Securealities: Penetration Risk Report

Penetration Risk Report The threats that are your weakest link

Foreword by Mark Weatherford, SVP and Chief Cybersecurity Strategist at vArmour

1

TABLE OF CONTENTS Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Research scope and approach . . . . . . . . . . . . . . . . . . . . . .

7

Report findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Overall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 By company size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 By industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Retail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Technology/Cloud services providers . . . . . . . . . . . . . . . . . . . . . . . . . 24 Healthcare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Financial services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Standardized pen testing approach and methodology . . . . . . . .

36

Social engineering methodology . . . . . . . . . . . . . . . . . . . . . 37 Risk rating scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

38

About Coalfire Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 About Coalfire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Appendix: Cyber kill chain . . . . . . . . . . . . . . . . . . . . . . . .

2 | COALFIRE.COM

40

FOREWORD by Mark Weatherford, SVP and Chief Cybersecurity Strategist at vArmour, member of Coalfire Advisory Board

Interestingly, collecting and analyzing data often reveals things that are unexpected and challenge your previously established opinions and convictions. Coalfire has uncovered a few of those unexpected issues in this report, which highlights information from more than 300 individual penetration tests they conducted during a recent sevenmonth period. The report reiterates many commonly held beliefs, but also makes you pause and reconsider others. For example, are large organizations really more vulnerable to insider threats than midsized organizations? This would be surprising when you think of the available resources large companies have to spend on training and user awareness, but unremarkable when you think about it through the lens of disparate global entities where geography and culture might play disproportionate roles in overall enterprise security. One of the most important things the data highlights is that we – the collective

we – need to continue focusing on security fundamentals. Too often, companies spend too much time and money trying to identify really complex, sophisticated technical cybersecurity challenges when, if they spent the same time and energy doing the basics, they could reduce their overall corporate risk by literal orders of magnitude. Put another way, we should probably spend less time worrying about the next zero-day vulnerability or determining attribution of attackers, and spend more time worrying about an accurate inventory, system patches, and employee training. You can go to Wikipedia or any number of sources and get various definitions for a “penetration test,” but the reality is that inconsistency rules the day in operational environments. Coalfire has done a nice job of creating a uniform and dependable framework, along with repeatable processes that deliver results consistent enough to develop measurable metrics. Data. It’s a beautiful thing.

3

Executive summary The intent of this research report was to uncover the facts behind cybersecurity risk in enterprises today. Is company size a significant factor? Vertical industry? Are certain areas of the network more at risk than others? What we learned may surprise you; in fact, some of the most commonly held assumptions, such as the belief that the largest enterprises are the most secure because of their relative wealth of cybersecurity staffing and funding, are the most erroneous. There is in fact a security “sweet spot” with regard to company size – but it is not what you might think. Before revealing the conclusions, let’s look at what we studied. The findings in this report are based on Coalfire’s penetration testing engagements in 2017, which were

conducted on enterprises of all sizes and vertical industries. To gain meaningful answers to our questions, we stratified our study by: • Business size, comparing the findings for small (up to $100M), medium ($100M to $1B), and large (greater than $1B) businesses • Attack vector, highlighting where the majority of vulnerabilities lie across application and internal and external network attacks • Industry, considering financial services, retail, healthcare, and technology/ cloud service providers (CSPs) Below are some of our most (and least) surprising revelations: There is a “security sweet spot” with regards to company size, and that spot is the midsized organization. While the large enterprise may be too IT diverse, complex, ever-changing, and geographically distributed to consistently apply best practices, and the small enterprise too unsophisticated or underfunded, the

Figure 1: High-risk vulnerabilities found by client size (all test types) 50%

40%

49% 30%

34%

38%

20% Large Source: Coalfire’s Penetration Risk Report, 2018

4 | COALFIRE.COM

Medium

Small l

midsized business appears to provide the proper mix necessary to secure its environment more uniformly across the architecture. But it is not all rainbows and unicorns for midsized companies either: They also were found to be the most susceptible to phishing attacks, largely attributable to being positioned in the middle – too big to have the intimacy of a small company and too small to have the formalized processes established in a large organization.

Below are some additional summary findings, which are discussed in depth in this report:

Internal networks showed higher risk factors than external networks. While companies are typically more concerned with external, internet-based attacks, the majority of the high-risk vulnerabilities uncovered in our research are associated with application and internal attack vectors. Most organizations are doing a relatively good job establishing controls to thwart external infrastructure attacks.

3. Medium-sized companies are four times easier to breach through social engineering than large companies.

Humans are the weakest link in security. Because phishing has been demonstrated to be a first line of attack in the majority of incidents, allowing attackers to gain an insider position (where, as we have demonstrated, enterprises are deficient in security posture), the mistakes of employees, customers, and partners continue to pose the most significant threat to the organization.

1. As noted previously, while companies are generally more secure in their external network posture, all organizations, regardless of size, are equally vulnerable to external attackers. 2. Large companies are 39% more vulnerable to the insider threat than SMBs.

4. Despite the disparity, all companies are vulnerable to social engineering attacks, making people a key point of risk. 5. Issues and their remedies are largely the same across industries, with the following exceptions: ––Retail applications were almost three times less secure than other industries. ––Financial services companies were least susceptible to insider threats. ––Technology/CSPs struggle with application security, but were the second most secure behind financial services. ––Healthcare companies’ external security posture was (marginally) the worst of all four industries examined. 5

6. Finally, at a high level, the top five most common enterprise vulnerabilities identified in our research were: ––Insecure protocols: This finding encompasses all issues resulting from an organization using protocols that are unnecessary and expose sensitive information. –– Password flaws: Leveraging horizontal and traditional brute force techniques still works. Multifactor authentication is seemingly still in the early adopter stage. ––Patching/patch management: The most commonly found flaw was missing operating system patches that prevent local privilege escalation attacks from being successful. ––Out-of-date software: As opposed to patch management, out-ofdate software includes old versions of common software, as well as third-party libraries integrated into enterprise applications. ––Cross-site scripting: The perennial favorite web application flaw made the list. Sanitization of input is vital to preventing application-based compromises. More expansive details on vulnerabilities and remediations are presented in the bulk of the report.

