Preventing Attackers from Gaining Initial Access to Your Network

Initial Access to Devices_small

There are many reasons black hat hackers attempt to gain unauthorized access to a network. They may want financial gain, steal information, disrupt business operations, or ruin the organization’s reputation. Before the malicious actor gets what they want, they must first gain initial access — the first active step in the kill chain.

Preventing initial access is the most critical aspect of securing your enterprise, as you are to keep attacks from happening before they start. Each time an organization prevents an attacker from gaining access to an application, a device, or a user’s network credentials, they increase the likelihood a malicious actor will cease their attack.

This article covers the latest techniques and strategies that adversaries use to gain initial access, the benefits of stopping attacks before they start, and the steps organizations can take to do so. We will also cover some of the latest technologies that take securing devices to the next level — through prevention. Let’s dive in.

 

Jump to a section…

 

Understanding Initial Access Attacks

Why Defenders Are Failing to Prevent Initial Access

Traditional Approaches to Prevention

What Defenders Are Up Against

Where to Focus Cyberdefense Efforts

Implementation of Zero Trust

Best Practices for Preventing Initial Access

Special Considerations for OT/Internet of Things (IoT) Devices

Prevent Attacks Before They Happen

 

Understanding Initial Access Attacks

At a glance

  • Advanced persistent threats (APT) attacks are part of a multi-stage attack. Initial access is the first step leading into this type of attack.
  • For malicious actors to perform reconnaissance, discovery, and lateral movement, they need as many devices on the network as possible.
  • Malicious actors use stealth techniques to evade detection. Once adversaries gain an initial foothold, they work deeper into the system through credential access and privilege escalation.
  • When the above attempts don’t work, they will will attempts other means, such as sending emails, attempting to log in to applications, accessing files and personal information to learn more about their target, and ransomware.

Initial access is an early step in intrusion in the MITRE ATT&CK framework, following the reconnaissance and resource development phases. Attackers use known vulnerabilities, “zero-days” techniques, and tools to gain initial access various layers in the OSI framework. Some common methods include:

  • Phishing: Social engineering access through fraudulent emails, phone calls, or text messages. The goal is to trick employees into providing credentials or to install malware or other malicious exploits. For example, an attacker could send an email pretending to be a bank, requesting the user to click on a link and enter login credentials — unknowingly providing a login and password directly to the attacker.

  • Vulnerability exploits: These are known flaws (or flaws that have not been published, known as zero-days) in an organization’s security protections, network infrastructure, applications, operating systems and hardware that attackers exploit to gain access.

  • Password cracking: Using stolen credentials, brute force, or dictionary attacks to break into systems.

  • Malware: One of the most common methods of attack where a user unknowingly downloads a compromised file which which uses other techniques, including those mentioned above to gain unauthorized access. Type of malware malware include trojans, viruses, and ransomware.

  • Physical access: Stealing laptops and other devices, accessing devices in public areas, or breaking into private data centers, wiring closets, or offices to gain direct access to networks, wi-fi, or Ethernet ports.

  • Remote access: Accessing exposed and unprotected servers without physical access. Remote access attacks are becoming increasingly common as employees work from home.

  • Supply chain attack: Exploiting the implied trust and access between customers and vendors to gain access.

  • Application attack: Exploiting vulnerabilities in the web or other applications to gain access, both on publicly available websites as well of those inside the perimeter of the network.

Malicious actors use combinations of these methods to gain access, so security teams must remain vigilant and educate employees on data security. Attackers regularly update and change their methods, so staying current on the latest threats and best practices for both preventing and detecting initial access is important. 

 

The Flaws in the Internet and Computers at the Root of Our Security Problems

There are two fundamental flaws in cybersecurity that have been with us since the dawn of the Internet.

  1. Vint Cerf, often called the “Father of the Internet” , has said that if he could do it over again he would have required computers and applications to “trust” before they could communicate.

  2. Microsoft, Apple and other vendors originally built their operating systems with little or no security.  Later, they added security inside their operating systems, which still left them vulnerable.  That approach is no different than storing the key for a lock in the lock.  For a number of reasons, those vendors have not removed the security components from the operating system.  But Byos created a way to do that which is commercially available today.

Contact Byos today to learn more about how Byos’ patented technologies can prevent attacks in ways that no other technology can.  When a device is compromised, hackers can disable, modify or evade the software meant to protect the device. Byos removes the security from vulnerable operating systems, like Windows, to make devices invisible and prevent unauthorized access - preventing attacks before they happen.

To understand how we can combat initial access attacks, we must first explore our current approach to prevention and why these methods are no longer enough.

Initial Access image

Traditional Approaches to Protection

Cybersecurity teams traditionally employ a number of initiatives to prevent initial access:

  • Threat hunting: Instead of waiting for an initial attack to happen, security teams proactively search for compromise indicators using threat intelligence, security analytics, and other tools to identify and allow them to mitigate known vulnerabilities.

  • Deception-based technology: Deceiving attackers with honeypots, decoys, and traps is not recommended as a primary way to prevent attacks, but security-through-obfuscation can provide additional layers of security and flesh out other prevention methods. 

