External hackers breached 93 percent of organizations’ perimeter networks and on average gained access to internal systems in two days, a recent cyber simulation carried out by Positive Technologies’ researchers found.
The study covered 45 attack scenarios in which Positive's clients consented to use of the results and publication of depersonalized data. The penetration testing was carried out in real corporate infrastructure and terminated one step before the occurrence of an unacceptable event without harming business processes, Positive said. It ran from the second half of 2020 through the first half of 2021. Events that disrupt technological processes and the provision of services, or result in stolen money and sensitive information, were considered by Positive’s customers to be unacceptable incidents that present the greatest danger.
“In 20 percent of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyber attack,” said Ekaterina Kilyusheva, who heads Positive’s research and analytics. “These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those,” she said. In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events.
Positive’s researchers determined that a cyber invader would need no more than a month to conduct an attack that would lead to the triggering of an unacceptable event, Kilyusheva said. Some of those attacks could unfold “in a matter of days,” she said. Roughly seven in 10 companies (71%) were hit by attacks in which infiltrators exploited poor passwords, including those used for system administration. In 100 percent of use cases, insiders could gain full control over the infrastructure. Positive’s researchers said that figure has remained high for many years, an indication of cyber criminals’ ability to breach almost any corporate infrastructure.
The study spanned financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors. Of note, Positive’s researchers performed actions that would enable them to disrupt a bank’s business processes and alter the quality of services provided. In one instance pentesters gained access to an ATM management system that could allow attackers to steal funds.