2022 Attack Vectors Report
TABLE OF CONTENTS
02 Overview
04 Internal Attacks
06 Attack Vectors
20 Maturity Analysis
29 About RSM
30 Acknowledgements
Methodology
We thank you for your interest in this year's report and hope
you find it beneficial for your own personal knowledge and to
better mitigate attacks and reduce risk.
As security professionals, we know that tools may fail. Vendor updates may
not perfectly fix a problem. Users who typically have a high level of security
awareness may make a mistake. Security controls are not perfect. Based on
our observations for how to effectively guard against a compromise,
organizations should take a holistic approach to security that requires them to:
257 External Penetration Tests
183 Internal Penetration Tests
However, the ease of the above attacks should not discount user awareness as a
concern. Employee decisions and actions continue to have a high likelihood of being
exploited. Password spraying is one of the first techniques many attackers rely upon,
because they know that given the option, employees will often choose passwords that
are easy to guess. As the data shows, weak passwords are a major source of
compromise.
Attack Vector Percentages Annually
33% of full compromises used a relay attack
unauthorized access to a target network is the relay attack. One third of all internal
compromises achieved by RSM from 2019-2021 used a form of relay attack. These attacks are
so common primarily because they rely on the identification of traffic present on a network, a
scenario that is almost certain to be the case for any network containing sensitive data.
To perform a relay, attackers use the traffic they have identified and
attempt to gain unauthorized access by exploiting this traffic and
intercepting communications to trick machines on the network into
allowing them to authenticate.
In particular, the highly popular Server Message Block (SMB) relay attack
relies on one of the most common authentication protocols available, New
Technology LAN Manager (NTLM). This makes it very apparent why the SMB
relay attack is so common. NTLM is present on most Windows systems, and
attackers who know how to exploit it may go to this attack as a first choice
when attempting to gain unauthorized access to a network.
[Chart: relay attacks as % of full compromises annually, 2019-2021]
1. First, the client requests to authenticate to a particular location on the network.
2. Second, the server replies with a challenge that involves the client encrypting a
message with a hash.
3. Finally, the client encrypts the message with its hash and sends the message to the
server, which, upon receiving it, decrypts it using the client hash. As long as the
decryption is successful, this will lead to a successful authentication.
SMB relay attacks seek to exploit this process by capturing the traffic from
the client prior to it being returned to the server. The tester or attacker then
sends the encrypted message to the server, essentially posing as the
client. The server conducts operations as normal and decrypts the
message, but instead of authenticating the client to the server like normal,
the authentication is granted to the individual conducting the attack.
Associated Risk
Business Impact
The impact can differ depending on the user who is being impersonated. If
it is a low-level user, the attacker will have limited access and may only be
able to cause minimal damage. If the user is a privileged account such as
an administrator, the attacker will again have access to whatever that
administrator has access to, possibly sensitive data and other privileged
information. Impersonating a domain administrator could even result in a
full domain compromise.
REMEDIATION
One of the best mitigations for those using NTLM is to ensure that SMB signing is enabled
and required. This means that messages from the client to the server will be validated to
ensure that they were not tampered with. However, the best way to protect yourself from
SMB relay attacks is to use Kerberos as your authentication protocol rather than NTLM.
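The following is an added example, not part of the RSM report, that audits and then enforces the SMB signing setting described above on a single Windows host using the built-in SmbShare cmdlets; it assumes it runs elevated on the host being configured.

```powershell
# Added example (not from the RSM report): check whether this host would accept an
# unsigned, and therefore relayable, SMB session, and if so require signing.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-SmbSigningState {
    # RequireSecuritySignature is the setting that actually blocks relayed sessions;
    # EnableSecuritySignature alone only offers signing and still accepts unsigned clients.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $srv.EnableSecuritySignature
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        # Unsigned traffic can be relayed to this host only while the server role accepts it
        RelayExposure         = -not $srv.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Require signing on both roles so the host neither accepts nor initiates unsigned SMB.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Fleet-wide equivalent via GPO (Computer Configuration > Windows Settings > Security Settings
# > Local Policies > Security Options):
#   "Microsoft network server: Digitally sign communications (always)" = Enabled
#   "Microsoft network client: Digitally sign communications (always)" = Enabled
# which write RequireSecuritySignature=1 under
#   HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters  (server role)
#   HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters  (client role)

$before = Get-SmbSigningState
$before | Format-List
if ($before.RelayExposure) {
    Set-SmbSigningRequired
    Get-SmbSigningState | Format-List
}
```

Requiring signing only on the client role does not help: relay targets are chosen by what the server side accepts, so the server setting is the one to verify across the fleet.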
Password Spraying
32%
technique used by threat actors when attempting to gain unauthorized access to a network.
[Chart: password spraying as % of full compromises annually, 2019-2021]
Common Passwords
Weak passwords often include some of the following:
"Password"
Season
Local sports team
Company name
"Admin"
Username
123
When performing a password spraying attack, an attacker will attempt several weak
passwords against a large number of users. Research shows that people often choose
easy-to-guess passwords that contain dictionary words and phrases. That is why this attack
is so prevalent: it preys on the tendencies of people. Furthermore, it does not need to
exploit a large mistake that was missed by a multitude of employees. In order to gain
access to a network via password spraying, an attacker only needs to find one employee
with a weak password.
Associated Risk
The risk associated with password spraying often relates to the compromised account.
A successful attack will grant access to everything the compromised employee can
access. If the employee is a low-level user and does not have many privileges on the
network, the result may not be catastrophic. However, if the account belongs to a
privileged user with an elevated level of access, the attacker will likely be able to cause a
far more significant amount of harm.
Business Impact
The impact this type of attack has on a business can vary. If a low-level
account is compromised, an attacker may be able to cause some
damage, but a majority of the harm may be reputational. However, if the
attacker gains access to a privileged account, sensitive data and all other
information could be at risk, potentially resulting in a full compromise.
REMEDIATION
The best way to ensure that your organization is not compromised by this attack is to
require users to set strong passwords. If users are given the option, they will often choose
short, weak passwords. In addition to setting strong password requirements via policy,
organizations should educate all employees, especially those with high-level access, on
how to create strong passwords.
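Strong password policy reduces the chance a spray succeeds, but the attempts themselves are visible. The following added example, not from the RSM report, looks for the spray pattern described above (one source, many accounts, few failures each) in the Windows Security log; the lookback window, user threshold and the assumption that it runs elevated on a domain controller are mine.

```powershell
# Added example (not from the RSM report): flag password-spray patterns in the
# Security log. Groups 4625 (failed logon) events by source address and counts the
# distinct target accounts each source touched. Thresholds are assumptions; tune them.
# Kerberos pre-authentication failures land in 4771 instead and need a similar pass.
param(
    [int]$LookbackMinutes  = 60,   # window to inspect
    [int]$MinDistinctUsers = 10    # distinct accounts from one source treated as a spray
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML payload.
$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']
        Status    = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        LogonType = $d['LogonType']
    }
}

$suspects = $failures |
    Where-Object { $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = $users.Count
            # A spray is mostly wrong-password, not unknown-user, failures
            BadPassword   = @($_.Group | Where-Object Status -eq '0xc000006a').Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            SampleUsers   = ($users | Select-Object -First 5) -join ','
        }
    } |
    Where-Object { $_.DistinctUsers -ge $MinDistinctUsers } |
    Sort-Object DistinctUsers -Descending

$suspects | Format-Table -AutoSize
```

A legitimate source such as a VPN concentrator or proxy can also fan out many usernames, so pair the source address with the LogonType and time distribution before acting on a hit.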
Kerberoasting
18% of full compromises leveraged Kerberoasting
risks inherent in cybersecurity may assume that these risks are mostly reliant on hackers
who can exploit software or hardware vulnerabilities to break through standard defenses.
However, there are serious risks inherent even to properly working network systems if
they are not fully configured for the highest security.
[Chart: Kerberoasting as % of full compromises annually, 2019-2021]
Associated Risk
Business Impact
REMEDIATION
To prevent a successful Kerberoasting attack, remove SPNs from all domain
administrator accounts; instead, create a dedicated nonhuman account with a long and
complex password with the minimum privileges necessary to run the service.
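The remediation above can be audited rather than taken on trust. This added example, not from the RSM report, lists every user account that carries an SPN and flags the conditions that make it a worthwhile Kerberoasting target: privileged group membership, an old password and no AES support; the password-age threshold and the set of privileged groups are assumptions.

```powershell
# Added example (not from the RSM report): enumerate SPN-bearing user accounts and
# flag the ones the remediation cares about. Needs the ActiveDirectory RSAT module and
# ordinary domain-user rights. Threshold and group list are assumptions.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

# Resolve privileged membership once, recursively so nested groups count.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.distinguishedName] = $g }
}

# Only user objects; gMSAs are not returned by Get-ADUser and rotate their own passwords.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes'

$report = foreach ($u in $spnUsers) {
    $enc = $u.'msDS-SupportedEncryptionTypes'
    # 0x8 = AES128, 0x10 = AES256. Null or 0 means tickets fall back to RC4,
    # which is far cheaper to crack offline than AES.
    $aes = ($enc -band 0x18) -ne 0
    $age = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }
    $dn  = $u.DistinguishedName
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        Privileged     = $privileged[$dn]
        PasswordAge    = $age
        AesEnabled     = $aes
        SPNs           = ($u.ServicePrincipalName -join '; ')
        Finding        = @(
            if ($privileged.ContainsKey($dn))                   { 'SPN on privileged account' }
            if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) { 'stale password' }
            if (-not $aes)                                       { 'RC4-only ticket' }
        ) -join ', '
    }
}

$report | Sort-Object Privileged, PasswordAge -Descending | Format-Table -AutoSize
```

The "dedicated nonhuman account" the text recommends is best implemented as a group managed service account (Get-ADServiceAccount), which keeps a long machine-generated password and rotates it automatically.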
Missing OS Patches
Associated Risk
The risk associated with missing patches varies depending on the patch.
Most critical patches have published exploits accessible to anyone with an
internet connection.
[Chart: missing OS patches as % of full compromises annually, 2019-2021]
REMEDIATION
Preventing missing patches requires an organization to maintain a robust patch
management program. Patch management is considered one of the most basic forms
of protecting systems. This is because without a formalized patch management process
and by not patching systems with critical security patches, even the most rudimentary
hackers can gain full access to devices within a network.
MitM Attacks
There are many types of MitM attacks, but two we often see are related to
outdated (Link-Local Multicast Name Resolution [LLMNR]/NetBIOS Name
Service [NBT-NS]) and misconfigured (Internet Protocol version 6 [IPv6])
traffic types.
LLMNR/NBT-NS
[Chart: LLMNR/NBT-NS as % of full compromises annually, 2019-2021]
IPv6
WIFI EAVESDROPPING
EMAIL HIJACKING
IP SPOOFING
DOMAIN NAME SYSTEM (DNS) SPOOFING
SSL STRIPPING AND HIJACKING
SESSION HIJACKING AND COOKIE THEFT
Associated Risk
Business Impact
REMEDIATION
To prevent common MitM attacks, the best step is often to disable unnecessary network
communication protocols where possible. This is best accomplished via Group Policy
Object (GPO).
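Before rolling the GPO out, it helps to apply the same settings to a pilot host and verify them. This added example, not from the RSM report, writes the registry values the LLMNR, NetBIOS and IPv6 settings rely on and then reads them back; it assumes an elevated session, and the DHCPv6 firewall rule name is my own.

```powershell
# Added example (not from the RSM report): locally apply and verify the settings
# behind the LLMNR/NBT-NS and IPv6 remediations. Run elevated on a pilot host.

# LLMNR: same value the GPO "Turn off multicast name resolution" writes
# (Computer Configuration > Administrative Templates > Network > DNS Client).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $llmnrKey -Force | Out-Null
Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

# NBT-NS: per-interface value, 2 = disable NetBIOS over TCP/IP. There is no native
# GPO for it, so it is usually deployed as a GPP registry item or startup script.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $ifKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

# IPv6: on a network that does not use IPv6 internally, a rogue DHCPv6 server can hand
# hosts a DNS server of its choosing. Rather than disabling IPv6 outright (Microsoft
# advises against it), prefer IPv4 and block inbound DHCPv6 on the host firewall.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value 0x20 -Type DWord   # prefer IPv4
$ruleName = 'Block inbound DHCPv6 client traffic'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 546 -Action Block -Profile Domain | Out-Null
}

# Read everything back so the pilot result can be compared with the GPO-managed fleet.
[pscustomobject]@{
    LLMNRDisabled      = (Get-ItemProperty $llmnrKey).EnableMulticast -eq 0
    NetBIOSDisabledIfs = @(Get-ChildItem $ifKey |
                           Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -eq 2 }).Count
    IPv4Preferred      = ((Get-ItemProperty $tcpip6).DisabledComponents -band 0x20) -ne 0
    DHCPv6Blocked      = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
} | Format-List
```

The NetBIOS change applies to existing interfaces only; newly created adapters get the default again unless the DHCP option or startup script covers them.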
Misconfigured AD CS
At a high level, clients generate a public-private key pair, and the public
key is placed in a certificate signing request (CSR) message along with
other details such as the subject of the certificate and the certificate
template name. Clients then send the CSR to the Enterprise CA server. The
CA server checks whether the client can request certificates. If so, it
determines whether it will issue a certificate by looking up the certificate
template AD object specified in the CSR.
The CA signs the certificate using its private key and then returns it to the
client. The CAs issue certificates with settings defined by AD objects known
as certificate templates. These templates are collections of enrollment
policies and predefined certificate settings which address questions
including:
REMEDIATION
Organizations should remove AD CS HTTP endpoints if they are not required. This includes
Certificate Authority Web Enrollment and Certificate Enrollment Web Service. If the AD CS HTTP
endpoints are needed, disable NTLM authentication at the host and IIS level or enforce HTTPS
and Extended Protection for Authentication.
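This added example, not from the RSM report, checks the two things the remediation asks for on the enrollment web host: whether the HTTP endpoint roles are installed at all, and whether each enrollment application in IIS requires HTTPS and Extended Protection for Authentication. It assumes the ServerManager and WebAdministration modules, an elevated session, and the default application names AD CS creates.

```powershell
# Added example (not from the RSM report): audit AD CS HTTP enrollment endpoints for
# the settings that stop an NTLM relay to them. Run elevated on the CA / web host.
Import-Module ServerManager, WebAdministration

# 1. Are the roles present? If not needed, remove them, e.g.
#    Uninstall-AdcsWebEnrollment; Uninstall-WindowsFeature ADCS-Web-Enrollment
Get-WindowsFeature ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol |
    Select-Object Name, DisplayName, Installed | Format-Table -AutoSize

function Get-IisValue {
    # Get-WebConfigurationProperty returns either a bare value or an object with .Value
    param($PSPath, $Filter, $Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $null -ne $v.Value) { $v.Value } else { $v }
}

# 2. Default app names: /CertSrv (web enrollment), <CA>_CES_<auth> (CES), ADPolicyProvider_CEP_<auth> (CEP)
$site = 'Default Web Site'
$apps = Get-WebApplication -Site $site |
    Where-Object { $_.Path -match '^/(CertSrv|.*_CES_.*|.*_CEP_.*)$' }

$winAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'
$report = foreach ($app in $apps) {
    $p        = "IIS:\Sites\$site$($app.Path)"
    $winAuth  = [bool](Get-IisValue $p $winAuthFilter 'enabled')
    $epa      = [string](Get-IisValue $p "$winAuthFilter/extendedProtection" 'tokenChecking')
    $sslFlags = [string](Get-IisValue $p 'system.webServer/security/access' 'sslFlags')
    $httpsReq = $sslFlags -match 'Ssl'
    [pscustomobject]@{
        Application  = $app.Path
        WindowsAuth  = $winAuth
        EPA          = $epa        # None / Allow / Require
        SslFlags     = $sslFlags
        # Relayable while Windows auth is accepted without both HTTPS and EPA = Require
        RelayExposed = $winAuth -and -not ($httpsReq -and $epa -eq 'Require')
    }
}
$report | Format-Table -AutoSize

# 3. To harden an exposed application in place (IIS Manager equivalent: Authentication >
#    Windows Authentication > Advanced Settings > Extended Protection: Required):
#   Set-WebConfigurationProperty -PSPath $p -Filter "$winAuthFilter/extendedProtection" -Name tokenChecking -Value Require
#   Set-WebConfigurationProperty -PSPath $p -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
```

EPA only works when the application is reached over TLS, so enabling it without also requiring HTTPS leaves the endpoint exposed.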
Maturity Analysis
As we have already discussed, analyzing attack vectors helps us understand trends and
identify the low-hanging fruit that attackers seek to exploit. This is important because each
compromise and attack vector we have discussed represents potentially devastating
impacts to a business: Data breaches. Loss of availability of critical applications. Halt to
business operations. Disrupted revenue streams. Regulatory fines and penalties. Tarnished
reputation. Loss of public trust. Our analysis, therefore, helps us understand the specific
mitigations organizations can take to directly reduce their risk of compromise through these
common attack vectors.
However, it is important to note that addressing these specific attack vectors is not enough.
In fact, perhaps the most prominent takeaway from our Attack Vectors Reports over the
years is that a dedicated attacker will infiltrate a target network eventually. Tactical fixes are
important, but protecting your environment requires much more than applying a patch,
disabling a protocol or adjusting an account’s access privileges. Tactical fixes act only as
temporary band-aids if they are not embedded in strategic initiatives that provide a means
of continuous improvement, oversight and support.
That’s why this year, we wanted to take a deeper dive into an organization’s potential for
compromise in relation to the overall strength of its security program. To this end, we looked
at organizations where we performed both penetration testing and cybersecurity maturity
assessments to see if we could identify strategic ways that organizations can reduce their
potential for compromise—or to reduce the impact, should an attack occur.
Maturity Scores
Our cybersecurity maturity assessments leverage the National Institute of Standards
and Technology (NIST) Cybersecurity Framework (CSF) to determine the overall
maturity of a security program. During these assessments, we assess the
governance and implementation of the NIST CSF controls within an organization’s
environment. This approach provides insight into the organization’s ability to
identify, protect, detect, respond to and recover from a cyber event, which are the
five functions of the NIST CSF.
[Chart: average maturity score by NIST CSF function (Identify, Protect, Detect, Respond, Recover), 0% to 60%]
23% of the organizations we reviewed fell into the top tier of overall average
maturity scores (between 66% and 100%).
43% of the organizations we reviewed fell into the middle tier of overall average
maturity scores (between 33% and 65.9%).
34% of the organizations we reviewed fell into the bottom tier of overall average
maturity scores (between 0% and 32.9%).
Maturity Trends
Not surprisingly, the vast majority of organizations have implemented security controls in
their environment to some degree. Very few organizations have done nothing from a
security perspective, even if security was more of an afterthought, or if only rudimentary
controls were in place. Most organizations (including those in the bottom tier) have baseline
tools and processes in place to cover fundamental areas of network security. But whether
these tools and processes were married to a comprehensive risk management strategy—
one that takes into consideration business objectives, data management, digital
transformation and the user experience—is another story.
It should be noted that it is not appropriate or feasible for all organizations to aim for top
maturity scores in all areas. Rather, security efforts should be focused on areas of greatest
risk and aligned to the organization’s risk tolerance. Still, important lessons can be gleaned
by examining trends between tiers, especially when we compare the potential for
compromise within each tier.
[Chart: average maturity score per tier for each NIST CSF function: Identify, Protect, Detect, Respond, Recover]
Moreover, their security objectives and expectations were well known throughout the
organization and reinforced through robust security awareness training. Furthermore, top tier
organizations tended to have some mechanisms to regularly measure, report on and
improve their security controls so that they could remain proactive in their security stance.
Notably, top tier organizations had relatively even scores across all functions in the NIST CSF
(all functions averaged between 70% and 79%). In contrast, there were much bigger
disparities between each function in the bottom tier (compare the 31% average Protect
score to the 16% Recover score in the bottom tier).
This suggests that the most mature organizations take a “defense in depth” approach and
have a more comprehensive security strategy. They also adequately prepare for the very
real possibility that a cyber attack or business interruption will occur. As we discuss later,
these efforts made top tier organizations less likely to experience a compromise during a
penetration test.
In middle tier organizations, cybersecurity efforts were not always united under a cohesive
security governance and risk management strategy, and/or there was no formal process to
ensure that all aspects of security were continually improving.
Still, the fact that Respond and Recover scored the lowest suggests that many organizations
struggle to prioritize their incident response, disaster recovery and business continuity
procedures, and they could pay a big price for being ill-prepared when an incident occurs.
Furthermore, many of these organizations suffered from resource restraints. Often, they
simply did not have the personnel to perform security tasks and manage security projects,
hence an over-reliance on tools and technologies that were not actually very effective.
This is reflected in higher Protect scores for the bottom tier, with notably low Respond and
Recover scores. As we will discuss next, the bottom tier was also the group that was most
likely to be compromised during a penetration test. Therefore, the lack of formal response
and recovery procedures could exacerbate the impact of a compromise, as these
organizations may not have a process to eradicate the threat or restore data and systems if
(when) their protective technologies fail.
It is equally important to note, however, that higher maturity scores were not a warranty
against compromise. Though organizations with higher maturity scores were less likely to be
compromised, they were still vulnerable. There is no panacea for all security issues, threats
and attacks, and we need to remember that given enough time and resources, an attacker
will find a way.
So what should organizations do? How can they reduce the likelihood and impact of a
compromise, both from the attack vectors listed in this report as well as other attack vectors
that might be more applicable to their environment?
In the short term, we recommend addressing any low-hanging fruit related to the attack
vectors described earlier. As discussed above, there are often tactical ways that can reduce
your potential for compromise from these attack vectors.
From a more strategic perspective, we recommend ensuring that you have a well-rounded
approach to security. Using the NIST CSF functions can provide an outline of the basic
elements that should be part of your security strategy.
Protect
Implement targeted control improvements. Based on a risk assessment, seek to
enhance protective safeguards where they will have the biggest risk mitigation.
Use research such as this Attack Vectors Report and other cyber threat
intelligence to ensure your network and system protections can mitigate attacker
techniques.
Don’t mistake tools for security. There is a plethora of security tools and
technologies out there, but too often, organizations install new technologies
without building the processes around them to ensure they can be managed
effectively. Seek to optimize the tools you already have, and make targeted
investments in technologies that will have a measurable impact to your security
posture.
Train your users. Year after year, we see that many of our most common attack
vectors continue to exploit weaknesses in user behavior. This year is no
exception, as password attacks were the second most common attack vector,
and weak passwords can play a role in the success of other attack vectors as
well. Despite all the advances that have been made in authentication
mechanisms and email protections, users continue to choose easily guessable
passwords, click on phishing links and store sensitive data in insecure locations.
Effective training can not only reduce this risk but also empower your users to
proactively identify and report suspicious activities.
Support your tools with formal processes. Often, organizations implement tools
to log events and detect anomalous activity but do not have a process to review
logs or respond to alerts and continuously tune/improve them. Your detection
capabilities are only as strong as what you do once events are detected.
Investigate use of a managed security services provider (MSSP). Many
organizations who do not have the bandwidth to handle monitoring in-house
have found a great return on investment by offloading these tasks to a third
party. If this is the case, ensure that roles and responsibilities between you and
your provider are clearly articulated.
Respond
Formalize and test incident response procedures. Attacks will happen, and
inadequate response efforts can greatly expand the scope and impact of an
attack. Therefore, it is imperative to have a procedure that outlines guidance for
triage, containment, mitigation, prioritization, escalation, notification and
communications regarding the incident.
Recover
RSM’s security and risk professionals are more than technology specialists—
we’re also experienced business analysts. We have in-depth knowledge of
current security and risk issues and trends as well as insight into your
specific industry and business processes. Our professionals will take the time
to understand your business and create strategies to ease the burden of
compliance while engaging the business to identify and manage risk. This
will help move your security program to the next level, enabling effective
identification and strategic decision-making for cybersecurity risk, alignment
with enterprise risk efforts, efficient management of controls for risk reduction
and proactive management of regulatory, contractual and legal
requirements as part of day-to-day business.
Ken Smith, who sponsored this report and has championed the
work of the Technical Writing team
Mitch Johnson, who assisted with the collection and aggregation
of our testing data
The following individuals, who provided the first phase of data
analysis:
Nic Draves
Shahram Farhadi
Sabah Mawj
Nino McGowan
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global
network of independent audit, tax and consulting firms. The member firms of RSM International
collaborate to provide services to global clients, but are separate and distinct legal entities that
cannot obligate each other. Each member firm is
responsible only for its own acts and omissions, and not those of any other party. Visit
rsmus.com/aboutus for more information regarding RSM US LLP and RSM
International.
RSM, the RSM logo and the power of being understood are registered trademarks of RSM
International Association.