Contents:
Various national cybersecurity authorities have recently published a joint advisory that discloses what are the top 10 attack vectors most exploited by cybercriminals.
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.
The List of Top 10 Attack Vectors Most Exploited
#1 Lack of Multi-Factor Authentication (MFA)
Account takeover can be prevented by enabling MFA. As the advisory reads, MFA is crucial in the fight against cybercrime, since Remote Desktop Protocol (RDP) is regarded as the most popular infection vector for ransomware.
#2 Privileges Not Properly Managed and Access Control Lists Packed with Errors
Without these practices properly implemented, access control rules cannot be enabled correctly and unauthorized entities (be it, users, or system processes) can achieve unauthorized access.
#3 Lack of Updates in the Software
Unpatched software may be a path for threat actors to abuse vulnerabilities that let them gain access to sensitive information. This can lead, for instance, to a denial-of-service attack.
#4 Default Configurations and Credentials
Factory-default configurations and default credentials are not secure and can let open doors to hackers.
These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.
#5 Lack of Enough Security Controls in Remote Services
Remote service compromise can be prevented through access control mechanisms, boundary firewalls, and employing intrusion detection system/intrusion prevention system sensors that have the role of identifying suspicious behavior on the network.
#6 Lack of Strong Password Policies
Hackers find methods to target weak passwords and accomplish unauthorized access to a system.
#7 Unprotected Cloud Services
Misconfiguration in cloud services can further lead to sensitive data theft and cryptojacking.
#8 Exposed Open Ports and Misconfigured Services
Threat actors employ scanning tools to look for open ports and leverage them as initial attack vectors. Besides, they can also compromise a service on a host to achieve initial access and further extend to compromising vulnerable entities. Some examples of high-risk services would be RDP, Server Message Block (SMB), Telnet, and NetBIOS.
#9 Phishing Is Not Blocked or Identified
A common technique among threat actors is to send phishing emails that are embedded with malicious macros, so the initial vector might be when the user opens the document within the email letting this way the infection process start.
#10 Ineffective Endpoint Detection & Response
Obfuscated malicious scripts, as well as PowerShell attacks, are used by threat actors to evade endpoint security controls and conduct their cyberattacks.
How to Reduce Breach Risks
The joint advisory further shares guidelines on how to safeguard networks that are vulnerable to the mentioned top ten attack vectors involving misconfigurations, poor security practices as well as weak security controls. These are:
- implementing control accesses that involve a zero-trust model, restriction on local admin accounts, control over who has access to data and resources, ensuring that are no open RDP ports on machines, etc.;
- enforcing credentials hardening which means implementing MFA, changing or disabling vendor-supplied default credentials, and monitoring systems for compromised credentials;
- establishing centralized log management;
- employing antivirus;
- using EDR (Endpoint Detection & Response) tools for higher visibility into endpoints’ status;
- implementing strict configuration management programs;
- using software and patch management tools.
How Can Heimdal™ Help?
Heimdal has all the cybersec solutions you need to protect your critical data and ensure a fully protected ecosystem. Visit our home page and choose from Privileged Access Management to manage privileged access and deescalate user permissions on threat detection, Patch & Asset Management to automate your patching deployment process to Endpoint Detection and Response (EDR) that offers exceptional prevention, threat-hunting, and remediation capabilities. Or choose them all for complete protection against cyber threats!
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.