The top initial access vectors in 2022, mapped to ATT&CK
In reviewing security firms’ 2022 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.
| Rank | MITRE ATT&CK Technique ID | Vector | Percentage |
|---|---|---|---|
| 1 | T1566 | Phishing | 45% |
| 2 | T1190 | Exploit Public-Facing Application | 26% |
| 3 | - | Other | 9% |
| 4 | T1189 | Drive-By Compromise | 6% |
| 4 | T1133 | External Remote Services | 6% |
| 4 | T1078 | Valid Accounts | 6% |
| 5 | T1195 | Supply Chain Compromise | 2% |
Methodology
To determine the most prevalent initial access techniques leveraged by adversaries in 2022, I relied on data from the following reports:
- eSentire 2023 Ransomware Report: Disrupting Initial Access
- HP Wolf Security Threat Insights Report Q4 2022
- IBM Security X-Force Threat Intelligence Index 2023
- Kroll Q4 2022 Threat Landscape
- Secureworks Learning from Incident Response: 2022 Year in Review Report
- Mandiant M-Trends 2023 (to be released in April 2023)
Because not all of these reports use a standard taxonomy, I mapped each of their reported vectors to the corresponding MITRE ATT&CK Initial Access parent technique.
As with all threat reports, the findings and prevalence are subject to each firms’ visibility and methodology.
How to use this information
From my earlier thoughts on this matter:
A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.