Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations

According to a recent security advisory issued by the Five Eyes Cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand, the most common attack vectors used by cyber threat actors for initial access to networks are exploits of public-facing applications, external remote services, trusted relationships, phishing, and compromised credentials for valid user accounts.

These attack methods often succeed due to poor security practices, bad cyber hygiene, weak controls, and poor security configurations. The security advisory details the most commonly exploited controls and practices and provides recommendations for mitigations to strengthen security and block these attack vectors.

Top 10 Security Weaknesses Exploited by Hackers

The top ten security weaknesses exploited by hackers consist of poor security practices, weak security controls, and misconfigurations and unsecured systems, which allow the most common attack vectors to be used.

Slow software updates and patching

The failure to update software promptly and apply patches for known vulnerabilities gives attackers a window of opportunity for exploiting the vulnerabilities. Exploits for vulnerabilities are often released publicly within days or weeks. Vulnerabilities can be exploited to gain access to sensitive information, conduct denial-of-service attacks, or take full control of vulnerable systems. Slow patching is one of the commonest poor security practices.

Open ports and misconfigurations that expose services to the Internet

Another commonly identified vulnerability is the failure to close open ports. Hackers continuously scan for open ports and misconfigured services that expose systems to the Internet. The compromising of these services can provide attackers with initial access. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.

Failure to enforce multifactor authentication

Multifactor authentication should be enforced on all accounts to block attempts to use stolen credentials. This is especially important for Remote Desktop Protocol, other remote services, and accounts with administrative privileges. The lack of multifactor authentication for RDP is commonly exploited in ransomware attacks.

Use of default credentials and configurations

The failure to change default credentials provides attackers with easy access, as default credentials are often in the public domain. Default configurations are typically excessively permissible to ensure they are user-friendly, and the failure to change configurations can give attackers an avenue for exploitation.

Insufficient controls for remote access

Remote services are commonly targeted by threat actors who exploit a lack of sufficient authentication controls, such as no multifactor authentication. In addition to enforcing MFA, network defenders should consider implementing a boundary firewall in front of a VPN and IDS/IPS sensors to detect anomalous activity.

Incorrectly applied privileges or permissions, and errors within access control lists

Incorrectly applied privileges or permissions can prevent access control rules from being enforced, which could allow system processes or unauthorized users to be granted access to objects.

Poor password policies

Many different methods can be used to exploit weak, leaked, or compromised passwords to access victims’ systems. Policies should be set and enforced requiring strong, unique passwords to be used. Weak RDP passwords are commonly exploited.

Unprotected cloud services

Misconfigurations and poor security configurations can leave cloud services unprotected, giving threat actors easy access to sensitive data and permitting cryptojacking using cloud servers.

Insufficient phishing defenses

Phishing is one of the leading ways that threat actors gain a foothold in networks. Email security solutions should be used that have strong antivirus controls, use behavioral analysis to identify malware, and have the capability to scan embedded links. Security awareness training should be regularly provided to the workforce.

Poor endpoint detection and response

Endpoint detection solutions should be implemented that go beyond signature-based detection methods as threat actors commonly use obfuscated malicious scripts and PowerShell to bypass endpoint security solutions such as antivirus software.

Suggested Mitigations

The security alert includes several mitigations that can help network defenders strengthen security and protect against these commonly exploited weak security controls and practices. The suggested mitigations are concerned with controlling access, credential hardening, establishing centralized log management, deploying antivirus and other detection tools, conducting vulnerability scans, establishing a robust patch management program, and maintaining a rigorous configuration management program.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.