Cybersecurity Authorities Issue Advisory on Common Initial Access Tactics

May 17, 2022 - Cybersecurity authorities from the US, the UK, Canada, the Netherlands, and New Zealand issued an advisory detailing initial access tactics that threat actors frequently use to infiltrate victim networks.

“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” the advisory began.

The statement highlighted a simple truth—threat actors do not necessarily need elaborate and sophisticated tactics to successfully take advantage of victims. Basic misconfigurations and poor cyber hygiene often give threat actors the leverage they need to exploit their victims.

Addressing common security weaknesses and implementing a robust security architecture can help organizations effectively mitigate cyber risk.

Specifically, the authorities identified the following five commonly used techniques: phishing, exploiting public-facing applications, manipulating external remote services, gaining access to valid accounts, and leveraging trusted relationships.

Each tactic enables threat actors to take advantage of security weaknesses and work their way into the victim’s network. The advisory also provided a list of common weak security controls, poor security practices, and poor configurations that organizations should remain aware of and work to mitigate.

The advisory stressed the importance of multifactor authentication (MFA) to prevent account takeovers.

“With Remote Desktop Protocol (RDP) as one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity,” the advisory noted.

“Do not exclude any user, particularly administrators, from an MFA requirement.”

Other weak security controls include out-of-date software, incorrectly applied privileges or permissions, and a lack of strong password policies. The advisory emphasized the importance of addressing unpatched software and devices, as they often serve as network entry points.

The cybersecurity authorities also called attention to unprotected cloud services, failure to detect or block phishing attempts, poor endpoint detection and response measures, and the use fo vendor-supplied default configurations.

To mitigate these risks, the advisory recommended that organizations adopt a zero trust security model and harden conditional access policies.

“Give personnel access only to the data, rights, and systems they need to perform their job. This role-based access control, also known as the principle of least privilege, should apply to both accounts and physical access,” the advisory recommended.

“If a malicious cyber actor gains access, access control can limit the actions malicious actors can take and can reduce the impact of misconfigurations and user errors. Network defenders should also use this role-based access control to limit the access of service, machine, and functional accounts, as well as the use of management privileges, to what is necessary.”

Employing antivirus programs, conducting regular penetration testing, and establishing centralized log management are some of the many ways in which organizations can enhance their security postures against commonly exploited initial access vectors.