Neko Papez | Aug 02, 2022
Access holds the keys to power. Want to get something done in Washington? You have to know the right people who can manipulate the levers of government. Starting a business? It’s critical that you have access to capital and other financial resources. Trying to move up in your career? Networking gives you access to the right opportunities.
Cybercriminals are no different. Getting paid, causing a disruption, or stealing information requires access to top targets at businesses, government entities, and prominent individuals around the world. However, surveilling a target, crafting an attack plan, sending out feelers, and gaining initial access is time-consuming, sometimes taking months or even years. As a result, we’ve seen a dramatic rise in initial access brokers: cybercriminals who have built an entire industry around the monetization of network access.
Who are these initial access brokers? What services do they provide? Why are they so successful? Why should you care? Here are the answers to these important questions.
Initial access brokers are the opportunistic locksmiths of the security world, gaining and selling access to target organizations. Many ransomware-as-a-service (RaaS) offerings allow anyone with a credit card or cryptocurrency account to purchase initial access to a target while skipping the time- and labor-intensive surveillance and scoping process. Threat actors can use this access to hold corporate information and systems for ransom, steal data, deliver a payload, or disrupt operations. This speeds time to market for threat actors to gain access to targeted networks, allowing them to act quickly when opportunities arise.
Initial access brokers open up a whole new market of malicious actors who are as lean and agile as their enterprise targets. A cybercriminal no longer needs to be an expert hacker to infiltrate a multinational corporation or government entity. They just need a credit card or cryptocurrency account. In addition, many hobbyist hackers who gained unauthorized access to networks for sport and preferred not to capitalize on the access they gained can now monetize their efforts without the moral objections. By selling access to the highest bidder, initial access brokers feel isolated from the harm their customers may be spreading and may be more likely to expand their attacks in scale and scope.
Access is surprisingly cheap. According to Kela, initial access brokers sell access for an average of roughly $5,400, but domain admin privileges on networks owned by multinational corporations or high-profile government agencies can command significantly higher prices. Network access sales typically close within one to three business days, and companies in the U.S. and the EU are the most common targets. The five most well-known Russian-speaking ransomware operators (LockBit, Avaddon, DarkSide, Conti, and BlackByte) are all known to use initial access brokers.
A recent cybersecurity incident carried out against Bangkok Airways has been traced to initial access brokers. Access through the airline’s Cisco AnyConnect VPN was offered up for auction in July 2021, and just two months later the company announced it had been the victim of an attack that exposed passenger data to an unauthorized person.
The anatomy of an initial access broker attack is pretty straightforward:
The acceleration of digital transformation, modern applications, multi-cloud environments, and remote work has spread the attack surface, making it impossible for organizations to protect every distributed asset. Malicious actors are able to take advantage of HEAT (Highly Evasive Adaptive Threat) techniques, vulnerabilities in VPNs, and user behavior to evade traditional detect-and-respond defenses.
HEAT-based attacks bypass traditional web security measures and leverage web browser features to deliver initial payloads or compromise credentials. Typically, the point of detection (if the attack is detected at all) comes too late to stop the initial breach. By then, access has likely already been sold to the highest bidder, who is then under pressure to recoup their investment.
The only way to stop these attacks is to prevent initial access brokers from gaining a foothold in organizations at the initial access points, making a potential breach useless, as if it never happened. This requires a robust protection strategy focused on advanced anti-phishing and Internet isolation capabilities. Isolation provides a virtual air gap in the cloud between the Internet and users’ devices. All web content is routed through a Secure Web Gateway (SWG) with isolation capabilities, where it is executed in isolation within the cloud. This prevents all code, whether malicious or not, from executing on endpoints, effectively cutting off any access a malicious actor has to the network and rendering HEAT attacks ineffective.
Tagged with Awareness, Blog, HEAT, Isolation, SWG, Threat Trends