Hacker's Playbook Findings Report Third Edition
We've just released the third edition of our Hacker's Playbook Findings Report. This new edition is similar to our previous Hacker's Playbook Findings Reports, in that it summarizes key enterprise security trends, from the point of view of an attacker.
Unlike many of these types of industry reports, our findings are based on actual deployments, in real customers. We don't scour the headlines to see what attacks were most prevalent, or ask trade show attendees what their biggest concerns might be. SafeBreach actually runs millions of breach methods in real production environments, then takes the anonymized data and highlights what attacks are best at thwarting or bypassing security, as well as other key trends.
So what's new in this third edition? Well, we certainly have more data - we pulled our data from close to 11.5 million different simulations, to get a clear picture of real world security, across industries and verticals. We saw some new trends, and definitely saw some previous tactics still finding success, but to me, the bottom line for defenders is: We're not making the most of what we have.
The specifics are in the report, but I'll summarize here:
Defense-in-depth is dead?
Based on our findings, it appears most companies maintain a strong focus on perimeter security for network-based attacks, but aren't doing much to prevent malicious file transfer at the network level. It would appear that file-level scanning is pushed all the way down to endpoints only, negating the defense-in-depth strategy of having multiple layers of protection across the kill chain.
Additionally, we saw a high-level of successful attacks which were able to move laterally once inside networks. In fact, when looking at the top lateral movement attacks, they were all basically successful 2/3rds of the time. This indicates that in the majority of cases, threats that beat perimeter defenses are free to spread. In today's world, where devices are constantly on the move, the LAN is no longer a safe space. We can't assume that internal traffic is safe - we have to implement internal defenses. Truthfully, we should never assume our internal traffic is more secure that Internet traffic.
It's only stealing if you actually take something
We continue to see a high level of outbound attack methods finding success. This means, again, that enterprises are often spending all their resources on attempting to prevent threats from entering the network. Even simple outbound attacks, like HTTP POST and GET, or NTP-based attacks were successful up to 56% of the time.
Ransomware wins because we let it
There have been lots of discussion about how best to defend against ransomware - keeping good backups, patching, and more. But we also have to remember that ransomware signatures are known - and our controllers can block those known attacks. Sadly, we saw that in many cases, even older well-known ransomware was not blocked in the network, and was able to get through the perimeter, all the way to host disk, without difficulty.
Again, defense in depth teaches us that we should have overlapping defenses - network AV or anti malware as well as endpoint, so that if one controller misses a signature (for example), perhaps the other will protect us. Given the amount of success we saw with getting ransomware through defenses, it would appear many enterprises are relying only on endpoint security as a single line of defense.
Our defenses are only as good as they are configured to be - and in many cases, configuration simply isn't optimized. In fact, in SafeBreach deployments, we see that hundreds, and sometimes thousands, of attacks can be stopped without a single dollar of investment in new controllers. Rather, thanks to automating attacks, and finding where controllers are simply poorly optimized or misconfigured, companies can improve security posture with what they already have. Free security? Sounds almost too good to be true… but it's proven fact.
So, is your configuration up to snuff? There's only one way to be sure...