. Also consider implementing account lockouts for multiple failed login attempts and multi-factor authentication if these measures aren’t already in place.
—A lot of the effort by our pentesters is dedicated to some form of lateral movement. Lateral movement efforts can significantly be impeded with effective asset and service inventory and management. Take the time to scan yourself to find assets that might have been forgotten and are still lingering. These represent golden opportunities for pentesters and bad actors alike.
We hope this brief overview of the Under the Hoodie report has helped dispel some of the mystique surrounding penetration testing. If you’re interested in learning more about our findings, head on over to our website at Rapid7.com to view the full report.
If you have any questions, feel free to contact us by email at research@rapid7.com.
