Getting initial access is the initial goal for attackers attempting to compromise an organization. Since every network is unique, the path for hackers to take will also be unique. Both attackers and defenders have to stay up to date with the latest information and techniques to remain competitive in the constantly changing cyber-landscape. Although the specifics may vary with each network, the basic concepts remain the same, and there are usually two main ways of getting initial access: Technical Exploitation and Social Engineering.
Technical Exploitation is when an attacker exploits either a severe misconfiguration in the network or poorly designed code. This type of exploitation is less common than Social Engineering but is far more dangerous since it often requires no user interaction. This covers a fairly wide umbrella of potential attacks, ranging from default credentials on an exposed device to complex attack chains to get through to the back end.
An example of an attack that arises from code flaws would be the recent vulnerability in Fortigate VPN panels, CVE-2023-27997. This vulnerability allowed for remote code execution on the affected devices. The vulnerability is said to be exploitable pre-authentication, making it an easy attack for a dedicated hacker. An official patch has been released that remediates the vulnerability, but it is still up to defenders to keep all software up to date to mitigate vulnerabilities such as this.
Weak or default credentials are also extremely prevalent. While not quite the same as exploiting code flaws, misconfigurations can often have the same impact. Staying on the theme of VPN exploits, a good example might be the credentials admin:admin working and allowing access to the internal network. Even if the device is fully patched with the latest security, this will give an attacker the same level of access as the more advanced exploit mentioned above. Blue Goat can help you identify dangerous attack paths that malicious hackers could exploit for initial access with our External and Web App Penetration Tests.
Social Engineering is the most common way for attackers to get initial access. This involves manipulating employees of an organization to get them to disclose sensitive information that can aid an attacker. Bad guys will reach out to employees through email, phone, fake resumes, etc. with crafted messages, often posing as someone that they are not. The recent attack against MGM Resorts happened because of Social Engineering. The hacking group targeting them called the help desk posing as an employee with information that was found on the open internet. All they had to do was simply ask for the employee’s password to be reset and they were in.
No matter how secure the physical components of a network are, your organization can still be vulnerable to attack. Equally as important as keeping the network hardened is keeping employees well-trained and equipped to spot attacks. This should be done through Social Engineering simulations and regular training sessions on the dangers of phishing attacks. Blue Goat can help to test your organization’s employees’ security awareness with our Social Engineering Campaigns.
Choosing a Target
Hackers rarely want to fight an uphill battle against extremely secure companies to try and gain access to their data. Almost always, the best target is the easiest one. The Fortigate example from earlier applies well here. When there is a major vulnerability such as that, and a hacking group knows how to perform the attack, they might seek out any exposed Fortigate panels that are below the patched version. This can be done with tools such as shodan.io that index any internet-connected device.
Social Engineering works similarly. If a bad guy is met with resistance when performing their campaign, they will most likely just move on to the next target. Having properly trained staff that quickly spot these attempts will go to great lengths in preventing phishing attacks from working. People can often be thought of as the weakest link in an organization, so keeping them well-trained is vital for security.
Stopping Attacks Before They Happen
Security is a complex topic, and much has to be done to stay secure in the modern world. There is, unfortunately, no one-stop shop to meet all security needs and harden your organization from attack. At Blue Goat, we can work with you to find the best solutions for you to keep your company secure from cyber attacks. Contact us to find out more.