Penetration testing is a critical best practice for virtually any organization’s cybersecurity posture. By putting defenses to the test against trained offensively-minded professionals, organizations can gain deep insights into how they’ll fare against real attackers. Often, the challenge is that the results are not what you would have hoped. When pen testers are able to carve through your defenses at will, it can be discouraging and hard to know where to start.
This is something we see quite a bit at Preempt, so in this blog we wanted to share a solid recipe for how to reduce your attack surface. For more in-depth steps on how you can not only reduce your attack surface but also implement adaptive controls and gain insight into hackers' tools, download our whitepaper on this topic.
How to Reduce Your Attack Surface
One of the key benefits of a penetration test is that it forces you to think like an attacker. Attackers or pen testers need to find that first victim user or account in the network. With that foothold, the goal is to try and gain the privileges of a network administrator. We naturally want to make this as difficult as possible. The steps below will give you a good start. Of course, the Preempt Platform performs all of these functions continuously.
- Find Stale Accounts - The simplest way to reduce your attack surface is to make sure you don’t have any stale, unused accounts. This is especially true for Admin accounts. Check for accounts that haven’t been used in the past few months and delete any that are no longer needed.
- Track New Admin Accounts - Becoming a network admin is the end goal for most attackers and pen testers, so it’s critical to keep an eye on the creation of any new accounts on a daily basis. Any new, unexpected admin account is cause for serious concern.
- Find Password Weaknesses - Weak credentials are the gateway to most breaches, and attackers have dictionaries of common passwords and passwords stolen during other breaches. Test your network to find if any of your users are using passwords in common dictionaries. Find if users or devices are sharing the same passwords, or if service accounts are using exposed passwords. As always, any of the above are especially risky for an account with admin privileges.
- Detect Reconnaissance - Since we know that attackers will try common passwords, we should be on the lookout for signs of attackers testing passwords. Thus it’s important to monitor Active Directory for signs of attackers testing credentials for a single account or testing common passwords against multiple accounts.
- Cloned or Shared Admin Passwords - If devices share the same admin passwords, attackers can easily jump from device to device using pass-the-hash techniques. Sometimes admins reuse the same passwords on multiple devices, and sometimes local admin passwords are identical because user laptops were cloned from the same image. Check your environment for devices that share admin passwords and remediate appropriately.
- Find Stealthy Administrators - As soon as an attacker gains any access to the network, he will be on the hunt for an administrator. Tools like BloodHound let attackers find the fastest path to those administrators, and finding “stealthy administrators” is often the easiest path. Stealthy admins are users outside of the official Admins group in AD who have high privileges or who have control over an admin account. It is critical to find these accounts and then either reduce their privileges or apply more aggressive controls.
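The six checks above can be scripted against an export of your directory and logon data. The following Python is an added example written for this post, not Preempt's code or the Preempt Platform; it runs each check over a small constructed data set (invented account names, timestamps, IP addresses, group nesting and placeholder credential fingerprints rather than real hashes) so it executes offline. In a real environment the same functions would be fed from an AD export and from the domain controllers' failed-logon events.

```python
"""Added example (not Preempt's code): the attack-surface checks from the list
above, run over a constructed Active Directory export. Every identifier,
timestamp, address and fingerprint below is invented sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)  # constructed "today" so results are deterministic

# Constructed account export. "fingerprint" is a placeholder credential
# fingerprint (not a real NT hash) so reuse can be compared without secrets.
ACCOUNTS = [
    {"name": "alice",  "last_logon": NOW - timedelta(days=3),   "created": NOW - timedelta(days=400), "fingerprint": "fp-a1"},
    {"name": "bob",    "last_logon": NOW - timedelta(days=120), "created": NOW - timedelta(days=800), "fingerprint": "fp-b2"},
    {"name": "svc-bk", "last_logon": NOW - timedelta(days=200), "created": NOW - timedelta(days=900), "fingerprint": "fp-a1"},
    {"name": "tmpadm", "last_logon": NOW - timedelta(days=1),   "created": NOW - timedelta(hours=6),  "fingerprint": "fp-c3"},
]
# Constructed group nesting: group -> direct members (users or other groups).
GROUPS = {"Domain Admins": {"alice", "tmpadm", "Helpdesk-Tier3"},
          "Helpdesk-Tier3": {"carol"}}
# Constructed ACL entries: (principal, account whose password it may reset).
ACL_RESET_PASSWORD = [("dave", "alice")]
# Constructed local-admin fingerprints per workstation (placeholders).
LOCAL_ADMIN_FINGERPRINTS = {"ws01": "fp-img", "ws02": "fp-img", "ws03": "fp-x9"}
# Constructed failed-logon records: (timestamp, source address, target account).
FAILED_LOGONS = [(NOW - timedelta(minutes=m), "10.0.0.5", u)
                 for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
FAILED_LOGONS.append((NOW - timedelta(minutes=2), "10.0.0.9", "bob"))


def find_stale_accounts(accounts, max_idle_days=90):
    """Step 1: accounts with no logon inside the window are deletion candidates."""
    cutoff = NOW - timedelta(days=max_idle_days)
    return sorted(a["name"] for a in accounts if a["last_logon"] < cutoff)


def effective_members(group, groups, seen=None):
    """Expand nested group membership down to the set of users it resolves to."""
    seen = seen if seen is not None else set()
    users = set()
    for member in groups.get(group, ()):
        if member in groups:             # nested group: recurse, guarding cycles
            if member not in seen:
                seen.add(member)
                users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users


def find_new_admin_accounts(accounts, groups, max_age_days=1):
    """Step 2: admins created inside the daily review window need sign-off."""
    admins = effective_members("Domain Admins", groups)
    cutoff = NOW - timedelta(days=max_age_days)
    return sorted(a["name"] for a in accounts if a["name"] in admins and a["created"] > cutoff)


def find_shared_credentials(accounts):
    """Step 3: accounts (users or services) whose credential fingerprint repeats."""
    by_fp = defaultdict(list)
    for a in accounts:
        by_fp[a["fingerprint"]].append(a["name"])
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def detect_spray(events, distinct_users=5, window=timedelta(minutes=10)):
    """Step 4: one source failing against many distinct accounts in a short
    window is the signature of common passwords being tested across users."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            if len({u for t, u in evs[i:] if t - start <= window}) >= distinct_users:
                flagged.append(src)
                break
    return sorted(flagged)


def find_cloned_local_admins(hosts):
    """Step 5: workstations whose local admin credential fingerprint matches."""
    by_fp = defaultdict(list)
    for host, fp in hosts.items():
        by_fp[fp].append(host)
    return sorted(sorted(h) for h in by_fp.values() if len(h) > 1)


def find_stealthy_admins(groups, acl_reset):
    """Step 6: users who are admins only through nesting, or who can reset an
    admin's password without being an admin themselves."""
    direct = {m for m in groups["Domain Admins"] if m not in groups}
    effective = effective_members("Domain Admins", groups)
    controllers = {p for p, target in acl_reset if target in effective and p not in effective}
    return sorted((effective - direct) | controllers)


if __name__ == "__main__":
    print("stale:", find_stale_accounts(ACCOUNTS))
    print("new admins:", find_new_admin_accounts(ACCOUNTS, GROUPS))
    print("shared creds:", find_shared_credentials(ACCOUNTS))
    print("spray sources:", detect_spray(FAILED_LOGONS))
    print("cloned local admins:", find_cloned_local_admins(LOCAL_ADMIN_FINGERPRINTS))
    print("stealthy admins:", find_stealthy_admins(GROUPS, ACL_RESET_PASSWORD))
```

Two design points carry over to production use: membership must be expanded transitively (a helpdesk group nested inside Domain Admins makes its members admins just as surely as direct membership), and the spray check keys on the number of distinct target accounts per source rather than on raw failure counts, which is what separates password testing across the user base from one user mistyping their own password.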