A joint multi-national cybersecurity advisory has revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organisation networks, as well as the techniques they use to gain access.
The advisory cites five techniques used to gain leverage:
- Public facing applications. Anything internet-facing can be a threat if not properly patched and updated. Whether a glitch, bug, or design, a poorly secured website or database can be the launchpad for an exploit.
- External remote services. Theft of valid accounts is often combined with remote corporate services like VPNs or other access mechanisms. This allows attackers to infiltrate and persist on a network.
- Phishing. A mainstay of business-centric attacks, everything from spear phishing to CEO fraud and Business Email Compromise (BEC) lies in wait for unwary admins.
- Trusted relationships. Attackers will map out relationships between organisations. Third-party trusted access from one organisation to the target will itself become a target, used to gain access to otherwise unreachable internal networks.
- Valid accounts. These may be obtained by phishing, social engineering, insider threats, or carelessly handed data.
There’s some degree of overlap between most of these techniques, with some following on naturally from another. The advisory lists ten different areas for concern, which you can see below. If you recognise some as potential weak points, or your organisation has no policy on the issues raised, it may be time to take this bull by the horns.
10 ways attackers gain access to networks
1. Multifactor authentication (MFA) is not enforced
MFA is especially useful when bad actors have such a heavy focus on techniques like phishing, trusted relationships, and valid accounts. Any of these approaches could have serious long-term impacts on an affected organisation. It’s not just how they get in, but what they get up to afterwards.
A company struck down with ransomware and data exfiltration may have experienced several stages of attack to reach this point. Imagine if all of them had never taken place because the initial point of entry, a phished password, had been protected with MFA. An absolutely invaluable tool for all users, and especially for administrators or people with elevated privileges.
2. Incorrectly applied privileges or permissions and errors within access control lists
Users should only be able to access resources necessary for any given purpose. Someone accidentally granted admin level controls on a corporate website may cause chaos if their account is compromised, or they leave the business and nobody revokes access. On a similar note, Access Control Lists (ACLs) used to filter network traffic and/or grant certain users file access can go bad quickly if users are granted the wrong access permissions.
3. Software is not up to date
Asset and patch management will help keep operating systems and other key software up to date. Vulnerability scans are valuable for assessing which software is unsupported, in an end-of-life state, or another category which means continuous updating may be difficult. Outdated software ripe for attack via exploits is one of the most common bad practices leading to network compromise.
4. Use of vendor-supplied default configurations or default usernames and passwords
Off the shelf hardware using default setups are a no go for business. There’s a very good chance default username/passwords are easily available online, on everything from access dumps to generic questions on help sites. Not changing defaults on both hardware and software is going to be one of the number one ways an organisation is breached without knowing about it.
Depending on where you live, default passwords may be a major point of concern not just in a business sense but in a very legal one too. Default configurations are now running the risk of bans and fines.
5. Remote services—such as a virtual private network (VPN)—lack sufficient controls to prevent unauthorized access
Additional security and privacy tools require care to be taken with regard setup and configuration. A poorly-designed workplace VPN may be easily accessed by an attacker, and could also help mask exploration and exploitation of the network. MFA is useful here, as is monitoring connection times for abnormal use patterns such as suddenly connecting to the VPN outside of work time.
6. Strong password policies are not implemented
Insufficient and weak passwords are a key way to gain a foothold on the network. Poor Remote Desktop Protocol (RDP) setups are hit particularly hard by bad password practices. It’s a common way ransomware attacks begin life on a corporate network.
Password guessing tools will keep trying until they guess a weak password and enable entry into the target organisation. One way to combat this is limit the amount of login attempts via RDP before locking the user out.
7. Cloud services are unprotected
Unprotected cloud services are a permanent feature of security breach stories. Default passwords, and in some cases no passwords, allows for easy access to both corporate and client data. Aside from the actual harm of people’s data left lying around, the reputational damage for those responsible can be immense. It’s much better to not end up in this scenario in the first place.
8. Open ports and misconfigured services are exposed to the Internet
Criminals use scanning tools to discover open ports and leverage them as attack vectors. Compromising a host in this way can give rise to the possibility of multiple attacks after gaining initial access. RDP, NetBios, and Telnet are all potentially high-risk for an insecure network.
9. Failure to detect or block phishing attempts
Malicious macros in Word documents or Excel files are a key feature of business-centric phishing attacks. They may be a little closer to being ushered through the exit, thanks to recent permission changes in Office products which makes it harder to run them.
Even without the threat of bogus attachments, phishing is still a huge problem for administrators. No scanning of mails coming into the network, or checking message content from internal senders for signs of compromised accounts, will add to this issue. This internal threat is another area where MFA will help greatly. A policy for swift disabling and deletion of accounts for departed employees should also be considered.
10. Poor endpoint detection and response
Cybercriminals frequently make it as hard as possible to identify the attacks they use. Malware is packed in certain ways to avoid detection and identification. Malicious scripts uploaded to websites are obfuscated so it’s difficult to figure out exactly what they’re doing.
Is your website playing host to a card skimmer or SEO poisoning and spam redirection? Without the right tools and analysis, it may take much longer to figure out and your business will suffer for the duration.
Best practices to protect your systems
The advisory includes a helpful list of ways to combat some of these issues:
- Control access: Rigorously policing who can access what, when, and how is important. Allow local logins only for administrators, barring them from RDP unless absolutely necessary. Consider dedicated admin workstations if feasible. Everyone should only have access to what is required to do their job effectively, with a proper business flow required to authorise requested additional permissions. If employees change roles or leave the organisation, revoke their access immediately.
- Harden Credentials: MFA across all areas of the organisation is again key here. Consider physical hardware tokens for those with access to business critical services. If MFA is not available for certain employees, make use of other security techniques to minimise unauthorised logins. A rigorous password policy combined with checking devices used, time of day, location data, and user history can help piece together a picture of what could reasonably be described as a legitimate employee.
- Establish centralized log management: Log generation and retention are essential tools for many aspects of security. Data from intrusion detection tools help shape a picture of potentially malicious activity, where it comes from, which time of day, and so on. Determine which logs you require. Do you need a full picture of cloud activity? Is system logging important? Are you able to capture activity on the network? Decide on a retention period. Too short a timeframe and you may have to refer back to logs which no longer exist. Too long, and there may be privacy issues around what what you’ve captured and retained. Safe storage is also important, as you don’t want attackers tampering with the data you’ve collected.
- Use antivirus solutions: Workstations require security solutions capable of dealing with exploits that require no user interaction and attacks reliant on social engineering. Desktop hijacks, malvertising, and bogus attachments are just some of the threats to consider. Routine monitoring of scan results will assist with figuring out weak spots in your security perimeter.
- Employ detection tools: An Intrusion Detection System (IDS) helps sniff out malicious network activity and protects from dubious activity. Penetration testing can expose misconfigurations with services listed above such as cloud, VPNs, and more. Cloud service provider tools will aid in pinpointing overshared storage and irregular or abnormal access.
Stay safe out there!