40% of tested environments allowed attack paths that lead to domain admin access, according to Picus Security.
Achieving domain admin access is particularly concerning because it is the highest level of access within an organization’s IT infrastructure, and is like giving attackers a master key. The report was based on a worldwide comprehensive analysis of more than 136 million cyber attacks simulated by the Picus Security Validation Platform.
Threat exposure gaps enable automated lateral movement in enterprise networks
The report reveals that, on average, organizations prevent 7 out of 10 of attacks, but are still at risk of major cyber incidents because of gaps in threat exposure management that can permit attackers using automation to move laterally through enterprise networks. Of all attacks simulated, only 56% were logged by organizations’ detection tools, and only 12% triggered an alert.
“Like a cascade of falling dominoes that starts with a single push, small gaps in cybersecurity can lead to big breaches,” said Dr. Suleyman Ozarslan, Picus co-founder and VP of Picus Labs.
“It’s clear that organizations are still experiencing challenges when it comes to threat exposure management and balancing priorities. Small gaps that lead to attackers obtaining domain admin access are not isolated incidents, they are widespread. Last year, the attack on MGM used domain admin privileges and super admin accounts. It stopped slot machines, shut down virtually all systems, and blocked a multi-billion dollar company from doing business for days.”
40% of environments have weaknesses that allow attackers with initial access to a network to achieve domain admin privileges. Once they have these privileges they can manage user accounts or modify security settings. A compromised domain admin account can lead to full control of the network, allowing attackers to conduct data exfiltration, deploy malware, or disrupt business operations.
While organizations have improved the data layer, detection engineering remains deficient, highlighting the urgency for security teams to enhance alert mechanisms to ensure they’re quickly identifying and responding to potential threats.
Organizations should adopt an “assume breach” mindset to bridge these gaps in their cybersecurity strategy. This approach emphasizes the importance of not only relying on your organization’s preventive controls but also ensuring that your detection and response mechanisms are strong enough to manage breaches when they occur.
Proactive measures, continuous monitoring, and regular evaluations of both logging and alerting systems are vital to achieving higher levels of threat exposure management and solidifying organization’s security posture.
Endpoint security gaps
The report also highlights that macOS endpoints are far more likely to be misconfigured or allowed to operate without Endpoint Detection and Response (EDR). macOS endpoints only prevented 23% of simulated attacks, compared to 62% and 65% for Windows and Linux. This highlights a potential gap in IT and security team skill sets and approach in securing macOS environments.
“While we have found Macs are less vulnerable to start, the reality today is that security teams are not putting adequate resources into securing macOS systems,” said Volkan Ertürk, Picus Security CTO. “Our recent Blue Report research shows that security teams need to validate their macOS systems to surface configuration issues. Threat repositories, like the Picus Threat Library, are armed with the latest and most prominent macOS specific threats to help organizations streamline their validation and mitigation efforts.