{"id":18958,"date":"2021-10-07T17:50:08","date_gmt":"2021-10-07T13:50:08","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/most-common-initial-attack-vectors\/18958\/"},"modified":"2022-05-05T11:03:28","modified_gmt":"2022-05-05T07:03:28","slug":"most-common-initial-attack-vectors","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/most-common-initial-attack-vectors\/18958\/","title":{"rendered":"Common initial attack vectors"},"content":{"rendered":"

Other companies frequently call in our experts for emergency assistance with incident response<\/a>, to conduct (or help conduct) investigations, or to analyze cybercriminals\u2019 tools. Throughout 2020, we collected a wealth of data<\/a> for a view on the modern threat landscape that helps us predict the most likely attack scenarios \u2014 including the most common initial attack vectors \u2014 and choose the best defensive tactics.<\/p>\n

When we investigate a cyberincident, we always pay special attention to the initial attack vector. Simply put, the way in is a weak point, and to avoid recurrence, identifying defense systems\u2019 weak spots is crucial.<\/p>\n

Unfortunately, that is not always possible. In some cases, too much time has elapsed between the incident and its detection; in others, the victim did not keep logs or destroyed the traces (accidentally or intentionally).<\/p>\n

Complicating matters, when cybercriminals attack through the supply chain<\/a> \u2014 an increasingly prevalent method \u2014 the initial vector falls not under the end victim\u2019s purview, but rather that of a third-party program developer or service provider. However, in more than half of all incidents, our experts were able to determine the initial attack vector precisely.<\/p>\n

First and second place: Brute force and exploitation of publicly accessible applications<\/h2>\n

Brute-force attacks and exploitation of vulnerabilities in applications and systems accessible from outside the corporate perimeter share the top two spots. Each served as the initial vector of penetration in 31.58% of cases.<\/p>\n

As we observed in previous years, no other method is as effective for launching an attack as the exploitation of vulnerabilities. A more detailed analysis of the exploited vulnerabilities suggests that is attributable primarily to companies\u2019 failure to install updates promptly; at the time of the attacks, patches were available for every single vulnerability. Simply applying them would have protected the victims.<\/p>\n

Companies\u2019 mass transition to remote work and the use of remote-access services account for the uptick in brute-force-attack popularity. In making the transition, many organizations failed to address security matters adequately, and, as a result, the number of attacks on remote connections shot up practically overnight. For example, the period of March to December 2020 saw a 242% increase<\/a> in RDP-based brute-force attacks.<\/p>\n

Third place: Malicious e-mail<\/h2>\n

In 23.68% of cases, the initial attack vector was malicious e-mail, either with malware attached or in the form of phishing. Targeted attack operators and mass mailers alike have long used both types of malicious messaging.<\/p>\n

Fourth place: Drive-by compromise<\/h2>\n

Sometimes attackers try to gain access to the system using a website that the victim visits periodically or lands on by chance. To use such a tactic, which we\u2019ve seen in some complex APT attacks<\/a>, cybercriminals either furnish the site with scripts that exploit a browser vulnerability to run malicious code on the victim\u2019s computer or trick the victim into downloading and installing the malware. In 2020, it was the initial attack vector in 7.89% of cases.<\/p>\n

Fifth and sixth place: Portable drives and insiders<\/h2>\n

The use of USB drives to infiltrate company systems has become rare. In addition to flash-drive-infecting viruses largely being a thing of the past, the tactic of slipping someone a harmful USB stick is not very reliable. Nevertheless, this method accounted for 2.63% of initial network penetrations.<\/p>\n

Insiders caused the same proportion (2.63%) of incidents. That\u2019s employees who, for whatever reason, wanted to harm their own companies.<\/p>\n

How to minimize the likelihood of a cyberincident and its consequences<\/h2>\n

Most of the incidents our experts analyzed were preventable. Based on their findings, they recommend:<\/p>\n