Actions to Take to Defeat Initial Access Brokers

Access-as-a-service (AaaS), a new business model in the underground cybercrime economy, refers to threat actors selling methods of accessing networks for a one-time fee. One group of criminals, referred to as an access broker or initial access broker (IAB), steals enterprise user credentials and sells them to other attack groups. The buyers then use ransomware-as-a-service (RaaS) or malware-as-a-service (MaaS) to exfiltrate confidential data from the targeted enterprise. The service is part of the broader cybercrime-as-a-service (CaaS) trend.
Consider a common AaaS scenario: as soon as the details of a vulnerability are made public, IABs deploy infostealers to acquire keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard contents from the compromised device. Once an infostealer is in place, the remote access Trojan (RAT) begins logging activity and collecting data into raw logs. These logs are then manually examined for usernames and passwords that can be monetized and sold on the Dark Web. The credentials IABs seek most are those for virtual private networks (VPNs), remote desktop protocol (RDP), Web applications, and email servers, the last of which are instrumental in spear phishing and business email compromise (BEC).
Some brokers may also have direct contact with system administrators or end users who are willing to sell access to their systems. In recent months, threat groups have advertised on the Dark Web for administrators and end users willing to share credentials for a few minutes in return for large cryptocurrency payments. In some cases, threat groups have asked specifically for employees of particular organizations, offering bigger payments for that access.
Because infostealers make it so easy for IABs to harvest and sell stolen credentials, understanding your risk profile, and developing and using countermeasures based on it, is paramount. Open source intelligence (OSINT) can provide a thorough report of what is available for sale on the Dark Web or the open Web. Cybersecurity companies can collect this information and provide reports detailing the results.
Here are some examples of potential security holes that OSINT analysis can find, along with an example of a countermeasure that could prevent damage from their exposure.
An attacker's access to the network can often be traced back to a chain of events that cybersecurity professionals must unravel. This is done by asking specific questions: How did the attackers enter the network, and how did they gain access? What actions did they take once inside that allowed them to gain more access? Currently, misconfigurations in Active Directory have allowed threat actors to escalate privileges rapidly, sometimes all the way to domain admin.
OSINT reports detailing this critical information can provide everything needed to build a defense against credential loss and IABs. With the information obtained from the Dark Web, cybersecurity teams can build countermeasures for the loss of credentials or other brand information.
The real risk stems from not knowing what is available on the Dark Web. To build a good defense, you need good intelligence. Threat intelligence is an often overlooked layer of a cybersecurity program. While there is no magic layer of defense that removes all risk, OSINT can dramatically reduce the risks associated with this new and innovative type of threat group.
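One way to turn such a report into the countermeasure the paragraph describes, as an added example that is not part of the original article: cross-reference the exposed logins an OSINT vendor returns against a directory export, and decide per account whether a password reset, a session revocation (stolen cookies survive a reset), or a check that a departed user's account stays disabled is needed, ranked by the access types the article says IABs value most. The `Exposure` fields, the `SERVICE_PRIORITY` ranking and all sample records below are constructed for illustration, not a real vendor's format.

```python
from dataclasses import dataclass
from datetime import date

# Constructed (not from the article): the access types the article says IABs
# monetize, ranked by urgency (0 = most urgent).
SERVICE_PRIORITY = {"vpn": 0, "rdp": 0, "email": 1, "webapp": 2}

@dataclass(frozen=True)
class Exposure:
    username: str     # login as it appears in the stolen log, often an email
    service: str      # what the credential unlocks, per the OSINT vendor
    seen: date        # when the listing or stealer log was observed
    has_cookie: bool  # infostealer logs frequently bundle session cookies

def triage(exposures, directory):
    """Return (login, service, actions) for exposures that match a directory
    account, most urgent first. directory maps a lower-case login to
    {"active": bool, "last_pw_change": date}; unknown logins are skipped."""
    ranked = []
    for e in exposures:
        login = e.username.strip().lower()
        acct = directory.get(login)
        if acct is None:
            continue  # not one of our accounts (or another brand): nothing to reset
        actions = []
        if not acct["active"]:
            actions.append("confirm_disabled")  # stale account: make sure it stays off
        elif acct["last_pw_change"] <= e.seen:
            actions.append("reset_password")  # leaked secret may still be valid
        if e.has_cookie:
            actions.append("revoke_sessions")  # a password reset does not kill cookies
        if actions:  # most valuable access type first, newest listing first within it
            rank = (SERVICE_PRIORITY.get(e.service, 9), -e.seen.toordinal())
            ranked.append((rank, login, e.service, actions))
    ranked.sort()
    return [(login, svc, acts) for _, login, svc, acts in ranked]

EXPOSURES = [  # constructed: what an OSINT report of Dark Web listings might contain
    Exposure("Alice@Example.com", "webapp", date(2023, 3, 1), False),
    Exposure("bob@corp.example.com", "vpn", date(2023, 3, 10), True),
    Exposure("carol@example.com", "email", date(2023, 2, 1), False),  # rotated since
    Exposure("dave@other.example", "rdp", date(2023, 3, 12), True),  # not our account
    Exposure("erin@example.com", "rdp", date(2023, 3, 5), False),  # left the company
]
DIRECTORY = {  # constructed directory export: login -> account state
    "alice@example.com": {"active": True, "last_pw_change": date(2023, 1, 15)},
    "bob@corp.example.com": {"active": True, "last_pw_change": date(2022, 11, 2)},
    "carol@example.com": {"active": True, "last_pw_change": date(2023, 2, 20)},
    "erin@example.com": {"active": False, "last_pw_change": date(2022, 6, 1)},
}
```

Running `triage(EXPOSURES, DIRECTORY)` puts the VPN account with a bundled cookie first and drops the account whose password was already rotated after the listing was observed.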
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.