Cybersecurity agencies reveal top initial access attack vectors

A joint security advisory issued by multiple national cybersecurity authorities revealed today the top 10 attack vectors most exploited by threat actors for breaching networks.

The advisory, jointly released by agencies from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom, includes guidance to mitigate these routinely exploited weak security controls, poor security configurations, and bad practices.

"Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system," the joint advisory reads.

Attackers also have a few favorite techniques they regularly use to gain initial access to their victims' networks, including the exploitation of Internet exposed applications, leveraging external-facing remote services, phishing, abusing orgs' trust in their partners, and using stolen credentials.

The complete list of the top 10 initial access vectors targeted by malicious actors while employing the above network breaching techniques includes:

• Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. 
• Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects. 
• Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system.
• Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service.
• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services.
• Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. 
• Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
• Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector.
• Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. 
• Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices.

Best practices to reduce breach risks

The joint advisory also contains a shortlist of best practices to help protect networks against attacks targeting the above weak security controls, poor configurations, and poor security practices.

It includes the use of control access, hardened credentials (including MFA and changing default passwords), centralized log management, and antivirus and detection tools (including intrusion detection and prevention systems).

Organizations are also advised always to ensure that public-facing services use secure configurations and that software is kept updated via a patch management program.

Last month, in partnership with the NSA and the FBI, Five Eyes cybersecurity authorities also released a list of the top 15 vulnerabilities routinely exploited by attackers during 2021.

CISA and the FBI have also published a list of the topmost exploited security flaws between 2016 and 2019 and one with the top targeted bugs in 2020 in collaboration.

Last but not least, in November, MITRE shared a list of the most dangerous programming, design, and architecture security flaws plaguing hardware in 2021 and one with the top 25 most common and dangerous weaknesses plaguing software throughout 2019 and 2020.