Positive Technologies has shared the results of penetration tests conducted in 2023. According to the research, only 4% of organizations are protected against attackers breaching their internal network. Attackers could have seized full control of the IT infrastructure in every company where an internal penetration test was conducted. The fastest time to penetrate the local network was one day.
Penetration tests were conducted by PT SWARM across companies in various sectors such as IT, finance, industry, services, and telecommunications. The goal of penetration testing is to determine whether an external or internal attacker can successfully attack an organization and trigger an event that is deemed non-tolerable for the business.
The comprehensive tests revealed that in 63% of organizations, a low-skilled attacker could have breached the local network from the outside. In a similar proportion of organizations, a low-skilled internal attacker could have gained full control over the IT infrastructure, demonstrating the thoroughness of the testing process.
In 96% of projects, the organizations were found to be unprotected from attackers attempting to penetrate their internal network. Only one company withstood the pentest, with researchers managing to access only the so-called demilitarized zone (a buffer area between the internet and the internal network) thanks to prior pentesting and top-notch vulnerability remediation.
The fastest penetration of the organization’s LAN occurred on the first day of testing. On average, it took specialists 10 days to gain access.
In 100% of companies where an internal test was conducted, bad actors could have gained full control over the infrastructure. In one of the projects, the specialists gained maximum privileges in the Active Directory domain after 6.5 hours, while in other projects, the figure varied from one to seven days.
In almost every company, the specialists managed to obtain employee credentials and gain unauthorized access to important confidential information, including intellectual property and internal communications.
Positive Technologies Research Analyst Grigory Prokhorov says: “In every organization where PT SWARM conducted internal penetration tests, maximum privileges in the domain were gained. In 90% of cases, the possibility of triggering non-tolerable events was verified; for this, the specialists did not always require full control over the IT infrastructure. For example, even in a company where PT SWARM couldn’t access the LAN, the specialists proved that unauthorized access to a database with personal data of over 460,000 users was possible.”
To achieve cyber resilience, a company needs to not only conduct penetration tests but also keep its IT infrastructure always ready to fend off cyberattacks. That’s why experts at Positive recommend that organizations continuously assess and monitor the security of their critical assets by identifying attacker pathways and making them more difficult.
To proactively bolster defenses, companies need to use automation solutions, such as MaxPatrol Carbon. The metaproduct analyzes potential scenarios of cyberattacks on critical assets, ranks them by severity, and provides practical recommendations to IT and cybersecurity teams for neutralizing threats. For real-world network security challenges like blocking known threats at the company perimeter, protecting systems against malware, and detecting attacker movements, Positive Technologies recommends using PT NGFW, PT Sandbox, and PT NAD.