Initial access techniques and mitigation


The MITRE ATT&CK® framework is an invaluable resource for cybersecurity professionals. Initial access is one of the 14 major enterprise attack tactics that come under this framework.

Initial access is a set of techniques that exploit different entry vectors to gain an initial foothold in an organization's network. There are nine initial access techniques in total (some of which have sub-techniques), and they include various social engineering methodologies as well as methods for exploiting public-facing web servers.

The initial foothold can be long-term or limited, depending on the method of entry and the adversary's objective. Once the adversary has a foothold within the network, the attack proceeds to execution, where the adversary tries to run malicious code, explore the network, or steal confidential data.

What are the different initial access techniques?

  • Drive-by compromise
  • Exploit public-facing application
  • External remote services
  • Hardware additions
  • Phishing
  • Replication through removable media
  • Supply chain compromise
  • Trusted relationship
  • Valid accounts

Drive-by compromise

With drive-by compromise, a system is compromised when the user visits a malicious website during normal browsing activity. This technique can be used either to exploit the user's browser or system, or to obtain an application access token, which token-based authentication uses to allow an application to access an API.

Imagine a user visits a website thinking it's legitimate, but the site has been completely compromised by an attacker. As the user loads the compromised site, the malicious code executes in the background without the user's knowledge.

Ultimately, the attacker gains access to the user's system, which can be exploited by installing secret plugins or malware.

How do I mitigate this technique?

  • Choose a reliable and up-to-date web browser with built-in security features like sandboxing and anti-malware protection to help mitigate drive-by attacks.
  • Web filtering solutions can block access to known malicious websites and prevent users from accessing potentially compromised websites.
  • Use comprehensive endpoint security solutions that include antivirus, anti-malware, and anti-exploit capabilities to help identify and block malicious code or scripts.

Using a SIEM solution with UEBA capabilities can help identify unusual or suspicious patterns of web browsing activity, such as browsing known malicious websites and visiting websites that are outside of the employee's normal scope of work.

A SIEM solution can also monitor HTTP logs to detect any abnormal behavior, such as multiple requests from a single IP and unexpected response codes that could indicate an attempt to access malicious websites.
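The HTTP-log checks described above (requests to known-malicious domains, bursts of requests from one client, and runs of unexpected response codes) can be sketched in a few lines. This is an added example, not Log360's code or any code from the original page; the log lines, domains, and blocklist are constructed for the demonstration, and the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample web proxy log lines: client IP, method, URL, HTTP status.
SAMPLE_LOGS = """\
10.0.0.5 GET http://intranet.example.local/home 200
10.0.0.5 GET http://cdn.bad-ads.example.net/landing 200
10.0.0.5 GET http://cdn.bad-ads.example.net/ad.js 200
10.0.0.5 GET http://cdn.bad-ads.example.net/update.bin 200
10.0.0.7 GET http://news.example.com/ 200
10.0.0.9 GET http://vendor-portal.example.org/api 500
10.0.0.9 GET http://vendor-portal.example.org/api 500
10.0.0.9 GET http://vendor-portal.example.org/api 500
"""

# Constructed blocklist standing in for a threat feed of known-malicious domains.
BLOCKLIST = {"cdn.bad-ads.example.net"}

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_logs(text):
    """Turn raw proxy log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ip": m["ip"], "host": urlparse(m["url"]).hostname,
                           "status": int(m["status"])})
    return events


def blocklist_hits(events):
    """(ip, host) pairs for requests to domains on the blocklist."""
    return sorted({(e["ip"], e["host"]) for e in events if e["host"] in BLOCKLIST})


def burst_ips(events, threshold):
    """Client IPs that made at least `threshold` requests to a single host."""
    counts = Counter((e["ip"], e["host"]) for e in events)
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})


def error_ips(events, threshold):
    """Client IPs that received at least `threshold` 5xx responses."""
    counts = Counter(e["ip"] for e in events if 500 <= e["status"] < 600)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ev = parse_logs(SAMPLE_LOGS)
    print("blocklist hits:", blocklist_hits(ev))
    print("request bursts:", burst_ips(ev, 3))
    print("5xx runs:", error_ips(ev, 3))
```

In a real deployment the blocklist would come from a threat feed and the thresholds would be tuned per host to avoid flagging legitimate high-volume clients.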

Exploit public-facing application

In this type of initial access attack, the attacker takes advantage of a weakness in an internet-facing application, using software, data, or commands to cause unintended behavior and gain unauthorized access. This initial access serves as a foothold for further exploitation, lateral movement, or data exfiltration.

These public-facing applications are those that are accessible to external users over the internet, like websites or web-based portals and services. These applications often interact with users and process sensitive data.

Consider a login portal of a shopping platform that is open to the internet. The attacker manages to identify a vulnerability in the website's outdated authentication software. The attacker can take advantage of the vulnerability to bypass authentication or gain unauthorized access to the system. Once inside, the attacker may be able to escalate their privileges, access sensitive customer data, or even pivot to other parts of the network.

How do I mitigate this technique?

  • Implement authentication mechanisms, such as multi-factor authentication (MFA) to prevent unauthorized access and role-based access controls (RBAC) to ensure that users only have the privileges required to perform their tasks.
  • By deploying firewalls, network segmentation, and access controls, you can protect the underlying network infrastructure that hosts your public-facing applications by preventing unauthorized access to the network.
  • Keep all software, including operating systems, web servers, and applications, up to date with the latest security patches. This helps protect against vulnerabilities in public-facing applications that attackers may exploit.

External remote services

In this technique, the attacker takes advantage of external-facing remote services and devices that are reachable from the internet, such as VPN gateways, firewalls, and routers, to compromise the target system. Attackers may exploit vulnerabilities or misconfigurations in these external remote services as a means to gain initial access to the targeted network.

Take a company that allows employees to connect to the organizational network through a VPN remotely. If an attacker can find a vulnerability in the version or configuration of the VPN, they can easily exploit the vulnerability in the VPN to gain initial access to the organization's network. Vulnerabilities can be due to outdated software versions, weak encryption protocols, or poor access control settings.

How do I mitigate this technique?

  • Use secure remote access protocols such as SSH (Secure Shell) to establish encrypted connections between remote users and your organization's network.
  • Implement intrusion detection and prevention systems (IDS/IPS) to monitor network traffic and detect any suspicious or malicious activity. These systems can help identify and block attempts to exploit vulnerabilities in remote services.
  • Use network segmentation to isolate remote services from critical internal systems, which limits the potential impact of an attack on those remote services.

The web filtering feature in Log360 provides visibility into the use of sanctioned, banned, and shadow applications in your network. It can also help you actively block access to banned applications and identify and block shadow applications.

Hardware additions

Hardware additions occur when the adversary gains initial access to a network by physically adding or installing malicious hardware components. Rather than merely using removable storage, these hardware tools introduce new features or functionalities that can be exploited. These tactics, though not commonly seen in public threats, are often used by red teams and penetration testers. Devices can range from network taps to keystroke injectors and wireless access enablers.

Consider this scenario: An attacker aims to infiltrate an institution's network to steal sensitive data. An employee receives a brand new, seemingly legitimate USB keyboard as a gift from a vendor. Unknown to the employee, the keyboard contains a hidden micro-controller designed to inject malicious keystrokes when connected to a computer. Once the employee connects the keyboard, it covertly downloads malware onto the company's system, giving the attacker a backdoor into the network.

How do I mitigate this technique?

  • Maintain strict physical security controls to prevent unauthorized access to sensitive areas where hardware modifications could occur. This includes employing security cameras, access controls, and monitoring systems to restrict entry and detect any suspicious activities.
  • Conduct periodic hardware audits using cryptographic measures to verify the authenticity of firmware or hardware components.
  • Keep firmware and software up to date with the latest security patches and updates provided by manufacturers.

A SIEM solution like Log360 allows you to configure specific actions to be triggered when a security alert related to unauthorized hardware addition is raised. You can automate immediate responsive actions to counteract this specific threat, such as shutting down the affected devices or disabling USB ports to prevent unauthorized hardware access and reduce potential security risks.

Phishing

Phishing is one of the most common social engineering attack methods employed in the corporate setting. In a phishing attack, the adversary targets a person or an organization and electronically delivers an email containing malware. Once the victim unknowingly loads the malware onto the system, the attacker can readily gain access to the organizational network. The user's engagement is crucial for the execution of this attack.

Sub-techniques

Phishing sub-techniques differ depending on the type of malicious content that is sent with the email. It can be a spearphishing attachment, a spearphishing link, or spearphishing via a service, where the adversaries indirectly send spearphishing messages through third-party services in an attempt to gain access to victim systems.

For instance, the attacker might pose as a trusted business partner providing an attachment or link that supposedly contains important information. This email will contain a malicious payload, such as a malicious attachment or a link to a website hosting malware. The goal is to entice the target to open the attachment or click the link, thereby compromising their system or providing the attacker with initial access to the network.

If the victim falls for the spearphishing email and takes the intended action, the attacker gains a foothold within the company's network.

How do I mitigate this technique?

  • Unsolicited emails and mail attachments are the main source of phishing social engineering attacks, and organizations need to be extra vigilant about them. Employees should strictly refrain from opening anything without verifying the credibility of the sender.
  • Keep all software, including operating systems, web browsers, and applications, up to date with the latest security patches. This helps protect against vulnerabilities that attackers may exploit through phishing attacks.
  • Use web filtering solutions to block access to known malicious websites and prevent users from visiting potentially dangerous sites that may host phishing pages.

SIEM tools like Log360 constantly monitor network activity and log data from various sources like servers, firewalls, and antivirus software. If any suspicious activity or data pattern indicative of a phishing attack is detected, such as multiple failed login attempts, suspicious email attachments, or unusual network traffic, SIEM systems will trigger an alert.

Log360 combats phishing attacks by integrating with threat feeds like STIX, TAXII, and AlienVault OTX, enabling real-time detection of malicious IPs and compromised websites. Its advanced threat intelligence capabilities allow for swift identification and response to potential phishing threats, and the solution offers automatic alerts and delegation to security teams to proactively prevent phishing-induced security breaches.

Replication through removable media

This type of attack typically targets disconnected or air-gapped systems that rely on removable media. Attackers use portable storage devices, such as USB drives, external hard drives, or optical discs, to copy or transfer malicious files from one device to another, leveraging the system's auto-run features when the media is inserted.

A real-life example of an initial access attack using replication through removable media was the spread of the infamous Conficker worm, also known as Downadup, in 2008. The attackers exploited a vulnerability in the Windows operating system, specifically targeting a flaw in the Windows Server service. The worm was spread through various channels, including infected websites, network shares, and removable media such as USB drives.

How do I mitigate this technique?

  • Disable the AutoRun feature on systems to prevent the automatic execution of files or programs when removable media is inserted. This reduces the risk of malware being launched automatically.
  • Use up-to-date antivirus and antimalware solutions to scan and automatically check removable media for malware before allowing access to your systems.
  • Encrypt all the data in removable media devices, including USB drives or external hard drives. This serves as an additional layer of protection.

Supply chain compromise

In this technique, the attacker manipulates application software, hardware, or services provided by a third-party vendor. Supply chain compromise leverages the trust relationship between an organization and its suppliers to gain unauthorized initial access or to introduce malicious components into the supply chain.

Sub-techniques

Attackers may manipulate different areas, including software, applications, or hardware components of a product, as well as software dependencies and development tools, in order to infiltrate consumers' networks once the product is in use.

For instance, a company might contract a third-party firm for custom software development. An adversary infiltrates the third party's development environment and embeds a backdoor into the software. The company, trusting the third party, deploys the software across its infrastructure. The hidden backdoor then allows the adversary to access confidential company data without detection.

How do I mitigate this technique?

  • Evaluate the security practices and controls of your suppliers, including their software development processes and security certifications.
  • Participate in threat intelligence sharing communities or organizations to gain insights into emerging threats and attack techniques in the supply chain.
  • Establish secure development practices and standards for software vendors, including secure coding practices, vulnerability scanning, and code reviews.

Trusted relationship

This technique refers to adversaries leveraging the trusted relationship between entities to gain unauthorized access to their intended victims. Instead of tampering with products, they leverage legitimate credentials or permissions. Their deceptive tactics bypass standard security checks by exploiting pre-existing partnerships.

Take a major retail corporation that partners with an IT services company for system maintenance. The IT company has network access to manage and update systems. A cybercriminal identifies this connection and hacks into the IT company's less-secured systems. Using this access, they then infiltrate the retail corporation's network, gaining unauthorized access to sensitive customer data.

How do I mitigate this technique?

  • Require all third-party vendors and service providers to use MFA when accessing your systems or network.
  • Conduct regular security assessments of trusted partners to ensure adequate security measures are in place in their systems.
  • Employ robust email filtering and detection mechanisms and enforce strict access controls to limit lateral movement within networks.

Valid accounts

In this technique, adversaries obtain and exploit the credentials of existing accounts, such as default, domain, cloud, or local accounts, that have privileges within a targeted system or network. Compromised credentials might grant an adversary elevated privileges on specific systems that normal users don't have access to.

Sub-techniques

The four sub-techniques vary depending on the type of account targeted. It can either be a default account, a domain account, a cloud account, or a local account.

One real-life example of a valid account attack is the 2014 breach of Sony Pictures Entertainment, when a group of hackers known as Guardians of Peace gained unauthorized access to Sony's internal network through an employee account.

The attackers first obtained valid user credentials, including usernames and passwords of Sony Pictures employees. It is believed that they accomplished this by conducting a spearphishing campaign targeting Sony employees, tricking them into revealing their login credentials.

How do I mitigate this technique?

  • Continuously monitor user accounts for suspicious activity, such as unusual login locations, multiple failed login attempts, or simultaneous logins from different locations.
  • Regularly remind users to update their passwords and avoid reusing passwords across multiple accounts.
  • Conduct regular reviews of user accounts to identify and revoke accounts that are no longer needed or associated with former employees or contractors.

Real-time session monitoring allows organizations to track user activities in real time, from login to logoff. It can flag unusual login locations, detect multiple failed login attempts, or identify simultaneous logins from different locations, all of which could indicate potential security threats, along with providing comprehensive reports on these events. By creating custom alert profiles, organizations can choose to get alerts for any suspicious activities.
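The login checks listed above and in the phishing section (unusual login locations, multiple failed login attempts, simultaneous logins from different locations) can be expressed over a stream of authentication events. This is an added example, not Log360's session monitoring or code from the original page; the events, user baseline, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: timestamp, user, source country, result.
SAMPLE_EVENTS = """\
2024-03-01T08:05:00 alice US success
2024-03-01T08:07:00 alice DE success
2024-03-01T09:00:00 bob US failure
2024-03-01T09:00:10 bob US failure
2024-03-01T09:00:20 bob US failure
2024-03-01T09:00:30 bob US failure
2024-03-01T09:01:00 bob US success
2024-03-01T10:00:00 carol CA success
"""

# Constructed baseline of the countries each user normally logs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "CA"}}


def parse_events(text):
    """Parse one event per line and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return sorted(events)


def unusual_locations(events):
    """(user, country) for successful logins from outside the user's baseline."""
    return [(u, c) for _, u, c, r in events
            if r == "success" and c not in BASELINE.get(u, set())]


def failed_login_bursts(events, threshold, window):
    """Users with at least `threshold` failures inside any `window`-minute span."""
    fails = defaultdict(list)
    for ts, u, _, r in events:
        if r == "failure":
            fails[u].append(ts)  # already in time order
    flagged = set()
    for u, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(minutes=window):
                flagged.add(u)
                break
    return sorted(flagged)


def impossible_travel(events, window):
    """(user, previous country, new country) for successive successful logins
    from different countries less than `window` minutes apart."""
    last, flagged = {}, []
    for ts, u, c, r in events:
        if r != "success":
            continue
        if u in last and last[u][1] != c and ts - last[u][0] <= timedelta(minutes=window):
            flagged.append((u, last[u][1], c))
        last[u] = (ts, c)
    return flagged
```

A production rule would replace the static baseline with one learned per user over time and correlate the failed-login burst with the success that follows it.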

How can you protect your organization from these attacks?

  • Maintain proper authentication and access control practices.
  • Schedule regular software updates and monitor patch status so that missing patches are applied promptly.
  • Implement strong network segmentation.
  • Deploy necessary software like a firewall analyzer, intrusion detection systems, and other advanced security technologies.
  • Analyze and manage the network traffic and make sure to have a strong compliance management solution.
  • Have a solid incident and threat response plan in action.
  • Make sure your employees are aware of the social engineering methodologies and organize regular security awareness and training programs.

How can Log360 help you combat initial access attacks?


Threat Intelligence

With the integration of international threat feeds like STIX/TAXII and AlienVault OTX, receive prompt alerts for any interaction with malicious IP addresses and domains.


Monitor suspicious user behavior

Leverage the UEBA module to help you identify suspicious user behavior by analyzing user activity across multiple dimensions, such as logins, applications accessed, files accessed, and network traffic.


Continuous network monitoring

Continuously gather logs and other data from various sources like servers, applications, databases, network devices, and more. Besides capturing event logs, get system, application, and security logs to ensure comprehensive data collection.


Real-time event correlation

Correlate seemingly unrelated yet suspicious events across your IT environment to detect complex attack patterns.


Zoho Corporation Pvt. Ltd. All rights reserved.