6 | COALFIRE.COM

Based on the data presented and analyzed, Coalfire has the following overall recommendations for small, midsized, and large organizations: We recommend small organizations focus on integrating security checkpoints in engineering and development processes. Cybersecurity within these core functions often lags behind the rapid rate of change in these companies. People have proven themselves to truly be the weakest link in the security program for all companies, but particularly for the midsized enterprise. Our recommendation for these companies is to focus security investment primarily around people, establishing enterprise-level programs to enhance security awareness, conducting ongoing social engineering testing programs, and investing in technologies that will reinforce the desired behavior. Large companies should prioritize asset management. As they say, you cannot secure what you cannot “see.” Organizations that suffer from technology sprawl and complex, decentralized operations should focus investments into solutions that will increase visibility across their vast enterprises. The remainder of this report details our findings and recommendations for addressing some of the most common vulnerabilities uncovered in our research.

RESEARCH SCOPE AND APPROACH In this report, Coalfire presents findings derived from our in-depth client penetration testing engagements from January through July 2017. The data represents 148 client engagements, and a total of 310 individual penetration tests (as many clients request more than one pen test type per engagement). The data represents customers of all sizes within financial services, technology/ cloud, healthcare, and retail industries. We provide penetration testing services including internal and external network, application, and social engineering to

help clients understand their overall security posture, as well as meet compliance (PCI DSS, FedRAMP, HIPAA, and others) readiness requirements. Our findings represent all of these testing subtypes. Our engagements average a one-week duration. Longer tests more accurately simulate reallife conditions, as hackers are not time-bound; however, clients are often working to meet deadlines (such as compliance deadlines) or are restricted by budget.

7

Report findings As we entered into this research, we had some preconceived notions that we expected would become evident in the data. These notions are commonly accepted in our industry, holding true for many of our clients and often posited as an assumption in various studies and journals. Fundamentally, we assumed the data would bear out two assumptions: First, that large enterprises, given their more mature processes and greater resources for securing the organization, would have more mature IT operations and generally be more secure than smaller organizations. We also assumed that we would see all organizations better prepared to defend against an external, internet-based attack, versus the threat of an internal attack. There are several industry research reports that echo this, stating that large enterprises were more than twice as likely to have a dedicated information security program – a control and construct with the sole objective of securing the enterprise.1

OVERALL Reviewing our data results in total, including companies of all sizes and in all vertical industries, we found that the results met expectations. For the most part, organizations have their external presence under control; their internal networks and applications appear to be less of a focal point.

Figure 2: Vulnerabilities found by test type 22%

External

41%

38%

59%

Internal

32%

36%

Application 0

20%

43%

40%

Source: Coalfire’s Penetration Risk Report, 2018

21%

60%

80% High

Ryan Brooks. “Cybersecurity Risks in Large Enterpises and SMBs.” Netwrix Blog, June 28, 2017. https://blog.netwrix.com/2017/06/28/cybersecurity-risks-in-large-enterprises-and-smbs/ 1

8 | COALFIRE.COM

9%

100%

Medium l

Low

The results revealed numerous vulnerabilities that could be grouped into specific categories across the many attack vectors. Those categories included eight distinct groups in which we have categorized the findings. Risks for each vulnerability found in those groups differed, of course, due

Top five issues

Insecure protocols

to the type of finding and the level of compromise that could be achieved through it. When evaluating all “high-risk” groups as one, five quickly became apparent. All companies, regardless of size, generally displayed these five vulnerablities:

Recommended fix Harden your Windows® environment. Disabling Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) and enabling Server Message Block (SMB) Signing across the enterprise are the most effective ways of combating this threat.

Password flaws

Implement two-factor authentication. Weak passwords, poorly managed passwords, and insufficient password encryption are all rendered moot when requiring a second factor for authentication.

Patching/patch management

Expand patch management beyond “Windows update.” Organizations that rely on Windows update, or Windows services, to manage patches in their environments are missing many common application packages that address the typical first targets of an attack.

Out-of-date software

Maintain accurate asset inventory. Solutions designed leveraging third-party libraries and tools and solutions that are no longer maintained can expose a network to an attack based on vulnerable components. Maintaining an accurate inventory of systems and their dependencies will help control the spread of this vulnerability.

Cross-site scripting

Implement a robust development program with security. Cross-site scripting is reasonably easy to detect with automated scanners, and the fix is usually easy as well. Implementing application scanning preproduction is a great way to fix issues before they are published.

9

BY COMPANY SIZE This data was gathered from numerous verticals, all of which have vastly different business objectives and use technology in different ways to achieve those objectives. To get a handle on the data, we had to stratify it in some meaningful way. Thus, given that their common denominator was revenue, one of the analysis vectors we used was to classify the organizations by size: small (up to $100M; 92 companies), medium ($100M to $1B; 30 companies), and large (greater than $1B; 26 companies). Data comparisons by size (revenue) stratification We anticipated seeing the large, billion-dollar companies demonstrating the strongest cybersecurity posture given their much deeper resource pool and generally more mature processes and programs. We expected small organizations to generally be the opposite, with some being the proverbial “wild west” due to the absence of formality in process and procedure and relative lack of staffing and budget. These assumptions were proven quite incorrect. At the highest level,

considering the types and proportion of issues identified, large companies performed the worst. Midsize companies fared best in our study, followed by the small companies. Midsized companies had the lowest proportion of high-risk vulnerabilities across the board. (To understand Coalfire’s risk rating scale, refer to page 38.) Why did midsized businesses do best overall, with large organizations faring so poorly? This could be a byproduct of how organizations become a $1B company. To deploy security consistently and comprehensively across an environment, it is critical to understand what comprises the environment. Asset inventory and management is a challenging issue for many organizations, large and small. Large organizations do not become large organizations entirely on their good looks and charm. For many companies, growth is largely “inorganic,” achieved through mergers and acquisitions. As the asset collection grows, the attack surface grows. An acquiring company with its own asset management challenges often integrates

