Five Eyes Alliance Advises on Top 10 Initial Attack Vectors
Cybersecurity Companies Weigh in on Pros and Cons of the Latest Alert
Misconfigured or unconfigured security configurations, weak controls and a lack of proper authentication protocols are among the 10 most common initial access vectors "routinely exploited" by threat actors, says Five Eyes, the alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand and Canada.
Initial Access Attack Vectors
Malicious threat actors regularly use techniques such as exploiting public-facing applications, external remote services, phishing and trusted relationships to gain initial access into victims' systems, according to the joint advisory from the Five Eyes alliance. To leverage these techniques, the advisory says, they use the following top 10 initial access vectors:
- Unenforced multifactor authentication: MFA, particularly for remote desktop access, can help prevent account takeovers.
- Incorrectly applied privileges or permissions and errors within access control lists: These mistakes can prevent the enforcement of access control rules and allow unauthorized users or system processes to be granted access to objects.
- Outdated or unpatched software: Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack or take control of a system.
- Use of vendor-supplied default configurations or default login usernames and passwords: Many software and hardware products come out of the box with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service.
- Lack of sufficient controls in remote services: Remote services, such as virtual private networks, lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services.
- Lack of strong password policies: Malicious cyber actors can use a myriad of methods to exploit weak, leaked or compromised passwords and gain unauthorized access to a target system.
- Unprotected cloud services: Misconfigured cloud services are common targets for threat actors. Poor configurations can allow for sensitive data theft and even attacks such as cryptojacking.
- Internet-facing open ports and misconfigured services: This is one of the most common vulnerability findings. Threat actors use scanning tools to detect open ports and often use them as an initial attack vector.
- Lack of phishing detection and mitigation measures: Threat actors send emails with malicious macros - primarily in Microsoft Word or Excel files - that often go undetected due to inadequate technology adoption.
- Poor endpoint detection and response: Threat actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices.
If organizations are aware of these attack vectors, they can be better prepared to counter the threats and reduce risks.
Rob Joyce, director of cybersecurity at the National Security Agency, says that there is "no need for fancy zero-days when these weak controls and misconfigurations allow adversaries access."
CISA Director Jen Easterly concurs and advises users, via Twitter, to review and act on the Five Eyes advisory.
"Malicious cyber actors don’t need to use zero-days to compromise your data—they just need to exploit poor security configs, weak controls & a range of bad cyber practices. Let’s make it A LOT harder on them—check out this CSA to help reduce your risk: https://t.co/ZjOSAdjE5E"
Jen Easterly Shields Up! (@CISAJen), May 17, 2022
The mitigation measures offered in the joint advisory include:
- Controlling access: This includes adoption of the zero trust security model and role-based access control.
- Credential hardening: This includes implementation of MFA and changing vendor- or device-specific default passwords.
- Centralized log management: Each application and system should generate sufficient log information. This plays a key role in detecting and dealing with attacks and incidents.
- Employment of antivirus and detection tools: This includes intrusion detection and prevention systems.
- Initiating and maintaining configuration and patch management programs: Always operate services exposed on internet-accessible hosts with secure configurations and implement asset and patch management processes.
Useful Advice - But Tough to Implement
As lists go, this is a very good one and enumerates the most common reasons why organizations fall victim to cyberattacks, says Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel. "By following CISA's recommendations, organizations can drastically improve their security posture and resilience to cyberattack," he says.
But, he adds, many of these recommendations can be difficult to implement, especially at organizations that don't already have a strong cybersecurity culture.
"It's also difficult for an organization without an existing culture to know where to begin. For example, the mitigations list starts with 'Adopt a zero trust security model.' Zero trust can be an incredibly effective approach to network defense, but can also be a significant undertaking to implement," he says.
This is particularly true for organizations with large environments, legacy dependencies or limited resources for staff or budget, Clements tells Information Security Media Group. "It's critical for every organization to adopt a true culture of security to evaluate their individual risk, which best practices can be implemented quickly, and form both a short- and long-term strategy for defense. There should also be a candid assessment of areas where it makes sense to partner with outside organizations for assistance," he says.
"An SOC is a great thing to have in this case, but not all organizations will have the resources to build and staff their own."
Focus on Social Engineering
While it's a good effort, this list, like many others, doesn't acknowledge that phishing and social engineering make up 50% to 90% of the cybersecurity problem, says Roger Grimes, data-driven defense evangelist at KnowBe4.
"Like most warnings, it mentions phishing and social engineering almost in passing," he says. "None of the mitigations mention ... better training employees to recognize and defeat phishing attacks," he adds. Grimes says social engineering is the biggest threat by far, but "no one who is reading the document would know that defeating it is the single best thing you can do."
Preventing social engineering "is better than firewalls, antivirus, MFA, zero trust defenses and everything else added up all together," he says and warns that "if defenders do not concentrate on and do more to defeat social engineering, they just are not going to be successful in keeping hackers and malware out."
Is Passwordless the Future?
The joint advisory also highlights just how frequently weak passwords and user credentials appear in attacker exploits.
Whether it's exploitation of default passwords, phishing, guessing insecure passwords, failure to deploy MFA or use of stolen login credentials, passwords are clearly a key enabler behind many cyberattack scenarios, Mike Newman, CEO of My1Login, tells ISMG.
Organizations need to take action against this threat, and one of the best remedies, Newman tells ISMG, is to remove passwords from the hands of users and enable the transition to passwordless security.
"This limits the chances of passwords being stolen and phished for and also means users are not forced to employ insecure password practices," he says.
Last month, the Five Eyes alliance published a similar list of the most routinely exploited vulnerabilities in the past year, which included CVEs for the Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence and VMware vSphere Client vulnerabilities (see: The Top 15 Most Routinely Exploited Vulnerabilities of 2021).