Positive Technologies' penetration testing results in 2021–2022: 96% of organizations are not protected against local network penetration

Positive Technologies analyzed the security of dozens of Russian companies [1] and concluded that 96% of organizations were not protected against local network penetration [2]. To establish this, its specialists obtained full control over these organizations' infrastructure. On average, it took a mere five days and four hours to gain access to a company's internal network. In addition, 89% of the business-critical events specified by the companies were triggered.

According to the research, the level of protection against external and internal attacks in the tested companies was, in most cases, very low [3]: many confirmed attack vectors leading to critical resources were found, and many of them could be exploited by attackers without advanced skills.

The analysis showed that in 96% of organizations attackers would be able to breach the network perimeter and penetrate the internal network. In 57% of the companies, a penetration vector consisted of no more than two steps [4]; on average, four steps were required. The quickest attack took the pentesters one hour. On average, it took five days and four hours to gain access to a company's internal network.

The main entry points were vulnerabilities and flaws in web application configurations: such vectors were identified in every single company tested. 14% of network penetration vectors that exploited vulnerabilities in web applications included exploitation of zero-day vulnerabilities. Three such vulnerabilities were identified in external penetration tests. In most cases, critical vulnerabilities were related to weak password requirements and a lack of software updates. Critical vulnerabilities in the code of web applications were detected in half of the tested companies. To protect web applications, Positive Technologies recommends conducting regular security assessments, implementing a vulnerability management process, and using application-level firewalls to protect against attacks.

According to the research, in external penetration tests, potential attackers could gain unauthorized access to confidential information, such as trade secrets, in 9 out of 10 companies. Cybercriminals can sell this information to the victim company's competitors or use it to demand a ransom for non-disclosure. Beyond providing access to a company's internal network, an attack on the network perimeter may have other negative consequences, such as web application defacement, modification of information on official resources, injection of malicious code to attack the victim's customers, theft of employee credentials, and access to corporate resources and mail followed by spam and phishing.

In internal penetration tests, specialists managed to gain full control of domain resources in 100% of organizations. It was possible to access confidential information in 68% of the tested companies. Such confidential information included, for example, customer personal data and knowledge bases of the companies. Critical and high-risk vulnerabilities related to password policy flaws were detected in 85% of organizations. In 60% of companies, pentesters found critical and high-risk vulnerabilities related to the use of outdated software versions. Positive Technologies recommends implementing a strict password policy and using two-factor authentication to access critical resources.

In 47% of the studied companies, the specialists set specific pentest goals, and in 27% of the companies, they verified whether business-critical events could be triggered. In most cases, such business-critical events included theft of critical information, access to the accounts of top managers, theft of funds, and shutdown of key business processes.

Positive Technologies analyst Yana Yurakova: "Among all the business-critical events specified by the companies, 89% were triggered. On average, it would take attackers 10 days to trigger a business-critical event. In some cases, attackers didn’t even need maximum privileges in the domain. Most business-critical events that pentesters managed to trigger were related to potential reputational damage (61% of events), regulatory sanctions (57%), and financial loss (39%)."

The research includes a MITRE ATT&CK heat map showing the techniques and sub-techniques most often used successfully by Positive Technologies pentesters. Positive Technologies believes that this map can be especially useful to incident response and infosec specialists, because the pentesters imitated the actions of real attackers. Armed with knowledge of the approaches attackers can use, a company can build preventive protection and monitor and respond to security incidents promptly.

The full version of this study is available on the Positive Technologies site.

  1. 57% of tested companies are among the largest companies in Russia by sales volume according to RAEX-600. Most of the tested organizations (63%) are financial and manufacturing companies, as well as government institutions. The study included the results of assessment of companies that allowed Positive Technologies to use anonymized data for research purposes.
  2. The analysis is based on 53 internal, external, and comprehensive penetration tests conducted at 30 organizations in the second half of 2021 and the first half of 2022. The analysis included only attacks on companies’ infrastructure; it did not include social engineering attacks and attacks on wireless networks.
  3. Overall security level is an expert assessment that takes into account the number of detected attack vectors, including potential ones, the level of importance of the accessed resources, as well as the complexity of attack vectors and the required attacker qualifications. A strong sign of high-level information security in a company is the use of result-oriented security developed by Positive Technologies.
  4. A step in an attack is an action in which the attacker obtains data or privileges needed to proceed further with the attack.