Figure 3: Vulnerabilities found by client size 49%

Small

34%

Medium

43%

38%

Large 0

20%

23%

38%

40%

Source: Coalfire’s Penetration Risk Report, 2018

10 | COALFIRE.COM

16%

34%

23%

60%

80% High

100%

Medium l

Low

other companies that come with their unique asset management challenges. When you mix poor asset management into a growing attack surface, you find the security posture will erode quickly, as it is inversely proportional to the growth of the attack surface. Larger organizations also struggle with rapid change, shadow IT, and employee turnover, all of which produce a “cyber-dynamic” environment that is harder to control and achieve full visibility into. We see that the greatest area of vulnerability for the large organization is in the internal network – leading us back to the importance of understanding the cyber kill chain (a concept originally developed by Lockheed Martin and described in the Appendix), and that internal threats must be addressed to thwart attacks from progressing. We must also consider the unavoidable impact of overall security spend. Do big organizations, which can be orders of magnitude larger than their smaller counterparts, actually spend the same percentage on security? We doubt it. We endeavored to find this answer, but this is a challenging data point to quantify satisfactorily. IT budget surveys show that medium-sized businesses spend a higher percentage of their budgets on security than their small counterparts, and large businesses spend disproportionately less. A study by SANS Institute depicts those companies with IT budgets of $10 to $50M having the largest proportion.2 Another report, this one by ROI consultancy firm Alinean Inc., illustrates IT security spending per staff member is higher at midsized companies than large companies: “Small and medium-sized companies often outspend larger ones. The average small company spends 6.9% of revenue on IT. Midsized companies spend 4.1%. Larger companies spent a miserly 3.2% of revenue. Midsized companies spend $13,100 per employee on IT. Large companies spend $11,580 per employee.”3 Perhaps security simply does not scale? Is the current state of technology unable to help us solve our biggest security challenges? We propose that security

SANS Institute. “IT Security Spending Trends.” February 2016. https:// www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697

2

Alinean Inc. “How Company Size Relates to IT Spending.” 2015. https:// searchcio.techtarget.com/magazineContent/How-Company-Size-Relatesto-IT-Spending

3

11

operations actually do not scale beyond a certain size, represented in Figure 4, where the effort and resources to maintain a high degree of security increases exponentially relative to company size.

Effort and resources

Figure 4: Scalability of security operations

Small

Medium

Large

Source: Coalfire’s Penetration Risk Report, 2018

The green highlighted area in the graph where the slope is the least demonstrates where we believe the “security sweet spot” lies. In this model, the business in the sweet spot is established and still growing, but has more mature and deliberate processes and is less tumultuous than its smaller brethren. As an organization’s growth and changes can be anticipated, the application and operation of technical security solutions can be managed and risk can be constrained. However, as an organization grows beyond a certain point (the red highlighted area in the chart), IT and security operations are plagued by the problems described earlier. The midsized business appears to provide the proper mix necessary to secure its environment more uniformly across the architecture. But it is not all sunshine for midsized companies either: They are also the most susceptible to phishing attacks as we address in the next section. 12 | COALFIRE.COM

The impact of social engineering As discussed, phishing is often the primary method of infiltrating an organization; Coalfire penetration testers use phishing as a part of red team engagements and as standalone test types to determine an organization’s social engineering defenses. Because it is not always included in contracted engagements, we present data separately, to offer a more comprehensive picture of enterprise vulnerability in this area. Social engineering can be a subjective issue when considering the impact of an individual falling victim to an attack. Some consider the level of access ultimately gained as the benchmark for risk, whereas others consider the number of individuals that fell victim to the phish as the metric. When we evaluated the data with regards to the “level of access” metric, we provided context to the risk by considering the possible outcomes. A phishing attack that coerces an individual to provide our team all the information we need to penetrate their network (“full compromise”) should be considered the highest risk, and one that results in an individual following some sort of direction, like opening an email or visiting a website (“partial compromise”), as a medium-risk instance. Medium-risk issues are very important to include here as those are the first steps to enabling the tester to continue to progress in the kill chain. With regards to the “number of individuals compromised” metric, we have presented the data by the number of people out of the sample set who provided any level of access via the phish (See Figure 5). This corresponds to both the full- and partialcompromise categories described above.

Finally, neither of these perspectives fail to address the objectives of the adversary. All an adversary needs is a single compromise to control a network. Accordingly, we’ve analyzed the proportion of companies that an attacker would be able to breach given at least one failure – regardless of the number of total failures.

Individuals compromised

Figure 5: Social compromise

Small

Medium

Large

Company size Source: Coalfire’s Penetration Risk Report, 2018

The social engineering data proved to be completely opposite of what we found when evaluating technical attack vectors alone. Midsized companies turned out to be the least secure, regardless of how we viewed the data. Why are midsized companies so much more vulnerable to phishing/social engineering than small and large companies? While the sweet spot for security operations is where the midsize business can best secure its technology, we believe the characteristics of the small and large organizations lend themselves to be better at securing the person. Smaller organizations tend to be more intimate environments, where individuals are more in tune with the operation of the

business. While they lack mature processes and perhaps have underdeveloped training and awareness programs, they make up for it by being small enough to promote awareness of what is going on throughout the business, which is key in identifying a potential scam. Large businesses are more impersonal, but benefit from having “seen it all” by nature of having such a large staff. Lessons learned from that experience tend to manifest in the form of strictly administered, recurring, and regularly audited security training and awareness programs. Midsized organizations are stuck being too big to provide staff with a natural awareness of company operations, yet too small to have assembled formal training, awareness, and draconian (yet “idiot-proof”) email controls. This leaves them susceptible to the broadest range of social attacks.

