According to the Cybersecurity and Infrastructure Security Agency, having account credentials is crucial for threat actors to successfully infiltrate critical infrastructure networks and state and local agencies.
Nearly 90% of infiltrations each year resulted from compromised valid credentials and spear phishing attacks. The agency's annual risk and vulnerability assessment, released on Wednesday, revealed that 54% of all studied attacks could be attributed to valid accounts, including accounts of former employees that had not been removed from Active Directory, and default administrator credentials.
The report also highlighted that 1 in 3 attacks were carried out through spear phishing links—malware-laced emails specifically targeting individuals. These techniques' high success rate emphasizes their effectiveness in accessing targeted systems. As CISA stated in its analysis, gaining network access is the first step toward a successful attack.
Once threat actors have established this access point, they can use privilege escalation techniques to steal valuable information. The next most commonly used methods for initial access were spear-phishing attachments and external remote services, each accounting for 3% of attacks.
Exploits of public-facing applications were responsible for just 1% of all attacks studied during the federal government's fiscal year 2022, which ended Sept. 30. The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard Cyber Command conducted 121 risk and vulnerability assessments across critical infrastructure sectors during this period, uncovering similarities in the compromises.
According to their report, numerous organizations in critical infrastructure sectors displayed the same vulnerabilities.
CISA identified a sequence of operations followed by many real-world attacks. The threat actor:
1. Gained initial access
2. Executed code to establish a foothold and maintain persistence on the network
3. Utilized privilege escalation to acquire rights
4. Employed defense evasion techniques to avoid detection and attempted to steal access
5. Explored networks to assess the situation and identify sensitive data
6. Utilized lateral movement to reach data
7. Collected information
8. Used command and control methods to extract data and potentially retain control after the attack.
Although threat actors frequently change their tools and tactics when initiating attacks, federal cyber authorities highlighted that unauthorized access to the nation's critical networks and systems still relies on these established methods.