Pen-Test Results Hint at Improvements in Enterprise Security

Though many problems remain, organizations are making attackers work harder.

Aggregated data from penetration tests and red team engagements suggests that many enterprise organizations are making progress in securing their networks against cyber adversaries.


External and internal assessments that pen-testing firms have conducted in recent years show that although organizational networks continue to present multiple weaknesses, attackers may be having a harder time finding and exploiting them from outside the network.


"I won't say that the days of 'point, click, and exploit' are over, but they sure are rare," says Chris Nickerson, CEO at pen-testing firm Lares. While security hardening, hygiene, patch management, password quality, and lack of visibility continue to remain big challenges, security organizations are evolving, he notes.


Increasingly, attackers are being forced to change their tactics and employ malware-less, "living-off-the-land" approaches to hide their malicious activity. "It is rare that 'exploitation' is the first hook into the environment anymore," Nickerson says. "Now tools and technology are required to observe normal system functions to determine if they are being used maliciously."


Lares recently analyzed data from hundreds of pen-test engagements to see what similarities it could find across enterprise networks. The results showed that accounts with weak and easily guessable passwords continue to be the biggest problem for most organizations. Other common vulnerabilities and attack vectors include weaknesses related to Kerberos authentication, excessive file system permissions, Windows Management Instrumentation (WMI)-enabled lateral movement, inadequate network segmentation, and improper access control.
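WMI-enabled lateral movement is one of the findings above that a detection team can act on directly, because it shows up in ordinary process-creation telemetry rather than in an exploit. The following Python snippet is an added example, not code from the article or from Lares: it runs two common indicators over a handful of constructed process-creation events (the field set mirrors what Sysmon event ID 1 or Windows Security 4688 provide, but the events, host names and command lines are invented). The first indicator is target-side (the WMI provider host `WmiPrvSE.exe` launching a shell or script host); the second is source-side (`wmic.exe` invoked with `/node:` to create a process on another machine).

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Script hosts and shells that WMI itself has no business spawning during normal operation.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event reduced to the fields the rules need."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()


def wmi_spawned_child(ev: ProcessEvent) -> bool:
    """Target-side indicator: the WMI provider host launched a shell or script host."""
    return basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SUSPICIOUS_CHILDREN


def remote_wmic_process_create(ev: ProcessEvent) -> bool:
    """Source-side indicator: wmic.exe was asked to create a process on a remote node."""
    cmd = ev.command_line.lower()
    return (
        basename(ev.image) == "wmic.exe"
        and "/node:" in cmd
        and "process" in cmd
        and "call" in cmd
        and "create" in cmd
    )


def find_wmi_lateral_movement(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule_name, command_line) for every event that matches an indicator."""
    alerts = []
    for ev in events:
        if wmi_spawned_child(ev):
            alerts.append((ev.host, "wmi_spawned_child", ev.command_line))
        elif remote_wmic_process_create(ev):
            alerts.append((ev.host, "remote_wmic_process_create", ev.command_line))
    return alerts


# Constructed sample telemetry (hosts, users and command lines are invented for this example).
SAMPLE_EVENTS = [
    # Benign: the service host starting the WMI provider is normal.
    ProcessEvent("WS-101", "CORP\\alice", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    # Benign: an interactive user opening a prompt from Explorer.
    ProcessEvent("WS-101", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # Benign: local inventory query, no remote node.
    ProcessEvent("WS-101", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption"),
    # Suspicious (source side): process creation requested on another host via WMI.
    ProcessEvent("WS-101", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic /node:FILESRV-02 process call create \"cmd.exe /c whoami\""),
    # Suspicious (target side): the WMI provider host spawning a shell.
    ProcessEvent("FILESRV-02", "CORP\\alice", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]


if __name__ == "__main__":
    for host, rule, cmd in find_wmi_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Correlating the two alerts (same user, source host naming the target in `/node:`, target host firing `wmi_spawned_child` moments later) is what turns two medium-confidence signals into a lateral-movement incident; the rules are deliberately coarse, so tune the child-process list against your own baseline before deploying them.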


Other pen-testing firms have found similar issues. In a report last year, Coalfire identified out-of-date software as the most commonly present threat in organizations where it conducted pen tests. Like Lares,