Date: 8 May 2024
When investigating a security breach, one question always arises: “How was the network initially compromised?” Companies with extensive digital infrastructures have numerous assets that malicious actors can target, and identifying the initial point of entry is essential to safeguarding the infrastructure from future attacks.
The X-Force Threat Intelligence Index report highlights three primary initial attack vectors observed in 2022 and 2023:
In this article, we will explore these techniques and provide tips on how to detect them during a cyber security investigation.
Phishing Techniques
Phishing remains one of the most common initial attack vectors used by cybercriminals. It typically starts with an email from an address posing as a popular service, senior colleague, or other legal entity. The email urgently requests the recipient to open an attachment or follow a provided link. Following this request usually leads to compromising login credentials or installing malware.
To prevent phishing attacks, organisations must implement email filtering solutions and conduct regular employee cybersecurity training on recognising phishing emails.
However, what if the damage has already been done? In some cases, individuals who fall victim to phishing tricks do not immediately realize what has happened and fail to report the incident promptly. This delay gives bad actors time to scale their attack and cover the tracks of the initial access vector.
When the attack is discovered, the cybersecurity team must quickly determine its origins. To identify whether the bad actor gained access through a phishing email, they should examine as much pertinent data as possible:
- Uncover and analyse desktop mailboxes
- Search for webmail traces in browser cache, volatile memory, and other system components
- Look for attachments in emails and analyse Windows Jump Lists to identify if users opened them
- Look for file-sharing service links distributed via emails
- Carve data to recover the emails and files deleted by the intruder
When working on such tasks, investigators can use digital forensics software. Built specifically for the collection and analysis of data on digital devices, such tools help cybersecurity professionals quickly discover cyber incident-related artifacts and effectively navigate hefty data sets of corporate computers.
Valid Account Abuse
As listings of compromised yet valid credentials keep emerging on the dark web, attackers increasingly use valid accounts to establish a foothold in the networks. In 2023, this initial attack vector moved from the third to the first place.
Intrusions made with valid accounts are not that easy to detect since they often require a single login attempt to access network assets and typically do not raise flags in the monitoring systems. Once inside the network, attackers can elevate the compromised user’s privileges, create new users, and move laterally.
To prevent such attacks, cybersecurity teams can implement password rotation and multi-factor authentication policies, but those are only part of the plan. Detecting unauthorised access through valid accounts requires advanced monitoring and anomaly detection mechanisms. Security teams should surveil user account activity for any signs of unusual behaviour, such as logins from unfamiliar locations or at unusual timeframes.
When investigating a cyber attack involving valid accounts, it is important to identify the compromised account and the time when it was first abused. Examining the following artifacts can help to accomplish these tasks:
- Windows event logs:
- TerminalServices-RemoteConnectionManager Event ID 1149 that indicates a successful RDP connection to a machine on the network and can help detect abnormal connection sources
- Security log, particularly Event ID 4624 that provides logon details, including the accounts used for authentication
- TerminalServices-LocalSessionManager Event IDs 21 and 22 that include the information on RDP logon sessions
- Outgoing Remote Desktop Protocol (RDP) connections and other lateral movement artifacts
Cyber incident response tools can retrieve this information from affected machines and summarize it for easier and faster analysis. They help cybersecurity professionals define compromised accounts, the attack timeline, and other assets compromised by intruders.
Public-Facing Application Exploits
Bad actors often target public-facing applications that are typically based on web servers due to their accessibility from the internet. Such applications can include databases (for example, SQL), standard services like the Server Message Block (SMB) and Secure Shell (SSH) protocols, and other systems with open sockets. Attackers exploit vulnerabilities in these applications to gain initial access to a network.
To reduce the risk of such attacks, the cyber security team should conduct regular security assessments and patch management for public-facing applications. Additionally, implementing web application firewalls (WAFs) can help detect and block malicious traffic targeting these applications.
When investigating incidents involving public-facing application exploits, cyber security professionals can focus on the following artifacts:
-
Access logs which help identify the IP addresses that communicated with the server and the techniques (for example, SQL injections) bad actors used to gain initial access to the server
-
Volatile memory that helps detect suspicious processes
-
Persistence artifacts such as new user creation in Windows Registry
- The file system may contain suspicious files, such as malware executables or scripts, used in the exploit
Conclusion
Protecting digital infrastructures from the top initial attack vectors in 2024 is a multifaceted challenge that requires a combination of preventative, monitoring, and investigative measures. When a security breach is detected, identifying the attack vector is crucial for responding effectively and preventing future incidents. Digital forensics tools play a vital role in accelerating cyber incident response and investigations by providing comprehensive features for the acquisition and analysis of data.
