NodeZero Analysis Reveals the Three Major Attack Themes and the Year’s Top 10 Threats, Weaknesses and Vulnerability Themes; Offers Mitigations and Policy Recommendations.
Horizon3.ai, a leading cybersecurity firm focused on autonomous penetration testing, today issued “Year in Review 2022: Through the Eyes of the Attacker,” its inaugural edition of the cybersecurity threatscape.
The report reveals the three major attack themes and ten most common misconfigurations, vulnerabilities and weaknesses attackers are likely to detect and exploit. Findings are derived from nearly 7,000 penetration tests (pentests) using the award-winning NodeZero™ platform. Nearly 1 million assets were evaluated in tests conducted by companies that deploy industry-leading security tools, employ experienced cybersecurity practitioners, and implement compliance policies.
A staggering 7% of those assets contributed to or would be directly affected by a critical impact as defined by Mitre Corp. – an event that would cause program failure and an inability to achieve the customers’ minimum acceptable requirements – with over 200,000 different attack paths to impact.
Testing revealed conclusively that security teams, tools and policies all require tuning and enforcement, and that in order to accurately assess the effectiveness of an organization’s posture, it is crucially important to continually attack the environment in the same way a malicious cyber threat actor would.
Three Main Attack Themes and Ten Most Commonly Exploited Vulnerabilities
The three main themes or causes of exploitable weaknesses, vulnerabilities and misconfigurations that arose over the past year are:
- Credential policies are weak, or often not enforced: most often, attackers don’t “hack” in using sophisticated tools or exploits, they simply “live off the land” and log in with legitimate credentials. Recent research showed that 62% of all detections indexed by the fourth quarter of 2021 were malware-free.
- Patching is rare, but fixes to misconfigurations are even rarer: many organizations found exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including from CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog. For example, NodeZero exploited the Remote Desktop Services RCE Vulnerability (CVE-2019-0708) “BlueKeep” 552 times this past year, and EternalBlue (CVE-2017-0144) 565 times. Critical VMware vulnerabilities were exploited 365 times, and misconfigurations and vulnerabilities were also common in popular DevOps tools and resources such as Jenkins (58 instances), GitLab (41 instances), Docker (50 instances) and Kubernetes (54 instances).
- Tools need oversight and tuning to work effectively: “But my EDR should’ve stopped that….” was a common refrain among participants whose large investments in EDR solutions failed during pentests. Many companies could not detect an unauthorized host such as NodeZero in their environment and prevent it from dumping a SAM database full of credentials. Often, it was not the tool itself that failed, but rather a failure to properly configure the tool that resulted in the exposure of assets. For example, NodeZero was able to use Windows MITM attacks (NTLM Relay) 1,450 times and captured 138,662 credentials.
Each of the top 10 vulnerabilities and weaknesses that NodeZero enumerated and exploited was the direct result of these three themes, and each led to critical impacts, deeper implications, and ultimately to positive action by the customer to remediate them.
The top 10 vulnerabilities detected in 2022 are:
- Weak or reused credentials
- Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
- Credential dumping from Windows or Linux hosts
- Exploitation of critical Cybersecurity and Infrastructure Security Agency (CISA) vulnerabilities
- Exploitation of critical VMware vulnerabilities
- Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
- Misconfigurations and vulnerabilities in Routers, iLOs, and iDRACs
- Windows Man-in-the-Middle attacks (NTLM relay)
- Windows Active Directory privilege escalation vectors (Kerberoasting)
- Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)
“These findings underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry,” said Snehal Antani, CEO and co-founder of Horizon3.ai. “Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors. Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective, and most importantly – whether their assets and environments are secure.”
“While we are honored by the numerous awards, accolades and customer wins that the last year has brought, the ability to help customers find, fix and verify the vulnerabilities and weaknesses that would otherwise make their organizations easy prey for threat actors is the singularly rewarding mission that everyone at Horizon3.ai thrives on.”
The report also offers mitigation strategies and policy recommendations for each of the three main attack themes. For example, among recommendations regarding weak or unenforced credential policies, Horizon3.ai recommends that organizations:
- Increase training for employees on basic cyber security, including the dangers of credential reuse and weak or easily guessed passwords.
- Institute password policies that include complexity and length requirements. We recommend our customers require passwords to be at least 15 characters long and to include at least one uppercase letter, one number, and one special character. Consider using a password manager with multifactor authentication.
- When creating a temporary password for a new user or a user who requires an account unlock, require the password to be used within a specific timeframe before the account is disabled. We recommend locking the account after 24 hours if the temporary password has not been used.
- Require the use of multifactor authentication for logging into environments and segmented networks when possible. This ensures a high degree of certainty that a cyber threat actor will not be able to gain access to systems unless they also have control of the second device, such as a registered cellphone or other device to confirm a login attempt.
- Implement a configuration management process that requires default credentials to be changed before systems are deployed in a production environment.
- Disable the accounts of current or former employees who no longer require access. Oftentimes, cyber threat actors are disgruntled employees or former employees who seek retribution against an organization and already have access. Disabling rather than deleting the former user's account allows the organization to retain any files or data the individual generated while limiting the organization’s risk.
- And lastly, verify that each of the above guidelines is implemented, enforced, and effective by attacking your environment, teams, tools, and rules using NodeZero.
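The credential recommendations above are stated as policy; the following Python script is an added example (not code from the report or from Horizon3.ai) of turning them into checks a defender can run at provisioning time or over an account inventory. It assumes (my assumptions, not the report's) that passwords are available as plain strings at creation time, that a temporary password carries its issue timestamp and is considered expired 24 hours later if unused, and that password reuse across accounts is detected by comparing digests of the stored passwords. The sample accounts, timestamps and the list of vendor defaults are constructed for the example.

```python
"""Added example: checks implementing the credential-policy recommendations
(15+ characters, mixed character classes, 24-hour temporary-password window,
no vendor defaults, no reuse across accounts). Not the report's own code."""
from __future__ import annotations

import hashlib
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 15                          # length floor stated in the recommendations
TEMP_PASSWORD_TTL = timedelta(hours=24)  # window before an unused temporary password locks the account

# Constructed sample of vendor default credentials (username, password).
# A real deployment would load the list for the products it actually runs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def temp_password_expired(issued_at: datetime, now: datetime, used: bool) -> bool:
    """True when an unused temporary password has passed its 24-hour window,
    i.e. the account should now be disabled."""
    return (not used) and (now - issued_at) >= TEMP_PASSWORD_TTL


def is_default_credential(username: str, password: str) -> bool:
    """True when the pair matches a known vendor default (username compared case-insensitively)."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts that share a password. The SHA-256 digest here is a stand-in
    for whatever hash the directory stores; only the grouping matters."""
    by_digest: dict[str, list[str]] = {}
    for user, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(user)
    return {d: sorted(users) for d, users in by_digest.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed inventory: plaintext is assumed available only at creation time.
    inventory = {
        "alice": "Correct-Horse-Battery-9",
        "bob": "Correct-Horse-Battery-9",      # reuses alice's password
        "carol": "longlowercasepassword1",    # long enough but missing classes
        "admin": "admin",                     # vendor default left in place
    }
    for user, pw in inventory.items():
        print(user, password_policy_violations(pw) or "compliant",
              "DEFAULT" if is_default_credential(user, pw) else "")
    print("shared passwords:", list(reused_passwords(inventory).values()))

    issued = datetime(2022, 12, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    print("lock unused temp password after 25h:",
          temp_password_expired(issued, issued + timedelta(hours=25), used=False))
```

Each check returns data rather than printing, so the same functions can sit behind an account-creation hook or a scheduled audit; the report's final recommendation, verifying that the policy actually holds, is the reason the reuse and default-credential checks operate on an inventory rather than on a single password.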