The top initial access vectors in 2022, mapped to ATT&CK

This data is from 2022. For data from 2023 (the most recent), please go HERE.

In reviewing security firms’ 2022 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.


Rank  MITRE ATT&CK Technique ID  Vector                              Percentage
1     T1566                      Phishing                            42.9%
2     T1190                      Exploit Public-Facing Application   31.7%
3     T1189                      Drive-By Compromise                  9.5%
3     T1133                      Valid Accounts                       9.5%
4     T1078                      External Remote Services             4.8%
5     T1195                      Supply Chain Compromise              1.6%

Methodology

To determine the most prevalent initial access techniques leveraged by adversaries in 2022, I relied on data from the following reports:

Because not all of these reports use a standard taxonomy, reported vectors were mapped to the corresponding MITRE ATT&CK Initial Access parent technique.

As with all threat reports, the findings and prevalence are subject to each firm’s visibility and methodology.

How to use this information

From my earlier thoughts on this matter:

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can glean good enough insights and do it quickly, assess risks, and take preventative measures.

A company with a formal org chart is a company big enough to have an informal org chart that accurately describes how things actually get done.

From Byrne Hobart at The Diff, a list of scaling bottlenecks often encountered by startups: Recruiting, decision-making, management, and more.

[O]ne of the biggest scaling bottlenecks ends up being the related problems of asymmetric information and decision fatigue. In a small company with a flat corporate hierarchy, information travels fast. If people are working long hours in close proximity, it’s almost impossible for anything to stay secret. And if everyone’s either a founder or a direct report of one, there isn’t much room for politics. A company with a formal org chart is a company big enough to have an informal org chart that accurately describes how things actually get done. Whether this is described as “politics” or as “effective” partly depends on people’s relative positions in both. And that adds an inescapable tax to growth: more people means more conflicting interests, and more cases where the right choice for the company as a whole conflicts with the right choice for individuals.

On delegation in particular, very much a limiting factor for learning and growth:

Effective delegation can be best defined in negative terms: a manager is not delegating unless their subordinates at least occasionally make exactly the opposite decision from the one their manager would have made.

If you wait until you feel like doing stuff, you’re fucked.

If there’s an article-length version of Atomic Habits, published years prior to the best-selling book, this might be it.

Motivation is like manually winding up a crank to deliver a burst of force. At best, it stores and converts energy to a particular purpose. There are situations where it is the correct attitude, one-offs where getting psyched and spring-loading a metric fuckton of mental energy upfront is the best course of action. Olympic races and prison breaks come to mind. But it is a horrible basis for regular day-to-day functioning, and anything like consistent long-term results.

By contrast, discipline is like an engine that, once kickstarted, actually supplies energy to the system.

Productivity has no requisite mental states. For consistent, long-term results, discipline trumps motivation, runs circles around it, bangs its mom and eats its lunch.

In summary, motivation is trying to feel like doing stuff. Discipline is doing it even if you don’t feel like it.

Observability as a function of your threat model

This model attempts to explain the relationship between visibility, observability, detection, and mitigation, which are closely related and important to understand when implementing any information security or cybersecurity program.


Of course, having a model is not the same as having an implementation or an operational capability. And in implementing any program based on a model, it’s very easy to fall into the trap of using the model as a bingo card, treating each component equally and in doing so expending resources in a way that is inefficient or ineffective.

In considering how to approach these four components, it might help to bucket them based on:

  • Their primary inputs or drivers
  • Any limiting factors that they have in common


Visibility is a function of your attack surface. Some key inputs here include facilities, networks, infrastructure, and service providers. For each of these, you’re wise to invest in as much visibility as you can. Keep in mind that visibility is knowing that an asset exists, but not necessarily knowing everything about it, how it’s used, or actively monitoring it. You can get a lot of mileage out of good accounting related to identities, devices, applications, etc.

Observability, detection, and mitigation are functions of your use cases. Use cases will include things like the needs of your operational teams, including technical and security operations. They may need more or less of these things in order to maintain systems, detect threats, investigate incidents, and generally mitigate threats or other types of problems.

Observability is the most interesting of the three, because there is so much debate (and marketing) surrounding the types and levels of observability that you need. Of course, a vendor that makes money when you feed it log, security, or other event data–or one who sells you products that produce those signals–is going to make a case that you need as much observability as you can afford. From a security standpoint, I would argue that observability should be driven largely by your threat model, and your understanding of where you need to be in order to observe, detect, and respond effectively to threats.

