Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Stopping Threat Actors from Gaining Initial Access

The recent Trustwave SpiderLabs report, Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape, offers a detailed look at the typical attack flow used in a variety of cyberattacks.

The attack flow discussed in the report focused on what a healthcare organization might face, but for the most part, attack flows stay the same regardless of the vertical being attacked. The key takeaway is the best way for an organization to stay safe is to stop the attack at this initial point.

So, let's take a look at how that can be done by drawing insights from the Trustwave SpiderLabs team. Although the details may differ in each breach or compromise, a specific sequence of events generally unfolds, starting from the initial security bypass to escalation, compromise, persistence within the network, and finally, the exfiltration or destruction of valuable data.

Additionally, we will provide actionable mitigations for organizations to implement, ensuring they can take proactive measures at each stage of the attack flow.

These recommended mitigations aim to minimize the potential risks of financial loss, damage to reputation, regulatory penalties, or physical harm that a healthcare organization may face.The typical sequence of events unfolds as follows:

What is an Initial Foothold?

This step is exactly what it sounds like, describing the time and place the attacker successfully triggers a security bypass that allows them to expand their access to suit their motives and goals. This initial foothold can take various forms, ranging from successful phishing attacks to vulnerability exploitation or even logging into public-facing systems using previously acquired credentials.

Phishing emails are by far the most prevalent form of initiating an attack. The FBI's 2022 Internet Crime Report noted 300,500 phishing attacks were reported last year, costing victims $52 million in losses. Phishing avoids having to find vulnerabilities in the software or systems on the network and instead, goes after the weakest link. The individuals operating the keyboard.

An attacker typically has one of several goals when conducting a phishing attack. Often credential theft is top of mind, and it will include an "invoice" from a customer with a link. When the link is clicked, it prompts the user for their password before "access is granted to the document." In other instances, the threat actor wants to insert malware via Powershell scripts, Javascript, or Macros. The ultimate goal is to trigger a specific type of action, such as a money wire transfer.

Attackers accomplish this task by crafting a persuasive and time-sensitive email to convince the recipient to perform an action, like clicking on a malicious link or opening a malicious attachment or following instructions to transfer funds to a purported "stranded CEO."

The attachments used in a phishing attack vary, but in the past year, those most commonly used were:

  • Document files with macros
  • OneNote Attachments with embedded links (Trustwave SpiderLabs research here and here)
  • HTML attachments, which deliver or redirect to credential phishing sites or employ HTML smuggling to hide malware (Trustwave SpiderLabs research here and here)
  • PDFs with embedded URL links

The Trustwave SpiderLabs Email Security team is dedicated to monitoring email-based threats, including opportunistic phishing, targeted/spear-phishing, and Business Email Compromise (BEC). Over the last year, our team flagged both Emotet and Qakbot as the most common trend among phishing attacks targeting healthcare organizations.

Using a Valid Account to Gain Entry

The easiest way to gain access is to have the correct credentials. There are a variety of methods an attacker can use to accomplish this task. They search for old, unchanged, or unsecured passwords, use a brute force attack to break simple passwords, discover passwords stored in plaintext, or just reach into their wallet and buy the credentials on a Dark Web forum.

SpiderLabs analysts often encounter administrative accounts that have passwords that are more than a year old. Remember, the longer a password remains unchanged, the greater the chance those credentials may be exposed, compromised, or targeted by brute-force attacks. When conducting investigations for our healthcare clients, we discovered that 30% of our findings were connected to legitimate accounts.

Sadly, many organizations make it easy for threat groups to gain access.

Login credentials stored in an unsecured fashion, such as in plaintext files, scripts, or custom applications passing credentials in cleartext in environments, are found 22% of the time by Trustwave's Threat Hunt team.

Lax password management policies in organizations, healthcare and others, also help open the door for an attacker. SpiderLabs found brute forcing passwords, trying combinations until one works, was among the most common methods of gaining access. Organizations simplify this task for attackers by allowing their workers to use extremely simple passwords, like "Password123."

An even more egregious mistake is not changing admin passwords. When an organization adds a new piece of equipment or software, it often comes with a preset password that is supposed to be immediately changed, but this step is often overlooked. Admin credentials are generally well known, and there are even repositories for them that attackers can find with a quick Internet search making it a simple matter for any threat actor to find.

Webshells are also often used. Webshells are typically inserted into compromised webservers to provide persistent access and are also for sale on the Dark Web. Webshells can often be found for sale on Dark Web markets, sometimes for the low, low price of $160. For this small expenditure, the seller promised access to the organization's Active Directory with Local Admin privileges.

Vulnerabilities and Supply Chain as Access Points

Using vulnerabilities housed within an organization system is another threat vector, with attackers exploiting issues like Apache Log4J (CVE-2021-44228). Attackers prefer to use vulnerabilities specific to their target. For example, the danger is expanded in the healthcare sector because it uses custom applications designed for healthcare organizations that often lack adequate security testing and code auditing, leading to undiscovered vulnerabilities. And the healthcare industry typically has a higher number of connected physical devices, such as heart monitors and imaging hardware, which often prioritize functionality over software security.

Healthcare organizations are often hesitant to implement changes quickly due to concerns about compliance with oversight agencies and compatibility issues with existing software and hardware. Additionally, their focus on patient safety and avoiding unexpected disruptions, like system crashes, leads healthcare organizations to be more cautious about adopting software patches or making changes that could jeopardize patient care.

Supply chain attacks are also increasingly on the rise. In these cases, instead of directly targeting multiple major organizations, attackers focus on trusted third-party partners frequently used by these entities. This approach, known as "the Domino Risk," aims to bring down one domino, triggering a chain reaction that impacts multiple others.

Given the increasing prevalence of this strategy and the alarming compromise incidents frequently making headlines, think SolarWinds, the return on investment for this type of attack is substantial.

As we have seen, attackers have a myriad of methods at their disposal to gain entry, but the good news is organizations, both on their own or in conjunction with a trusted partner, can block an attack before it gets started.

Initial Foothold Mitigation Efforts:

  • Train staff to be aware of suspicious emails and then test to ensure the lessons are learned. Utilize an email security solution like MailMarshal.
  • Regularly rotate passwords (e.g., every quarter) to mitigate issues related to valid accounts.
  • Implement password complexity requirements to enhance security.
  • Enable multi-factor authentication (MFA) to provide an additional layer of protection for accounts.
  • Securely store credentials in programs like KeePass to prevent credential abuse.
  • Promptly patch critical vulnerable systems.
  • Disable Internet access for servers that do not require it.
  • To the best of your ability, ensure suppliers are using proper cybersecurity procedures.
  • Recognize that the security of the ecosystem is dependent on the strength of its weakest link.

Latest Trustwave Blogs

Comparably Honors Trustwave with Leadership and Career Growth Awards

Comparably, the leading workplace culture and compensation monitoring employee review platform has recognized Trustwave with two major awards: 2024 Best Companies for Career Growth and 2024 Best...

Read More

Why Removing Phishing Emails from Inboxes is Crucial for Healthcare Security

The adage "data is the new oil" doesn't resonate with everyone. Personally, having grown up around cars thanks to my dad, a master mechanic, I see oil as messy and cumbersome. Data, in my view, is...

Read More

How Deepfakes May Impact Upcoming Elections Worldwide

The common fear regarding election interference is that a threat actor will gain access to either ballot machines or the networks that tally votes. However, there is a much easier method a person...

Read More