  • Regular review and update of security policies: Ensuring security policies are up-to-date and aligned with the latest threats and best practices enables organizations to put their best foot forward when preventing attacks.

While these practices are important, they’ve become so common that adversaries anticipate that you’re doing them and have moved on to more sophisticated types of attacks. As a result, you need to advance with them — otherwise, they will find those exposed gaps in your protection.

Disaster recovery is also not prevention, at least not in any meaningful sense. It may prevent disasters that result from critical assets being exploited or compromised, but they do not prevent the attack. As vendors begin to trumpet their “prevention technologies,” it is crucial to pay close attention anytime vendors make claims that their solutions actually “prevent” attacks.

 

What Defenders Are Up Against

Here are just a few obstacles that prevent defenders from keeping up with the increased threat of initial access attacks:

  • Complexity: The increasing complexity of modern networks and devices makes it difficult for defenders to identify and protect against potential vulnerabilities. 

  • The ever evolving threat landscape: There are new technologies, new vulnerabilities, and new attack methods that make it difficult for defenders to keep up.

  • Increased volume and variety of threats: There are more attacks than ever before, and experts predict that number will continue to grow. Defenders are not keeping up as fast as adversaries producing new tactics, techniques, and procedures (TTPs).

  • Advanced persistent threats: APTs are an attack in which an attacker establishes a long-term presence on a network, using stealthy techniques to evade detection. Prevention will only become more important as it becomes increasingly difficult to detect and respond to APTs in a timely manner.

  • Lack of visibility: Defenders should be aware of every aspect of their network — failure to do so can make responding to threats challenging.

  • Social engineering: People are often the weakest link in cyber security, and attackers will exploit this through trickery to gain login credentials or install malware. Defenders must devise innovative ways to prevent this or minimize the “blast radius” to reduce the impact.

  • Limited budget and resources: CISOs often have to do more with less, increasing the difficulty of implementing the necessary controls.

  • Lack of personnel with the proper skills: Along with the increase in advanced tactics and the sheer volume of incoming attacks, a shortage of cybersecurity professionals further widens the gap between attackers and defenders. This makes prevention even more important than ever — if you can prevent attacks before they happen, you don’t need headcount to detect, analyze, report, and mitigate the attack.

Organizations need to adopt a proactive and comprehensive approach to cybersecurity that focuses primarily on prevention, then round out efforts with improved detection, incident response, and security automation.

 

Where to Focus Cyberdefense Efforts

Preventing initial access into any device on a network is the most effective place to focus, especially for organizations dealing with an increased number of threats on a limited budget. Without a place to start, such as a device inside the network or access to publicly-accessible websites or applications, attackers cannot do any damage to a protected organization. Here are some key strategies to keep in mind:

  • Minimize the attack surface: When attackers cannot gain access to devices, it’s impossible to gain further access to sensitive information and other systems — completely cutting off any further attack. Ideally, you will want to reduce the potential entry points — and thus, the attack surface — to zero. Make your devices invisible.

  • Keep attacks from occurring in the first place: An attack that never occurs requires no people, resources, time, or frustration. Stopping attackers from gaining that initial foothold saves money and resources that organizations now spend on incident response, recovery, investigations and damage control.  You may also reduce the cost of regulatory fines, legal and PR fees, as well as reputational losses.

  • Utilize defense-in-depth strategies: Defense-in-depth implements multiple layers of security controls, ensuring that if one layer fails, another can step up to thwart the attack in its place.

  • Build your security architecture around MITRE ATT&CK framework: This framework is a powerful tool for understanding the tactics, techniques, and procedures used by attackers throughout the entire flow of attacks. By leveraging ATT&CK, organizations can identify the stages of the kill chain where they are most vulnerable and develop the necessary defenses to disrupt the attack at those critical stages.

  • Continuously improve defenses: Preventing initial attack footholds is an ongoing process. Organizations should regularly assess their defenses, keep up to date with the latest threats, and adapt accordingly.

 

Implementation of Zero Trust

Zero Trust strategies are an effective method of prevention but must be handled delicately to ensure maximum efficiency. 

Absolute least privilege is an extension of Zero Trust. Least privilege limits the access rights of users and processes to the minimum necessary to do their job. IT departments oversee the efficacy of Zero Trust through role-based access controls, credential management, and privileged access management.  Zero Trust assumes that all users, devices, and resources are compromised. Before any entity can begin communicating, it must establish trust. 

The difficulty lies in implementing the technologies, administration, and processes that maintain the absolute least privilege. For example, a priority request to add a new system or process on Friday gets implemented as a “quick fix,” with the intent of finishing up on Monday — only to forget, leaving half-baked solutions in place. Without standards in place, it’s easy for these situations to leave you with a mishmash of security policies and conflicting configurations, effectively rendering your Zero Trust implementation toothless.

Also, be wary of Zero Trust networking vendors who claim to prevent lateral movement. While these solutions may keep inexperienced attackers out, for sophisticated attackers, many of these tools are merely road bumps on the path to accessing your devices. If a device is compromised through a series of exploits, malicious actors can gain control of the operating system, and access and network controls can be bypassed and disabled.