13

Figure 6: Compromises during Coalfire’s phishing campaigns 22%

15%

24%

Small companies

Medium companies

Large companies

41% 71%

67% l

No compromise

Any compromise

Full compromise

Source: Coalfire’s Penetration Risk Report, 2018

The data in Figure 6 demonstrates an interesting data point. We targeted just over 2,000 people at midsized companies and just over 1,800 people at large companies. Proportionately speaking, medium-sized companies had almost twice as many targets that fell prey to our phishing campaigns. However, that only resulted in 4% higher success4 rate per company. This reinforces the adage that “one bad apple spoils the bunch” and also supports the assertion that people continue to represent the weak link in the security chain. In all fairness, our phishing campaigns are not the run-of-the-mill, Nigerian-royaltywants-to-give-you-money variety. Most phishing engagements are well crafted, calling out things that are specific to the business. Our top three most successful campaigns for this period were: 1. Compensation changes (48% compromise rate) – a Microsoft® Office document with embedded “malware” written by our

4

team, claiming to describe compensation package changes, purportedly sent from the target’s payroll group 2. Benefits portal login request (45% compromise rate) – purporting to be from the target’s HR department, requesting the user log in to an upgraded, singlesign-on benefits portal using their network login 3. Office 365® upgrade (37% compromise rate) – similar to the above, but coming from IT teams reminding users to test out their network credentials prior to migrating to Office 365 to avoid service interruption when that change is made Our least successful campaign? A free Starbucks gift card offer for filling out a survey and “signing it” with your network credentials, averaging 4% compromise. Free coffee doesn’t fool anybody anymore it seems, but mess with someone’s pay or email, and you get prompt attention.

Success is defined as the phishing campaign resulting in at least one full compromise/remote access.

14 | COALFIRE.COM

Does the sample size of the campaign matter? As it turns out, not really. We favor a smaller sample size to avoid detection when doing these engagements, but in the aggregate, we get the same results across companies of all sizes and number of targets.

Figure 7: Social compromise via phishing (top tests) Client A

17% (108 of 643) 1% (10 of 500)

Client B 33% (117 of 350)

Client C Client D

6% (14 of 236) 9% (19 of 204)

Client E Client F

7% (14 of 197)

Client G

5% (9 of 175)

Client H

17% (29 of 166)

Client I

62% (84 of 135)

Client J

12% (12 of 100)

Client K

42% (40 of 95) 1% (1 of 88)

Client L Client M

100% (75 of 75)

Client N

20% (15 of 75)

Client O

23% (17 of 75)

Client P

61% (40 of 66)

Client Q

14% (9 of 66)

Client R

9% (6 of 66)

Client S

5% (3 of 61)

Client T

23% (14 of 61)

0

100 No clicks

200

300

400

500

600

700

% of social compromise (# of targets in campaign)

Clicks

Source: Coalfire’s Penetration Risk Report, 2018 15

While the percentages in Figure 7 might seem low at first glance for some of these organizations, this impression can be misleading. A single phishing compromise can (and has) either fully compromised the organization or enabled an attacker to proceed to move laterally throughout the network, gaining access to and control of other assets in the enterprise. Seventeenpercent of Client A still represents 108 individuals. Generally speaking, larger organizations often have more sophisticated, frequent, and refined information security training programs, as well as better endpoint security, and thus, this data represents some of the more favorable results we typically see. One such Coalfire customer (Customer G), a financial company, stated that their resilience to social engineering attacks was due to the detection of techniques that they learned of by engaging outside testing firms to continually “raise the bar� for social engineering. These controls include implementing brand protection, which detects the registration of domains formed with keywords relating to their brands or products, and by labeling external email with a warning that it was generated outside the organization. They also reinforce all these efforts with ongoing, unannounced social engineering testing campaigns. One other interesting point to note: Clients A and C are state government agencies, whereas Client B is a federal agency. We don’t provide a broad mix of these clients in our dataset, but we found this difference quite interesting. The federal agency had robust endpoint detection and response systems, as well as a rigidly administered security training and awareness program. The state agencies had neither. 16 | COALFIRE.COM

This analysis illustrates the unfortunate truth that humans are often the first conduit into the enterprise that attackers exploit to get their foot in the doorway to enterprise assets. Humans are both fallible and predictable, and attackers capitalize on those tendencies. To help secure the enterprise, an important layer of defense is information security (InfoSec) training, which can assist with broad-based awareness on: • The company’s overall security policies and what employees need to do to comply • Best practices in avoiding social engineering techniques, such as critically reviewing attachments and links or avoiding clicking links when possible • Additional best practices to avoid vulnerabilities, such as strong password conventions and two-factor authentication • Physical security awareness InfoSec training is only successful if it is sponsored, reinforced, and advocated from leadership on down and built into the holistic company culture. We also recommend comprehensive phishing testing for the organization so that employees can learn to discern increasingly sophisticated attacks. For more information, read “Getting the Most Value Out of Your Phishing Program.”

17

BY INDUSTRY Coalfire conducts cyber risk advisory, cyber engineering, and assessment engagements as well as penetration testing services for customers across all vertical industries. While our study data, broken into vertical subsets, represents smaller sample sizes, we did find that the data supported our experience with, and understanding of, the cybersecurity challenges and macroenvironments of the verticals we serve. In this section, we provide overarching insights into these market areas from our expert risk advisors. We also believed based on years of penetration testing and assessment experience that size was not the only influencing factor. We anticipated seeing specific trends and patterns by vertical sector. Our data included companies that fell into four verticals – technology/ CSPs, healthcare, retail, and financial. Clearly, a retail store is an entirely different operational model than a hospital, so surely their vastly disparate natures would yield a different set of outcomes. Contrary to the resource difference between small and large organizations, we posited no preconceptions about how the industries would shape up other than being confident there would be a recognizable difference. Overall, we found that all industries have a similar risk posture from an external perspective (Figure 8). But when comparing susceptibility to the internal threat (Figure 9) and application risk (Figure 10), the most secure is clearly the financial sector. The data showed a clear difference in the state of their application security over the other industries.

18 | COALFIRE.COM

Retail was found to be the least secure of the four in our study, driven by a significantly greater proportion of high-risk findings across applications. Why are applications so different for retail versus financial? Retail companies have several factors typically playing against them. First, they are generally in a low-margin, costconscious business. High sensitivity to price pressures vendors to provide cut-rate services. This pricing pressure drives professional penetration testing companies to leverage automation as much as possible to be competitive in this market. While automation can be a workable solution when testing networks and infrastructure, as there are many vulnerabilities and corresponding exploits that have been addressed by security scanning tool vendors, this approach has serious drawbacks when testing applications. Applications that have been built by companies and are not considered “commercial off the shelf” (COTS) do not have the benefit of having a vast user base and access to throngs of independent researchers because they simply do not garner as much attention. Finding exploitable vulnerabilities in applications often requires a human to understand the security model and unravel “business logic” to pull off an attack. Ultimately, application penetration testing is akin to “zero-day” research, and that isn’t something that can be automated. Those that try to do so are missing the mark, and we have found that applications tested through automated means are rife with issues that are not detectable by technology alone. Yet.

