The anatomy of a cyberattack: RSM’s annual Attack Vectors Report

March 24, 2023
Awareness and education are critical elements of an organization’s cybersecurity posture, helping employees understand what controls to focus on and where to direct resources and energy.

Cyberthreats are constantly evolving for middle market businesses, with bad actors looking to exploit any potential vulnerability as soon as it becomes available.

RSM US recently released a report that outlines how bad actors are attempting to breach companies, and which specific risks are on the rise.

Gaining insight into vulnerabilities

RSM’s annual Attack Vectors Report is an analysis of the previous year’s penetration test results, providing insight into which attack techniques are succeeding against organizations and which are trending. The objective of penetration testing is to identify and exploit vulnerabilities in order to obtain credentials, establish persistence within the targeted network and gain access to sensitive data.

In addition to accumulating yearly testing data, RSM also investigated the relationship between an organization’s rate of compromise and the maturity of its security program.

For that comparison, only clients who engaged RSM for both penetration testing and a National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) maturity assessment between 2019 and 2022 were included in the data.

RSM’s penetration testing engagements typically involve a client asking RSM to simulate the actions of a real-world attacker. In essence, we become the threat for the sake of identifying client weaknesses, attempting to compromise a network (external or internal), an application or another single in-scope technology.

Over the course of the engagement, consultants record each vulnerability identified and exploited and assign it a risk rating that categorizes the exposure by the level of risk it poses to the client environment.

These ratings account for factors such as the type of vulnerability, the ease of exploitation and the severity of the impact if exploitation succeeds. An additional factor that sets penetration tests apart from traditional vulnerability scans is that in a penetration test the goal is to chain exposures together to achieve a deeper level of compromise.

For example, a single compromised user account may be used to take over multiple systems within the target network.

The results

After analyzing the data, RSM reached several key conclusions. Perhaps the most important was the relationship between an organization’s maturity score and its rate of penetration test compromise: the data show a negative correlation between an organization’s maturity score and its likelihood of compromise during a penetration test.

Essentially, as an organization’s maturity score rose, the likelihood that it would be compromised during a penetration test fell. This is a correlation rather than proof of causation, however, and stronger security controls and processes alone do not inoculate an organization against compromise.

Additionally, comparing the 2022 data with previous years showed that many of the most common forms of compromise persisted. The most frequently exploited attack vectors were password spraying and the exploitation of missing patches.

These attacks have consistently been among the most successful forms of attack because they rely on human and process error: users choosing weak or reused passwords, and security patches that are never applied.

As such, these attack vectors have remained, and will likely continue to remain, among the most frequent cybersecurity threats to organizations.
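The following is an added example, not code from the RSM report, showing the detection logic a defender can run over Windows failed-logon events (Security log, Event ID 4625) to surface the password spraying named above. A spray is wide and shallow: one source address, many distinct accounts, very few attempts per account. The sample records are constructed so the script runs offline, and the window and threshold values are assumptions to be tuned per environment.

```powershell
# Added example (not from the RSM report): flag password-spray activity in
# failed-logon events. Input objects need Time, IpAddress and TargetUserName,
# the three fields a 4625 event supplies.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes      = 30,   # assumed tuning values
        [int] $MinDistinctUsers   = 8,
        [int] $MaxAttemptsPerUser = 3
    )
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks

    # Bucket events into fixed windows per source address, then measure each bucket:
    # many distinct accounts with few attempts each is the spray signature.
    $Events |
        Group-Object -Property { '{0}|{1}' -f $_.IpAddress, [long][math]::Floor($_.Time.Ticks / $windowTicks) } |
        ForEach-Object {
            $bucket = $_.Group
            $byUser = @($bucket | Group-Object -Property TargetUserName)   # @() keeps .Count meaning "groups"
            $distinctUsers = $byUser.Count
            $maxPerUser    = ($byUser | Measure-Object -Property Count -Maximum).Maximum
            if ($distinctUsers -ge $MinDistinctUsers -and $maxPerUser -le $MaxAttemptsPerUser) {
                [pscustomobject]@{
                    Source                = $bucket[0].IpAddress
                    WindowStart           = ($bucket | Sort-Object Time)[0].Time
                    DistinctAccounts      = $distinctUsers
                    MaxAttemptsPerAccount = $maxPerUser
                    Accounts              = ($byUser.Name -join ', ')
                }
            }
        }
}

# Constructed sample records, not real telemetry: one source tries a single
# password across ten accounts, while a legitimate user at another address
# mistypes their own password four times (which must not alert).
$sprayUsers = 'alice','bob','carol','dave','erin','frank','grace','heidi','ivan','judy'
$i = 0
$sampleEvents = @(
    foreach ($u in $sprayUsers) {
        [pscustomobject]@{ Time = ([datetime]'2023-03-01T09:00:00').AddSeconds(5 * $i); IpAddress = '203.0.113.7'; TargetUserName = $u }
        $i++
    }
    foreach ($n in 1..4) {
        [pscustomobject]@{ Time = ([datetime]'2023-03-01T09:01:00').AddSeconds(20 * $n); IpAddress = '198.51.100.4'; TargetUserName = 'mallory' }
    }
)

# Live equivalent (assumes rights to read the Security log); replaces $sampleEvents:
# $liveEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{
#             Time           = $_.TimeCreated
#             IpAddress      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#             TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#         }
#     }

# Expected: a single row for 203.0.113.7 with DistinctAccounts 10 and MaxAttemptsPerAccount 1.
Find-PasswordSpray -Events $sampleEvents | Format-Table -AutoSize
```

Fixed buckets can split a spray that straddles a window boundary, so in production pair this with an overlapping window or a streaming rule in the SIEM. The same wide-and-shallow pattern applies to Kerberos pre-authentication failures (Event ID 4771) and to cloud identity sign-in logs, which sprays against externally facing portals will hit before any domain controller sees them.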

One trend of interest to RSM was the notable increase in a newer attack vector: misconfigured Active Directory Certificate Services (AD CS). Though only 2% of compromises used this form of attack in the past year, the number is trending upward. In the typical case, a misconfigured certificate template lets an attacker who holds any domain account request a certificate in the name of a different account and then authenticate as that account, impersonating virtually any user on the domain.

If the attacker knows which users have the privileges needed to follow a desired attack path, they can simply impersonate one of those users and achieve their goals, feasibly resulting in full domain compromise and access to all sensitive data present on the domain. We anticipate that this attack vector will be a significant issue for organizations in the coming years.
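The following is an added example, not code from the RSM report, that enumerates the template-level misconfiguration behind the AD CS impersonation described above: a published template that lets the enrollee supply the subject name, is usable for logon, requires neither manager approval nor an authorized signature, and is enrollable by a broad group. The report does not name a specific misconfiguration, so treating that combination as the one to look for is an assumption, as are the list of logon EKUs and the set of "broad" principals. It assumes the RSAT ActiveDirectory module on a domain-joined host; template objects live in the Configuration partition and are readable by any authenticated user.

```powershell
# Added example (not from the RSM report): report certificate templates whose
# settings allow a low-privileged enrollee to obtain a logon certificate for an
# account of their choosing.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Schema constants from the Windows PKI documentation.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (manager approval)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$LogonEkus = @(                            # assumed list; extend for your environment
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
# Principals whose Enroll right makes a template reachable by most of the domain (assumed list).
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

# Templates published on at least one enterprise CA; an unpublished template cannot be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t    = $_
    $ekus = @($t.pKIExtendedKeyUsage)

    $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
    # An empty EKU list means the certificate is valid for any purpose, logon included.
    $logonCapable    = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $LogonEkus -contains $_ }).Count -gt 0)

    # Broad principals granted Enroll (or full control) on the template's security descriptor.
    $broadEnrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($BroadPrincipals -notcontains $name) { continue }
        $rights    = [int]$ace.ActiveDirectoryRights
        $hasEnroll = (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                     ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)
        $hasFull   = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($hasEnroll -or $hasFull) { $name }
    }

    [pscustomobject]@{
        Template            = $t.Name
        Published           = $published -contains $t.Name
        EnrolleeSubject     = $suppliesSubject
        LogonEku            = $logonCapable
        ManagerApproval     = $needsApproval
        AuthorizedSignature = $needsSignature
        BroadEnroll         = (($broadEnrollers | Sort-Object -Unique) -join ', ')
        # Only the full combination is the impersonation path; each setting alone may be legitimate.
        Impersonation       = ($published -contains $t.Name) -and $suppliesSubject -and $logonCapable -and
                              -not $needsApproval -and -not $needsSignature -and (@($broadEnrollers).Count -gt 0)
    }
} | Where-Object Impersonation | Format-List
```

Any template the script reports should be fixed by removing the enrollee-supplies-subject setting, or, where the business process needs it, by requiring manager approval or an authorized signature and restricting Enroll to the specific group that needs it. The check covers only template settings; CA-level configuration and enrollment endpoints need their own review, and the findings are worth cross-checking against the CA's own view with certutil before changing production templates.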

Taking steps to address risks

Having established these trends in the current landscape, RSM encourages clients to take the necessary steps to protect themselves against these common risks. This includes conducting the testing needed to identify, manage and remediate vulnerabilities before a threat actor can exploit them to compromise the organization’s network.

Recommended services include regular vulnerability scans (monthly or quarterly), annual external and internal penetration testing and web application penetration testing. Mobile application and cloud penetration tests should also be considered where applicable.

Each of these services allows organizations to assess the risks posed to them by attackers. By gaining knowledge of these risks prior to their exploitation, organizations can take the necessary steps to mitigate or neutralize threats.

However, managing vulnerabilities is not enough on its own. Preparing the response before an incident occurs is the best form of protection. Organizations are encouraged to determine which functions must be fulfilled when a real attack occurs and to rehearse them; incident response tabletop simulations are one way to do this, and adversary simulation engagements are another.

During Red Team engagements, RSM plays the role of the attacker, and the objective shifts from vulnerability identification to testing response capabilities. In these assessments, RSM attempts to breach the target network while evading detection by the defenders (the “Blue Team”).

Over a typical engagement of several weeks, RSM explores a variety of potential vectors, which can include anything from technical attacks to social engineering a way into a physical location and plugging into an open network port. Alternatively, Purple Team engagements simulate specific scenarios in a partnership between the attackers (RSM) and the defenders to build detection capabilities and attack signatures in real time. Any of these measures can and should be taken by organizations to prepare for scenarios involving real threat actors and attacks.

It is important for organizations to review these common threat trends and the preventive measures that can be taken to combat them. The threat landscape is constantly changing and staying informed is one of the best methods of maintaining awareness.

As the cyber arms race continues, data science is changing detection and response technologies. One consequence is that some attack vectors, such as phishing, have become harder to test at the human level, because automated filtering now intercepts much of what once reached users. It also means there is an increased need to continuously tune technologies like security information and event management (SIEM), which makes secure development and technology lifecycles that much more important.

The information presented in the Attack Vectors Report can play a pivotal role in helping organizations take the necessary steps to combat the risks they are faced with, and organizations should employ all the resources at their disposal.

Ken Smith leads RSM US’ cyber testing team. His responsibilities include recruiting and training personnel, identifying and expanding upon business development opportunities and ensuring high quality work and deliverables from a team of over 50 testers. Ken is an experienced offensive security and privacy risk consulting professional who has spent 12 years performing and leading engagements that have included network and physical penetration testing, application assessments as well as wireless security testing. Ken is an accomplished educator and has been developing and teaching infosec coursework at a mid-sized university for nine years. He previously worked for five years as a signals intelligence operator with the U.S. Army, including time served as a member of the Special Operations community. Ken holds several certifications including the Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP) certifications. Additionally, he has a master’s in security policy studies from Notre Dame College in Cleveland, Ohio, where he is currently based.