Positive Technologies has shared the results of penetration tests conducted in 20231. According to the research, only 4% of organizations are protected against attackers breaching their internal network. In every company where an internal penetration test was conducted, attackers could have seized full control of the IT infrastructure. The fastest time to penetrate the local network was one day.
Penetration tests were conducted by PT SWARM across companies in various sectors such as IT, finance, industry, services, and telecommunications. The goal of penetration testing is to determine whether an external or internal attacker can successfully attack an organization and trigger an event that is deemed non-tolerable for the business.
The tests revealed that in 63% of organizations, a low-skilled attacker could have penetrated the local network from the outside, and in a similar proportion of organizations, a low-skilled internal attacker could have gained full control over the IT infrastructure.
In 96% of projects, the organizations were found to be unprotected from attackers attempting to penetrate their internal network. Only one company withstood the pentest, with researchers managing to access only the so-called demilitarized zone (a buffer area between the internet and the internal network) thanks to prior pentesting and top-notch vulnerability remediation.
The fastest penetration of the organization's LAN occurred on the first day of testing. On average, it took specialists 10 days to gain access.
In 100% of companies where an internal test was conducted, bad actors could have gained full control over the infrastructure. In one of the projects, the specialists gained maximum privileges in the Active Directory domain after 6.5 hours, while in other projects, the figure varied from one to seven days.
In almost every company, the specialists managed to obtain employee credentials and gain unauthorized access to important confidential information, including intellectual property and internal communications.
Positive Technologies Research Analyst Grigory Prokhorov says: "In every organization where PT SWARM conducted internal penetration tests, maximum privileges in the domain were gained. In 90% of cases, the possibility of triggering non-tolerable events was verified; for this, the specialists did not always require full control over the IT infrastructure. For example, even in a company where PT SWARM couldn't access the LAN, the specialists proved that unauthorized access to a database with personal data of over 460,000 users was possible."
To achieve cyber resilience, a company needs to not only conduct penetration tests but also keep its IT infrastructure always ready to fend off cyberattacks. That's why experts at Positive Technologies recommend that organizations continuously assess and monitor the security of their critical assets by identifying and making attacker pathways more difficult. To proactively bolster defenses, companies need to use automation solutions, such as MaxPatrol Carbon. The metaproduct analyzes potential scenarios of cyberattacks on critical assets, ranks them by severity, and provides practical recommendations to IT and cybersecurity teams for neutralizing threats. For real-world network security challenges like blocking known threats at the company perimeter, protecting systems against malware, and detecting attacker movements, we recommend using PT NGFW, PT Sandbox, and PT NAD.
- Penetration tests were conducted at 28 organizations. The report contains the results of penetration tests in organizations that have consented to the publication of anonymized data.