Figure 8: Level of external risk found by vertical Tech/CSP

25%

Retail

24%

55%

21%

Financial services

41%

41%

18%

Medium

100%

80%

60%

40%

20%

0 High

29%

44%

27%

Healthcare

40%

35%

l

Low

Figure 9: Level of internal risk found by vertical Tech/CSP

Financial services

Medium

100%

80%

60%

40%

20% High

15%

34%

51% 0

2%

32%

66%

Healthcare

11%

23%

67%

Retail

7%

34%

58%

l

Low

Figure 10: Level of application risk found by vertical Tech/CSP

Financial services

40%

20% High

29%

49%

22% 0

19%

49%

32%

Healthcare

13%

26%

61%

Retail

20%

39%

41%

Medium

60%

Low Source: Coalfire’s Penetration Risk Report, 2018

100%

80% l

19

Retail Retail providers included in our study comprised a range of retail consumer services. Retail organizations can be characterized by having highly complex environments that are difficult to secure; most have multitudes of widely distributed store locations, numerous suppliers, distribution centers, logistical centers, contractors, employees, and widely diverse IT equipment, often made more complex through M&A-based growth. In support of the interests of the consumer and the credit card industry, the Payment Card Industry (PCI) Council publishes the governing standard for this industry, the PCI Data Security Standard (DSS). The council and the standard are sensitive to the complexity and challenges of managing a secure environment in a generally lowmargin business. The standard has been built to limit the impact of compliance by defining “in-scope” and “out-of-scope” systems. In-scope systems are considered those that are directly involved in processing credit card data, and out-of-scope systems are those that have nothing to do with it.

20 | COALFIRE.COM

In our experience through cybersecurity engagements with retail enterprises, we have generally observed that retail organizations primarily manage to optimize PCI DSS compliance, securing in-scope systems and point-of-sale (POS) environments, rather than focusing on taking an overall security risk- or governancebased approach across their organizations. As PCI is the driving standard in this industry and non-compliance can impact an organization’s ability to carry out business, compliance is clearly a critical objective. However, many organizations are interpreting in-scope and out-of-scope systems as being the demarcation line for implementation of common security practices. Through this interpretation, they are artificially limiting security efforts to merely supporting compliance initiatives. External in-scope systems that are part of a penetration testing scope for retailers had the least occurrences of high- and mediumrisk findings across our engagements. Figure 11 illustrates their primary vulnerabilities.

High risk

Figure 11: Retail external testing results

Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure protocols

Misconfiguration

Out-of-date software

Password flaws

Patching

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

The data from the internal testing (Figure 12), however, was telling. In stark contrast to the external findings, a vast number of internal issues contributed to compromise of cardholder data environments across the engagements included in this study. Coalfire’s experience with this testing echoes that of which has been published in the root cause analyses of numerous breaches in recent years: By focusing on in-scope systems, many enterprises have not invested in applying a consistent, rigorous security governance program across all of the potential points of security risk.

21

High risk

Figure 12: Retail internal testing results

Medium risk

Relative frequency

Low risk

Encryption flaws

Insecure protocols

Misconfiguration

Out-of-date software

Password flaws

Patching

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

Finally, the application footprint (Figure 13) was found to have a high proportion of significant findings. Examining these individual vulnerabilities compared to others show the presence of much fewer medium and low findings – indicating that the flaws found in these applications were more likely to result in compromise than in other industries.

High risk

Figure 13: Retail application testing results

Medium risk

22 | COALFIRE.COM

is

er ab

si

le Us c in om g po kn ne ow nt n s

ng

f ac un ce cti ss on co - le nt ve ro l l

ns it ex ive po da su ta re M

ln vu

d an

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

Se

fig Se ur cur at i t y io n co n is m

ob In je se ct cu re re fe d re ire nc ct es

B

In

je

ct io ro n se ke ss n io au n m the an nt ag ica em tio en n t C ro ss -s ite sc rip tin g

Relative frequency

Low risk

We postulate that the majority of applications built to process payment information have fewer roles and simpler role-based authentication; the applications generally are of narrower scope; and exploitation of any interfaces in the application can lead to data compromise. Thus, things that may not be able to be capitalized on in other applications may be a quick route to compromise in a payment application. For increased protection, retail organizations would be well served to take a risk-based

and data governance-based approach to their security programs across the entire enterprise, establishing a corporate governance mechanism that provides policy direction and thoroughly vets third-party providers, supports security objectives embedded throughout the lifecycle, and builds a robust security operations program with a true “blue team� capability. Compliance will be a byproduct of an effective security program; it should not be the sole objective.

23

Technology/CSPs More and more public and private organizations are moving their applications, partially or in totality, to the cloud, inspiring common-sense concerns and questions regarding security rigor in this industry. While we can’t draw conclusions about the security stature of every CSP across the board, we have observed some general trends through our many penetration tests

and advisory engagements of note, which offer opportunities to improve overall security posture in the technology/CSP vertical. This dataset contained the results of all types of cloud architectures, including Infrastructure-as-a-Service (IaaS), Platformas-a-Service (PaaS), Software-as-a-Service (SaaS), and hybrid solutions.