An implementation of this approach might look something like this:

Activity: Understand the threats that we face based on the technology that we use, the data that we have, and other factors.
Sample resources: Industry threat reports are great sources of this information:

  • Red Canary’s Threat Detection Report
  • CrowdStrike’s Global Threat Report
  • Mandiant’s M-Trends

Activity: Identify the techniques that those threats leverage, which can be found using readily available industry reporting.
Sample resources: Leverage the above coupled with other open source reporting, and use MITRE ATT&CK as a model for enumerating specific techniques:

  • https://attack.mitre.org/techniques/enterprise/

Activity: From the relevant ATT&CK techniques, identify the data sources that lead to observability of these techniques.
Pro tip: You’ll likely find that a small number of data sources have an outsized impact on observability coverage (i.e., a few data sources means that you can see a great percentage of techniques).
Sample resources: Each ATT&CK technique includes the specific data sources that can be used to observe it:

  • https://attack.mitre.org/datasources/

You can go wild with this implementation, but you can also keep it relatively simple and get great results. The guiding principles are that you want to ensure the broadest possible visibility, so that you understand your attack surface and the assets that are at risk, and you want to implement the right level of observability to meet adversaries where they operate, which is where you need to be in order to detect, respond, and mitigate related threats.

The future of cybersecurity might be insurance

For some time now, I’ve been considering a hypothesis that the future of cybersecurity is some form of vertically integrated set of products, services, and insurance. This won’t represent emerging or niche cybersecurity products and services, but will bring actuarial rigor to identification and measurement of the outcomes that cybersecurity vendors claim to provide, and so it will represent the subset of offerings that provide consistent, provable value (i.e., things that reliably mitigate high impact threats). The primary consumer benefit will be a faster path to implementation of a plenty good enough cybersecurity portfolio for a large percentage of organizations.

Enter the National Cybersecurity Strategy

With the release of the United States 2023 National Cybersecurity Strategy, there’s been much ado about this strategic objective:

STRATEGIC OBJECTIVE 3.6: EXPLORE A FEDERAL CYBER INSURANCE BACKSTOP

When catastrophic incidents occur, it is a government responsibility to stabilize the economy and provide certainty in uncertain times. In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilize the economy and aid recovery. Structuring that response before a catastrophic event occurs, rather than rushing to develop an aid package after the fact, could provide certainty to markets and make the nation more resilient. The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the Administration will seek input from, and consult with, Congress, state regulators, and industry stakeholders.

Equally important is the drive to improve development practices by limiting the degree to which vendors can absolve themselves of liability: “Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios.”

For those who have been following along at home, the Federal Government has been doing its homework and soliciting input on this for years. Notably, this research broadened with a call from the Government Accountability Office in June 2022, urging that “Treasury and Homeland Security jointly assess if a federal response is needed to address the situation.” This was followed by a formal request for comment from the United States Treasury in 2022, titled “Potential Federal Insurance Response to Catastrophic Cyber Incidents”. So, the announcements in the National Cybersecurity Strategy are important but not surprising.

Back to private industry

The cyber insurance industry has swung like a pendulum within the last decade. What was once cheap, plentiful, and underwritten with a low level of rigor has led to substantial losses, and has relatively quickly become a web of sub-insurance requirements and narrowing coverage. So, there will be a lot of momentum and buzz about the prospect of the government stepping in to provide some stabilization. But there are also plenty of potential, or even likely, downsides, including:

  • Moral hazard - There’s been plenty of anecdotal correlation between the tightening market for cyber insurance and increased investment and attention on behalf of organizations in their cybersecurity posture. Knowing that the government will be there to bail them out—whether directly or through their insurers—may stymie this progress.
  • Absence of catastrophic economic risk - Directly from Lawfare: “There is no evidence that firms are halting online economic activity because of either low cyber insurance limits or the introduction of new war clauses. It is simply unthinkable that retail firms would shut down websites and rely on brick and mortar stores because of changes in cyber insurance coverage. The impact of the digital age—and reliance on the internet—is simply too strong.”

Clear opportunity

There’s plenty more to be considered. But the sheer magnitude and complexity of the economics of cybercrime, in particular how we insure against losses, and the expansive but not yet outcome-bound cybersecurity solution landscape are all great indicators of opportunity. A marketplace for offerings with tightly aligned incentives will advance both the insurance and cybersecurity industries in a meaningful way, raising the standard of cybersecurity posture at large and in turn alleviating some of this public and private market pressure.