Attackers Playbook Top 5 Is High On Passwords, Low On Malware

Published: 22/11/2024   Category: security




Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.



Playing whack-a-mole with software vulnerabilities should not be at the top of security pros' priority list, because exploiting software doesn't even rank among the top five plays in the attackers' playbook, according to a new report from Praetorian.
Organizations would be far better served by improving credential management and network segmentation, according to researchers there.
Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same handful of attacks. The most common root causes, though, were not zero-days or malware at all.
The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:
abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
broadcast name resolution poisoning (for example, spoofing responses to WPAD lookups) -- 64%
local administrator password attacks (pass-the-hash attacks) -- 61%
attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
insufficient network segmentation -- 52%
The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.
"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, "but building in the defenses so it's really not a big deal if they do."
As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does. By implementing mitigations against the attacks mentioned above, an organization "ensures you don't have that cascading effect from one stolen credential," says Abraham. "The blast radius is very minimal."
The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers. But the report states that Praetorian's core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains outlined in Verizon, Mandiant, and CrowdStrike's annual breach reports. Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of hacking. The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were the most efficient and least detected technique for compromising an enterprise.
Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons. For one, he says, malware can fail or cause system failures, which draws attention to the attacker. Vulnerability scans are noisy and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life because they take longer to fix.
Mitigation 
There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found many organizations were missing these basic elements.
He recommended that organizations wanting to clean up their act start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the most achievable. According to the report:
Deploying Microsoft's Local Administrator Password Solution (LAPS) on workstations and servers, so every machine gets a unique, regularly rotated local administrator password, will go a long way toward protecting against pass-the-hash attacks.
Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change (disabling WDigest's caching of cleartext credentials), installation of the update from Microsoft Security Advisory 2871997 (KB2871997), and regular monitoring for any unauthorized registry changes.
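The following PowerShell is an added example of what those two mitigations look like on a single host; it is not code from Praetorian's report. It assumes an elevated PowerShell 5.1 or later session, that KB2871997 (or an OS that ships its changes) is already installed so the UseLogonCredential value is honored, and that LAPS is the legacy AdmPwd version whose GPO settings land under the registry key used below. The auditing function makes the "unauthorized registry change" the report warns about show up as Security event 4657.

```powershell
# Added example (not from the report): enforce and verify the host-side
# mitigations for pass-the-hash (LAPS) and cleartext passwords in memory
# (WDigest), and audit the WDigest key so a rollback is logged.

$WDigestKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LapsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # legacy LAPS GPO key (assumption)

function Disable-WDigestCredentialCaching {
    # UseLogonCredential = 0 stops the WDigest SSP from keeping the logon password
    # in cleartext inside LSASS, which is what Mimikatz's sekurlsa::wdigest reads.
    # Windows 8.1 / 2012 R2 and later default to 0, but anyone with local admin
    # can set it back to 1, so enforce it explicitly rather than trusting the default.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Value 0 -Type DWord
}

function Enable-WDigestKeyAuditing {
    # Put a SACL on the key so any SetValue is written to the Security log as
    # event 4657 ("A registry value was modified"); the Registry audit
    # subcategory has to be enabled as well or the SACL is never evaluated.
    $acl  = Get-Acl -Path $WDigestKey -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone', 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $WDigestKey -AclObject $acl
    auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
}

function Test-CredentialHardening {
    # One object per host that a config-management or SIEM job can consume.
    $wd   = Get-ItemProperty -Path $WDigestKey   -ErrorAction SilentlyContinue
    $laps = Get-ItemProperty -Path $LapsPolicyKey -ErrorAction SilentlyContinue
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $audited  = (Get-Acl -Path $WDigestKey -Audit).Audit |
                    Where-Object { ($_.RegistryRights -band $setValue) -ne 0 }
    # Absent LAPS values mean its defaults apply: 14 characters, rotated every 30 days.
    $lapsLength = if ($laps.PasswordLength)  { $laps.PasswordLength }  else { 14 }
    $lapsAge    = if ($laps.PasswordAgeDays) { $laps.PasswordAgeDays } else { 30 }
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        WDigestCleartextOff = ($null -ne $wd -and $wd.UseLogonCredential -eq 0)
        WDigestKeyAudited   = ($null -ne $audited)
        LapsEnabled         = ($null -ne $laps -and $laps.AdmPwdEnabled -eq 1)
        LapsPasswordLength  = $lapsLength
        LapsPasswordAgeDays = $lapsAge
    }
}

function Get-WDigestTamperEvents {
    # 4657 events that touched the WDigest key; run on a schedule or from the
    # SIEM side to catch the registry change being undone.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' } |
        Select-Object TimeCreated, Message
}

Disable-WDigestCredentialCaching
Enable-WDigestKeyAuditing
Test-CredentialHardening
```

Test-CredentialHardening only reports whether the LAPS policy is present and enabled on the host; it does not prove the client-side extension is installed or that the password in AD is actually rotating, which you would check from the domain side with the LAPS cmdlets.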
Once thats done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix.
Some (not all) of Praetorian's suggestions in the report include:
To strengthen passwords:
increase Active Directory password length requirements to at least 15 characters
enhance password policy enforcement (expiration, etc.)
implement two-factor authentication for all administrator access and remote access.
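An added PowerShell example, not code from the report, of putting the first two of those recommendations into effect and then hunting for what escapes them. It assumes the RSAT ActiveDirectory module and Domain Admin rights in a single-domain forest. Second-factor enrollment for administrators and remote access depends on the MFA product in use and is not shown; the last function only flags privileged accounts that AD itself is not forcing onto a smart card.

```powershell
# Added example (not from the report): raise the domain password floor to 15
# characters, then list the policies and accounts that are exempt from it.
Import-Module ActiveDirectory

function Set-DomainPasswordFloor {
    param([int]$MinLength = 15, [int]$MaxAgeDays = 90)
    # 15 or more characters also means Windows stores no LM hash for the
    # account, which removes the easiest offline-cracking target.
    $domain = (Get-ADDomain).DNSRoot
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordLength $MinLength `
        -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Get-ADDefaultDomainPasswordPolicy -Identity $domain
}

function Get-WeakerFineGrainedPolicies {
    param([int]$MinLength = 15)
    # A Password Settings Object overrides the default policy for whatever it
    # applies to, so a PSO with a shorter length is how the floor gets bypassed.
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Where-Object { $_.MinPasswordLength -lt $MinLength } |
        Select-Object Name, MinPasswordLength, Precedence, AppliesTo
}

function Get-PasswordPolicyExemptAccounts {
    # Enabled accounts that never expire or are allowed to have no password at
    # all; these are exactly the ones a 66% "weak domain password" hit rate feeds on.
    Get-ADUser -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true)' `
        -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet
}

function Get-PrivilegedAccountsWithoutSmartCard {
    # Smart-card logon is the one second factor AD can enforce natively; any
    # Domain Admin without it is still reachable with a password alone.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired |
        Where-Object { -not $_.SmartcardLogonRequired } |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired
}

Set-DomainPasswordFloor
Get-WeakerFineGrainedPolicies
Get-PasswordPolicyExemptAccounts
Get-PrivilegedAccountsWithoutSmartCard
```

Raising MinPasswordLength does not touch existing passwords; users keep their current ones until MaxPasswordAge forces a change, so the exempt-account list is where the remaining weak credentials live in the meantime.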
To mitigate broadcast name resolution poisoning:
populate DNS servers with entries for all known valid resources
disable LLMNR and NetBIOS on end-user workstations.
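An added PowerShell example, not code from the report, of the second recommendation on one workstation, together with a check of whether a WPAD lookup is still answered by DNS. It assumes an elevated session on a domain-joined Windows host; in production the same settings are pushed by Group Policy ("Turn off multicast name resolution" under Network > DNS Client) and by the NetBIOS option on the adapter or DHCP scope, but the registry value and WMI method below are what that policy ends up writing.

```powershell
# Added example (not from the report): turn off LLMNR and NetBIOS over TCP/IP,
# the two broadcast protocols that poisoning tools answer for, and report what
# a client would still fall back to for "wpad".

$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    # EnableMulticast = 0 is the registry form of the GPO setting. With it a
    # failed DNS lookup just fails, instead of becoming a multicast question
    # that any host on the segment can answer with its own address.
    if (-not (Test-Path $DnsClientPolicyKey)) { New-Item -Path $DnsClientPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $DnsClientPolicyKey -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enable, 2 = disable.
    # ReturnValue 0 means applied; 1 means applied but a reboot is required.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
        }
}

function Test-BroadcastResolution {
    # Resolve-DnsName can be pinned to one transport, so this shows what the
    # host would do for a name DNS does not know without actually poisoning it.
    $llmnr = Get-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $nbtOn = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                 Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
                 Select-Object -ExpandProperty Description
    $wpad  = Resolve-DnsName -Name wpad -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LlmnrDisabled         = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        AdaptersWithNetbiosOn = @($nbtOn)
        # $false here means a proxy-auto-detecting client will ask the LAN for
        # "wpad" as soon as DNS cannot answer. Either register a real wpad record
        # (the report's "populate DNS" advice) or leave wpad on the DNS server's
        # global query block list and turn proxy auto-detection off.
        WpadAnsweredByDns     = ($null -ne $wpad)
    }
}

Disable-Llmnr
Disable-NetbiosOverTcpip
Test-BroadcastResolution
```

Disabling the two protocols removes the poisoning vector for names DNS cannot resolve; the DNS population step removes the stray lookups themselves, which is why the report lists both.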
To improve network segmentation -- after proper inventory of systems, data, and review with lines-of-business about employee access:
Enforce network Access Control Lists (ACLs) so that only authorized systems have access to critical systems -- on a machine basis, by VLAN, or per user with next-gen firewalls.
Update network architecture and network diagrams to reflect the new ACLs.
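An added PowerShell example, not code from the report, of the "on a machine basis" form of that ACL, using the built-in Windows Firewall on a critical server so that the management protocols a stolen credential would be replayed against answer only to the management network. It assumes an elevated session on the server, that 10.20.30.0/24 is a placeholder for the real management subnet, and that the inventory and line-of-business review the report calls for has already produced that list. Run it from a host inside that subnet, or the RDP session you are running it from will be cut off.

```powershell
# Added example (not from the report): per-machine ACL for SMB, RDP and WinRM,
# plus an audit of which of those ports are still open to "Any".

$ManagementSources = @('10.20.30.0/24')   # placeholder management subnet (assumption)
$AdminPorts = @{ 'SMB' = 445; 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986 }

function Set-ManagementPortAcl {
    param([string[]]$AllowedSources = $ManagementSources)
    # Block rules beat allow rules in Windows Firewall, so "block everything,
    # then allow the subnet" cannot be expressed as two explicit rules. Instead:
    # make the profile default deny inbound, disable the broad built-in allow
    # rules for these ports, and add one allow rule scoped to the management sources.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    foreach ($name in $AdminPorts.Keys) {
        $port = $AdminPorts[$name]
        Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { @($_.LocalPort) -contains "$port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                           $_.DisplayName -ne "Mgmt-Allow-$name" } |
            Disable-NetFirewallRule
        if (-not (Get-NetFirewallRule -DisplayName "Mgmt-Allow-$name" -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName "Mgmt-Allow-$name" -Direction Inbound -Protocol TCP `
                -LocalPort $port -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
        }
    }
}

function Get-ManagementPortExposure {
    # Enabled inbound allow rules on the admin ports whose remote scope is still
    # "Any": each is a path from any workstation on the network to this server.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        $hit = $AdminPorts.Values | Where-Object { @($pf.LocalPort) -contains "$_" }
        if ($pf.Protocol -eq 'TCP' -and $hit -and ($af.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Ports         = ($hit -join ',')
                RemoteAddress = $af.RemoteAddress
                Profile       = $rule.Profile
            }
        }
    }
}

Set-ManagementPortAcl
Get-ManagementPortExposure   # should return nothing once the ACL is in place
```

The host firewall is the narrowest of the three enforcement points the report names; the same allow-list expressed per VLAN on the switch or per user on a next-generation firewall protects the server even when its own configuration has been tampered with, which is why the report wants the network diagrams updated to match.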
For Praetorian's complete mitigation suggestions, see the report.