High risk

Figure 14: Tech/CSP external testing results

Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure protocols

Misconfiguration

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

24 | COALFIRE.COM

Out-of-date software

Patching

Web application

In the technology/CSP industry, our findings indicate that the greatest risk presented to the company is the insider threat (Figure 15), followed closely by application insecurities, dominated by cross-site scripting and use of known vulnerable components. To compound this issue, technology/CSP companies generally rely heavily on applications as the primary interface with

their internal and external user/customer base and accordingly may be reluctant to interrupt operations by updating applications. Our application testing data (see Figure 16) supports this as it demonstrates the largest number of injection vulnerabilities, authentication issues, and cross-site scripting findings. These findings are some of the most prevalent methods to compromise applications. High risk

Figure 15: Tech/CSP internal testing results

Medium risk

Relative frequency

Low risk

Encryption File Information flaws permissions disclosure

Insecure Misconfiguration Other protocols

Out-of-date software

Password flaws

Patching

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

25

26 | COALFIRE.COM

d

ct io ro n k se e ss n a io n uth m e an nt ag ica em tio en n C ro t ss -s ite sc rip tin g

B

je

ob In je se ct cu re re fe d re ire nc ct es m is co nf S ig ec ur ur at i t y io n Se ns it ex ive po da M su ta is re si ng f ac un ce cti ss on co - le nt ve ro l l re qu C es ro t ss fo -s rg it vu er e ln y er ab U le c sin om g po kn ne ow nt n s

an

In

Relative frequency

High risk

Figure 16: Tech/CSP application testing results

Vulnerability types

Source: Coalfire’s Penetration Risk Report, 2018

Medium risk Low risk

Through our work with technology/CSPs, we have found they rely heavily on automation of processes and have historically struggled with managing privileged access. Noted in Figure 15, the number of password flaws is likely indicative of the struggles with this. To combat this, we advise companies to implement a defense-in-depth approach to security that includes the development and implementation of secure hardening standards for all assets within their authorization boundary. Poor organizational structure can often be the root cause of security issues in the CSP environment. CSPs often have suboptimal delineation among corporate IT, technology, and product-specific IT/ technology functions. This can lead to insecure technical, process, and personnel dependencies that expose CSP environments to security blind spots that offer the easiest path for an attacker. Security problems, such as corporate access control dependencies, incorrect security boundary definitions, and the inadvertent offloading of live data into test environments by developers, can often be traced back to organizational structure issues. This creates a proliferation of application technologies within these technology/CSP companies that may not be managed in the most secure manner.

27

Healthcare Healthcare organizations, comprising covered entities, such as healthcare delivery organizations, health plans, clearinghouses, and business associates (or service providers), were included in our penetration testing study and contribute to the overall results we present herein. Like other vertical

markets, healthcare often leaves common vulnerabilities unaddressed; yet healthcare overall, particularly within the midsized organization category, often contends with numerous industry-specific challenges that inhibit a strong cybersecurity posture.

Figure 17: Healthcare external testing results

High risk Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure Misconfiguration protocols

Out-of-date software

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

28 | COALFIRE.COM

Password flaws

Patching

Web application

Figure 18: Healthcare internal testing results

High risk Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure protocols

Misconfiguration

Out-of-date software

Password flaws

Patching

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

Similar to other verticals, the most significant findings from our study indicate susceptibility to the internal threat, with a large number of high-risk findings based on insecure protocols, password flaws, and out-of-date software (see Figure 18).

29

Figure 19: Healthcare application testing results

High risk Medium risk

le Us c in om g po kn ne ow nt n s

ue Cr st o s fo s - s rg it er e y

er ab

si

an

d

vu

ln

B

M

is

m

re q

ng

f ac un ce cti ss o n co - le nt ve ro l l

ns it ex ive po da su ta re

Se

fig Se ur cur at i t y io n is

co n

In

je

ct io ro n se ke ss n io au n m the an nt ag ica em tio en n t C ro ss -s ite sc rip tin g

Relative frequency

Low risk

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

Covered entities are widely reputed to be understaffed and underfunded regarding their cybersecurity initiatives.5, 6 From our experience in the industry, this reputation is unfortunately valid. Often, these limitations prevent covered entities from implementing in-depth defensible strategies that limit the proliferation of cyberattacks. Perhaps attributable to restrictive budgets and competing prioritization concerns, healthcare organizations often use antiquated systems that do not support the necessary defenses (such as role-based access control [RBAC], logging, and encryption) to prevent today’s sophisticated cyberattacks. In many cases, these systems contain large quantities of highly valuable, detailed patient

information, which attackers covet. These systems become increasingly vulnerable when they communicate with other high-risk systems, amplifying their threat exposure. Our data supports this attribution based on the large number of findings for password flaws and out-of-date software. Doctors and medical staff are focused primarily on providing quality care. Lacking adequate cybersecurity and IT staff, healthcare organizations, primarily hospitals, commonly have hundreds or even thousands of high-risk devices (i.e., Class 2 and Class 3 medical devices) that are “connected” and, often, legacy devices that are unsupported, unpatched, and without basic security mechanisms (e.g., secure authentication).

Beth Kutscher. “Healthcare underspends on cybersecurity as attacks accelerate.” Modern Healthcare, March 3, 2016. http://www.modernhealthcare.com/article/20160303/NEWS/160309922 5

“Healthcare Cybersecurity a Massive Concern as Spending Set to Reach Only US $10 Billion by 2020.” ABIresearch, February 25, 2015. https://www.abiresearch.com/press/healthcare-cybersecurity-a-massive-concern-as-spen/

6

30 | COALFIRE.COM

Sometimes, the equipment is unpatchable, not built at its inception with adequate lifecycle management in mind. Patching, replacing, and upgrading equipment can be seen as disruptive to continuity of patient care, and consequently, these activities are often neglected. Since many hospitals are not robust enough to have an isolated or segmented medical device network, the compromise of one device could spread to other devices, and ultimately, the network. Furthermore, considering these devices are used to deliver patient care, a successful attack on a device could allow the attacker to modify device configurations, leading to inaccurate dosages and possible death. While the inability to patch can contribute to the presence of exploitable vulnerabilities, our data shows a greater impact from these legacy systems reflected in insecure protocols. Covered entities often struggle with limiting their electronic protected health information (ePHI) footprint to only necessary and secure systems. Thus, we often see highly confidential patient information in email, file and print servers, voice recordings, AccessÂŽ databases, and document libraries

