Securing your digital perimeter against Initial Access Brokers
Although attack surfaces have expanded dramatically in recent years, this alone doesn’t explain why external-facing vulnerabilities and misconfigurations are being increasingly exploited. The threat actors conducting the attacks have also changed, expanding from ransomware gangs alone to include initial access brokers.
Initial access broker activity doubled last year alone, and it included the hack of Uber, which used credentials that were sold for just $10. Organizations need a new strategy in order to respond to this new class of adversaries and prevent a breach.
Who are the Initial Access Brokers?
To understand Initial Access Brokers (IAB) we need to understand the threat landscape that they are a part of. Historically, ransomware gangs were one of the most significant cybersecurity threats to an organization. These criminal organizations use sophisticated methods to infiltrate computer systems and encrypt valuable data, demanding a ransom payment in exchange for the decryption key.
Ransomware groups operate like businesses, with well-organized structures and hierarchies. Different teams are responsible for different stages in that attack chain. They use a variety of methods to infiltrate computer systems, including phishing emails, malvertising, and exploiting vulnerabilities in software. Once they gain access to a system, they use encryption to lock down valuable data, demanding payment in exchange for the decryption key.
Operating across the entire attack chain is very time-intensive, which has limited the number of organizations that ransomware gangs can target. Outsourcing parts of the workflow enables ransomware gangs to conduct more attacks on more organizations. IABs are cybercriminals that specialize in the initial stage of the attack chain: obtaining and selling access to compromised systems. The number of organizations that had access to their systems sold was estimated to have doubled last year.
How Initial Access Brokers launch attacks
Initial access brokers sell access to compromised systems on the dark web, with prices set by supply and demand. Credentials with administrator privileges or access to critical infrastructure, such as Active Directory, fetch higher prices. As a result, an IAB is profitable only when it sells access to large numbers of systems.
Choosing an attack vector that can be used to compromise organizations en masse is therefore key for IABs. Targeted attacks, such as spearphishing, are not scalable enough for them. Instead, indiscriminate attacks that can be launched against many targets simultaneously are ideal.
Scanning an organization's internet-facing assets for exploitable vulnerabilities and misconfigurations is extremely common. Threat actors have been observed scanning for vulnerabilities using tools like Shodan just 15 minutes after a CVE was announced (BleepingComputer, 2022). As a result, exploits are the most common initial infection vector, accounting for 32% of all attacks, according to Mandiant.
Exploits are being utilized because exploitable assets are comparatively common and easy to identify. Many organizations have forgotten, poorly configured, and unmanaged assets that can be found on the internet. In fact, according to Forrester, organizations’ attack surfaces are on average 30% larger than they expected.
How to protect your attack surface from Initial Access Brokers
Managing the external attack surface is often done as part of an organization’s vulnerability management process. Trends have shown that these processes are often ineffective at discovering all of an organization’s assets, and a single missed asset could have an exploitable weakness that is used against the organization.
Olivier Beg, Head of Hacking at Hadrian, has seen numerous cases where small problems provide easy wins for threat actors. One particular example is the most recent GoDaddy breach, which was the result of a compromised password.
“I’ve been doing bug bounties since I was 13 years old. I would find vulnerabilities and report them to those companies, who would then hopefully fix the problem. It didn’t take long for me to find a vulnerability that an adversary could exploit. This approach, however, is unscalable and requires an element of luck. What these companies need is a holistic view of their environment, so they can spot the small oversights that would let an attacker in.”
by Olivier Beg, Head of Hacking at Hadrian
Organizations need a robust method to continuously monitor their attack surface for exploitable weaknesses. Analysts at Gartner have identified Continuous Threat Exposure Management (CTEM) as a program that could replace traditional vulnerability management processes. Furthermore, Gartner predicts that by 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.
Many organizations will be at the start of their CTEM journey, either considering or having recently deployed an external attack surface management solution. Security leaders should create an action plan to implement CTEM by building upon this initial step. To learn more about how exposure management can reduce risks on the edge, read our E-book.