Learn about the most common initial attack vectors and their protection recommendations.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an advisory on May 17, 2022, on inadequate security controls and practices that are often exploited by cybercriminals to gain initial access to their targets. According to the advisory, attackers often use phishing or exploit publicly available applications or external remote services to gain access to networks.
This article first discusses the most common initial attack vectors, followed by recommendations for protecting against these attacks.
Initial Attack Vectors
Phishing is one of the most common gateways. If the phishing email is convincingly crafted, the recipient will, as intended by the attacker, click on a link that downloads malware or open the attachment that contains and directly executes malware, be it an archive file, a PDF document or an Office document with embedded macros. This leads to the infection of the affected systems if the email is not detected as phishing in advance or blocked.
If strict password policies are not implemented, attackers can use various techniques to exploit weak, compromised, or leaked passwords to gain unauthorized access to a system. Remote access services such as VPN (Virtual Private Network) or RDP (Remote Desktop Protocol) are popular targets. In addition, multi-factor authentication (MFA) is often not enforced. If an account’s credentials are known, and MFA is not enabled, accounts can be hijacked (including those of administrators). Attackers can thus continue to penetrate the network unnoticed.
Exposed Ports and Services
Attackers also often use scanning tools, such as Shodan or Censys, to identify open ports and misconfigured services exposed on the Internet. These services are then exploited to gain an initial foothold in the network, after which an attacker can compromise further vulnerable systems. RDP, Server Message Block (SMB), Telnet, and NetBIOS are among the high-risk services here.
Unpatched systems are also among the most frequently used attack vectors. New vulnerabilities are constantly being discovered, and the patches released to fix them are often not applied in a timely manner. By successfully using publicly known exploits, attackers can, amongst other things, gain control of a system or access to sensitive information. This was the case, for example, with ProxyLogon and log4j. Attackers can also compromise third parties in the supply chain and abuse trust relationships (so-called supply chain attacks) – for example, the Sunburst Hack.
Another common technique, which is not part of CISA’s advisory but is still worth mentioning from Oneconsult’s point of view, is the use of removable media, for example, infected USB sticks. However, this method requires physical interaction with the victim. If the victim discovers a USB stick, he may plug it into his computer to see what it contains and to whom it might belong. The attackers thus rely on curiosity to achieve their goal.
9 Recommendations for Protection Against Cyber Attacks
The following mitigations are recommended to protect against the aforementioned attacks.
Patch and Vulnerability Management
As a matter of principle, all software and systems should always be kept up-to-date and promptly updated to the latest versions, either manually or with the help of centralized management tools. For this purpose, it is recommended to introduce patch and vulnerability management. This provides an overview of the entire IT infrastructure and the software in use (and their versions). Based on this information, systems and software can be prioritized and patched in the vulnerability management process.
In addition, all systems should be equipped with protection software (an antivirus solution, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), etc.) that can be centrally managed. The program and its signatures should also be kept up to date. Alerts must be logged and checked regularly.
Password Policy and MFA
Likewise, a password policy should be implemented and enforced. Long, random and unique passwords can be generated and managed using a password manager. It is also recommended to monitor credentials for their possible disclosure, for example using “Have I Been Pwned”. In addition, multi-factor authentication (MFA) should be used especially for critical applications, VPN connections, Internet-accessible services, and accounts with high privileges or access to sensitive information.
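The Have I Been Pwned check described above can be done without sending the password or its full hash to the service: only the first five hex characters of the SHA-1 hash are sent, and the returned range is matched locally. The following Python is an added example (not code from Oneconsult or from the Have I Been Pwned project); the range response, the breach counts and the minimum length of 14 are constructed assumptions.

```python
import hashlib

def hibp_range_query(password: str) -> tuple:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    range endpoint and the 35-char suffix that never leaves the host
    (the k-anonymity model used by Have I Been Pwned)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(prefix: str) -> str:
    # Shape of the real endpoint; only the prefix is disclosed to the service.
    return "https://api.pwnedpasswords.com/range/" + prefix

def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Number of breaches the password appeared in, given the response body
    fetched for this password's own prefix (0 if the suffix is absent)."""
    _prefix, suffix = hibp_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)

def password_acceptable(password: str, range_body: str, min_len: int = 14) -> bool:
    """Policy check: long enough (min_len is an assumed value) and never seen
    in a known breach. Both conditions are required."""
    return len(password) >= min_len and breach_count(password, range_body) == 0

# Constructed response for prefix 5BAA6; the counts are made up, not live data.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
    "1E4C9B93F3F0682250B6CF8331B7EE68FDA:1",
])

if __name__ == "__main__":
    prefix, _ = hibp_range_query("password")
    print(range_url(prefix), "->", breach_count("password", SAMPLE_RANGE_5BAA6))
```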
Principle of Least Privilege
In addition, the Principle of Least Privilege should be applied so that users do not have too many privileges. Users should only have access to the data and systems they need to perform their tasks.
Networks should also be segmented to separate critical environments and isolate critical systems such as backups into separate zones from exposed areas. In addition, services running on hosts with Internet access should be run with secure configurations. Segmenting the network helps protect against payload delivery and, in particular, lateral movement.
Hardening The Email and Web Infrastructure
The email infrastructure should block phishing emails and malicious attachments, in particular by blocking specific file extensions. The list provided by GovCERT can be used for this purpose. In addition, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) can prevent the forgery (“spoofing”) of source email addresses; they should therefore be set up accordingly. In addition, the web infrastructure, including browsers, should be hardened to ensure that all systems pass traffic through a web proxy before connecting to websites so that connections to malicious domains can be blocked or at least logged.
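Two of the checks above, blocking attachments by extension and verifying that a domain's SPF and DMARC records actually enforce something, are shown in the following Python as an added example (not code from Oneconsult or GovCERT). The extension subset and the DNS records are constructed assumptions, not the GovCERT list or real domain data; DKIM is omitted because it requires verifying a signature, not inspecting a record.

```python
import re

# Constructed subset of high-risk attachment extensions; the GovCERT list the
# article refers to is the authoritative source and is not reproduced here.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "docm", "xlsm", "iso"}

SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def attachment_blocked(filename: str) -> bool:
    """True if the attachment's effective extension is on the blocklist.
    Normalises case and trailing dots/spaces and judges by the last
    extension, so 'Invoice.pdf.EXE' is blocked while 'report.pdf' passes."""
    name = filename.strip().lower().rstrip(". ")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS

def assess_spf(txt: str) -> str:
    """Classify an SPF TXT record by the qualifier of its 'all' mechanism;
    only '-all' (fail) rejects mail from unlisted senders outright."""
    if not txt.startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", txt)
    if not m:
        return "no-all"
    return SPF_ALL[m.group(1) or "+"]

def assess_dmarc(txt: str) -> str:
    """Return the DMARC policy tag (none/quarantine/reject) or 'missing'."""
    if not txt.startswith("v=DMARC1"):
        return "missing"
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("p", "missing")

def spoofing_protected(spf_txt: str, dmarc_txt: str) -> bool:
    """Domain counts as protected only when SPF hard-fails and DMARC enforces."""
    return assess_spf(spf_txt) == "fail" and assess_dmarc(dmarc_txt) in ("quarantine", "reject")

# Constructed records for a fictitious domain (not real DNS data).
SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"
SPF_WEAK = "v=spf1 mx ~all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for f in ("report.pdf", "Invoice.pdf.EXE", "macro.docm"):
        print(f, "blocked" if attachment_blocked(f) else "allowed")
    print("strict:", spoofing_protected(SPF_STRICT, DMARC_REJECT), "weak:", spoofing_protected(SPF_WEAK, DMARC_NONE))
```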
Preventing The Use of Removable Media
The use of removable media should be prevented via group policies. Execution from removable media can be blocked through application control, using AppLocker (available since Windows 7) or Windows Defender Application Control (see Microsoft; available since Windows 10 and Windows Server 2016). It is also possible to disable AutoPlay (see Microsoft) via the registry. AutoPlay issues a notification when an external disk is inserted and offers a menu of choices when the user clicks on the notification. Here, one of the best protective measures is to promote awareness among employees. They should be trained not to plug external media such as USB sticks or unknown cables directly into their computers. Attacks involving devices such as BadUSB, USBHarpoon (see MG) and Rubber Ducky (see GitHub) can be prevented in this way.
Raising User Awareness
End users, in general, should be made aware of the issue of security. They are often referred to as the weakest link in cybersecurity, and they are also the main target of attacks. Therefore, they need to be educated about potential attacks and risks so that they can detect and prevent them. For more information on how to identify a malicious email, see the article “Emails as a popular gateway for attackers”.
Defence in Depth
Attackers often find a way to circumvent the measures in place, which is why a so-called “Defence in Depth”, i.e., a multi-layered security strategy, is just as important. It must also be possible to detect attacks for which no specific protective measure exists. Therefore, it should be ensured that logs on workstations, servers, and network devices are created, centrally collected, monitored, and evaluated. Since workstations are often the first point of entry into the network, their logs should be enhanced, for example, by enabling Script Block Logging (see Microsoft) to capture the contents of all PowerShell script blocks, or by deploying Sysmon (see Microsoft) from Microsoft’s Sysinternals suite.
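Collecting Script Block Logging events centrally is only useful if someone evaluates them. The following Python is an added example (not code from Oneconsult or Microsoft) of that evaluation step: it parses exported Microsoft-Windows-PowerShell/Operational event 4104 records and flags script blocks that match a small rule set. The rule set and the two sample events are constructed assumptions; a real deployment would tune the rules against its own baseline.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed rule set for this example: patterns a central log review commonly
# flags in script block text. Tune against your own noise baseline.
SUSPICIOUS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

def parse_4104(xml_text: str):
    """Extract host, script path and ScriptBlockText from one exported
    PowerShell/Operational event; returns None if it is not a 4104."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": system.findtext("e:Computer", namespaces=NS),
        "path": data.get("Path", ""),
        "text": data.get("ScriptBlockText", ""),
    }

def triage_script_blocks(xml_events):
    """One finding per 4104 event whose script block matches at least one rule."""
    findings = []
    for xml_text in xml_events:
        ev = parse_4104(xml_text)
        if ev is None:
            continue
        rules = [name for name, rx in SUSPICIOUS.items() if rx.search(ev["text"])]
        if rules:
            findings.append({"computer": ev["computer"], "path": ev["path"], "rules": rules})
    return findings

# Constructed sample events (not real log data): a benign inventory script and
# an in-memory script block decoding base64 and passing it to IEX.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>4104</EventID><Computer>WS01.example.local</Computer></System><EventData>'
    '<Data Name="ScriptBlockText">Get-ChildItem -Path C:\\Users</Data>'
    '<Data Name="Path">C:\\scripts\\inventory.ps1</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>4104</EventID><Computer>WS02.example.local</Computer></System><EventData>'
    '<Data Name="ScriptBlockText">IEX ([Text.Encoding]::Unicode.GetString('
    '[Convert]::FromBase64String($blob)))</Data><Data Name="Path"></Data></EventData></Event>',
]
```

An empty Path is itself worth noting in a finding: it means the script block was not loaded from a file on disk.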
The attacks mentioned in the CISA advisory, such as phishing and the exploitation of vulnerabilities or services exposed on the Internet, can be prevented by simple measures such as blocking malicious attachments, implementing patch management and a password policy, and activating multi-factor authentication. In addition, the training of all employees in the area of cyber security is of central importance.
About the Author
Nadia Meichtry studied forensic sciences at the University of Lausanne and graduated with a Master in Digital Forensics in summer 2020. She is a certified GIAC Certified Forensic Analyst (GCFA) and GIAC Reverse Engineering Malware (GREM), and certified OSSTMM Professional Security Tester (OPST). Nadia joined Oneconsult in August 2020 as a Digital Forensics & Incident Response Specialist.