(like SharePointÂŽ). Because this data is unstructured and/or not accounted for in inventory, it often is not properly restricted or protected. Organizations should limit ePHI only to necessary systems that can support strong security controls. Out of our four industries, healthcare showed the greatest number of findings based on misconfiguration of security parameters. Healthcare organizations also have expanded their digital reach to patient communities, offering online platforms for accessing medical records, lab results, and online interactions, as well as digital interaction and data sharing with other medical practitioners. While this digital expansion has increased their applications and supporting infrastructure, staffing and expertise for security support have not evolved in tandem with other technology-based industries. For healthcare organizations that struggle with technical talent, budget restrictions, and the ability to prioritize tasks, we recommend engaging a third-party expert to assist with a risk assessment and development and implementation of security programs based on the current state of risk. 31

Financial services Cybersecurity is of increasing concern to financial organizations, attributable to a number of internal and external pressures. Financial services have become digital businesses, and will continue to move toward end-to-end digitization. Because of the value of the data and digital assets

that these organizations maintain (making them appealing targets for malicious actors), their security posture receives significant scrutiny from customers as well as oversight, compliance, and regulatory bodies. Many financial institutions still rely on the same information security model that they

Figure 20: Financial services external testing results

High risk Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure Misconfiguration protocols

Out-of-date software

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

32 | COALFIRE.COM

Password flaws

Patching

Web application

Figure 21: Financial services internal testing results

High risk Medium risk

Relative frequency

Low risk

Encryption flaws

Information disclosure

Insecure Misconfiguration protocols

Other

Out-of-date software

Password flaws

Patching

Vulnerability types Source: Coalfire’s Penetration Risk Report, 2018

have used for years: one that is controls- and compliance-based, perimeter-oriented, and aimed at securing data and the back office. But information security risks have evolved dramatically over the past few decades, and the approach that many financial institutions use to manage them has not kept pace. Our

data drawn from engagements with financial institutions reflects this in that it does not vary widely from the other industries. The highest risk to financial industries is similar to other industries: an internal security environment that fails to protect against common threats (see Figure 21).

33

Source: Coalfire’s Penetration Risk Report, 2018

34 | COALFIRE.COM

d

vu

an

ln

Vulnerability types

le Us c in om g po kn ne ow nt n s

ue Cr st os fo s - s rg it er e y

f ac un ce cti ss on co - le nt ve ro l l

ng

it ex ive po da su ta re

ns

fig Se ur cur at i t y io n

Se

co n

re q

si

is

is

er ab

M

m

je

ct io ro n se ke ss n io au n m the an nt ag ica em tio en n t C ro ss -s ite sc rip tin g B

In

Relative frequency

Figure 22: Financial services application testing results Medium risk

High risk Low risk

From a macro lens, U.S. regulatory pressure is likely to increase, forcing banks to focus more on regulatory compliance. Compliance alone is rarely sufficient to protect an organization. Will this move the needle on securing financial institutions? Do not hold your breath. Security in the digital world depends on robust cybersecurity managed to meet risk and hold off threats that are coming from multiple directions.

Financial institutions that have not recently had their security environments assessed may wish to consider doing so to understand their current security postures. Our data indicates that the “hardened perimeter” and “vulnerable inside” still remain issues that must be addressed.

35

Methodology STANDARDIZED PEN TESTING APPROACH AND METHODOLOGY Coalfire leverages a cyclical approach to penetration testing so new information is incorporated into subsequent attacks on the environment. This process is applied to both network penetration testing as well as web application penetration testing. Figure 23 is a visual representation of our overall penetration testing process.

Figure 23: Coalfire’s penetration testing process

36 | COALFIRE.COM

Source: Coalfire’s Penetration Risk Report, 2018

We utilize a series of automated tools along with manual exploitation methods to identify security vulnerabilities and perform tests to actively exploit them in a non-harmful manner. In addition to the process described in Figure 23, every penetration test is approached with varying amounts of prior knowledge about the environment to meet varying goals and replicate numerous different scenarios; these approaches can be black-box, white-box, or grey-box. Black-box testing: Simulates a malicious attacker with limited information about the network or application being tested. In black-box testing, more time is spent on reconnaissance and discovery through publicly accessible information. In addition, Coalfire’s source IP addresses will not be whitelisted. Grey-box testing: Involves limited information about the environment obtained through interviews with the client. This approach allows Coalfire to target specific systems in scope to produce better results rather than spending resources on discovery and reconnaissance and helps simulate an attacker with knowledge of the systems. Grey-box testing can include whitelisting but it is not required. White-box testing: Simulates an internal attack from an authenticated user such as a disgruntled employee or customer. Hence, the client can provide Coalfire with user credentials to gain access and perform indepth testing activities to identify issues an authenticated user could identify and exploit.

SOCIAL ENGINEERING METHODOLOGY As technical approaches to security become more sophisticated and effective, social engineering is often the easiest way to gain access to a company’s information assets. Social engineering relies on human interaction and involves “tricking” other people to break normal security procedures. A person using social engineering frequently tries to gain the confidence of someone with access to a network, and then get him or her to reveal information that compromises the security measures put in place. Given enough time, effort, and resources, most people can be tricked into revealing confidential information. Coalfire keeps social engineering tests cost-effective and relevant by focusing on awareness issues. We do not encourage targeting a specific person or department with social engineering attacks. Although our tests may trick certain individuals, it is more a statement of general company awareness and training than an individual’s failing. Our social engineering tests assess whether the organization as a whole: • Understands and adheres to policies on giving out information • Understands that individual employees have access to valuable information • Understands that social engineers exist

37

RISK RATING SCALE The risk rating assigned to each finding is translated into a high-, medium-, and lowrisk rating to simplify reporting, analysis, and remediation planning. Often, an attacker may leverage a combination of vulnerabilities to exploit

and gain remote unauthorized access to applications and data. If the penetration tester was able to chain vulnerabilities in this manner, it may alter the risk rating of a specific individual vulnerability accordingly.

Figure 24: Risk rating scale

Source: Coalfire’s Penetration Risk Report, 2018

38 | COALFIRE.COM

About Coalfire Labs The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organizations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades defenses, and hunts for active breaches in clients’ environment, and then helps clients understand the risk and impact to their organization.

