
Top Initial Attack Vectors: Passwords, Bugs, Trickery

Use of LOLBins, GitHub Tools and Cobalt Strike Also Widespread, Researchers Say
This shows how attackers gained initial access to a victim's network, as found during Kaspersky's 2020 incident response investigations. Note that in 45% of investigations, the initial access vector could not be identified.

Here are the top three tactics attackers have been using to break into corporate and government networks: brute-forcing passwords, exploiting unpatched vulnerabilities, and social engineering via malicious emails.


So says security firm Kaspersky, in a new incident response report analyzing investigations it undertook during 2020.

The top-level takeaway is bad news: Attackers are continuing to use previously seen tactics to gain entry to corporate networks, followed by using recognizable tools to reconnoiter and gain high-level access to systems, after which they often unleash ransomware, steal data or pursue another criminal scheme. For ransomware attacks in particular, the time between intrusion and culmination - when files get forcibly encrypted - can be hours, or just a few days.

In many cases, damage has already been done before a victim has had time to investigate. In the report, Kaspersky says that while 53% of the incident response investigations it led were launched after suspicious activity was detected, in 37% of cases, files had already been forcibly encrypted, while 7% of the time data leakage had been discovered, and in 3% of cases, an organization suspected that funds had gone missing.

Luckily for some firms, about 10% of investigations turned out to be false positives - as in, suspicious activity from network sensors, endpoint protection products or suspected data leakage turned out to not be malicious.

Attackers' Top Goals

For the rest, however, one-third of intrusions led to ransomware infections - in a sign of just how prevalent this type of attack has become - while 15% resulted in data leakage, which could potentially also be tied to ransomware attackers stealing data to try and force victims to pay a ransom. In addition, 11% of intrusions resulted in attackers retaining persistent access to a network, meaning they might continue the attack later.

"Ransomware adversaries employ almost all widespread initial access scenarios," Kaspersky says. "Attacks starting with brute force are easy to detect in theory, but in practice only a fraction of them were identified before impact."

Why do criminals target different sectors? Leading motivations, when they could be ascertained, include ransomware (yellow), data leakage (gray), stealing money (green) and generalized "suspicious activity" (orange). "The government sector showing no data leaks is likely due to the fact that governmental personally identifiable information-heavy systems are usually hosted by telecommunications and IT providers," Kaspersky says.

Challenges: Old Logs, Accidental Evidence Destruction

In nearly half of cases, how exactly attackers broke in remained a mystery.

"We identified the initial vector in 55% of cases," Kaspersky says. "Very old incidents, unavailable logs, (un)intentional evidence destruction by the victim organization and supply-chain attacks were among the numerous reasons for failing to identify how adversaries initially gained a foothold in the network."

Kaspersky didn't immediately respond to a request for comment about exactly how many incident response and digital forensics investigations it undertook last year.

Talk Tools, Because Attackers Do

Tools seen used in different stages of the MITRE ATT&CK framework (Source: Kaspersky)

One challenge for security teams is that attackers continue to rely on a number of tools that can be used legitimately by IT teams. In many cases, attackers are also using easily accessible - and very effective - offensive tools that can be obtained for free.

Kaspersky says that "almost half of all incident cases included the use of existing operating system tools like LOLbins" - referring to legitimate OS binaries that attackers can turn to nefarious use - plus "well-known offensive tools from GitHub - e.g., Mimikatz, AdFind, Masscan - and specialized commercial frameworks such as Cobalt Strike."

Essential Defenses: Back to Basics

To block attackers' use of such tools, Kaspersky recommends defenders "implement rules for detection of widespread tools used by adversaries," and whenever possible, "eliminate usage of similar tools by internal IT teams," as well as test the speed and effectiveness with which the organization's security operations center can spot, trace and block the use of such tools.
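One way to turn that recommendation into a concrete detection rule, as an added example that is not from Kaspersky's report: the script below scans Sysmon-style process-creation records for the tools named above, checks the original file name so a renamed binary is still caught, flags LOLBins only when launched from an unexpected parent, and exempts a (hypothetical) allowlisted IT account for the sanctioned use the report says should otherwise be eliminated. The log records, field names and approved-operator list are constructed for illustration.

```python
"""Flag execution of widely abused tools in Sysmon-style process-creation events."""

# Tools named in the report, mapped to the ATT&CK tactic they usually serve.
TOOL_SIGNATURES = {
    "mimikatz": "Credential Access",
    "adfind": "Discovery",
    "masscan": "Discovery",
    "cobaltstrike": "Command and Control",
}
# LOLBins are legitimate OS binaries; alert only when an Office process spawns them.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Hypothetical allowlist: one service account permitted to run AdFind for AD audits.
APPROVED = {("adfind", "CORP\\svc_adaudit")}

def normalize(path):
    """Lower-case the file name portion of a Windows path ('' if path is empty)."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return (tactic, tool, user) for a suspicious event, or None if it looks benign."""
    image = normalize(event["Image"])
    original = normalize(event.get("OriginalFileName", image))  # survives renaming
    parent = normalize(event.get("ParentImage", ""))
    for tool, tactic in TOOL_SIGNATURES.items():
        if tool in image or tool in original:
            if (tool, event["User"]) in APPROVED:
                return None  # sanctioned IT use; still worth logging in practice
            return (tactic, tool, event["User"])
    if image in LOLBINS and parent in OFFICE_PARENTS:
        return ("Execution", image, event["User"])
    return None

def scan(events):
    """Run classify() over a list of events and keep only the hits."""
    return [hit for hit in (classify(e) for e in events) if hit]

# Constructed sample records shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "mimikatz.exe",
     "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Tools\AdFind.exe", "User": "CORP\\svc_adaudit",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Tools\AdFind.exe", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "User": "CORP\\asmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
]

if __name__ == "__main__":
    for tactic, tool, user in scan(SAMPLE_EVENTS):
        print(f"[{tactic}] {tool} run by {user}")
```

Testing the rule against the SOC, as the report suggests, means replaying such records through the pipeline and timing how long it takes for the alert to be triaged and the process blocked.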

Another takeaway from the report is that eliminating known vulnerabilities and - wherever possible - locking down access by implementing two-factor authentication appears to drive many attackers to look elsewhere.

Kaspersky says 13% of all incidents it investigated for which the initial intrusion could be identified traced to known vulnerabilities in products that victims had yet to patch. These were the top vulnerabilities exploited in 2020.

"When attackers prepare their malicious campaign, they want to find low-hanging fruit like public servers with well-known vulnerabilities and known exploits," Kaspersky says. "Implementing an appropriate patch management policy alone reduces the likelihood of becoming a victim by 30%, and implementing a robust password policy reduces the likelihood by 60%."

Recommendations that organizations have strong password policies, widespread use of multifactor authentication - especially for accounts with administrative-level access, as well as for remote desktop protocol and VPN connections - and robust vulnerability management programs aren't anything new.

But the widespread lack of these essential information security program attributes is a reminder that to be more effective, many organizations need to get back to basics.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
