article featured image


An attacker’s access to the network is often traced back to a succession of events, which network defenders must unravel. This is done by asking specific questions such as: How did the attackers enter the network? How did they gain access to the network? What actions did they take once inside that allowed them to gain more access?

Access-as-a-Service (AaaS) is becoming more common as a means to gain access to networks. Read on to find out what is AaaS and who is behind it.

Image that implies accessibility of access.

What Is Access-as-a-Service (AaaS)?

Access as a Service (AaaS) is a new business model in the underground world of cybercrime, and it could be defined as malicious actors selling access into business networks. The service is part of the overall Cybercrime-as-a-service (CaaS) that encompasses many different models such as Ransomware-as-a-service (RaaS) or Malware-as-a-Service (MaaS).

However, despite the “as-a-service” title, this is not an actual service wherein the criminals continue to provide the service after selling it, but rather a one-time deal. The seller, referred to as an access broker or initial access broker (IAB), sells breached credentials or direct access to organizations to other cybercriminals.

To gain initial access to a system, ransomware attackers no longer need to exploit a vulnerability or spam infectious emails. Instead, they can just buy their way in.

What Is Access Brokerage?

Access brokerage is a type of cybercrime in which an attacker gains unauthorized access to a victim’s computer or network and then sells that access to another party.

Access brokerage is a growing problem as attackers are able to exploit vulnerabilities in systems and applications in order to gain access, which can then be sold on the black market for a profit. As access brokers become more sophisticated, they are able to target larger organizations and even government agencies, making this type of cybercrime a serious threat.

Compromised systems can be very valuable to cybercriminals, as they provide a way to gain unauthorized access to sensitive data or carry out malicious activities without being detected. For this reason, access brokers can charge high prices for their services. The role of an access broker is often difficult to track, as they typically use anonymous payment methods and conduct their business through private messages or encrypted channels.

Access brokers often use stolen credentials to gain access to systems, which they then sell to buyers. However, some brokers may also have direct contact with system administrators who are willing to sell access to their systems.

Types of Access Brokers

There are three main types of IABs:

  1. Opportunistic sellers offer one-off access, advertising their offerings in criminal web-based forums.
  2. Dedicated brokers have access to an array of different companies that they advertise in wider underground networks. Often, this type of IABs They also reach out directly to affiliates.
  3. Online shops usually consist of a group of sellers who offer a variety of data. However, these shops only guarantee access to a single machine, not an entire network.

How Is Data Obtained?

There are multiple ways in which IABs can obtain access to sensitive data:

  • Data breaches and password hash breaking: When companies or websites lose user lists along with password hashes in a data breach, hackers can crack them to obtain credentials.
  • Malware logs: Cloud platforms allow attackers to use botnets to spy on infected users’ internet connections and collect credentials. These are often collected into malware logs, which are then sold to access brokers to expand their credential stocks.
  • Vulnerability exploitation: It is possible for some AaaS brokers to use exploits to attack servers and gain access to user credentials. Common targets include VPN gateways or external web servers.
  • Opportunistic hacking: Typically, small-time hackers will sell one-off access to their target’s system. Phishing operators will also sell the credentials they exfiltrate in bulk.

IAB Operation Step-by-Step

To better understand how access brokers operate, let`s imagine the following scenario:

When a bug or vulnerability is made public, IABs become active. They investigate to try and deploy infostealers, a type of RAT that can acquire keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, clipboard material and so on from a contaminated device. Primarily they propagate to target systems by way of spam as well as phishing campaigns.

Once an infostealer is deployed, the trojan begins to log activities and collect data. These logs are then manually examined for credentials that might be monetized on the dark web. The credentials sought by IABs include access to virtual private networks (VPNs), remote desktop protocols (RDP), web applications, and corporate webmail servers that are instrumental in committing CEO fraud.

The IABs openly list and advertise their prized, high-value corporate targets on underground marketplaces where they broker for these stolen credentials. Pricing varies based on company size and level of privilege within the compromised network.

AaaS Defense Strategies for Organizations

A cybersecurity defense strategy that focuses on detecting and preventing the initial breach of access is crucial for CISOs and security teams. When you detect the initial access of an attack, you are more likely to prevent the subsequent components of the attack lifecycle, such as ransomware. Here are other components to consider when creating an effective security strategy:

  • Set up two-factor authentication (2FA) to prevent malicious actors gaining access via leaked credentials.
  • Make sure incident response (IR) teams understand the multi-attacker scenario and know where to focus their efforts.
  • Apply a Zero Trust approach to continually verify and monitor users and ensure only those who should be accessing your network are doing so.
  • Use a unified cybersecurity platform with XDR capabilities to help consolidate all correlated user activity and data for more visibility.
  • Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilizing virtual patching.
  • Leverage trusted frameworks such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA).

How Can Heimdal® Help?

As we pointed out previously, XDR is a crucial asset when it comes to building a security strategy. It keeps the position of overseer, gathering data from throughout your environment to predict cyberattacks and plotting courses of action based on genuine, real-time data.

Heimdal’s Extended Detection and Response team monitors your devices, alerts you on infection or attack, validates policy checking for maximum compliance, and employs rapid and decisive responses to attacks.

Furthermore, the Zero-Trust security model is also decisive in keeping your organization safe. The Zero- Trust execution process within the Heimdal`s Privileged Access Management allows you to safeguard your environment from zero-hour threats. This can be enabled or disabled from the Endpoint Detection -> Next-Gen Antivirus module as well as the Privileges & App Control -> Application Control module.

Heimdal Official Logo
System admins waste 30% of their time manually managing user rights or installations

Heimdal® Privileged Access Management

Is the automatic PAM solution that makes everything easier.
  • Automate the elevation of admin rights on request;
  • Approve or reject escalations with one click;
  • Provide a full audit trail into user behavior;
  • Automatically de-escalate on infection;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.


The availability of Access-as-a-service has simplified attackers’ endeavors by providing direct access to target networks. Threat actors can now spend more time finding servers with the most sensitive, thus valuable, data inside the network. IABs are a stark indication that cybercrime is already an organized industry.

The ever-evolving threat landscape places enormous pressure on CISOs and security teams. Preparedness increases your chances of defense, response, and recovery. Protect your organization against organized cybercrime by investing in cybersecurity tools, training, and awareness.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo