The Five Eyes cybersecurity agencies from the United States, United Kingdom, Canada, Australia, and New Zealand have issued a security alert sharing the top five techniques used by cyber threat actors to gain initial access to corporate networks. The agencies also list 10 weak security controls and poor security practices that are commonly exploited in cyberattacks and provide suggested mitigations for hardening security to prevent attacks.
The most common attack vectors are exploiting vulnerabilities in public-facing applications, using external remote services, phishing, exploiting trusted relationships with partners such as MSPs, and the use of stolen credentials for valid accounts. These attack methods are usually made possible due to poor security configurations, weak controls, and the failure to follow cyber hygiene best practices.
There are many examples of poor security practices that can be exploited to gain access to networks, the most common of which are detailed below:
- Failure to enforce multifactor authentication – MFA should be enabled on all user accounts, especially accounts with admin-level privileges and for remote desktop access. RDP is one of the main vectors in ransomware attacks.
- Incorrect privileges/permissions and errors within access control lists – Errors of this kind can prevent access control rules from being enforced, which can result in cyber threat actors or system processes being granted access to objects they should not be able to reach.
- Failure to update software and operating systems – The failure to update software and operating systems promptly when patches/updates are released can allow threat actors to exploit the flaws to gain access to systems and sensitive data. Slow patching is one of the most common poor security practices.
- Failure to change default configurations and login credentials – Default configurations and usernames/passwords are often in the public domain, and the default configurations of many products and services are often overly permissive, which provides an avenue for threat actors to exploit.
- Failure to implement appropriate controls on remote services such as VPNs – Remote services such as virtual private networks are extensively targeted by cyber threat actors. Controls that can improve security include MFA, a boundary firewall in front of the VPN, and intrusion detection system/intrusion prevention system sensors.
- Failure to enforce the use of strong passwords – Weak passwords are vulnerable to brute force attacks and are commonly exploited in attacks on RDP.
- Leaving cloud services unprotected – Poor security configurations and misconfigurations can easily be exploited to gain access to sensitive data and for cryptojacking.
- Leaving ports open and misconfiguring Internet-facing services – Scanning tools are used to identify open ports that can be compromised to gain initial access to networks. The failure to close unused ports is one of the most commonly identified poor security practices.
- Failure to detect and block phishing attacks – The failure to implement security measures to block phishing attempts and provide security awareness training to employees leaves companies at risk of credential theft and malware infections.
- Poor endpoint detection and response – Antivirus software can detect known malware, but cyber threat actors commonly use obfuscated malicious scripts and PowerShell attacks to bypass weak endpoint security controls and launch attacks on target devices.
By avoiding these poor security practices, businesses can significantly improve their security posture and make it much harder for cyber threat actors to gain access to their networks. The Five Eyes agencies have provided a list of mitigations that include controlling access, hardening credentials, establishing centralized log management, employing antivirus programs, endpoint detection tools, configuration management programs, and patch management programs in the alert – https://www.cisa.gov/uscert/ncas/alerts/aa22-137a