Initial Access Trends for 2023
CrowdStrike has released its 2024 Global Threat Report, which covers a variety of metrics in the cybersecurity space measured across all of 2023. We will cover a few high-level takeaways from the report and discuss what you can do to help protect your organization as we continue into 2024.
The biggest callout is the increase in malware-less breaches. In 2022 it was estimated that 71% of all breaches were the result of some form of identity-based attack, i.e., phishing, social engineering or an initial access broker. By the end of 2023 that number is estimated to be close to 75%, which shows threat actors continuing to evolve toward attacking what is commonly regarded as the weakest link in security. If you look back further, to 2019, breaches that were not the result of malware were estimated to be only 40% of all breaches. Given the steep increase in just 5 years, this trend is likely to continue through 2024.
Sticking with the theme of initial access, the second item of note is the continued rise of initial access brokers. An Initial Access Broker (IAB) is a cybercriminal or group that specializes in breaching a target's defenses to gain initial access, which is then sold to other threat actors, such as ransomware gangs or espionage groups, to conduct further malicious activity. These brokers play a pivotal role in the cybercrime ecosystem by letting attackers skip the time-consuming and complex initial compromise stage, streamlining the launch of sophisticated attacks. The number of known access broker advertisements increased in 2023 by 20% compared to the prior year. The total number of known access broker postings for 2023 was a staggering 2,992.
So what can you do to help protect your organization?
Security Awareness Training
The first stop is your organization's User Security Awareness program. Many organizations treat Security Awareness training as a checkbox for compliance, or they see their firewall as their first line of defense. The upward trend in social engineering and phishing attacks shows that this is a very outdated way of looking at the situation. In the modern cyber landscape the end user has proven to be the most likely target for a cybercriminal, so equipping them with the knowledge and tools to protect themselves online through effective Security Awareness training is increasingly paramount.
Phishing Training
The most common form of Security Awareness training is teaching a user how to identify a malicious email. The average phishing training is often underwhelming: very easy to spot, usually lacking a focus, or failing to employ an approach a real attacker might use. Some platforms, such as KnowBe4, add a custom email header like X-PHISH-TEST, which marks an email as a test and will be spotted by any curious user who has learned to look for it. This type of phishing awareness training is great for teaching users the basics and preparing them for the bare minimum. But have you considered what it does not effectively prepare the user for? Are your users prepared for an email coming from a look-alike domain? What about a phishing URL that not only looks real but is served over HTTPS with a valid TLS certificate? The modern attacker is not sitting idly by watching security evolve; they are pushing the boundary of what it takes to be secure as an organization. Email security has seen the implementation of DMARC, DKIM, SPF and even rejecting emails from recently registered domains to try to cut down on phishing attacks. Attackers have acknowledged these advancements and have learned to circumvent them. Does your security team have the skill set to identify a phishing email or domain that has been marked as clean by your email security tools? If you are not sure how to answer any of the questions I have posed, consider bringing in someone who specializes in adversarial tactics to conduct an advanced assessment of your environment. Valkyrie Operations offers advanced phishing awareness training for both end users and security personnel so you can have peace of mind in your organization's security prowess. A good phishing assessment should also be a test of your email security tools and security personnel.
Every time a new assessment is conducted, treat it as an opportunity to update your email security rules and your Standard Operating Procedure (SOP) for handling phishing incidents.
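As an added example, not code from the post or from Valkyrie Operations, the following Python triage helper shows the two checks the questions above point at: whether a sender or link domain is a look-alike of one of the organization's own domains (including digit-for-letter substitutions), and what the Authentication-Results header actually proves. The sample message, the trusted domain list, the example domains and the homoglyph table are all constructed for this example; the registrable-domain logic is simplified and does not consult the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (domains, addresses and header values are made up for this
# example). Note that SPF, DKIM and DMARC all pass: they authenticate the look-alike
# domain the sender registered, not the organization's real domain.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=pass header.d=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: employee@example-corp.com
Subject: Password expiry notice
Content-Type: text/plain

Your password expires today. Sign in at https://sso.examp1e-corp.com/login to keep access.
"""

# Assumed list of the organization's own domains; in practice load it from configuration.
TRUSTED_DOMAINS = ["example-corp.com"]

# Digits commonly substituted for letters in look-alike registrations (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: real tooling should use the
    Public Suffix List so that e.g. 'co.uk' is not treated as a registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated.
    Fold homoglyph digits first, then allow a small edit distance (tune for domain length)."""
    domain = registrable_domain(host)
    if domain in trusted:
        return None
    folded = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if levenshtein(folded, t) <= max_distance:
            return t
    return None


def triage(raw_message: str) -> dict:
    """Extract sender domain, authentication results, link hosts and a simulation marker,
    and list the look-alike findings a reviewer should see before trusting the mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    url_hosts = re.findall(r"https?://([^/\s]+)", body)

    findings = []
    hit = lookalike_of(from_domain)
    if hit:
        findings.append(f"sender domain {from_domain} resembles trusted domain {hit}")
    for host in url_hosts:
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} resembles trusted domain {hit}")
    if findings and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("SPF/DKIM/DMARC pass, but for the look-alike domain itself, not the trusted one")

    return {
        "from_domain": from_domain,
        "auth": auth,
        "url_hosts": url_hosts,
        # A simulation header identifies the test to anyone who looks for it, as the post notes.
        "is_simulation": msg.get("X-PHISH-TEST") is not None,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["findings"]:
        print("FINDING:", line)
```

The point the sample makes is that a clean Authentication-Results line is not a clean verdict: SPF, DKIM and DMARC only assert that mail for examp1e-corp.com really came from whoever controls examp1e-corp.com. The look-alike comparison against your own domains is the check that catches it, and the same function can be pointed at the hosts inside the body links, where an HTTPS URL with a valid certificate would otherwise look legitimate.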
Social Engineering
In the same boat as phishing awareness training is social engineering awareness. Social engineering is a bit harder to prepare a user for: when done well, the user will never know it happened. People occasionally liken social engineering to a mentalism performance. While social engineering does borrow some of the same concepts, mentalism is often based around making generalized observations and reading a person's reactions for cues on how to continue. When it comes to social engineering in the cybersecurity space, most practitioners employ Open Source Intelligence (OSINT) to create a targeted approach specific to an individual or organization. Rachel Tobac, the CEO of SocialProof, has given several talks and demonstrations of how powerful social engineering and OSINT can be when combined. If your organization is not currently performing annual social engineering awareness training, you should consider adding it to your security repertoire.
Password Security
The last stop in our discussion of User Security Awareness training is password security. Depending on who you ask, frequent password rotation might no longer be considered good advice. This change came about with the realization that users were not practicing good password hygiene when updating their password; a great example is password2021 becoming password2022. While users not practicing good hygiene is a valid concern, I still fall on the side of the fence that passwords should be rotated. When it comes to user education about passwords, the simplest solution might be to introduce a password manager. Password managers can generate random, strong passwords for important applications while the user only needs to remember a single master password, which reduces the likelihood of poor password practices. Another consideration is a Privileged Access Management (PAM) solution like CyberArk to manage passwords for highly privileged accounts such as a Domain Admin.
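As an added example, not code from the post or from Valkyrie Operations, here is a Python check a self-service password-change flow could run to reject the password2021 to password2022 style rotation described above, alongside the kind of random password a password manager would generate so the user never has to invent one. The leetspeak table and the similarity threshold are assumptions chosen for this example.

```python
import difflib
import re
import secrets
import string

# Common substitutions users apply to keep a password "the same but different" (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password: str) -> str:
    """Strip the trailing digits/symbols users increment (the '2021' in password2021),
    then casefold and undo common leetspeak so P@ssw0rd and password compare equal."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.casefold().translate(LEET)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old one with only a cosmetic change."""
    if old == new:
        return True
    old_stem, new_stem = stem(old), stem(new)
    if not old_stem or not new_stem:  # all-digit passwords leave no stem; compare the raw strings
        old_stem, new_stem = old.casefold(), new.casefold()
    if old_stem == new_stem:
        return True
    # Catch near-misses such as a single changed letter in the stem.
    return difflib.SequenceMatcher(None, old_stem, new_stem).ratio() >= threshold


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG with at least one character of each class,
    the kind of value a password manager stores so the user never has to remember it."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for old, new in [("password2021", "password2022"), ("P@ssw0rd2021!", "password2022#")]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
    print("manager-style password:", generate_password(24))
```

A check like this only works if the change flow can see both the old and the new plaintext at the moment of the change (which it normally does, since the user supplies both); it is not something you can compute from stored hashes afterwards, so it belongs in the password-change handler, not in an audit job.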
If you are interested in reading the full CrowdStrike 2024 Global Threat Report, you can find it here: https://www.crowdstrike.com/global-threat-report/. If your organization's security is a concern for you, reach out to us at Valkyrie Operations to see which of our services could help improve your security posture. Remember, the end user is a business's most important asset; do what it takes to help them stay safe online.