A joint security advisory by the national cybersecurity agencies of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom has identified the top 10 initial access vectors routinely exploited by threat actors to break into an organization.
Initial access brokers are emerging figures in the cyber criminal ecosystem, and their work is fueling a plethora of targeted ransomware attacks that have characterized the last few months’ cyber attacks. The business model is pretty straightforward: poor security controls are routinely exploited by the initial access brokers and the resulting compromised credentials are sold or outsourced, generating a recurring revenue model. Similarly, buyers can focus their efforts on the execution rather than the initial access. A win-win situation for all the threat actors involved.
According to Alert (AA22-137A), the top routinely exploited weak security controls are:
- Multi-factor authentication (MFA) is not enforced
- Incorrectly applied privileges or permissions and errors within access control lists
- Software is not up to date
- Use of vendor-supplied default configurations or default login usernames and passwords
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access
- Strong password policies are not implemented
- Cloud services are unprotected
- Open ports and misconfigured services are exposed to the internet
- Failure to detect or block phishing attempts
- Poor endpoint detection and response
The list is quite extensive and while some of the initial access vectors are quite obvious (such as unpatched software or poor endpoint detection and response), others are typical of the new era driven by cloud services and quickly becoming familiar to us: Unprotected or misconfigured cloud services, open ports exposed to the internet, or even the lack of multi-factor authentication for cloud accounts (a survey conducted in 2020 revealed that 78% of Microsoft365 administrators did not have multi-factor authentication enabled, and it looks like not much has changed since then). Others are more surprising, such as the lack of sufficient controls by traditional VPNs.
The first access control recommendation provided by the advisory is the adoption of a zero trust security model. Other recommendations include the implementation of credential hardening, a centralized log management infrastructure, an effective antivirus architecture, the adoption of tools to detect exploits and vulnerabilities at the endpoint, network, and infrastructure level, and finally a rigorous configuration and patching management program.