This may seem an unusual thing for a security provider to admit, and it feels a little uncomfortable to us, but we recently uncovered a flaw in our own defences when we staged a security attack against ourselves. And we feel the results are a vital lesson to everyone fighting the cybersecurity battle.
We wanted to understand how our systems would stack up in the face of an attack and, if someone really came at us with malicious intent, whether they would be successful.
To do this, our SensePost experts carried out a horizontal brute force attack (password spraying), which began with using open sources such as LinkedIn to build a credible list of Active Directory user IDs. They took a series of commonly used passwords and tried each one across the entire list of users – and found a match that gave them access to one user's account.
Using that user's credentials, they were able to pull a list of all active users, ran the same passwords against that list and gained access to an administrative user. They then used a tool called Mimikatz – which was also used in the infamous WannaCry attack – to extract cached credentials for the domain administrator.
So essentially, using a list of example passwords, they were able to hack into a domain admin’s account in less than a day.
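The attack above is wide and shallow: one guess against many accounts, so no single account trips a lockout. As an added example (not the article's or SensePost's tooling), this flags a source whose failed logons touch many distinct accounts within one window; the record format, the constructed sample and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (time, account, source address); not real logs.
# The first six are one source trying one guess against many accounts; the last
# three are a single user mistyping their own password, which should not alert.
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:05", "alice", "10.0.0.5"),
    ("2024-01-10 09:00:06", "bob", "10.0.0.5"),
    ("2024-01-10 09:00:07", "carol", "10.0.0.5"),
    ("2024-01-10 09:00:08", "dave", "10.0.0.5"),
    ("2024-01-10 09:00:09", "erin", "10.0.0.5"),
    ("2024-01-10 09:00:10", "frank", "10.0.0.5"),
    ("2024-01-10 09:05:00", "alice", "10.0.0.9"),
    ("2024-01-10 09:05:30", "alice", "10.0.0.9"),
    ("2024-01-10 09:06:00", "alice", "10.0.0.9"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_spray(events, window_minutes=10, min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside one window touch many distinct
    accounts with only a few attempts each (wide and shallow, the opposite of
    a per-account brute force that a lockout policy would catch)."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((parse_ts(ts), account))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for source, items in by_source.items():
        items.sort()
        best = None
        # Slide a window starting at each failure and count distinct accounts in it.
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)
            for t, account in items[i:]:
                if t - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if best is None or len(counts) > best["accounts"]:
                    best = {"source": source, "accounts": len(counts), "window_start": start}
        if best:
            alerts.append(best)
    return alerts
```

Tune min_accounts to your estate size; the max_per_account bound is what separates a spray from a user who simply keeps getting their own password wrong.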
The perils of passwords
This may sound shocking – indeed our management was shocked at the ease with which this occurred – and the assumption was that people were using insecure passwords. But on the contrary, the passwords used met the suggested levels of security: the vast majority were between 8 and 12 characters long and used combinations of lower-case letters, capital letters and numbers.
The passwords weren’t cracked because they were weak, but because they used formats that were predictable. Our data tells us that one in three passwords (32%) starts with a capital letter and ends in a number, around one in seven ends in two numbers (15%), one in eight (12%) contains a year and one in every 11 passwords ends in three numbers (9%). The high likelihood is that I’ve just mentioned a format that you use for at least one of your logins to one of your many online accounts.
Cybercriminals are well aware of this, and use this information to build templates that form the basis of highly targeted attacks. In fact, the actual password our attacker was able to crack was ‘rte6cdeiP,’ which was far from simple and wouldn’t get you fired in the real world. But this serves to highlight how important it is to have segmentation or detection in place to prevent an attacker from running amok.
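The four formats quoted above can be turned into a structural check that runs alongside the usual length and complexity rules. This is an added example, not the article's data or tooling: the shape names, the "year means 19xx or 20xx" reading, the mask alphabet and the sample list are assumptions.

```python
import re
from collections import Counter

# The predictable shapes the article reports; names are ours, the shares are the article's.
# Assumption: "contains a year" means a four-digit 19xx or 20xx run.
SHAPES = {
    "starts_capital_ends_digit": re.compile(r"^[A-Z].*\d$"),   # 32% in the article
    "ends_two_digits": re.compile(r"\d{2}$"),                  # 15%
    "contains_year": re.compile(r"(?:19|20)\d{2}"),            # 12%
    "ends_three_digits": re.compile(r"\d{3}$"),                # 9%
}


def mask(password):
    """Reduce a password to its character-class skeleton (u/l/d/s)."""
    return "".join(
        "u" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
        for c in password
    )


def shapes(password):
    """Names of every reported shape the password matches (empty if none)."""
    return [name for name, rx in SHAPES.items() if rx.search(password)]


def policy_check(password):
    """Accept only if it meets a conventional complexity rule AND matches none of
    the predictable shapes. Returns (accepted, matched_shapes)."""
    found = shapes(password)
    complex_enough = (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )
    return complex_enough and not found, found


def audit(passwords):
    """Tally skeletons and shape hits across a list so an admin can see how much
    of their own estate clusters into a handful of templates."""
    skeletons = Counter(mask(p) for p in passwords)
    hits = Counter(s for p in passwords for s in shapes(p))
    return skeletons, hits


# Constructed candidates (not real credentials); the last one is the article's example.
SAMPLE = ["Summer2023", "Welcome1", "Passw0rd99", "London2019", "Monday123", "rte6cdeiP"]
```

Note that 'rte6cdeiP' passes policy_check yet still fell to the attacker's guess list, which is the article's point: a structure check narrows exposure to template-driven guessing but does not replace a check against known-guessed passwords, nor segmentation and detection.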
Let down by legacy
Potentially the scariest thing we’ve taken away from this experiment was the threat that unused, seemingly harmless legacy technology can pose. That old computer that’s been sitting collecting dust in the corner for three years? It could be an attacker’s route into your critical systems and data.
Our faux attacker was able to find a machine with a legacy vulnerability: an old ticketing system that had been replaced, had no data on it, wasn't being used and was disconnected from the environment. This limited the attacker's ability to steal data from the machine itself, but that wasn't their intent – more worryingly, it enabled them to elevate their privileges across the domain.
Our data tells us nearly two-thirds of cyber-attacks (64%) will have a high or critical vulnerability, and on average it takes one of our highly skilled analysts three days to discover it. When a customer implements the advice we apply in one of our assessments, it takes them 21 days to find a vulnerability – which is a huge improvement.
These unpatched vulnerabilities can come back to bite you so, no matter how inconsequential you feel a machine may be, always ensure you remove the threat.
Discovering a common threat
We also ran a controlled experiment to breach the server using Microsoft DDE (Dynamic Data Exchange), which wouldn't normally work on our system, so we faked it a little to evaluate how our detection technology would respond.
It began with an email containing a Word document with an embedded DDE object, which allows a document to reach out to and invoke external data sources or execute commands. It popped up a common 'end of formula' message box and prompts asking whether you want to enable editing; clicking yes triggered a PowerShell download that gave the attacker full remote command and control of the machine.
This was detected because DDE isn't permitted in our environment, and we were able to monitor a change in the registry, which offered a first clue that a machine was vulnerable. We also picked up that the machine was attempting to 'talk out' to an external source, and the use of PowerShell to communicate with the command and control server.
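The chain described above (Office document, then a script host, then an outbound connection) can be expressed as a two-stage correlation over endpoint telemetry. This is an added example, not the detection stack the article describes; the event schema, the process-name lists, the constructed telemetry and the 120-second window are assumptions.

```python
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed endpoint telemetry (not real logs): process starts and outbound connections.
# pid 5151 is the full chain; pid 6161 is stage one only; pid 7171 is a normal admin shell.
SAMPLE_TELEMETRY = [
    {"t": "2024-01-10 10:00:00", "kind": "process", "pid": 4242, "image": "winword.exe", "parent": "explorer.exe"},
    {"t": "2024-01-10 10:00:20", "kind": "process", "pid": 5151, "image": "powershell.exe", "parent": "winword.exe"},
    {"t": "2024-01-10 10:00:25", "kind": "network", "pid": 5151, "dest": "203.0.113.7", "port": 443},
    {"t": "2024-01-10 10:30:00", "kind": "process", "pid": 6161, "image": "cmd.exe", "parent": "excel.exe"},
    {"t": "2024-01-10 11:00:00", "kind": "process", "pid": 7171, "image": "powershell.exe", "parent": "explorer.exe"},
    {"t": "2024-01-10 11:00:05", "kind": "network", "pid": 7171, "dest": "192.0.2.10", "port": 443},
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window_seconds=120):
    """Stage 1: an Office app spawning a script host is suspicious on its own (medium).
    Stage 2: that same child talking out within the window completes the chain (high)."""
    suspicious = {}
    for e in events:
        if e["kind"] == "process" and e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            suspicious[e["pid"]] = {"pid": e["pid"], "image": e["image"], "parent": e["parent"],
                                    "started": ts(e["t"]), "severity": "medium", "dest": None}
    window = timedelta(seconds=window_seconds)
    for e in events:
        if e["kind"] != "network" or e["pid"] not in suspicious:
            continue
        s = suspicious[e["pid"]]
        # Only connections made shortly after the suspicious start count as the same chain.
        if timedelta(0) <= ts(e["t"]) - s["started"] <= window:
            s["severity"] = "high"
            s["dest"] = f'{e["dest"]}:{e["port"]}'
    return sorted(suspicious.values(), key=lambda f: f["started"])
```

The parent-child pairing is what keeps the ordinary PowerShell session (pid 7171) out of the findings even though it also talks out.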
While these events may have hurt our ego a little, we believe they are vital learnings for all businesses in how vulnerable you could be to attackers. Every single war game of this type that we are involved in provides value for us and enables us to make improvements, enhance our systems and techniques, and provide even more value to our customers.
Find out how we can help you understand the risks your business could face by carrying out a Security Assessment Report.