 

Best Practices for Preventing Initial Access

Now that we understand the importance of prevention, we can begin to implement solutions that place prevention as the focus of our security profile. Organizations must adopt a multi-layered security approach that includes microsegmentation, intrusion prevention systems (IPS), and Zero Trust frameworks to prevent unauthorized access to your network.

Adhere to these 11 best practices to make prevention as effective as possible:

  • Defense-in-Depth Security: In addition to the items below, cloaking devices, microsegmentation, and other elements of zero trust make devices undiscoverable and inaccessible.  Bad actors can’t break into what they can’t find.
  • Edge Security
    • Block all east/west peer traffic.
    • Allow access only to the ports necessary for north/south traffic (between clients and servers)
    • Block all broadcasts and multicasts coming from endpoints.
    • Remove communication security stack from the O/S to prevent compromised systems from bypassing/replacing/disabling endpoint protections and evading detection.
    • Implement port-level deny-by-default access rules.  Plan and deploy a zero-trust framework, meaning the principle of “absolute least privilege”, giving only the minimum amount of access required for the role and work to be performed.

(To learn how you can get the same Byos technology that a national security agency has selected Byos as the cornerstone for some of their most important cybersecurity initiatives, schedule a conversation HERE.)

  • Implement passwordless and FIDO2 authentication:Multi-factor authentication tools are outdated and broken. Passwordless authentication systems like HYPR and Auth0 add an extra layer of prevention security to logins and help to prevent unauthorized access to sensitive systems.
  • Implement browser isolation: This technology removes the processing of browsers outside ofthe computer. Solutions like Menlo Security prevent all web traffic from having access to the computer on which it is running. 
  • User Awareness: IT departments must keep employees educated about recognizing phishing emails and social engineering tactics, as well as following security best practices. 
  • Monitor network activity: This can help identify potential security threats and give security teams notice to investigate suspicious activity.
  • Perform regular audits: Audits identify vulnerabilities and misconfigurations that attackers can exploit. Security assessments, like this free Network Security Assessment tool help you insure your technology and practices are at the proper level.
  • Perform regular backups: Regular backups, along with a disaster recovery plan, can help you quickly recover from a successful attack.
  • Keep up-to-date with the latest threat intelligence: Staying informed can help organizations keep one step ahead of the latest attack methods and better protect themselves.
  • Update outdated operating system, device drivers, and software: Regularly updating applications and operating systems to their latest versions will help fix known vulnerabilities and exploits.
  • Implement secure software development practices: Incorporating code reviews and threat modeling into the software development process can prevent security vulnerabilities from being introduced into systems and applications.

New call-to-action

Special Considerations for OT/IoT Devices 

IoT devices lack processing power, memory, and storage capabilities, often running on custom or embedded operating systems. As a result, it is difficult to implement traditional IT security controls, which leaves them vulnerable to various attacks. Here are some methods attackers use to gain initial access to IoT devices:

  • Physical access: IoT devices are often small and portable, making them especially vulnerable to physical attacks. Attackers can gain access through physical tampering or theft.

  • Weak credentials: Many IoT devices come with weak default username and password credentials that are easy to guess. Attackers can use these credentials to log in and gain access.

  • Unpatched operating systems: IoT devices often run on custom or embedded operating systems that may have vulnerabilities that need to be patched. Attackers can exploit these vulnerabilities to gain access to the device.

  • Exploitable remote interfaces: Many IoT devices have remote management interfaces accessible via the web or telnet that malicious actors can easily exploit.

  • Side-channel attacks: Attackers can use information obtained from the device’s power consumption or electromagnetic emissions to extract sensitive information.

To secure IoT devices against initial access attacks, network security professionals should:

  • Implement absolute-least-privilege access controls for all IoT devices and remote any devices that access them. Further, minimize the port level access to devices.

  • Encrypt data-in-motion and data-at-rest to prevent attackers from accessing sensitive information.

  • Change the default username and password and monitor reversions to the default credentials. Phosphorus and Axonius are effective tools for tracking changes to credentials and configurations.

  • Regularly monitor new CVEs and update known vulnerabilities.

  • Disable remote management interfaces that are not used or needed.

  • Implement physical security controls, such as locks and enclosures, to protect IoT devices from physical attacks.

  • Use IoT-specific security features for additional protection.

IoT devices present unique challenges for stopping initial access. Be aware of these challenges and the methods attackers use to attack them. Losing access to medical devices, industrial and environmental controls, sensors, and other systems can be devastating, leading to production downtime, damage to infrastructure, and even loss of life. 

 

Prevent Attacks Before They Happen

Preventing initial access attacks is the most critical aspect of ensuring an organization's security. Organizations must understand attackers' methods to gain initial access and take proactive measures to prevent them. 

For further research, organizations should begin with the MITRE ATT&CK framework, which covers attackers' methods to gain initial access.

To learn more about implementing technological solutions that protect and contain initial access attacks, contact Byos today.

 

New call-to-action

Limiting the Blast Radius - Preventing Lateral Movement is Absolutely Critical

Turning the Tables on Bad Actors' Reconnaissance & Discovery Practices