The Top Ten Initial Access Attack Vectors, According to the Experts


As the old saying goes, an ounce of prevention is worth a pound of cure. And in a landscape where being targeted by a cyberattack is more a question of when than of if, you want as much prevention as possible. With that in mind, the Cybersecurity & Infrastructure Security Agency (CISA) recently released an advisory detailing the exploits and tactics typically used by threat actors in the early stages of an attack.

The result of a collaboration between cybersecurity agencies in Canada, New Zealand, the Netherlands, and the United States, the report identifies the following as the top five strategies leveraged by threat actors:

  • Phishing and spear phishing
  • Exploiting trusted relationships between businesses
  • Targeting public-facing applications
  • Compromising valid accounts
  • Attacking access mechanisms such as VPNs


Alongside these strategies, threat actors tend to exploit one or more of the following vulnerabilities for initial access: 

  1. Lack of multifactor authentication
  2. Incorrect privileges or permissions
  3. Outdated or unpatched software
  4. Default usernames, passwords, and/or configurations
  5. Insufficient authorization controls on remote access tools
  6. Weak passwords/absence of a strong password policy
  7. Misconfigured or unsecured cloud services
  8. Misconfigured network services or devices
  9. No preventative measures for phishing attacks  
  10. Poor or no endpoint detection and response (EDR)

Recommended best practices for addressing the risks above include embracing zero trust network access, applying least privilege, centralizing management of security solutions and logs, and deploying the proper security software. 

CISA’s report essentially confirms what we already knew, or at least suspected: when it comes down to it, most threat actors are not going to employ highly sophisticated tactics like those seen in last year’s SolarWinds breach. Instead, they will simply follow the path of least resistance.

They’ll look for misconfigurations and obvious or unpatched vulnerabilities to exploit. They’ll seek out businesses with poor security hygiene or a complete lack of cybersecurity awareness training. They’re not looking for a challenge.

They’re looking for an easy target. 

Consequently, your best defense against the vast majority of threats facing your business is a strong security posture. The idea isn’t to prevent attacks entirely. The sheer quantity of threat actors makes that a near impossibility.

Instead, hygiene and posture are meant to make your business as inconvenient a target as possible. Eventually, most will decide you aren’t worth the effort and move on to easier, less secure targets. And for those rare few that don’t—for the rare occasion when you’re unlucky enough to be targeted by a sophisticated threat actor or organization? 

That’s where your security software comes in. With adequate threat intelligence, analytics, threat hunting, and mitigation tools, you can ensure that you have both the security to prevent the majority of attacks and the resilience to mitigate those that cannot be prevented.