About Coalfire Coalfire is the trusted cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe. Coalfire.com

39

Appendix: Cyber kill chain The “cyber kill chain” refers to the linear stages malicious cyber attackers use to execute an attack, from reconnaissance (identifying targets/assets and looking for the path of least resistance to wage an attack) through the exfiltration of data (getting the data they want out). While this may seem to be academic to some readers, the important takeaway from this discussion is that, because attacks progress linearly,

they can be stopped anywhere throughout this chain. This means that securing all parts of the network is critical to thwarting attacks. Many customers focus only on external network testing, owing to a higher degree of concern over internet-based attacks. Yet, as the kill chain demonstrates, once an attacker penetrates the external defenses (as a determined attacker is usually able to do), internal network vulnerabilities

Potential actions

Goal

Cyber kill chain Figure 25: Cyber kill chain

Reconnaissance

Infiltration

Discovery

Capture

Exfiltrate

Identify potential targets (employees, systems, connected third parties, and other assets) and best attack vectors

Deliver malicious payload to target and take position inside the organization

Use internal position to learn more about environment and systems / vulnerabilities

Spread access, make detailed asset maps, and secure desired data

Take the prize; remove the data

• Data mine infiltrated resource for local files, wikis network shares, browser history, SharePoint, and intranet portals

• Map company’s network and security controls, and spread access privileges to systems with the desired data assets

• Search for IP address ranges, administrative users, passwords, critical applications, databases, and server and software vulnerabilities

• Note employee patterns or any other information that may impede exfiltration

• Scan company’s public-facing systems, applications, and websites • Identify and search organization’s and employees’ social media accounts • Use third-party information sites (i.e., Shodan, ARIN) for more information • Use these vehicles to learn about company events, technologies, processes, vendors, and partners, and identify the best method to exploit

• Exploit identified external vulnerabilities, and establish persistence in external systems • Penetrate physical perimeters to place leave behinds for internal network access • Create custom malware (or use existing) to be delivered to target via phishing, possibly pretext calling to increase credibility, USB drives, websites

• Remove data to a remote server • Remove logs and other evidence identifying intrusion and remote servers utilized • Monetize stolen assets or maintain network access for use in future operations

• Disable host and network’s security controls, and escalate privileges

Source: Coalfire’s Penetration Risk Report, 2018 40 | COALFIRE.COM

become the organization’s Achilles’ heel and enable the attack to progress to the loss of data assets. In our data set, we completed 148 client engagements, and only conducted 61 internal network tests. We counsel customers to consider testing their holistic environments to avoid breaches starting or progressing throughout the kill chain. There are many different versions and descriptions of the kill chain. For the purpose of this report, we will use a simplified version as represented in Figure 25.

RECONNAISSANCE The first step in the cyber kill chain is reconnaissance, or data gathering, for the purposes of selecting the most vulnerable target and best method of attack. Reconnaissance includes both passive and active techniques. In passive reconnaissance, attackers gather as much information as possible about the company, its partners, vendors, security solutions, systems, and employees, usually leveraging public resources that do not cause alerts to the organization. Company websites; LinkedIn, Facebook and other social media sites; open job postings; and other resources give up information about company events, employees and their interests, security and software solutions in use, etc., that can be used to better target a social engineering attack. Active reconnaissance is a deeper layer of reconnaissance, which can include such “noisy” activities as port scanning with tools like Nmap, vulnerability scanning with tools such as Nessus and OpenVAS, and other activities that reveal more information about open ports, active systems, mail servers, and software/system vulnerabilities.

INFILTRATION Infiltration includes creating and/or delivering the malicious payload to the asset and taking position inside the organization. Attackers can use pre-existing malware or create new, typically leveraging automated tools; volumes could be written on attack vector types, development, and their evolution over time. This topic is out of scope for this research report. For good additional reading on malware, see Symantec’s 2017 Internet Security Threat Report. Social engineering is one of the most common methods of breaching an enterprise; see the social engineering section on page 12 for our research data and recommendations on protecting the enterprise. The commonality of social engineering in introducing attack vectors into the enterprise supports the assertion that humans are the weakest link in our security chain – a link that must be addressed to secure the organization.

DISCOVERY Once an attacker has taken control of a user’s machine or a compromised web server, established a web shell or a persistent backdoor providing remote access, they are now, effectively, an insider. They will have all the same access as an employee, with one key difference: In the absence of a strong security posture, they will have both the malicious intent and skills to discover information and expand their access to critical systems and data. Their goal is to use this internal position to survey the local computing resource for security software (and disable it), files, permissions, passwords and IP addresses; execute discovery of network shares, systems, applications, 41

registry, remote systems; and look for software vulnerabilities. They will work to then escalate this account’s privileges to as many systems as possible. Customers often pay less attention and attribute less penetration testing budget to this area of their networking domain, yet as our data suggests (see page 8), it is here that most organizations experience their primary areas of high-risk vulnerabilities, particularly large enterprises.

CAPTURE Attackers will likely want to expand their access to other systems to capture and exfiltrate anything they can monetize or that meets their original intent. To achieve this goal, attackers will typically spread across the network, starting from the pivot point gained in the infiltration phase. Using the information on the internal network gained during discovery, additional breach points are created through vulnerability exploitation and the installation of various payloads, including backdoors and other malicious toolsets. This is how attackers ensure they can remain in the network for extended periods of time, even if the initial breach point was detected. Attackers will then scour the systems of an internal network, looking for critical data such as credit cards and other personally identifiable information (PII), or setting up the tools and scripts needed for other goals, such as destruction of data.

42 | COALFIRE.COM

EXFILTRATION More than likely, if the attacker has been able to come this far, they will encounter no insurmountable barriers to exfiltrating the data using a variety of methods. Additionally, if it appears that detection of the attacks has not occurred, the attackers will continue to remain in the network and establish stronger holds in the target environment, repeating the last four steps of the kill chain until detection and removal has occurred.

43

Copyright Š 2014-2018 Coalfire. All Rights Reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS et.al). Consequently, any has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. Microsoft, Windows, Access, SharePoint, and Office 365 are trademarks or registered trademarks of the Microsoft Corporation.

Reduce risk and simplify compliance with trusted insight from the cybersecurity experts. 877.224.8077 | Coalfire.com 44 | COALFIRE.COM

RR_Q2_062018

forward-looking statements are not predictions and are subject to change without notice. While Coalfire