Alessandra Peters

20/08/2022

MITRE ATT&CK Initial Access Techniques: How Attackers Gain Access to Corporate Networks

From months-long APT campaigns against multinational companies to opportunistic hacks, every cyberattack starts with a threat actor gaining initial access. 

As a guide for helping defenders map out how an attack on their organisation might start, the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is an unrivalled resource. Within this security knowledge base, initial access techniques are covered in the TA0001 section. Here, MITRE outlines nine techniques that, based on real-world observations, many initial access attempts will have in common. 

By automatically mapping suspicious behaviour to the ATT&CK matrix initial access techniques, SenseOn is designed to help defenders put MITRE into practice. Below is a rundown of the nine techniques that MITRE and SenseOn see attackers using for initial access and why it’s never been more important for security teams to take note.

MITRE ATT&CK Initial Access Techniques 

Distilling initial access compromises into nine key types, MITRE ATT&CK is a powerful guide to today’s threat landscape. 

Drive-by compromise

In a drive-by compromise (T1189 in MITRE), also known as a drive-by download or watering hole attack, threat actors weaponise websites their target is likely to visit. 

When a target visits a compromised website, malicious code checks whether the target is running a vulnerable version of a popular browser or plugin. If a vulnerable version is found, exploit code is executed, starting the attack chain. 

In some cases, users don’t need to take any action to allow the download of malicious code. In other instances, a malicious download may be prompted with a popup ad, for example, when the target clicks the “x” button to close it. 

Exploit public-facing applications

This technique (T1190) involves adversaries taking advantage of known bugs, vulnerabilities, and glitches in internet/public-facing applications. 

Earlier in 2022, a joint multinational cybersecurity advisory listed public-facing application exploits as an increasingly common technique for gaining initial access to business networks. This is not surprising, considering that organisations continually fail to patch vulnerabilities or are slow to do so. 

According to a report from F-Secure, more than half of the security vulnerabilities that currently exist in corporate environments were already known in 2016 and have patches available. Overall, unpatched vulnerabilities are the primary ransomware attack vector.

External remote services

Cloud and remote access technologies have put countless organisations at increased risk of cyberattacks. 

MITRE outlines the threat from cybercriminals leveraging Virtual Private Networks (VPNs), Active Directory (AD), Remote Desktop Protocols (RDPs), and similar external remote services in T1130. Essentially this covers anything that lets users connect to internal enterprise networks from external locations. 

Partly due to the pandemic and the shift to remote work, the UK’s National Cyber Security Centre cited RDP compromise as the most common attack vector used by threat actors last year.

These attacks are usually very difficult to spot because they tend to use valid credentials to gain initial access. In 2021, researchers were able to extract 1.3 million current and historically compromised RDP credentials from UAS (Ultimate Anonymity Services), a hacker marketplace. 

Hardware additions

Not every attack comes from the internet. Threat actors can also go to the trouble of physically introducing compromised hardware additions (T1200), i.e., computers, computer accessories, network appliances, and other devices, into a corporate environment as a means of gaining access. 

Although examples of attackers employing this technique in the wild are rare, it does happen. Several years ago, a financially motivated threat actor called DarkVishnya used this exact technique to target financial institutions in Eastern Europe, causing tens of millions of pounds in damage. 

According to Kaspersky Lab, the attacks were initiated with threat actors sneaking into buildings disguised as couriers, job seekers, etc., and connecting devices (Raspberry Pi computers, netbooks, cheap laptops, or a tool for USB attacks known as Bash Bunny) to targeted organisations’ networks. After compromising devices within their target network, the group tried to access web servers and shared folders to harvest information they needed to run RDP on a target computer and seize data or funds.

Phishing

Phishing (T1566) is a social engineering scam where a threat actor sends a fraudulent message to their target. These messages typically include a malicious link or attachment that, when clicked on, executes malicious code on a target’s system. 

However, phishing emails can also be designed to trick victims into disclosing their credentials, for example, by pretending to come from a legitimate institution or colleague. 

In some cases, bad actors may personalise phishing messages to make them more believable and entice the target to carry out the desired action. This is known as spearphishing. MITRE lists three sub-techniques under phishing: spearphishing attachment (T1566.001), spearphishing link (T1566.002), and spearphishing via service (T1566.003). Spearphishing via service refers to attackers using third parties, like social media platforms, to phish victims. 

A 2022 IBM report found that close to half (41%) of all attacks in 2021 leveraged phishing as an initial access vector. Phishing campaigns were particularly popular among ransomware groups. The Russia-based ransomware-as-a-service operation REvil started many of its attacks in 2021 with a QakBot phishing email. Most of these emails tend to have a short body of text and frequently reference outstanding invoices. 

Removable media

This kind of initial access, defined as replication through removable media (T1091) by MITRE, involves attackers copying malware to a removable drive and then relying on autorun features available on most systems to execute rogue code. 

Although these types of attacks were prevalent in the past, cybercriminals are now turning to USB-based attacks once again. 

In 2021, more than 6 in 10 organisations experienced a USB-based attack. In the UK, 18% of organisations saw 50+ malicious USB drops. And in the US, the FBI has recently warned that FIN7, the group behind DarkMatter and DarkSide ransomware operations, has been mailing malicious USB devices to companies. 

Supply chain compromise

In a supply chain compromise (T1195), threat actors infiltrate a target through an outside partner or provider. They usually do this by manipulating products (software or devices) or product delivery mechanisms before they make their way to the consumer. 

MITRE lists three sub-techniques under supply chain compromise: compromise software dependencies and development tools (T1195.001), compromise software supply chain (T1195.002), and compromise hardware supply chain (T1195.003).

Between 2020 and 2021, supply chain compromise attacks increased by a whopping 300%, impacting organisations like SolarWinds, Codecov, and Kaseya, as well as thousands of their customers. The SolarWinds hack alone gave attackers access to government agencies, private sector organisations, and critical infrastructure entities in the US, Europe, Middle East, and Asia. 

Trusted relationship 

In a trusted relationship (T1199) attack, bad actors take advantage of the relationship between a target and a trusted third party (like an IT contractor, infrastructure service contractor, and managed service/security provider) that might have access to an otherwise unreachable target network. 

For example, threat group GOLD SOUTHFIELD has recently been observed breaching several managed service providers to distribute REvil ransomware to their customers. 

Valid accounts

If a criminal can get their hands on valid accounts (T1078), i.e., a user’s credentials at a target organisation, they can circumvent access management systems protecting the network and system resources. 

There are many ways cybercriminals can gain credential access, including purchasing them on the dark web or through phishing campaigns. 

Adversaries don’t necessarily have to use the credentials of existing employees, either. Inactive user accounts can be just as valuable, because the original account holder will not be there to detect and flag any anomalous behaviour. 

ATT&CK lists four sub-techniques under valid accounts: default accounts (T1078.001), domain accounts (T1078.002), local accounts (T1078.003), and cloud accounts (T1078.004).
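
An added example, not SenseOn's detection logic or part of the original article: one way to surface the valid-credential logons described above and under external remote services is to flag successful RDP/VPN logons by accounts that have been dormant, or that arrive from a source never seen for that account. The log format, the 90-day threshold, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed threshold; tune to local policy
REMOTE_SERVICES = {"rdp", "vpn"}     # external remote services to watch

# Constructed sample events: timestamp, account, source IP, service, result
SAMPLE_LOG = """\
2022-01-10T09:02:11 asmith 203.0.113.10 vpn success
2022-01-11T09:05:40 asmith 203.0.113.10 vpn success
2022-01-12T08:59:03 bjones 198.51.100.7 rdp success
2022-03-01T09:01:00 asmith 203.0.113.10 vpn success
2022-03-02T02:14:55 asmith 192.0.2.44 rdp failure
2022-03-02T02:15:20 asmith 192.0.2.44 rdp success
2022-07-19T03:41:09 bjones 192.0.2.99 rdp success
"""

def parse(line):
    ts, user, src, service, result = line.split()
    return datetime.fromisoformat(ts), user, src, service, result

def find_suspicious_logons(log_text, dormant_after=DORMANT_AFTER):
    """Return (time, account, source, reasons) for remote logons worth review."""
    last_success = {}    # account -> time of last successful logon
    known_sources = {}   # account -> source IPs seen on earlier successes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, service, result = parse(line)
        if result != "success":
            continue
        reasons = []
        # Only accounts with history can be judged dormant or off-baseline.
        if service in REMOTE_SERVICES and user in last_success:
            if ts - last_success[user] >= dormant_after:
                reasons.append("dormant-account")
            if src not in known_sources[user]:
                reasons.append("new-source")
        if reasons:
            alerts.append((ts.isoformat(), user, src, tuple(reasons)))
        last_success[user] = ts
        known_sources.setdefault(user, set()).add(src)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logons(SAMPLE_LOG):
        print(alert)
```

Neither signal proves compromise on its own; both are cues to check the logon against the account owner's expected activity.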

Stopping Cyberattacks with SenseOn

The phrase “it’s not a matter of if an attack will happen, but when” has become a cliche in the cybersecurity world. Looking at the number of organisations that get hacked every year—some of them repeatedly—it’s obvious that, cliche or not, this statement is true. 

As attackers continue to infiltrate systems unnoticed, the MITRE ATT&CK framework and its section on initial access adversarial tactics serve as a useful reminder of the types of techniques threat actors use to get into networks, how to detect them, and what mitigation steps to take.

To help analysts gain a richer source of context around security alerts and speed up remediation, SenseOn has built ATT&CK techniques into the core of the SenseOn platform. This means that every observation of abnormal behaviour spotted by SenseOn links back to the corresponding adversary technique in the ATT&CK framework. By making it easier to detect and prevent hackers gaining an initial foothold, SenseOn can also help stop privilege escalation, lateral movement, and exfiltration. 
