Common initial attack vectors

How attackers are most apt to get into target companies’ infrastructure.

Other companies frequently call in our experts for emergency assistance with incident response, to conduct (or help conduct) investigations, or to analyze cybercriminals’ tools. Throughout 2020, we collected a wealth of data for a view on the modern threat landscape that helps us predict the most likely attack scenarios — including the most common initial attack vectors — and choose the best defensive tactics.

When we investigate a cyberincident, we always pay special attention to the initial attack vector. Simply put, the way in marks the weak point in the victim's defenses, and identifying it is the first step toward preventing a recurrence.

Unfortunately, that is not always possible. In some cases, too much time has elapsed between the incident and its detection; in others, the victim did not keep logs or destroyed the traces (accidentally or intentionally).

Complicating matters, when cybercriminals attack through the supply chain — an increasingly prevalent method — the initial vector falls not under the end victim’s purview, but rather that of a third-party program developer or service provider. However, in more than half of all incidents, our experts were able to determine the initial attack vector precisely.

First and second place: Brute force and exploitation of publicly accessible applications

Brute-force attacks and exploitation of vulnerabilities in applications and systems reachable from outside the corporate perimeter share the top two spots, each serving as the initial penetration vector in 31.58% of cases. (All percentages in this post are shares of the incidents in which the initial vector could be established, not of all incidents investigated.)

As in previous years, exploitation of vulnerabilities was the single most effective way to launch an attack. A closer look at the exploited vulnerabilities shows why: at the time of the attacks, a patch was already available for every one of them, so the root cause was companies' failure to install updates promptly. Simply applying the available patches would have protected the victims.

Companies' mass transition to remote work, and the remote-access services it relied on, account for the rise in brute-force attacks. Many organizations made the transition without adequately addressing security, leaving remote-access services such as RDP exposed to the internet, and the number of attacks on remote connections shot up practically overnight. For example, from March to December 2020 we saw a 242% increase in RDP-based brute-force attacks.
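A minimal detector for the RDP password guessing described above, as an added example that is not part of the original post or of any Kaspersky product: it scans a constructed export of Windows Security events for 4625 (failed logon) records with logon type 10 (RemoteInteractive) or 3 (Network, which is where failures land when Network Level Authentication is enabled), flags any source that reaches a threshold of failures inside a sliding time window, and then checks whether a 4624 (successful logon) from the same source follows, which is the signal that the guessing may have worked. The pipe-separated record format, the threshold and window sizes, and the sample log lines are all assumptions made for this example.

```python
"""Detect RDP brute-force activity in a Windows Security event export.

Added example, not code from the original article. Real 4625/4624 events
carry these values as IpAddress, TargetUserName and LogonType; the
pipe-separated layout below is an assumed export format for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types under which RDP password guessing shows up in event 4625:
# 10 = RemoteInteractive (classic RDP), 3 = Network (NLA/CredSSP pre-auth).
RDP_LOGON_TYPES = {3, 10}

# Constructed sample export: time|event_id|source_ip|target_user|logon_type
SAMPLE_LOG = """\
2020-11-03T02:14:01|4625|203.0.113.45|Administrator|10
2020-11-03T02:14:03|4625|203.0.113.45|Administrator|10
2020-11-03T02:14:05|4625|203.0.113.45|admin|3
2020-11-03T02:14:07|4625|203.0.113.45|admin|3
2020-11-03T02:14:09|4625|203.0.113.45|backup|3
2020-11-03T02:14:11|4625|203.0.113.45|backup|3
2020-11-03T02:14:13|4625|203.0.113.45|svc_sql|3
2020-11-03T02:14:15|4625|203.0.113.45|svc_sql|3
2020-11-03T02:14:17|4625|203.0.113.45|jsmith|3
2020-11-03T02:14:19|4625|203.0.113.45|jsmith|3
2020-11-03T02:14:21|4624|203.0.113.45|jsmith|10
2020-11-03T08:30:12|4625|10.0.0.7|mdoe|10
2020-11-03T08:30:40|4625|10.0.0.7|mdoe|10
2020-11-03T08:31:02|4624|10.0.0.7|mdoe|10
"""


def parse_export(text):
    """Parse the assumed export format into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, user, ltype = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(eid),
            "src": src,
            "user": user,
            "logon_type": int(ltype),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside any window.

    Returns {src_ip: {"failures", "users", "first", "last",
    "success_after", "success_user"}}. success_after is True when a 4624
    from an already-flagged source follows the guessing.
    """
    recent = defaultdict(deque)  # src -> failure timestamps inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "first": None, "last": None})
    flagged = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:  # drop stale failures
                q.popleft()
            s = stats[src]
            s["failures"] += 1
            s["users"].add(ev["user"])
            s["first"] = s["first"] or ev["time"]
            s["last"] = ev["time"]
            if len(q) >= threshold:
                flagged.setdefault(src, {"success_after": False,
                                         "success_user": None})
        elif ev["event_id"] == 4624 and src in flagged:
            flagged[src]["success_after"] = True
            flagged[src]["success_user"] = ev["user"]
    return {src: {**stats[src], "users": sorted(stats[src]["users"]),
                  **flagged[src]} for src in flagged}


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_export(SAMPLE_LOG)).items():
        verdict = "SUCCESS AFTER GUESSING" if info["success_after"] else "blocked"
        print(f"{src}: {info['failures']} failures against {info['users']} "
              f"between {info['first']} and {info['last']} -> {verdict}")
```

The distinct target users per source are kept so that password spraying (few attempts per account, many accounts) is visible alongside classic single-account guessing, and a 4624 from a flagged source is treated as the priority finding, since that is the case where the lockout or MFA recommendation would already have failed.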

Third place: Malicious e-mail

In 23.68% of cases, the initial attack vector was malicious e-mail, either with malware attached or in the form of phishing. Targeted attack operators and mass mailers alike have long used both types of malicious messaging.

Fourth place: Drive-by compromise

Sometimes attackers try to gain access to the system using a website that the victim visits periodically or lands on by chance. To use such a tactic, which we’ve seen in some complex APT attacks, cybercriminals either furnish the site with scripts that exploit a browser vulnerability to run malicious code on the victim’s computer or trick the victim into downloading and installing the malware. In 2020, it was the initial attack vector in 7.89% of cases.

Fifth and sixth place: Portable drives and insiders

Using USB drives to infiltrate company systems has become rare. Flash-drive-infecting malware is largely a thing of the past, and slipping someone a booby-trapped USB stick is not a reliable tactic. Nevertheless, this method accounted for 2.63% of initial network penetrations.

Insiders accounted for the same share (2.63%) of incidents: employees who, for whatever reason, set out to harm their own companies.

How to minimize the likelihood of a cyberincident and its consequences

Most of the incidents our experts analyzed were preventable. Based on their findings, they recommend:

  • Introducing a strict password policy and enforcing the use of multifactor authentication;
  • Prohibiting remote management services (RDP and the like) that are reachable directly from the internet;
  • Installing software updates as quickly as practicable;
  • Protecting mail servers with antiphishing and antimalware tools;
  • Raising employee awareness about modern cyberthreats on a regular basis.

In addition, remember to configure all auditing and logging systems and to back up your data regularly — not only to facilitate investigations, but also to minimize damage from cyberincidents.

Of course, the statistics above represent just a small portion of the useful information in the report. You'll find the full text of our Incident Response Analyst Report 2021 here.