Evolving Cyber Threat Landscape: Initial Access and Rising Trends


In recent years, we’ve observed substantial changes in the strategies deployed by threat actors to compromise major companies and organizations, regardless of the preventative security measures in place. This blog post, the first in a forthcoming series, explores the evolving tactics and innovations of these threat actors, with a spotlight on recent trends.

Today, our focus is the ‘Initial Access’ phase, or ‘TA0001’ in MITRE parlance.

Adversaries have honed their precision in victim targeting, noticeably diminishing their reliance on malware for initial footholds. Indeed, the dependence on malware has dropped to 29% from a stark 61% back in 2018. In contrast, interactive intrusion campaigns have doubled since 2022, heralding a shift towards more sophisticated, adaptable attack techniques.

Exploiting Public-Facing Applications (T1190) is one of the significant techniques that came to the forefront in the cyber threat landscape of the first quarter of 2023. Cisco Talos Incident Response (Talos IR) found that the use of web shells, in particular, emerged as the leading initial access vector, being observed in 22% of their engagements. This trend has even surpassed ransomware, making web shells the most frequently observed threat. Each of these web shells typically offers only its own small set of basic functions. However, threat actors are not limiting themselves to a single web shell; instead, they are chaining multiple web shells together, assembling a flexible and versatile toolkit that enables widespread network access.
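Because a web shell is just a script the attacker drops somewhere the web server will execute it, the defender's signal is usually in the access log: script files executed from directories that should only serve static content, POST requests to endpoints the application never exposed, and direct access with no referer. The following triage script is an added example written for this post, not code from Cisco Talos or any other source cited here. It assumes Combined Log Format lines, and the allow-list of known endpoints, the list of static directories and the log lines themselves are constructed for illustration.

```python
"""Heuristic web-shell activity triage over web server access logs.

Added example (not from the original post). Assumes Combined Log Format
lines and a small allow-list of expected script paths; the sample log
lines below are constructed for illustration.
"""
import re

# Combined Log Format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Server-side script extensions a web shell is typically dropped as.
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".jspx", ".aspx", ".ashx", ".asp")
# Directories that should only ever serve static content (assumption for this site).
STATIC_DIRS = ("/uploads/", "/images/", "/static/", "/media/")
# Script endpoints the application legitimately exposes (assumption for this site).
KNOWN_ENDPOINTS = {"/login.php", "/api/upload.php", "/index.php"}

# Constructed sample log: a benign session, then a script executed from /uploads/.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:09:14:20 +0000] "POST /api/upload.php HTTP/1.1" 200 74 "https://example.test/profile" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:09:14:35 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 311 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/May/2023:09:15:01 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1984 "-" "python-requests/2.28.1"
198.51.100.4 - - [10/May/2023:09:16:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8843 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:09:16:40 +0000] "GET /static/app.js HTTP/1.1" 304 0 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [10/May/2023:09:20:05 +0000] "GET /media/x.jspx HTTP/1.1" 200 120 "-" "curl/8.0.1"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(rec):
    """Return the list of reasons this request looks like web-shell interaction."""
    reasons = []
    path = rec["path"].split("?", 1)[0].lower()
    is_script = path.endswith(SCRIPT_EXT)
    if is_script and path.startswith(STATIC_DIRS):
        reasons.append("script executed from static/upload directory")
    if is_script and path not in KNOWN_ENDPOINTS and rec["method"] == "POST":
        reasons.append("POST to unknown script endpoint")
    if is_script and path not in KNOWN_ENDPOINTS and rec["referer"] == "-":
        reasons.append("no referer on direct script access")
    return reasons


def triage(log_text):
    """Aggregate suspicious requests: {(host, path): {"hits": n, "reasons": set}}."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = score_request(rec)
        if not reasons:
            continue
        key = (rec["host"], rec["path"].split("?", 1)[0])
        entry = findings.setdefault(key, {"hits": 0, "reasons": set()})
        entry["hits"] += 1
        entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for (host, path), info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host} {path}: {info['hits']} hit(s); " + "; ".join(sorted(info["reasons"])))
```

On the constructed sample the benign session through `/index.php` and `/api/upload.php` produces nothing, while the two POSTs to `/uploads/avatar.php` and the GET of `/media/x.jspx` are reported with their reasons. The heuristics are deliberately coarse; in practice the allow-list and static-directory list come from the application's own routing, and a hit is corroborated by checking file creation times and the web server user's child processes on the host.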

A significant example of this is the extensive exploitation of known CVEs, such as the Log4j vulnerability, identified as the preferred choice for adversaries seeking initial access in the first quarter of 2022.

Another technique on the rise is phishing (T1566). We’ve observed a significant increase in the deployment of sophisticated, elusive phishing campaigns, with a 25% spike reported by CERT-GIB in 2022. This trend indicates a potential shift towards these campaigns as the dominant method for obtaining initial access – a hypothesis corroborated by data from Cisco Talos Incident Response (CTIR), which identified phishing as the primary initial access method in the second quarter of 2022.

It’s important to note that this doesn’t imply a reduction in malware incidents.

On the contrary, approximately 71% of companies worldwide suffered some form of malware attack, notably ransomware, marking a roughly 10% increase from the previous year. With the emergence of ‘malware-as-a-service’ offerings in our hyper-connected global landscape, we predict an even greater prevalence of malware attacks in the future.

Significantly, the focus of modern malware has shifted from destruction and denial of service to data theft and extortion, as evidenced in the rise of ransomware attacks. Increasingly, cybercriminals are leveraging ransomware to exfiltrate data, often threatening to leak sensitive information unless a ransom is paid.

Such large-scale data breaches have led to another disturbing technique: Initial Access via Valid Account credentials (T1078). In fact, this method became the top infection vector in the third quarter of 2022. As these dynamics continue to evolve, it’s clear that understanding and countering these tactics is more critical than ever.

We are also noticing a significant surge in the compromise of cloud infrastructure. Specifically, the activity of what are termed “Cloud-Conscious Adversaries” has amplified by a staggering 288%, and incidents involving cloud exploitation have risen by 95% compared to the previous year. However, this does not imply a lack of security within cloud infrastructure. In fact, cloud solutions are inherently secure when initially deployed. The root of the problem lies predominantly in critical misconfigurations tied to substandard identity and entitlement practices, which account for nearly half of all cloud security incidents. Further, in 43% of reported incidents, adversaries gained initial access via legitimate account credentials (T1078.004). Given the complexity and significance of cloud-related threats, it would be worthwhile to explore this topic in further depth in a subsequent article.
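The “substandard identity and entitlement practices” behind most cloud incidents are usually visible in the policy documents themselves: wildcard actions, unscoped resources, and identity-modifying permissions granted without conditions. The linter below is an added example written for this post, not a tool from any vendor or report cited here. It assumes AWS-style IAM policy JSON; both the weak and the hardened policy documents (bucket name, account id and role name included) are constructed for illustration.

```python
"""Lint IAM policy documents for over-broad entitlements.

Added example (not from the original post). Assumes AWS-style IAM policy
JSON; the two policy documents below are constructed for illustration.
"""
import json

# Actions that let a principal change identities or permissions (lower-cased).
PRIVILEGE_CHANGING_ACTIONS = {
    "iam:*", "iam:createpolicyversion", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:createaccesskey", "iam:updateassumerolepolicy",
}

# Constructed weak policy: full wildcard, service wildcard plus an
# identity-modifying action on every resource, and a NotAction allow.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*", "iam:PutUserPolicy"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

# Constructed hardened policy: enumerated actions, scoped resources, and a
# condition on the one action that touches identity.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-assets",
                      "arn:aws:s3:::example-app-assets/*"]},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-reader",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of (statement_index, finding) for over-broad Allow statements."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        unscoped = "*" in resources
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows every action not listed; enumerate Action instead"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        for a in actions:
            if a.endswith(":*") and a != "*":
                findings.append((i, f"service-wide wildcard {a}"))
        if unscoped and "Condition" not in stmt:
            findings.append((i, "Resource '*' with no Condition"))
        if unscoped and any(a in PRIVILEGE_CHANGING_ACTIONS for a in actions):
            findings.append((i, "identity-modifying action allowed on all resources"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(lint_policy(doc))} finding(s)")
        for idx, msg in lint_policy(doc):
            print(f"  statement[{idx}]: {msg}")
```

The weak document yields seven findings across its three statements; the hardened one yields none, because each action is enumerated, each resource is a specific ARN, and the role assumption is gated on MFA. A real review would run this over every inline and managed policy attached to the identities that reached the environment, and would treat `Resource: "*"` on identity-modifying actions as the highest-priority fix, since that is precisely the entitlement that turns a stolen credential (T1078.004) into control of the account.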

How do we fortify our defenses against these emerging trends and techniques? This crucial question will form the crux of our ensuing article.