The MITRE ATT&CK® framework is an invaluable resource for cybersecurity professionals. Initial access is one of the 14 major enterprise attack tactics that come under this framework.
Initial access is a set of techniques that exploit different entry vectors to gain an initial foothold in an organization's network. There are nine initial access techniques in total (some of which have sub-techniques), and they include various social engineering methods and ways of exploiting public-facing web servers.
The initial foothold can be long-term or limited, depending on the method of entry and the adversary's goal. Once the adversary has a foothold in the network, the attack proceeds to execution, where the adversary tries to run malicious code, explore the network, or steal confidential data.
With drive-by compromise, a system is compromised when the user visits a malicious website during normal browsing. The technique can be used either for exploitation or to obtain an application access token, which is used in token-based authentication to let an application access an API.
Imagine a user visits a website thinking it's legitimate, but the site has been completely compromised by an attacker. As the user loads the compromised site, the malicious code executes in the background without the user's knowledge.
Ultimately, the attacker gains access to the user's system, which can be exploited by installing secret plugins or malware.
Using a SIEM solution with UEBA capabilities can help identify unusual or suspicious patterns of web browsing activity, such as browsing known malicious websites and visiting websites that are outside of the employee's normal scope of work.
A SIEM solution can also monitor HTTP logs to detect any abnormal behavior, such as multiple requests from a single IP and unexpected response codes that could indicate an attempt to access malicious websites.
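As an added example (not code from the original article or from Log360), the two HTTP-log heuristics just described, a burst of requests from one source IP and an unusual share of unexpected response codes, applied to a few constructed proxy log lines; the log layout and the thresholds are assumptions:

```python
"""Added example, not from the original article or Log360: applies the two
HTTP-log heuristics described above (request bursts from a single source IP
and an unusual share of error responses) to constructed proxy log lines."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified proxy-log layout:
# <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/home 200
10.0.0.5 GET http://intranet.example/docs 200
10.0.0.9 GET http://cdn.example-ads.test/loader.js 200
10.0.0.9 GET http://cdn.example-ads.test/x1 404
10.0.0.9 GET http://cdn.example-ads.test/x2 404
10.0.0.9 GET http://cdn.example-ads.test/x3 500
10.0.0.9 GET http://cdn.example-ads.test/payload.bin 200
10.0.0.9 GET http://cdn.example-ads.test/x4 403
10.0.0.7 GET http://intranet.example/home 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_lines(text):
    """Yield (ip, method, url, status) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def flag_suspicious_ips(text, min_requests=5, max_error_ratio=0.4):
    """Return {ip: reason} for source IPs that sent at least min_requests
    and whose share of 4xx/5xx responses is above max_error_ratio."""
    total = defaultdict(int)
    errors = defaultdict(int)
    for ip, _method, _url, status in parse_lines(text):
        total[ip] += 1
        if status >= 400:
            errors[ip] += 1
    flagged = {}
    for ip, n in total.items():
        ratio = errors[ip] / n
        if n >= min_requests and ratio > max_error_ratio:
            flagged[ip] = f"{n} requests, {errors[ip]} error responses ({ratio:.0%})"
    return flagged

if __name__ == "__main__":
    for ip, reason in flag_suspicious_ips(SAMPLE_LOG).items():
        print(ip, reason)
```

Only 10.0.0.9 is flagged in the sample: six requests, four of them with 4xx/5xx codes, which is the kind of pattern a SIEM rule would surface for analyst review rather than treat as a verdict.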
In this type of initial access attack, the attacker exploits a weakness in an internet-facing application, using software, data, or commands to cause unintended behavior and gain unauthorized access. This initial access serves as a foothold for further exploitation, lateral movement, or data exfiltration.
These public-facing applications are those that are accessible to external users over the internet, like websites or web-based portals and services. These applications often interact with users and process sensitive data.
Consider a login portal of a shopping platform that is open to the internet. The attacker manages to identify a vulnerability in the website's outdated authentication software. The attacker can take advantage of the vulnerability to bypass authentication or gain unauthorized access to the system. Once inside, the attacker may be able to escalate their privileges, access sensitive customer data, or even pivot to other parts of the network.
In this technique, the attacker takes advantage of external-facing remote services that are accessible from the internet, such as VPN gateways, firewalls, and routers, to compromise the target system. Attackers may exploit vulnerabilities or misconfigurations in these remote services as a means of gaining initial access to the targeted network.
Take a company that allows employees to connect remotely to the organizational network through a VPN. If an attacker finds a vulnerability in the VPN's version or configuration, they can exploit it to gain initial access to the organization's network. Such vulnerabilities can stem from outdated software versions, weak encryption protocols, or poor access control settings.
The web-filtering feature in Log360 provides visibility into the use of sanctioned, banned, and shadow applications in your network. It can also help you actively block access to banned applications and identify and block shadow applications.
Hardware additions occur when the adversary gains initial access to a network by physically adding or installing malicious hardware components. Rather than merely using removable storage, these hardware tools introduce new features or functionalities that can be exploited. These tactics, though not commonly seen in public threats, are often used by red teams and penetration testers. Devices can range from network taps to keystroke injectors and wireless access enablers.
Consider this scenario: An attacker aims to infiltrate an institution's network to steal sensitive data. An employee receives a brand new, seemingly legitimate USB keyboard as a gift from a vendor. Unknown to the employee, the keyboard contains a hidden microcontroller designed to inject malicious keystrokes when connected to a computer. Once the employee connects the keyboard, it covertly downloads malware onto the company's system, giving the attacker a backdoor into the network.
A SIEM solution like Log360 allows you to configure specific actions to be triggered when a security alert related to unauthorized hardware addition is raised. You can automate immediate responsive actions to counteract this specific threat, such as shutting down the affected devices or disabling USB ports to prevent unauthorized hardware access and reduce potential security risks.
Phishing is one of the most common social engineering attack methods employed in the corporate setting. In a phishing attack, the adversary targets a person or an organization and electronically delivers an email containing malware. Once the victim unknowingly loads the malware onto the system, it then becomes easy for the attackers to get access to the organizational network. The user's engagement is crucial for the execution of this attack.
Phishing sub-techniques differ by the type of malicious content sent with the email: a spearphishing attachment, a spearphishing link, or spearphishing via service, where adversaries send spearphishing messages indirectly through third-party services in an attempt to gain access to victim systems.
For instance, the attacker might pose as a trusted business partner providing an attachment or link that supposedly contains important information. This email will contain a malicious payload, such as a malicious attachment or a link to a website hosting malware. The goal is to entice the target to open the attachment or click the link, thereby compromising their system or providing the attacker with initial access to the network.
If the victim falls for the spearphishing email and takes the intended action, the attacker gains a foothold within the company's network.
SIEM tools like Log360 constantly monitor network activity and log data from various sources like servers, firewalls, and antivirus software. If any suspicious activity or data pattern indicative of a phishing attack is detected, such as multiple failed login attempts, suspicious email attachments, or unusual network traffic, SIEM systems will trigger an alert.
Log360 combats phishing attacks by integrating with threat feeds like STIX, TAXII, and AlienVault OTX, enabling real-time detection of malicious IPs and compromised websites. Its advanced threat intelligence capabilities allow for swift identification and response to potential phishing threats, and the solution offers automatic alerts and delegation to security teams to proactively prevent phishing-induced security breaches.
This type of attack targets disconnected or air-gapped systems that rely on removable media. Attackers use portable storage devices, such as USB drives, external hard drives, or optical discs, to copy malicious files or content from one device to another, relying on the system's autorun features to execute that content when the media is inserted.
A real-life example of an initial access attack using replication through removable media was the spread of the infamous Conficker worm, also known as Downadup, in 2008. The attackers exploited a vulnerability in the Windows operating system, specifically targeting a flaw in the Windows Server service. The worm was spread through various channels, including infected websites, network shares, and removable media such as USB drives.
In this technique, the attacker manipulates application software, hardware, or services provided by a third-party vendor. Supply chain compromise leverages the trust relationship between an organization and its suppliers to gain unauthorized initial access or to introduce malicious components into the supply chain.
Attackers may tamper with different areas, including the software, application, or hardware components of a product, or the software dependencies and development tools used to build it, in order to infiltrate consumers' networks once the product is in use.
For instance, a company might contract a third-party firm for custom software development. An adversary infiltrates the third party's development environment and embeds a backdoor into the software. The company, trusting the third party, deploys the software across its infrastructure. The hidden backdoor then allows the adversary to access confidential company data without detection.
This technique refers to adversaries leveraging the trusted relationship between entities to gain unauthorized access to their intended victims. Instead of tampering with products, they leverage legitimate credentials or permissions. Their deceptive tactics bypass standard security checks by exploiting pre-existing partnerships.
Take a major retail corporation that partners with an IT services company for system maintenance. The IT company has network access to manage and update systems. A cybercriminal identifies this connection and hacks into the IT company's less-secured systems. Using this access, they then infiltrate the retail corporation's network, gaining unauthorized access to sensitive customer data.
In this technique, adversaries obtain and exploit the credentials of existing accounts, such as default, domain, cloud, or user accounts, that have privileges within a targeted system or network. Compromised credentials might grant an adversary elevated privileges on specific systems that normal users cannot access.
The four sub-techniques vary depending on the type of account targeted. It can either be a default account, a domain account, a cloud account, or a local account.
One real-life example of a valid account attack is the 2014 breach of Sony Pictures Entertainment, when a group of hackers known as Guardians of Peace gained unauthorized access to Sony's internal network through an employee account.
The attackers first obtained valid user credentials, including usernames and passwords of Sony Pictures employees. It is believed that they accomplished this by conducting a spearphishing campaign targeting Sony employees, tricking them into revealing their login credentials.
Real-time session monitoring allows organizations to track user activities in real time, from login to logoff. It can flag unusual login locations, detect multiple failed login attempts, or identify simultaneous logins from different locations, all of which could indicate potential security threats, along with providing comprehensive reports on these events. By creating custom alert profiles, organizations can choose to get alerts for any suspicious activities.
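As an added example (not code from the original article or from Log360), two of the session-monitoring checks described above, repeated failed logins and concurrent logins from different locations, run over a constructed list of authentication events; the event layout and the thresholds are assumptions:

```python
"""Added example, not from the original article or Log360: two of the
session-monitoring checks described above (repeated failed logins and
concurrent logins from different locations) over constructed events."""
from collections import defaultdict
from datetime import datetime

# Constructed events in an assumed layout: (ISO timestamp, user, result, location)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice", "FAIL", "London"),
    ("2024-05-01T08:00:20", "alice", "FAIL", "London"),
    ("2024-05-01T08:00:45", "alice", "FAIL", "London"),
    ("2024-05-01T08:01:10", "alice", "FAIL", "London"),
    ("2024-05-01T08:01:30", "alice", "SUCCESS", "London"),
    ("2024-05-01T09:00:00", "bob", "SUCCESS", "Chennai"),
    ("2024-05-01T09:05:00", "bob", "SUCCESS", "Sao Paulo"),
    ("2024-05-01T09:30:00", "bob", "LOGOFF", "Chennai"),
    ("2024-05-01T10:00:00", "carol", "SUCCESS", "Berlin"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def failed_login_bursts(events, threshold=4, window_seconds=300):
    """Return the users with at least `threshold` failed logins inside any
    window of `window_seconds` (assumed thresholds)."""
    fails = defaultdict(list)
    for ts, user, result, _loc in events:
        if result == "FAIL":
            fails[user].append(_ts(ts))
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(user)
                break
    return flagged

def concurrent_multi_location(events):
    """Return the users that held open sessions from two or more locations
    at the same time. A session opens on SUCCESS and closes on LOGOFF."""
    open_sessions = defaultdict(set)  # user -> locations currently logged in
    flagged = set()
    for _t, user, result, loc in sorted(events, key=lambda e: _ts(e[0])):
        if result == "SUCCESS":
            open_sessions[user].add(loc)
            if len(open_sessions[user]) > 1:
                flagged.add(user)
        elif result == "LOGOFF":
            open_sessions[user].discard(loc)
    return flagged
```

In the sample, alice trips the failed-login check (four failures in 70 seconds, then a success) and bob the concurrent-location check (Chennai and Sao Paulo sessions open at once); either would feed a custom alert profile of the kind the text describes.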
With the integration of international threat feeds like STIX/TAXII and AlienVault OTX, you receive prompt alerts for any interaction with malicious IP addresses and domains.
Leverage the UEBA module to help you identify suspicious user behavior by analyzing user activity across multiple dimensions, such as logins, applications accessed, files accessed, and network traffic.
Zoho Corporation Pvt. Ltd. All rights reserved.