Stopping attackers from getting into an organization is always preferable to catching them once they are inside. It goes without saying that prevention is better than detection. Effective prevention, however, requires an understanding of how attackers attempt to get in, and attack vectors rise and fall in popularity, so understanding current trends is critical.
The question of how attackers gain access to organizations’ networks is one every victim of a cyber attack wants answered. However, it can often be difficult to determine exactly how an attacker gained initial access to a compromised network. Symantec, as a division of Broadcom Software, continues to actively monitor the infection vectors attackers are using in order to keep our customers’ organizations and networks safe. Recent findings have been published in a new white paper.
Some of the main findings in this paper include:
- The exploitation of vulnerabilities in public-facing applications was a popular attack vector during the last 18 months. While zero-day vulnerabilities, most notably the Microsoft Exchange Server bugs, were still being used by attackers, it was mostly known vulnerabilities that attackers were attempting to exploit. Even though these bugs had patches available, they may not have been patched quickly enough to avoid an attack. Evidence indicates that attackers start exploiting vulnerabilities as soon as they become public knowledge.
- Botnets have become a key threat distributor for ransomware gangs in recent times, with major botnets like Trickbot, Dridex, and IcedID now all associated with ransomware campaigns. However, other botnets are also still actively distributing crypto-mining malware and are being used to carry out distributed denial-of-service (DDoS) attacks, and the threats posed by these kinds of botnets should not be forgotten amid the recent increased focus on ransomware.
- The use of exploit kits by cyber criminals appears to be declining, with one exploit kit, RIG, dominating the landscape over the last 18 months, according to Symantec’s data. However, just because exploit kits appear to have dipped in popularity among cyber criminals recently doesn’t mean they won’t make a comeback, and they are still a vector that organizations need to be aware of and guard against.
- Email remains a consistently popular attack vector. Social engineering is a key component of many of the scams carried out via email, particularly business email compromise (BEC) scams, which remain one of the most costly scams on the cyber-crime landscape. We also saw examples of malicious actors incorporating social media into email scams, making initial contact on a platform such as LinkedIn or Twitter and ultimately delivering a threat to the target via email. Targeted ransomware actors also use email as a delivery method.
- The COVID-19 pandemic also had an impact over the last 18 months, and was used as a lure in many phishing campaigns.
- Looking to the future, one new threat that could have an impact over the coming years is “the corporate insider.” Some ransomware gangs have advertised for insiders willing to give them access to the corporate networks those insiders already have access to, offering significant rewards to anyone who cooperates. While a targeted ransomware attack involving an insider is not something we have seen yet, the fact that ransomware gangs are publicly pursuing this kind of tactic means it is something organizations and defenders need to be aware of.
For more information, read the new whitepaper here.