A new analysis of data collected from assessments at federal executive branch agencies and some private sector companies in fiscal year 2022 shows that more than 50 percent of successful intrusions at those organizations began with the use of a valid account for initial access.
The data comes from risk and vulnerability analyses conducted by the Cybersecurity and Infrastructure Security Agency during the last fiscal year and backs up what many in the security community have asserted for many years: The simplest attack vectors often are the most effective.
“Valid accounts can be former employee accounts that have not been removed from the active directory or default administrator accounts. When organizations do not change default passwords, threat actors can compromise a valid administrator account. In many cases, this attack technique is possible because the valid account allowed unauthorized users to install or execute insecure software (such as unpatched or out- of-date software) on a system or network,” the CISA analysis says.
“In many ways, successful entry is the first cataloged achievement for a malicious actor. With internal access, attackers are privy to private systems and information. The next step of the attack, whether it be code execution, mission disruption, or gaining increased privileges, may not be possible without initial access.”
CISA is the lead cybersecurity agency for the federal government and is responsible for maintaining the overall defensive posture of civilian agencies. The agency offers proactive and reactive security services and also works with private sector companies in the same capacities when they request help.
In addition to the 54 percent of successful intrusion attempts that used valid accounts, CISA’s data shows that 33 percent of spearphishing attempts were successful. Spearphishing has been a go-to tactic for cybercrime groups as well as APT teams for many years and it has stayed in the rotation for one simple reason: it works. A reasonably well-crafted phishing email with proper targeting will snare quite a few victims in even well-trained and security aware organizations.
“Successful spearphishing requires an attacker’s malicious email to pass through network border protections and deliver malware to execute on the local host. Host-level protection stops spearphishing attempts as they pass through network perimeter protection. At the network border level, CISA observed 13% of spearphishing attempts blocked. At the host or endpoint level, CISA observed 78% of links or attachments blocked, preventing the execution of a malicious activity,” the CISA analysis says.
Defending against phishing attacks and the abuse of valid user accounts may not be the most technically challenging operations, but taking care of the basics often can go quite a long way.