The United States (CISA, NSA, DOJ), Canada, the United Kingdom, the Netherlands, and New Zealand have released a seven-page cybersecurity alert (Alert AA22-137A, Weak Security Controls and Practices Routinely Exploited for Initial Access) detailing the techniques cyber actors routinely use to “gain initial access or as part of other tactics to compromise a victim’s system”.
Adversaries are constantly scanning for these common mistakes and misconfigurations. If an organization hardens these areas, most attackers will move along if they can’t gain initial access in a reasonable amount of time. Take a look at these common initial access techniques and mitigations, and see how you can improve your company’s security posture today.
Listed below from the report are common techniques attackers use to obtain initial access to a victim’s systems:
Exploit Public-Facing Applications
Attackers use vulnerabilities (think OWASP Top Ten) to intrude upon any internet-facing system, application, or service (SMB, SSH, etc.). After gaining this initial access, an attacker will look for ways to establish persistence within the system or network.
External Remote Services
Adversaries attack remote services like VPNs, Citrix, Windows Remote Management, VNC, and other remote access tools as a method to connect remotely to an organization’s internal network. This can also include containerized environments that lack authentication or exposed APIs.
Phishing
I hope that we’re all familiar with what phishing is at this point in our journey through the cyber realm. This is a common method that attackers use to steal credentials from unwitting users. It can be done through e-mail, text messaging, social media, over the phone, or any other channel through which information can be transmitted. Most commonly, attackers use e-mail to send fake messages from seemingly trusted sources, then direct users to a counterfeit login page that captures the credentials and sends them to the attacker.
Trusted Relationship
To get into an intended target, an attacker may compromise a partner or vendor that is trusted by the target. It’s not uncommon for partners or contractors to have elevated privileges on clients' networks or systems, and if an attacker can breach them to get to you, they will make that extra hop. This can also play into social engineering and phishing attacks, where adversaries impersonate businesses you trust, such as HVAC contractors, ISPs, cleaning services, etc.
Valid Accounts
Adversaries sometimes use valid accounts as a way to traverse networks and systems without being detected. Instead of using malware or vulnerability exploits, which can typically be identified, attackers leverage stolen credentials for valid, trusted accounts on a system or network. In some cases, this gives them elevated privileges on parts of the network that contain critical information.
Don’t make the bad guys' job easy. Attackers tend to first try known weaknesses and common vulnerabilities before they get fancy. If organizations take the time to monitor and verify that they’re not making these common mistakes, the likelihood of a persistent attack diminishes greatly. Invest in security personnel and train them. Create strong password policies. Collect logs and monitor them. Patch your software. Train your employees on phishing and social engineering techniques. If you want to be secure, empower your people, and do the little things right.
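The Valid Accounts technique above and the advice to collect and monitor logs go together: when an attacker is using stolen but legitimate credentials, there is no malware to catch, so the signal has to come from logon patterns that the account does not normally produce. Below is an added example, written for this summary and not taken from the alert or from any tool it references, of two simple checks a defender can run over authentication logs: a successful logon from a source address the account has never used before, and a single account succeeding on many distinct hosts within a short window (the fan-out you see when stolen credentials are used to move laterally). The log line format, the baseline of known source addresses, the sample log lines, and the thresholds are all constructed assumptions for the example.

```python
"""
Added example (not from the alert or the blog post): two detections for
misuse of valid accounts, run over constructed authentication log lines.
Assumed log format (one record per line):
  "<ISO timestamp> user=<account> src=<ip> dst=<host> result=<success|failure>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The account "jdoe" works
# normally in the morning, then at night the same credentials succeed on
# five different hosts from an address never seen for that account.
SAMPLE_LOG = """\
2024-01-15T08:01:10 user=jdoe src=10.0.5.21 dst=WKS-101 result=success
2024-01-15T08:02:40 user=jdoe src=10.0.5.21 dst=FS-01 result=success
2024-01-15T08:55:02 user=asmith src=10.0.7.14 dst=WKS-220 result=success
2024-01-15T21:14:05 user=jdoe src=203.0.113.9 dst=FS-01 result=success
2024-01-15T21:14:33 user=jdoe src=203.0.113.9 dst=FS-02 result=success
2024-01-15T21:15:01 user=jdoe src=203.0.113.9 dst=DC-01 result=success
2024-01-15T21:15:20 user=jdoe src=203.0.113.9 dst=SQL-01 result=success
2024-01-15T21:16:02 user=jdoe src=203.0.113.9 dst=WKS-300 result=success
"""

# Assumed baseline: source addresses each account normally logs on from.
# In practice this would be built from weeks of prior logs; constructed here.
BASELINE_SOURCES = {"jdoe": {"10.0.5.21"}, "asmith": {"10.0.7.14"}}

# Assumed thresholds for the fan-out check; tune to the environment.
WINDOW = timedelta(minutes=10)
MAX_HOSTS_PER_WINDOW = 4


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def new_source_alerts(records, baseline):
    """(user, src) pairs where a successful logon came from an address
    outside that account's baseline. Each pair is reported once."""
    seen = set()
    for r in records:
        if r["result"] != "success":
            continue
        if r["src"] not in baseline.get(r["user"], set()):
            seen.add((r["user"], r["src"]))
    return sorted(seen)


def fan_out_alerts(records, window=WINDOW, max_hosts=MAX_HOSTS_PER_WINDOW):
    """Accounts that successfully log on to more than max_hosts distinct
    hosts inside a sliding time window. Returns (user, window_start, hosts)."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["dst"] for r in recs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append((user, recs[start]["ts"], sorted(hosts)))
                break  # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, src in new_source_alerts(recs, BASELINE_SOURCES):
        print(f"[new source] {user} logged on from {src}")
    for user, start, hosts in fan_out_alerts(recs):
        print(f"[fan-out] {user} reached {len(hosts)} hosts from {start}: {hosts}")
```

Both checks are deliberately simple so they can be read in one sitting; the point is that each one fires on the night-time activity in the sample while staying silent on the morning logons, which is the behaviour you want from a first-pass detection for stolen-credential use. Neither replaces multi-factor authentication or a strong password policy, but they are the kind of monitoring that turns collected logs into something an analyst can act on.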