The study drew on the company's penetration testing projects in the second half of 2020 and the first half of 2021. The team was able to penetrate local company networks in 93% of cases, and doing so took them an average of only two days.
In addition, the researchers confirmed the feasibility of 71% of the "unacceptable events" that 20% of the organizations asked to have checked. These events included the disruption of technological processes and the provision of services, as well as the theft of funds and important information. All of these events could be carried out in under a month, with attacks on some systems taking only a matter of days.
Another worrying finding was that an insider could gain complete control over the infrastructure of 100% of organizations.
The organizations included in the analysis came from a range of vital sectors, including finance (29%), fuel and energy (18%), government (16%), industrial (16%) and IT (13%).
The most common way of penetrating a corporate network was credential compromise (71% of organizations). This mainly resulted from easily guessable passwords, including for accounts used for system administration.
The researchers added that most organizations had no network segmentation by business processes, enabling threat actors to develop several attack vectors simultaneously.
Ekaterina Kilyusheva, head of research and analytics, Positive Technologies, commented: “In order to build an effective protection system, it is necessary to understand what unacceptable events are relevant for a particular company. Going down the path of the business process from unacceptable events to target and key systems, it is possible to track their relationships and determine the sequence of protection measures in use.
“To make it more difficult for an attacker to advance inside the corporate network toward the target systems, there are a number of interchangeable and complementary measures organizations can take, including separation of business processes, configuration of security control, enhanced monitoring and lengthening of the attack chain. The choice of which technology solutions to use should be based on the company’s capabilities and infrastructure.”