Valid Credentials Most Common Initial Access Vector in Cyberattacks on Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published the results of an analysis of risk and vulnerability assessments (RVAs) at federal civilian executive branch (FCEB) agencies, state, local, tribal, and territorial (SLTT) stakeholders, and high-priority private and public critical infrastructure operators. The report provides insights into the most common vulnerabilities and attack paths cyber threat actors use to access internal networks.
Malicious actors use a variety of methods to breach networks; however, the most common attack path involves valid accounts, which were used in 41% of successful attacks. RVA analyses revealed that cracking password hashes was common, and that it succeeded in 89% of assessments conducted by the U.S. Coast Guard (USCG) in gaining access to Domain Administrator accounts. The accounts accessed may be internal or external to the network; access is often gained by using default credentials, brute forcing weak passwords, or using stolen administrator accounts, including valid administrative credentials purchased from initial access brokers.
It was also common for the accounts of former employees that had not been removed from Active Directory to be compromised. Many of these attacks were possible because the accounts permitted the installation or execution of insecure software, such as software with known vulnerabilities that could be exploited. While this method of initial access remains the most common year-over-year, attacks involving valid accounts have decreased significantly from 2022, when more than half of successful attacks on critical infrastructure involved abuse of valid accounts.
The second most common attack path was the use of phishing or spear phishing to obtain sensitive information or credentials that could be used to gain access to the network. These attacks often involved the impersonation of a trusted individual such as a colleague, vendor, organization, or acquaintance. The success rate of these attacks depends on the protections in place for detecting malicious emails, including spam filters, web filters, and antivirus software, along with network boundary protection mechanisms, and on the perceived authenticity of the email content. The exploitation of vulnerabilities accounted for a relatively small number of successful attacks on critical infrastructure: just 6% of all successful attacks in 2023.
CISA recommends adhering to the practices and protections detailed in its Cross-Sector Cybersecurity Performance Goals, which were developed by CISA and the National Institute of Standards and Technology (NIST), and recommends that healthcare organizations adopt the HPH Sector Cybersecurity Performance Goals. These include implementing a secure password policy, which should require strong and unique passwords for all accounts, protecting accounts with phishing-resistant multifactor authentication, ensuring unnecessary and inactive accounts are revoked, and separating user and privileged accounts.
Robust anti-phishing measures should be implemented to block malicious emails, including filters with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to prevent spoofed or modified emails. Phishing targets individuals, so security awareness training should be provided to help with the identification and avoidance of phishing attacks. Employees should also be provided with an easy way to report suspected phishing attempts to their security team. Secure configuration baselines should also be established for user systems, such as ensuring that macros are disabled by default.
Software should be kept up to date with patches applied promptly, and logs of successful and unsuccessful login attempts should be kept and regularly reviewed by the security team. Policies should also be implemented to disable logins after a set number of failed attempts to resist brute force attacks.
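As an added illustration of the login-logging and lockout recommendations above (example code, not from the CISA report or HIPAA Journal), the script below parses constructed login events in an assumed `TS RESULT user=NAME src=IP` line format, flags accounts that reach a failure threshold inside a time window (what a lockout policy would disable), flags a success that follows such a burst, and separately flags one source failing against many accounts, the password-spraying pattern that per-account lockout counters alone miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events in an assumed "TS RESULT user=NAME src=IP" line format.
SAMPLE_LOG = """\
2024-03-04T09:00:01 FAILED user=jsmith src=203.0.113.7
2024-03-04T09:00:04 FAILED user=jsmith src=203.0.113.7
2024-03-04T09:00:09 FAILED user=jsmith src=203.0.113.7
2024-03-04T09:00:15 FAILED user=jsmith src=203.0.113.7
2024-03-04T09:00:21 FAILED user=jsmith src=203.0.113.7
2024-03-04T09:00:30 SUCCESS user=jsmith src=203.0.113.7
2024-03-04T09:05:00 FAILED user=alee src=198.51.100.9
2024-03-04T09:05:02 FAILED user=bkhan src=198.51.100.9
2024-03-04T09:05:05 FAILED user=cdiaz src=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_events(text):
    """Parse log lines into dicts sorted by time; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts hitting `threshold` failures inside `window`, and those where a success followed the burst."""
    recent = defaultdict(deque)      # user -> timestamps of failures still inside the window
    locked, guessed = {}, set()
    for ev in events:
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold:
                locked.setdefault(ev["user"], ev["ts"])
        elif ev["user"] in locked:   # SUCCESS after the threshold was hit: likely guessed password
            guessed.add(ev["user"])
    return locked, guessed

def find_spray_sources(events, min_users=3):
    """Sources failing against many distinct accounts: a spray pattern per-account counters miss."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "FAILED":
            users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_users}
```

The threshold and window should mirror the lockout policy actually configured, so that the review of the logs confirms the policy fired where it should have.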