Image

Drive-by downloads
Description: The gist of this technique is to dupe the victim into opening a website hosting various browser and plugin exploits, obfuscated frames or malicious JavaScript files that can be downloaded to the target system beyond the user’s awareness.How to protect yourself:
- Use up-to-date web browsers and plugins and run an antimalware solution. Microsoft recommends using Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard (WDEG.)
Exploiting public-facing applications
Description: This method involves known glitches, bugs and vulnerabilities in applications with open network ports (SSH network services, web servers, SMB2, etc.) The top 10 web application vulnerabilities are being regularly published by OWASP.How to protect yourself:
- Use firewalls.
- Perform network segmentation with DMZ.
- Follow safe software development practices.
- Avoid issues documented by CWE and OWASP.
- Scan the network perimeter for vulnerabilities.
- Monitor logs and traffic for anomalous activity.
Hardware additions
Description: Computers, network appliances and computer accessories may go with covert hardware components tasked with providing initial access. Both open-source and commercial products may include features for stealth network connection, MITM (man-in-the-middle) attacks implementation for encryption cracking, keystroke injection, reading kernel memory via DMA, adding a new wireless network, etc.How to protect yourself:
- Adopt policies for network access control such as certificates for devices and IEEE 802.1X standard.
- Restrict the use of DHCP to registered devices only.
- Block network interaction with unregistered equipment.
- Disable the addition of unknown external devices using host protection mechanisms (endpoint security agents for device monitoring.)
Removable media
Description: This technique leads to the execution of rogue code via autorun feature. To deceive the user, the attacker may modify or rename the “legit” file beforehand and then copy it onto a removable drive. The malware can also be embedded in the firmware of removable media or executed via the initial formatting tool.How to protect yourself:
- Disable the autorun feature in Windows.
- Restrict the use of removable media at the level of your company’s security policy.
- Use antivirus software.
Spear-phishing - attachments
Description: This mechanism presupposes the distribution of viruses attached to phishing emails. The email body typically contains a plausible-looking reason why the user should open the attached file.How to protect yourself:
- Use IDS (intrusion detection system) along with an antivirus suite that scans emails for malicious attachments and removes or blocks them.
- Configure a policy to block certain formats of email attachments.
- Train your personnel how to identify and avoid phishing.
Spear-phishing - links
Description: Cybercriminals may send emails with links leading to malware.How to protect yourself:
- Check the received emails for URLs leading to known malicious websites.
- Use IDS and antivirus software.
- Conduct phishing awareness training of your staff.
Spear-phishing via service
Description: In this case, the threat actors send booby-trapped messages via social networks, personal email accounts and other services that are beyond the company’s control. They may use fake social network profiles to send job offers or similar eye-catching messages. This allows them to build trust and later ask the targeted employee about policies and software used in the enterprise and convince the victim to click malicious links and attachments. As a rule, the malefactor first establishes contact and then sends the malicious entity to the email address that the employee uses at their workplace.How to protect yourself:
- Consider blocking access to personal email accounts, social networks, etc.
- Use application whitelisting, IDS and antivirus software.
- Set up a personnel awareness program focused on anti-phishing.
Supply chain compromise
Description: This method comes down to injecting various backdoors, exploits and other hacking instruments into software and hardware at the supply stage. The possible attack vectors are as follows:- Manipulating software development tools and environments,
- Abusing source code repositories,
- Interfering with software update and distribution mechanisms,
- Compromising and contaminating OS images,
- Modifying legit software,
- Sale of counterfeit\modified products and
- Interception at the shipment stage.
How to protect yourself:
- Implement SCRM (supply chain risk management) and SDLC (software development life cycle) management systems.
- Run continuous contractors’ reviews.
- Strictly limit access within your supply chain.
- Use procedures to control the integrity of binary files.
- Scan distribution kits for viruses.
- Test all software and also updates prior to deployment.
- Physically examine the hardware being purchase as well as the media containing software distribution kits and support documentation for signs of forgery.
Trusted relationship
Description: Malicious agents can take advantage of organizations that may access the infrastructure of the target enterprise. Companies often use a less secure practices while interacting with trusted third parties than for regular access from the outside. Trusted third parties may include IT service contractors, security vendors and infrastructure maintenance contractors. Furthermore, the accounts used by trusted parties to access the company can be hacked and leveraged for initial access.How to protect yourself:
- Use network segmentation and isolate critical IT infrastructure components that shouldn’t be widely accessible from outside the organization.
- Manage accounts and privileges used by trusted third parties.
- Check security procedures and policies of the contractors that need privileged access.
- Monitor the activity of third-party vendors and trusted individuals.
Using valid accounts
Description: Criminals can steal the credentials for a specific user’s account or service account or retrieve credentials in the course of reconnaissance with the help of social engineering. Compromised credentials can then be used to get around access management systems and get access to remote systems as well as external services, such as remote desktops, VPNs and Outlook on the web, or to obtain elevated privileges in specific systems and areas of the network. If this attempt turns out successful, the perpetrators can decide not to use malware and thereby complicate detection. Also, the attackers may create new accounts to maintain access in case the other techniques fail.How to protect yourself:
- Stay away from credential overlapping across different services and systems.
- Adopt a password policy and follow enterprise network administration guidelines to restrict the use of privileged accounts.
- Monitor domain and local accounts and their privileges to identify the ones that can allow an adversary to get wide access to the network.
- Keep track of account activity using security information and event management (SIEM) solutions.
Image
