Adversaries are constantly scanning for these common mistakes and misconfigurations. If an organization hardens these areas, most attackers will move along if they can’t gain initial access in a reasonable amount of time. Take a look at these common initial access techniques and mitigations, and see how you can improve your company’s security posture today.
Listed below from the report are common techniques attackers use to obtain initial access to a victim’s systems:
Exploit Public-Facing Applications
Attackers use vulnerabilities (think OWASP Top Ten) to intrude upon any internet-facing system, application, or service (SMB, SSH, etc.). After gaining this initial access, an attacker will look for ways to create persistence within the system or network.
External Remote Services
Adversaries attack remote services like VPNs, Citrix, Windows Remote Management, VNC, and other remote access tools as a method to connect remotely to an organization’s internal network. This can also include containerized environments that lack authentication or exposed APIs.
Phishing
I hope that we're all familiar with what phishing is at this point in our journey through the cyber realm. This is a common method that attackers use to steal credentials from unwitting users. It can be done through e-mail, text messaging, social media, over the phone, or any other method through which you can transmit information. Most commonly, attackers use e-mail to send fake messages from seemingly trusted sources, then direct users to a counterfeit log-in page that captures the credentials and sends them to the attacker.
Trusted Relationship
To get into an intended target, an attacker may compromise a partner or vendor that the target trusts. It's not uncommon for partners or contractors to have elevated privileges on clients' networks or systems, and if an attacker can breach them to get to you, they will make that extra hop. This also plays into social engineering and phishing attacks where adversaries impersonate businesses you trust, such as HVAC contractors, ISPs, cleaning services, etc.
Valid Accounts
Adversaries sometimes use valid accounts as a way to traverse networks and systems without being detected. Instead of using malware or exploiting vulnerabilities, which can typically be identified, attackers leverage stolen credentials for valid, trusted accounts on a system or network. In some cases, this grants escalated privileges to parts of a network that contain critical information.
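Because a logon with stolen credentials looks like any other logon, detecting valid-account abuse means looking at patterns rather than payloads. As an added example (not code from the original post), the Python below runs three checks over a constructed authentication log: a password spray (one source failing against many accounts in a short window), a success from a source that was spraying, and a successful logon from a (user, source) pair never seen during a baseline period. The log format, thresholds and sample lines are assumptions made for illustration; map the field names to your own logon events (for Windows, the 4624/4625 events the report's logging advice would have you collect).

```python
# Added example: valid-account abuse detection over a constructed auth log.
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines (not real data); the format is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice src=198.51.100.7 result=OK
2024-05-01T08:00:05Z user=bob src=198.51.100.8 result=OK
2024-05-01T09:10:00Z user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:10:02Z user=bob src=203.0.113.5 result=FAIL
2024-05-01T09:10:04Z user=carol src=203.0.113.5 result=FAIL
2024-05-01T09:10:06Z user=dave src=203.0.113.5 result=FAIL
2024-05-01T09:10:08Z user=erin src=203.0.113.5 result=FAIL
2024-05-01T09:10:10Z user=erin src=203.0.113.5 result=OK
2024-05-01T11:30:00Z user=bob src=198.51.100.8 result=OK
"""


def parse_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.strptime(ts, TS_FMT)
    return ev


def parse_log(text: str) -> list:
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source failing against >= min_accounts distinct users inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        lo = 0
        for hi in range(len(evs)):            # sliding window over this source's failures
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= min_accounts:
                alerts.append({"src": src, "accounts": len(users),
                               "start": evs[lo]["ts"], "end": evs[hi]["ts"]})
                break                         # one alert per source is enough
    return alerts


def detect_spray_success(events, spray_alerts):
    """A successful logon from a source that was spraying: likely a valid account in attacker hands."""
    spraying = {a["src"] for a in spray_alerts}
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in spraying]


def detect_new_source_logons(events, baseline_cutoff: str):
    """Successful logons after the cutoff from a (user, src) pair not seen before it."""
    cutoff = datetime.strptime(baseline_cutoff, TS_FMT)
    known = {(e["user"], e["src"]) for e in events
             if e["result"] == "OK" and e["ts"] < cutoff}
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["ts"] >= cutoff
            and (e["user"], e["src"]) not in known]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    sprays = detect_password_spray(events)
    print("spray sources:", sprays)
    print("success after spray:", detect_spray_success(events, sprays))
    print("new-source logons:", detect_new_source_logons(events, "2024-05-01T09:00:00Z"))
```

The spray check keys on the source rather than the account, which is the point: each account sees only one or two failures and never trips a lockout threshold, so a per-account rule stays silent. The new-source check is the cheapest approximation of the behavioural baselining the report's "detect compromised credentials" item asks for; a fuller version would also weight by geography, time of day and device.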
Common controls, configurations, and practices that adversaries look to exploit
No Multi-Factor Authentication
Misaligned privileges or permissions in Access Control Lists
Lack of authentication for remote services
Lack of strong password policies
Unprotected cloud services
Open ports and misconfigured internet-facing services
Failure to detect phishing attempts
Poor endpoint detection and response
Mitigations
Zero-trust security model
Limit remote admin privileges
Control data access and services
Harden conditional access policies
Verify RDP isn’t open, and if it is, put it behind a firewall
Change default credentials
Detect compromised credentials
Generate sufficient logs
Deploy anti-malware solutions and monitor them
Implement endpoint detection and response tools
Conduct regular penetration tests and vulnerability scanning
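Several of the items above (open ports and misconfigured internet-facing services, lack of authentication for remote services, verifying RDP isn't open) come down to one question: which services can an arbitrary internet host actually reach? As an added example (not code from the original post or from any firewall vendor), the Python below evaluates a constructed first-match rule set the way a firewall would, reports admin services reachable from anywhere, and catches a deny rule that is shadowed by an earlier allow. The rule format, the service-to-port table, the default-deny assumption and the documentation-range probe addresses are all assumptions; export your real rules into this shape or adapt the parser.

```python
# Added example: audit a first-match firewall rule set for internet-exposed admin services.
import ipaddress

# Services routinely targeted when exposed; the port mapping is an assumption.
ADMIN_SERVICES = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC",
                  5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed sample rule set (not real data). Format: action proto dport source
SAMPLE_RULES = """\
allow tcp 443 0.0.0.0/0
allow tcp 3389 0.0.0.0/0
allow tcp 22 203.0.113.0/24
allow tcp 445 10.0.0.0/8
allow tcp 5985 ::/0
allow tcp 8080 any
deny tcp 3389 0.0.0.0/0
"""

# Stand-ins for "some host on the internet" (documentation ranges, one per IP version).
DEFAULT_PROBES = ("192.0.2.1", "2001:db8::1")


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, proto, port, src = line.split()
        net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        rules.append({"action": action, "proto": proto, "port": int(port), "src": net})
    return rules


def matches(rule: dict, port: int, probe) -> bool:
    if rule["port"] != port:
        return False
    if rule["src"] is None:                       # 'any'
        return True
    return probe.version == rule["src"].version and probe in rule["src"]


def effective_action(rules, port: int, probe) -> str:
    """First matching rule wins, as on most firewalls; default deny (assumption)."""
    for r in rules:
        if matches(r, port, probe):
            return r["action"]
    return "deny"


def probe_allowed(rules, port: int, ip: str) -> bool:
    return effective_action(rules, port, ipaddress.ip_address(ip)) == "allow"


def audit(rules, probes=DEFAULT_PROBES) -> list:
    """(severity, port, message) for every port an internet probe can reach."""
    findings = []
    for port in sorted({r["port"] for r in rules}):
        if not any(probe_allowed(rules, port, p) for p in probes):
            continue
        if port in ADMIN_SERVICES:
            findings.append(("HIGH", port, f"{ADMIN_SERVICES[port]} reachable from the "
                             "internet; restrict the source range or put it behind a VPN"))
        else:
            findings.append(("REVIEW", port, "service reachable from the internet; "
                             "confirm it is intended, authenticated and patched"))
    return findings


def shadowed_denies(rules) -> list:
    """Ports whose deny rule sits after an allow-from-anywhere and therefore never fires."""
    ports = set()
    for i, r in enumerate(rules):
        if r["action"] != "deny":
            continue
        for earlier in rules[:i]:
            if (earlier["action"] == "allow" and earlier["port"] == r["port"]
                    and (earlier["src"] is None or earlier["src"].prefixlen == 0)):
                ports.add(r["port"])
    return sorted(ports)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for sev, port, msg in audit(rules):
        print(f"[{sev}] {port}: {msg}")
    print("shadowed deny rules on ports:", shadowed_denies(rules))
```

The shadowed-deny check is the caveat practitioners most often miss: adding "deny 3389 from anywhere" at the end of a rule set changes nothing if an allow for the same port already matches first, which is why the audit evaluates the rules rather than grepping for a deny line. Run it against the exported rule set on every change, not once a year before the penetration test.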
Don't make the bad guys' job easy. Attackers tend to try known weaknesses and common vulnerabilities first, before they get fancy. If organizations take the time to monitor and verify that they're not making these common mistakes, the likelihood of a persistent attack diminishes greatly. Invest in security personnel and train them. Create strong password policies. Collect logs and monitor them. Patch your software. Train your employees on phishing and social engineering techniques. If you want to be secure, empower your people and do the little things right.