I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon!
A very common question I get from the field is, “How do threat actors actually get into the network in the first place?” It’s a good question, with some possibly surprising answers, so let’s talk about initial access and how threat actors take that first step.
Initial access is the term used for how a threat actor gains their first entry into a protected environment. This could be your home PC, or a corporate network – whatever they’re eventually attempting to get access to within the target environment itself. Generally, the point of initial access is not the end goal of the threat actor; since it’s highly unlikely they land on the machine or system they actually want to get hold of. More often, initial access happens on a user’s laptop, or a web server, or an application platform instead; and the threat actor then must jump from system to system to get where they want to be. This means that by minimizing initial access points, you also minimize the ability of the threat actor to do what they want to do.
So, how do they accomplish that first step? There are quite a few different ways this can be done, but four of them stand out as being (by far) the most commonly encountered techniques. First, compromise of credentials – the threat actor gains control of legitimate usernames and passwords. Second, compromise of a vulnerable application – where a threat actor is able to exploit a vulnerability. Third is coercion or trickery used to get a user to run a malicious application. Finally, there are initial access brokers that use all of the above to amass initial access that they can sell to the highest bidder.
Credential compromise is the most common technique used. Threat actors use phishing, smsishing (phishing by text message) and a host of other social engineering techniques to get hold of legitimate credentials that they can use to access systems in your organization. Alternately, they could guess or discover credentials without having to phish or otherwise grab them from users directly. Methods such as exploiting weak and/or default passwords, credential stuffing, or even brute-force attacks can get them what they need if other security controls aren’t in place. Weak passwords that are too short (less than 8 characters), too simple (no punctuation/special characters), and/or extremely common (password123) all allow a threat actor to successfully guess in just a few tries. Credential stuffing is trying a list of passwords from one breach to attack a totally different organization that shares users who may have re-used passwords. Brute-force is exactly what it sounds like – threat actors simply try password after password until they find one that works.
In all of these cases of credential compromise, layered defenses can be a huge help in defending the organization. The use of (and enforcement of the use of) multi-factor authentication (MFA) will help to block a threat actor with otherwise valid credentials from actually using them. Enforcing passwords which meet basic complexity rules such as including special characters (?, /, $, !, etc.) and requiring 12 or more characters makes it much more difficult for a threat actor to successfully guess a valid password. Blocking the most common passwords used online outright is also a great method to bring to bear. Troy Hunt (curator of HaveIBeenPwned.com [https://haveibeenpwned.com/ ] has worked with many government and private entities to keep lists of the most common passwords. For example, the National Cyber Security Center of the UK has worked with Troy to produce a list of the top 100 [[https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere ]]. Enforcing restrictions on the number of incorrect entries a user can try before they’re locked out helps derail brute-force attacks. Encouraging users to not re-use passwords by utilizing password managers helps curtail credential stuffing success.
Remember that most usernames are known these days. Users utilize their email address, or some combination of first/last name/initials, so the username is no longer a big secret. Passwords – when well-managed – are still secret, but additional controls are required to ensure that a threat actor can’t walk in the front door. Utilizing complex passwords and MFA, limiting re-use, and blocking commonly known passwords all help to keep the password itself from becoming known and/or useful to a threat actor.
Exploitation of a vulnerability is common in the quest to gain initial access. If a system or platform has a known vulnerability that can be exploited, then a threat actor will not have to gain credentials – they can just take control of the system or platform itself. Defenses here are two-fold, first it is important to patch/upgrade systems with known vulnerabilities; but that’s not always a possibility. If budget doesn’t exist for upgrades, or if the patch or upgrade would significantly impact a business process, it’s unlikely that closing the vulnerability directly will be allowed. Here again, compensating controls can save the organization. If a threat actor gains control of one application, then blocking their ability to move through the network or gain control of additional applications becomes a vital step in limiting damage. Endpoint controls (on servers as well as user systems), restricting network access, and the ability to be alerted on anomalous activity all aid in catching a threat actor attempting to move from an exploited system to others in the environment. Of course, patching or upgrading is the optimal strategy and should be done whenever possible; but additional controls may be required when that patch or upgrade just cannot be applied.
Coercion and trickery are incredibly common in the threat landscape today. While forms of social engineering, they typically do not follow the same path as a phishing or smshing attack. Instead, a user may be tricked into installing malicious software that masquerades as legitimate software the business would regularly use. A common example is a threat actor taking over a mis-spelled domain for a popular software tool, and any user who accidentally goes to the mis-spelled site (which might even be performing search engine optimization to trick the user) downloads and installs the malware instead of the real software. Supply-side compromise – where a threat actor replaces the real software with malware on the vendor’s systems – is also a serious threat. Another common technique is the invocation of authority to coerce a user into installing malware. A threat actor may call or email pretending to be a software vendor, a bank, a government agency, or even your own IT department and pressure a user to download an install malware, spyware, or more. Of course, a user who has been doing things they should not be doing online could also be blackmailed into installing malware on company systems; but while fake attempts at this technique are common (such as “clean up software” emails that try to get a user to install something because they were “caught” on a site they shouldn’t have been on), confirmed real use of this tactic is thankfully rare. Proper security awareness training and periodic testing is the key to derailing this form of initial access attack. When users know what to look for, who to ask for help, and where to go to legitimately get software and updates will keep them from accidentally downloading malware or doing so under duress. Combining these methods with strong endpoint controls (like anti-malware tools) can help to ensure that the fake software is blocked from running. Last, but not least, running software updates in a lab to ensure that they are legitimate before deploying them across the organization – combined with ensuring vendors are following security best-practices – limits damage from supply-side attacks.
Finally, there are entire categories of threat actor groups who perform just initial access attacks, using all of the above methods to accomplish their goals. They curate massive lists of legitimate and validated credentials, previously exploited systems that they still have active access to, automation to perform coercion and trickery on a massive scale, host and deploy malware as valid updates, etc. – but they don’t actually perform other attacks. What they do is sell that information to other threat actors who then use it to perform more extensive attacks like major data theft, ransomware, or disruptive actions. These initial access brokers make good money re-selling the access they gain to the highest bidder, allowing them to gain financial success without having to worry about extorting an actual payoff from a company. Careful monitoring of user activity and network operations to determine if there are anomalies going on can allow you to detect if credentials or systems have become compromised before that access gets sold to another threat actor. Many managed security service providers (MSSPs) can assist with that effort for those organizations who cannot do that kind of monitoring in-house.
Initial access is the first step in a sequence of events that leads to data loss, ransomware payouts, downtime and business loss, and a host of other problems for any organization. Defending against the most common forms of initial access can derail attacks before they get farther than that first step, and help keep your organization safer over time.