10 most common cyber-attack vectors and defence measures

Sheila Zabeu

May 20, 2022

The tactics used by malicious actors to carry out cyber attacks vary, but they often exploit misconfigurations, weak controls and other poor cybersecurity practices that make unauthorised access to victims’ systems easier.

A paper co-authored by cyber security officials from the United States, Canada, New Zealand, the Netherlands and the United Kingdom, released by the US Cybersecurity and Infrastructure Security Agency (CISA), brought together both the main tactics used to breach networks and the methods that can be adopted to mitigate the risk of attacks.

The most common exploitation tactics usually seek:

  • Systems where multi-factor authentication (MFA) is not applied, especially for remote desktop access. Because Remote Desktop Protocol (RDP) is one of the most common vectors used in ransomware attacks, MFA is essential to mitigate this type of cyber threat.

  • Incorrectly applied privileges or permissions and errors in access control lists. This failure can allow unauthorised users or processes to gain improper access to IT assets.

  • Software not updated properly. When vulnerable systems are not patched, attackers can exploit vulnerabilities to gain access to sensitive information, launch a denial-of-service (DoS) attack, or take control of systems. This is one of the most commonly encountered cybersecurity malpractices.

  • Environments with factory default settings or standardized login usernames and passwords. Many software, hardware, and networking products come with overly permissive factory settings to ease installation and reduce support calls. Leaving them unchanged opens the door to intrusion.

  • Remote services without sufficient controls to prevent unauthorised access, such as virtual private networks (VPN).

  • Weak password policies, which can be easily cracked by a myriad of methods that exploit leaked or compromised passwords to gain unauthorized access to victim systems. Malicious actors have used these techniques in several initiatives, most notably attacks targeting RDP.

  • Unprotected and misconfigured cloud services are common targets for cyber-attacks that seek to steal confidential data and even do cryptocurrency mining.

  • Open ports and misconfigured services represent one of the most common vulnerability findings. Attackers use scanning tools to detect open ports and often use them as the initial attack vector to gain a foothold, then apply other tactics and procedures to compromise exposed and vulnerable IT assets. RDP, Server Message Block (SMB), Telnet and NetBIOS are the highest-risk services.

  • Environments without phishing protection can be targeted by malicious actors who send emails with links or attachments to infect systems.

  • Poor detection and response capabilities on endpoints make it easy for malicious PowerShell scripts and other attacks to bypass endpoint security controls and proceed on target devices.
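As an added example, not taken from the article or the CISA paper, the following Python script audits a small host inventory for several of the weak controls just listed: high-risk services (RDP, SMB, Telnet, NetBIOS) reachable from the Internet, RDP without MFA, factory-default credentials, missing patches and a short password minimum. The three-host inventory, the default-credential pairs and the 14-character threshold are constructed assumptions for illustration.

```python
"""Audit a constructed host inventory against the weak controls listed above.

Added example: the inventory, the default-credential pairs and the password
length threshold are assumptions for illustration, not data from the advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Services the article names as highest risk when reachable from the Internet.
HIGH_RISK_PORTS = {23: "Telnet", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

# Constructed sample of factory-default credential pairs (not a vendor list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Assumed policy minimum; use the value your own password policy mandates.
MIN_PASSWORD_LENGTH = 14


@dataclass
class Host:
    name: str
    internet_facing: bool                    # reachable from the Internet without a VPN
    open_ports: Set[int]
    remote_access_mfa: bool                  # MFA enforced on RDP/VPN logins
    admin_creds: Optional[Tuple[str, str]]   # (username, password) of the admin account
    pending_critical_patches: int
    password_min_length: int


def audit_host(host: Host) -> List[str]:
    """Return one finding string per weak control observed on the host."""
    findings: List[str] = []
    exposed = sorted(p for p in host.open_ports if p in HIGH_RISK_PORTS)
    if host.internet_facing and exposed:
        names = ", ".join(f"{HIGH_RISK_PORTS[p]}/{p}" for p in exposed)
        findings.append(f"high-risk service exposed to the Internet: {names}")
    if 3389 in host.open_ports and not host.remote_access_mfa:
        findings.append("RDP reachable without MFA")
    if host.admin_creds in DEFAULT_CREDENTIALS:
        findings.append("factory-default administrator credentials in use")
    if host.pending_critical_patches > 0:
        findings.append(f"{host.pending_critical_patches} critical patch(es) not applied")
    if host.password_min_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"password policy allows {host.password_min_length} characters "
            f"(minimum {MIN_PASSWORD_LENGTH})"
        )
    return findings


def audit_inventory(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map each host name to its findings; hosts with none map to an empty list."""
    return {h.name: audit_host(h) for h in hosts}


# Constructed inventory of three hosts.
SAMPLE_INVENTORY = [
    Host("jump-01", True, {22, 3389}, False, ("admin", "admin"), 2, 8),
    Host("web-01", True, {80, 443}, True, None, 0, 16),
    Host("file-01", False, {139, 445}, True, ("svc_backup", "Lr7!pq2Zm9#kW"), 1, 16),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Internal SMB/NetBIOS on `file-01` is deliberately not flagged as exposure, since the rule keys on Internet reachability; a real audit would feed `Host` records from an asset inventory or scan output rather than from constants.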

In addition to listing these attack vectors, the CISA document also recommends practices that can help strengthen defences against the most exploited weak security controls:

  • Adoption of a Zero Trust model that removes implicit trust in any user or IT asset and requires continuous verification through real-time information from multiple sources to determine appropriate access privileges.

  • Limiting remote login from the administrator account and preventing access via RDP sessions. Also, use dedicated administrative workstations for privileged user sessions to help limit threat exposure.

  • Control of access to data and services. Users should be given only the access rights to data and systems that they actually need for their respective roles. This role-based access control, an application of the principle of least privilege, should cover both accounts and physical access.

  • Strengthening conditional access policies to manage how users connect to networks and cloud services.

  • Scanning of machines with RDP ports, including virtual ones in the cloud. You should put any system with an open RDP port behind a firewall and require users to use VPN to access it.

  • Implement MFA, in particular, on all VPN connections, external services and privileged accounts. Use phishing-resistant MFA (such as security keys or PIV cards) for critical services. In cases where MFA cannot be implemented, a strong password policy should be applied with other attribute-based information such as device data, access time, user history and geolocation data.

  • Changing factory-default usernames and passwords.

  • Monitor to detect the use of compromised credentials. Implement controls to prevent the use of compromised or weak passwords.

  • Sufficient log information. Log files play a key role in attack detection and incident handling. Maintaining a robust set of logs will ensure sufficient information to investigate incidents and detect the behaviour of attacking agents.

  • Use of anti-malware solutions and continuous monitoring of antivirus scanning results. Implementation of security tools for endpoints. Use of intrusion detection and prevention systems to protect networks and devices.

  • Performing tests to identify incorrect configurations.

  • Vulnerability checking and implementation of patch management processes.

  • Use of cloud service provider tools to detect shared storage and monitor abnormal access.

  • Ensure secure configurations for services on hosts accessible from the Internet.
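The recommendations on monitoring for compromised credentials and keeping sufficient logs come together in detection logic. As an added example (not from the article or the CISA paper), the Python below reads a constructed, simplified rendering of Windows logon events, counts failed RDP logons (event 4625, LogonType 10) per source address in a sliding window, raises an alert when the count crosses a threshold, and raises a second alert if a successful RDP logon (event 4624) later arrives from the same address, which is the pattern a guessed or leaked password leaves behind. The log lines, the five-in-five-minutes threshold and the line format are assumptions for illustration.

```python
"""Detect RDP password guessing and a subsequent success from logon events.

Added example: the log format below is a constructed, simplified rendering of
Windows Security events (4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive, i.e. RDP); it is not a real export format.
Lines are assumed to be in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<src_ip>\S+)$"
)

# Constructed sample: one source tries several accounts and then gets in;
# a second source shows two isolated failures and a normal success.
SAMPLE_LOG = """\
2022-05-20T10:00:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.5
2022-05-20T10:00:03Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.5
2022-05-20T10:00:05Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.5
2022-05-20T10:00:07Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.5
2022-05-20T10:00:09Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.5
2022-05-20T10:00:20Z EventID=4624 LogonType=10 User=backup SrcIP=203.0.113.5
2022-05-20T10:01:00Z EventID=4625 LogonType=10 User=alice SrcIP=198.51.100.7
2022-05-20T10:30:00Z EventID=4625 LogonType=10 User=alice SrcIP=198.51.100.7
2022-05-20T10:30:10Z EventID=4624 LogonType=10 User=alice SrcIP=198.51.100.7
"""

# (kind, source IP, timestamp string, detail: failure count or user name)
Alert = Tuple[str, str, str, object]


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "raw_ts": d["ts"],
        "event_id": int(d["event_id"]),
        "logon_type": int(d["logon_type"]),
        "user": d["user"],
        "src_ip": d["src_ip"],
    }


def detect_rdp_guessing(log_text: str, threshold: int = 5,
                        window_seconds: int = 300) -> List[Alert]:
    """Return alerts for sources exceeding `threshold` RDP failures within the
    window, and for any later RDP success from an already-flagged source."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:     # only RDP (RemoteInteractive) logons
            continue
        ip, ts = ev["src_ip"], ev["ts"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["raw_ts"], len(q)))
        elif ev["event_id"] == 4624 and ip in flagged:
            # A success after sustained failures suggests a guessed/compromised password.
            alerts.append(("success_after_brute_force", ip, ev["raw_ts"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, when, detail in detect_rdp_guessing(SAMPLE_LOG):
        print(f"{when} {kind} src={ip} detail={detail}")
```

Tune `threshold` and `window_seconds` to the traffic of the environment; the second alert is the one worth paging on, since it indicates the control on compromised credentials failed rather than merely being probed.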