Layale Hachem, senior solutions engineer at BeyondTrust explains how businesses can defend against IABs by enforcing least privilege, enhancing multi-factor authentication, redefining remote access, and eliminating dormant accounts.
When the Arab Gulf region began its mass cloud migration in 2020, the technology landscape changed. And, reacting swiftly as it always does, the cyberthreat landscape changed in parallel. Today, cybercrime is an industry. We see B2B suppliers and customers. We see cloud offerings like ransomware-as-a-service (RaaS). The lone-wolf threat actor has been replaced by a workforce of specialists each playing their part in nefarious operations.
Legitimate businesses, beware. One such specialism that is rising in prominence is that of the initial access broker (IAB). As the name may suggest, IABs concern themselves with establishing a foothold within a corporate IT environment and selling that foothold. They use a range of methods, like spam and phishing, to steal credentials. They often bypass multifactor authentication (MFA). From there, it is off to the dark-Web market to make easy cash by selling their wares to others looking to make easy cash, from RansomOps gangs to supply-chain attackers.
If we take RaaS providers as an example, IABs can help them speed up campaigns and have greater impact on a target. Remember, cybercrime now operates as a business, which implies that each “firm” will be looking to shave costs where it can. The IAB represents ad hoc outsourcing for the initial steps of a campaign workflow, so a ransomware group can immediately begin encrypting files and extracting payment.
You do you
The IAB model allows threat gangs to bridge skills gaps. An IAB may have assembled a team that is very good at establishing access. They will be skilled in social engineering and all the techniques involved in harvesting login details. They may not be so skilled in using these privileges to perform lateral movement. They may know little about how to build a ransomware payload. Those that are skilled in these latter areas may either not have the social-engineering skills to score credentials quickly or may simply want to speed up operations.
It is evident that each side of the IAB equation gains great advantages that eliminate waste in labor hours. They reduce risk and increase profits for everybody. Amid their newfound popularity, IABs are keeping authorities busy. In April, dark-Web marketplace Genesis Market was shut down by international law-enforcement agencies in Operation Cookie Monster. Similar operations had previously targeted Hydra Market and BreachForums. But these are just the markets. The sellers can skip town and go elsewhere. So how do we stop IABs? There are four main ways.
- Enforce the principle of least privilege
By granting only those privileges needed to perform a role, organizations ensure that if a user is tricked by an IAB, the harvest will be lean. IABs do their homework and will target users with administrator rights, so it is wise to ensure that users who are not system admins in their day job are not given such access. Admin rights are a springboard for lateral movement, further credentials theft, and the elevation of privileges. Guard them well.
- Revamp MFA
IABs have learned to compromise MFA, but that does not mean we must abandon it as a protection measure. It is still a useful tool against stolen credentials or credential-stuffing attacks. MFA fatigue attacks use push notifications and SIM-jacking to compromise this extra layer of security but Fast Identity Online (FIDO2) protects against this by using local authentication and asymmetric public-key cryptography. This delivers decentralized authentication, which is resistant to MFA fatigue and other forms of MFA bypassing.
- Jettison VPN and RDP
VPN and RDP can often be unnecessary for remote work. What users need is straightforward access to the systems that are relevant to them. By granting this access in a controlled and auditable way, organizations stay a step ahead of IABs by preventing them from exploiting VPN access to flat networks or public-facing RDP servers. Such exploits allow free and rapid movement around IT environments. Enterprises should pay particular attention to the access granted to third parties who will be using personal or unmanaged devices.
- Eliminate dormant accounts
Default, dormant, orphaned — these accounts are nectar to IABs, providing a pre-provisioned identity that allows an infiltrator to wander around unchallenged. They may belong to humans or machines, but when compromised, they can lead to increased dwell time; and if they have levels of privilege attached, a lot of damage can occur before the attacker is discovered. These accounts must be brought under strict management, and if they are not needed, they should be deleted. Often, default, dormant, or orphaned accounts are not enrolled in MFA. An IAB can use credential stuffing and self-enrolment in MFA to set up OTP delivery to a device of their choosing and gain access on a whim.
The game has changed but the fundamentals remain
So, the good news is that while initial access brokers are certainly a gamechanger for the threat-actor community, the risks they pose to the legitimate business are no different than they have always been. It is imperative that businesses have the security capabilities to notice they have been targeted and that access to their systems is going under the hammer at dark-Web auction houses.
Awareness begins with proactive management of identities and privileges, but to be truly cognizant of the threats to an environment, security teams should consider an identity threat detection and response (ITDR) approach. ITDR builds on privileged access management (PAM) by integrating threat intelligence, best practices, tools, and processes that allow the timely detection and investigation of high-risk anomalies, as well as a response that can save the organization from damage to assets and reputation.
Unfortunately, we live in a world where we cannot escape the digital realm. But we also live in a world that is wise to the dangers. IABs may be on the prowl, but with the right maneuvers, we can give them the slip.