Report
November 28, 2023
In this report, Kovrr collected and analyzed data to better understand one of the most common initial access vectors (1) - the use of compromised credentials (Valid Accounts - T1078) (2) to access internet-exposed assets (External Remote Services - T1133) (3). The toxic combination of these two initial access vectors can allow malicious actors to gain a foothold in company networks before moving on to the next stage of their attack, which can be data theft, ransomware, denial of service, or any other action. There are numerous examples of breaches perpetrated by many attack groups that have occurred using this combination, for example, breaches by Lapsus (4) and APT39 (5), among others.
This report seeks to demonstrate which industries and company sizes have the highest percentage of compromised credentials and number of internet-exposed assets and face a higher risk of having their networks breached by the toxic combination of the initial access vectors mentioned above.
It should be noted that having an asset exposed to the internet does not inherently pose a risk or indicate that a company has poor security. In our highly digitized world, companies are required to expose services to the internet so their services can be accessed by customers, vendors, and remote employees. These services include VPN servers, SaaS applications developed by the company, databases, and shared storage units. However, there are some common cases when having an asset exposed to the internet can be extremely risky, for example:
To limit unnecessary internet exposure, companies should employ the following possible mitigations:
The following are the main findings from the collected data:
The data for this research was collected as follows:
However, as password reuse is extremely common among users, with a recent survey showing 84% of users reuse passwords (8) and an older survey finding that 64% of Fortune 1000 employees reuse their passwords (9), it is likely that a compromised corporate identity will be reused for more than one corporate asset, and thus enable attackers to access exposed corporate assets.
The purpose of this report is not to uncover specific internet-exposed assets which are easy to exploit but rather to understand which types of companies face a higher risk from having both compromised credentials and internet-exposed assets. An opportunistic attacker might use some of the compromised credentials, which could be used for an internal company service, to gain access to external company services.
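The cross-reference the two paragraphs above describe, a compromised corporate identity set against the accounts that can reach an internet-exposed service, is shown here as an added example written for this edit; it is not code from Kovrr or from the report. The breach feed, the service inventory, the identities and the `mfa_enforced` attribute are all constructed assumptions, and cross-breach reuse of the same password hash is used as the indicator that the password is likely in use on corporate services as well.

```python
"""
Added example (not from the Kovrr report): cross-reference a feed of
compromised credentials with an inventory of internet-exposed services to
find identities that could be used against the external attack surface.
All records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LeakedCredential:
    email: str          # corporate identity seen in a breach dump
    password_hash: str  # hash of the leaked password, as delivered by the feed
    source: str         # constructed breach name


@dataclass(frozen=True)
class ExposedService:
    name: str
    hostname: str
    mfa_enforced: bool           # assumed attribute of the inventory
    allowed_accounts: frozenset  # identities that may log in from the internet


# Constructed sample data: the same hash for alice in two dumps models password reuse.
LEAKS = [
    LeakedCredential("alice@example.com", "h1", "breach-a"),
    LeakedCredential("alice@example.com", "h1", "breach-b"),
    LeakedCredential("bob@example.com", "h2", "breach-a"),
    LeakedCredential("carol@example.com", "h3", "breach-c"),
]

SERVICES = [
    ExposedService("vpn", "vpn.example.com", False,
                   frozenset({"alice@example.com", "bob@example.com"})),
    ExposedService("webmail", "mail.example.com", True,
                   frozenset({"alice@example.com", "carol@example.com"})),
    ExposedService("intranet", "intranet.example.com", False,
                   frozenset({"dave@example.com"})),
]


def reuse_indicators(leaks):
    """Identities whose identical password hash appears in more than one breach.
    Reuse across sources is the signal that the same password is likely in use
    for corporate services too (the report's password-reuse argument)."""
    seen = defaultdict(set)
    for leak in leaks:
        seen[(leak.email, leak.password_hash)].add(leak.source)
    return {email for (email, _), sources in seen.items() if len(sources) > 1}


def toxic_combinations(leaks, services):
    """Return (service, identity, risk) for every compromised identity that can
    reach an internet-exposed service. Risk is 'high' when the service accepts
    the password alone and 'reduced' when MFA is enforced on it."""
    compromised = {leak.email for leak in leaks}
    findings = []
    for svc in services:
        for identity in sorted(svc.allowed_accounts & compromised):
            findings.append((svc.name, identity,
                             "reduced" if svc.mfa_enforced else "high"))
    return findings


def reset_priority(leaks, services):
    """Identities to reset first: reachable on a service without MFA, with the
    ones showing cross-breach reuse ordered ahead of the rest."""
    reused = reuse_indicators(leaks)
    high = {ident for _, ident, risk in toxic_combinations(leaks, services)
            if risk == "high"}
    return sorted(high, key=lambda e: (e not in reused, e))


if __name__ == "__main__":
    for finding in toxic_combinations(LEAKS, SERVICES):
        print(*finding)
    print("reset first:", reset_priority(LEAKS, SERVICES))
```

In the constructed data the intranet host has no compromised account and drops out entirely, webmail is flagged but rated reduced because MFA is enforced, and the VPN without MFA yields the two resets, with alice first because her hash recurs across dumps.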
The findings from the collected data are presented in the following section. We first analyzed the results based on industry, followed by company size. In each analysis, we show relative risk broken down by several firmographic elements to reveal which company profiles have the highest relative risk of loss triggered by the toxic combination of compromised credentials and internet-exposed assets.
The first finding presented in the report is the percentage of compromised credentials per industry. Industries were classified according to SIC divisions.
Figure 1 shows the distribution of compromised credentials by the SIC division. (10)
The Services industry (Division I) is by far the most exposed industry, with included companies having the highest percentage of compromised credentials. The second riskiest industry by a wide margin is Division E (Transportation, Communications, Electric, Gas, and Sanitary Services), followed by Division D (Manufacturing). The prominence of compromised credentials within the Services industry could be explained by a high reliance on providing services to third parties and being a heavy user of cloud infrastructure and other online services.
Within these industries, we also collected data on the SIC Major Groups with the highest share of compromised credentials. Major Groups offer a more granular overview of the riskiest industries, as each SIC Division contains several SIC Major Groups.
The top two groups by a large margin are Business Services (Major Group 73) and Educational Services (Major Group 82). Both of these industries have a high number of external third-party clients, especially in the Education industry, where each company provides services to many students. Therefore, it is much more challenging to monitor the security and exposure of these clients due to their larger attack surface. The Education industry also has a greater amount of decentralized administration, especially in Higher-Ed institutions, where research programs often go unmonitored by central IT and security teams.
In addition to the data above, the average number of internet-exposed devices per SIC division was also examined. It can be seen in Figure 2 that the industry with the most devices exposed on average per company is Public Administration, with 61.55 devices, while the second most exposed industry is Wholesale Trade, with 55 devices per company.
By combining the two sources of data, we gain a more concrete understanding of the riskiest industries, which are those that have both a high share in the ratio of compromised credentials and a relatively high number of internet-exposed assets per company.
While the Services industry has an extremely high share of compromised credentials, the average number of exposed assets per company is relatively low, signifying that attackers have fewer exposed assets to target with these credentials, potentially decreasing the chances of a successful attack. On the other hand, while the Public Administration industry has a very low share of compromised credentials, an average company in the industry has a relatively high number of exposed assets, increasing its attack surface.
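The way the two metrics interact, a high share of compromised credentials on one axis and a high count of exposed assets per company on the other, can be made concrete with a scoring rule. The block below is an added example, not the report's own methodology or figures: the scoring rule is an assumption, the credential shares per division are constructed, and only the Public Administration (61.55) and Wholesale Trade (55) asset averages are taken from the report.

```python
"""
Added example (not the Kovrr report's scoring): combine share of compromised
credentials and average internet-exposed assets per company into a single
relative-risk ranking per SIC division. Credential shares are constructed;
the 61.55 and 55 asset averages come from the report, the rest are assumed.
"""

# (division, share of compromised credentials in %, avg exposed assets per company)
DIVISIONS = [
    ("I - Services", 45.0, 8.0),
    ("E - Transportation/Communications/Utilities", 25.0, 40.0),
    ("D - Manufacturing", 12.0, 25.0),
    ("F - Wholesale Trade", 5.0, 55.0),
    ("J - Public Administration", 2.0, 61.55),
]


def relative_risk(rows):
    """Scale each metric by its maximum so both lie in (0, 1], then multiply.
    The product rewards divisions that score on both axes and pulls down
    divisions that are extreme on only one, which is how the report reads
    Figures 1 and 2 together. Returns (division, score) sorted high to low."""
    max_share = max(r[1] for r in rows)
    max_assets = max(r[2] for r in rows)
    scored = [(name, round((share / max_share) * (assets / max_assets), 3))
              for name, share, assets in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def top_division(rows):
    """Division with the highest combined score."""
    return relative_risk(rows)[0][0]


if __name__ == "__main__":
    for name, score in relative_risk(DIVISIONS):
        print(f"{score:.3f}  {name}")
```

With these constructed shares, Services keeps the highest credential share but its low asset count drops it below Division E, which is strong on both axes, while Public Administration, with the most exposed assets but almost no compromised credentials, lands last; swapping in a division's real shares changes the order, not the rule.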
Another factor that determines the risk of a company is its size. Company size is often determined by its revenue, number of employees, or both. The next section will overview company exposure by company size, presenting data for both company revenue and employee range.
Figure 3 shows the percentage of compromised credentials by company revenue.
The revenue range with the highest percentage of compromised credentials is $1M-$10M, followed by $10M-$50M, then >$1B. This trend could be because companies with a lower revenue range, while in general having fewer assets and employees than companies with a higher revenue range, have a lower level of security expertise and security investment compared to large enterprises. Thus, they are ill-equipped to prevent or monitor their exposure as efficiently as larger companies.
We also collected data on the number of internet-exposed devices per revenue range, which can be seen in Figure 4.
In general, the larger the company’s revenue range, the higher the number of exposed assets. This finding is expected, given that a company’s revenue range highly correlates with its size.
Data on the percentage of compromised credentials by the number of employees was also evaluated. As with the revenue data, companies with fewer employees have a higher share of compromised credentials.
Additionally, the average number of internet-exposed assets also increases along with the number of employees in a company.
In July 2023, Kovrr released the Ransomware Threat Landscape Report for H1-2023 (11). In the report, we analyzed the exposure of various industries and company sizes to ransomware attacks.
The report identified Services (42% of attacks), Manufacturing (18%), and Wholesale Trade (8.5%) as the industries most targeted by ransomware in the first half of 2023. Though the exact numbers differ, the trend seen in the current report is very similar. The industry with the most compromised credentials is the Services industry, followed by Transportation, Communications, Electric, Gas, and Sanitary Services (the 4th most ransomware-targeted industry), and Manufacturing. Although outside the scope of the current report, it can be assumed that the higher amount of compromised credentials is one of the reasons why ransomware actors target these industries.
The Ransomware report also identified small companies with a revenue range of $1M-$50M as the most common ransomware targets (targeted in 59% of all attacks during this period). The ratio of compromised credentials for this revenue range within the current report is also very similar, with around 43% of companies with compromised credentials having a revenue range of $1M-$50M.
One key difference between the two reports is that companies with the largest revenue range (>$1B) are not common ransomware targets (8% of attacks) but nevertheless have a large share of compromised credentials, just over 18%. This could be due to a simple reason: Companies with a larger revenue are generally bigger companies with more employees. Therefore, they are more likely to have at least one of their credentials compromised than smaller companies.