A joint multi-national cybersecurity advisory has revealed the ten weak security controls and practices most exploited by cybercriminals to gain access to organisational networks, as well as the initial-access techniques they use to get in.
The advisory cites five techniques used to gain initial access:
- Exploit Public-Facing Application – Attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behaviour. The weakness in the system can be a bug, a glitch, or a design vulnerability.
- External Remote Services – Leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
- Phishing – Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
- Trusted Relationship – Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network.
- Valid Accounts – Compromised credentials may be used to bypass access controls placed on various resources on systems within the network, and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
Following are the 10 ways attackers gain access to networks:
1. Multifactor authentication (MFA) is not enforced
MFA is especially useful when bad actors have such a heavy focus on techniques like phishing, trusted relationships, and valid accounts. Any of these approaches could have serious long-term impacts on an affected organisation. It’s not just how they get in, but what they get up to afterwards.
2. Incorrectly applied privileges or permissions and errors within access control lists
Users should only be able to access the resources necessary for any given purpose. Someone accidentally granted admin-level control of a corporate website may cause chaos if their account is compromised, or if they leave the business and nobody revokes their access.
3. Software is not up to date
Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
4. Use of vendor-supplied default configurations or default usernames and passwords
Network devices are often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure: they may be physically labelled on the device or readily available on the internet.
5. Remote services—such as a virtual private network (VPN)—lack sufficient controls to prevent unauthorized access
Additional security and privacy tools require care with regard to setup and configuration. A poorly designed workplace VPN may be easily accessed by an attacker, and could also help mask exploration and exploitation of the network. MFA is useful here, as is monitoring connection times for abnormal use patterns, such as a user suddenly connecting to the VPN outside of work hours.
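The monitoring suggested above, as an added example that is not part of the advisory: a small Python script that reads VPN gateway log lines and flags logins that fall outside business hours or come from a source address not previously seen for that user. The key=value log layout, the business-hours window and the sample lines are all constructed assumptions; a real gateway logs differently, so `parse_line()` is the part to adapt.

```python
"""Flag VPN logins outside business hours and from unfamiliar source addresses.

Added example, not from the advisory. The log layout is a constructed
key=value format; real VPN gateways log differently, so adapt parse_line().
"""
from datetime import datetime, time

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
2024-03-04T08:55:12 vpn-gw user=alice src=203.0.113.10 event=login
2024-03-04T09:10:44 vpn-gw user=bob src=198.51.100.22 event=login
2024-03-04T23:42:03 vpn-gw user=alice src=203.0.113.77 event=login
2024-03-05T02:15:09 vpn-gw user=carol src=192.0.2.9 event=login
2024-03-05T13:02:30 vpn-gw user=bob src=198.51.100.22 event=logout
"""

WORK_START = time(7, 0)   # assumed business hours, inclusive start
WORK_END = time(19, 0)    # exclusive end


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts_str, _host, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def is_off_hours(ts, start=WORK_START, end=WORK_END):
    """True on weekends, or outside [start, end) on weekdays."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_anomalous_logins(log_text):
    """Return (user, src, iso_timestamp, reasons) for logins worth a second look.

    The first source address seen for a user in the log acts as that user's
    baseline; later logins from a different address are tagged 'new-source'.
    """
    known_sources = {}   # user -> set of source addresses seen earlier
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event"] != "login":
            continue
        reasons = []
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours")
        seen = known_sources.setdefault(ev["user"], set())
        if seen and ev["src"] not in seen:
            reasons.append("new-source")
        seen.add(ev["src"])
        if reasons:
            findings.append((ev["user"], ev["src"], ev["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_logins(SAMPLE_LOG):
        print(*finding)
```

On the sample, alice's 23:42 login is reported for both reasons (off-hours and a source address she had not used before), while carol's 02:15 login is reported only as off-hours because it is the first address seen for her; a per-user baseline built from a longer history, rather than from the same log, would make the second check more useful.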
6. Strong password policies are not implemented
An effective password policy is a set of rules that governs password creation and helps prevent sensitive data from being stolen. Strong passwords are the first line of defence in protecting your business data and customer information. But many companies have weak or non-existent password policies, putting them at heightened risk of a data breach.
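A baseline policy check of the kind described in this item, and in item 4 on vendor-default credentials, as an added example that is not part of the advisory: a Python function that reports every way a candidate password falls short (length, character classes, containing the username, or matching a known default or breached password), plus an audit over a device inventory. The minimum length, the `KNOWN_WEAK` list and the inventory are constructed assumptions standing in for a real policy and a real breached-password feed.

```python
"""Check passwords against a baseline policy and a default/breached-password list.

Added example, not from the advisory. KNOWN_WEAK is a short constructed list
standing in for a real vendor-default and breached-password feed; the device
inventory below is likewise constructed.
"""
import re

MIN_LENGTH = 14          # assumed policy minimum
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol

# Constructed stand-in for a vendor-default / breached-password list.
KNOWN_WEAK = {"admin", "password", "123456", "default", "changeme", "welcome1", "letmein"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password, username=None, weak_list=KNOWN_WEAK):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in weak_list:
        problems.append("matches a known default or breached password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if sum(bool(re.search(p, password)) for p in CLASS_PATTERNS) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    return problems


# Constructed device inventory: (hostname, username, password)
INVENTORY = [
    ("core-sw-1", "admin", "admin"),
    ("edge-fw-1", "netops", "Correct-Horse-Battery-9"),
    ("ap-lobby", "admin", "Password1"),
]


def audit_inventory(inventory):
    """Return {hostname: [violations]} for every device whose credentials fail."""
    failures = {}
    for host, user, password in inventory:
        violations = check_password(password, user)
        if violations:
            failures[host] = violations
    return failures


if __name__ == "__main__":
    for host, violations in audit_inventory(INVENTORY).items():
        print(host, "->", "; ".join(violations))
```

In practice the weak list should be a large external feed rather than an inline set, and the check belongs at password-change time and in a periodic credential audit of network devices, where vendor defaults tend to survive.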
7. Cloud services are unprotected
Unprotected cloud services are a recurring factor in security breaches. Default passwords, and in some cases no passwords at all, allow easy access to both corporate and client data.
8. Open ports and misconfigured services are exposed to the Internet
Attackers use scanning tools to discover open ports and leverage them as attack vectors. Compromising a host in this way opens the possibility of multiple further attacks once initial access is gained. RDP, NetBIOS, and Telnet are all potentially high-risk services on an insecurely configured network.
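An exposure audit for this item, as an added example that is not part of the advisory: a Python script that reads a CSV export of an external port scan, flags the services the item names (RDP, NetBIOS, Telnet) and a few similar ones as high risk, and marks anything else that is not on the organisation's intended public-service list for review. The CSV layout, the `HIGH_RISK_PORTS` table, the `ALLOWED_PUBLIC` set and the sample rows are constructed assumptions.

```python
"""Audit an external scan export for exposed high-risk or unapproved services.

Added example, not from the advisory. The CSV layout and the sample rows are
constructed; the port tables are assumptions to adjust to local policy.
"""
import csv
import io

# Services that should not be reachable from the Internet (assumed policy).
HIGH_RISK_PORTS = {
    21: "ftp", 23: "telnet", 135: "msrpc", 137: "netbios-ns",
    139: "netbios-ssn", 445: "smb", 3389: "rdp", 5900: "vnc",
}
# Services the organisation intends to publish (assumed).
ALLOWED_PUBLIC = {80, 443}

# Constructed scan export (RFC 5737 documentation addresses), not a real scan.
SCAN_CSV = """host,port,proto,state,service
198.51.100.5,443,tcp,open,https
198.51.100.5,3389,tcp,open,ms-wbt-server
198.51.100.6,23,tcp,open,telnet
198.51.100.6,80,tcp,open,http
198.51.100.7,139,tcp,open,netbios-ssn
198.51.100.7,22,tcp,open,ssh
198.51.100.7,8080,tcp,closed,http-proxy
"""


def audit_exposure(csv_text, allowed=ALLOWED_PUBLIC, high_risk=HIGH_RISK_PORTS):
    """Return (host, port, level, service) for every open port that needs attention.

    level is 'high' for ports in high_risk and 'review' for any other open
    port that is not on the allowed list; allowed ports are not reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["state"] != "open":
            continue
        port = int(row["port"])
        if port in high_risk:
            findings.append((row["host"], port, "high", high_risk[port]))
        elif port not in allowed:
            findings.append((row["host"], port, "review", row["service"]))
    return findings


def hosts_with_high_risk(findings):
    """Sorted list of hosts that expose at least one high-risk service."""
    return sorted({host for host, _port, level, _svc in findings if level == "high"})


if __name__ == "__main__":
    results = audit_exposure(SCAN_CSV)
    for host, port, level, service in results:
        print(f"{level:6} {host}:{port} ({service})")
    print("hosts to remediate first:", hosts_with_high_risk(results))
```

Closed ports are skipped, and the allowed list keeps the report focused on unexpected exposure rather than on every open port; running the audit from outside the perimeter, on a schedule, turns it into a simple drift check against the intended public footprint.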
9. Failure to detect or block phishing attempts
Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
10. Poor endpoint detection and response
Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.
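Detection logic for this item, as an added example that is not part of the advisory: a Python script that parses constructed process-creation log lines, decodes any `-EncodedCommand` argument (PowerShell expects UTF-16LE base64) so the real command can be inspected, and reports well-known indicators such as a hidden window, an execution-policy bypass, `Invoke-Expression`, download or base64-decode calls, and an Office application as the parent process. The key=value log layout is a constructed assumption loosely modelled on process-creation telemetry; the encoded sample is generated in the script from a harmless command so the decoding step runs offline.

```python
"""Detect suspicious PowerShell launches in process-creation log lines.

Added example, not from the advisory. The log format is a constructed
key=value layout loosely modelled on process-creation telemetry; adapt
parse_event() to your own source.
"""
import base64
import re

# Constructed sample: the encoded argument is built here from a harmless
# Invoke-Expression call so the decoder can be demonstrated offline.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Get-Content C:\\temp\\script.txt)".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe -NoProfile -Command Get-Date",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "CommandLine=powershell.exe -nop -w hidden -enc " + _ENCODED,
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=powershell.exe "
    "-ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:p|x(?:ecutionpolicy)?)\s+bypass", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|frombase64string", re.I)


def parse_event(line):
    """Split a constructed log line into (parent image path, command line)."""
    head, _, cmd = line.partition(" CommandLine=")
    parent = head.partition("ParentImage=")[2]
    return parent, cmd


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    match = ENC_RE.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line):
    """Return {'indicators': [...], 'decoded': str | None} for one log line."""
    parent, cmd = parse_event(line)
    indicators = []
    if parent.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        indicators.append("office-parent")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        indicators.append("encoded-command")
    if HIDDEN_RE.search(cmd):
        indicators.append("hidden-window")
    if BYPASS_RE.search(cmd):
        indicators.append("execution-policy-bypass")
    # Keyword checks run over the raw and the decoded command line together.
    text = cmd + " " + (decoded or "")
    if IEX_RE.search(text):
        indicators.append("invoke-expression")
    if DOWNLOAD_RE.search(text):
        indicators.append("download-or-decode")
    return {"indicators": indicators, "decoded": decoded}


def scan(lines):
    """Return (line_index, indicators) for every line with at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        found = analyze(line)["indicators"]
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, ", ".join(found))
```

The decoding step matters more than any single keyword: an encoded command hides its contents from simple string matching, so the indicators are evaluated over the decoded text as well. Single indicators such as an execution-policy bypass are common in legitimate administration, so a practical rule would alert on combinations (an Office parent plus an encoded, hidden-window launch) rather than on any one match.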
Mitigations to prevent attackers gaining access:
- Limit access
- Enforce strong password protection
- Adopt a zero-trust security model
- Harden conditional access policies
- Implement MFA
- Use antivirus solutions
- Employ detection tools
- Maintain rigorous configuration management programmes