
Why the MITRE ATT&CK framework helps prevent HEAT attacks

Neko Papez | Oct 11, 2022

Illustration of MITRE ATT&CK framework calling out initial access phase


Expanding threat surfaces as a result of work-from-home and accelerated digital transformation initiatives are creating a perfect storm for threat actors. No longer restricted to trying to penetrate hardened perimeter defenses, malicious actors are worming their way into corporate networks via backdoors through remote devices, web applications, and Software as a Service (SaaS) platforms. From there, they can freely spread throughout the network, picking when, where, and how to compromise their intended target.

As a result, many organizations have resigned themselves to the assumption that attackers are already inside their network. Security teams have shifted their focus to detecting the lateral movement of those attackers by identifying and intercepting abnormal or unauthorized behavior.

However, this focus on detection rather than prevention of that initial access is playing right into attackers’ hands. Ceding the initial access allows adversaries to shroud their malicious activity as normal user behavior — allowing them to hide in plain sight before launching their attack.

The importance of focusing on initial access

Initial access is arguably the most important adversarial tactic across the MITRE ATT&CK Framework. Highly Evasive Adaptive Threats (HEAT) increasingly use initial access techniques such as HTML smuggling, password-protected documents, oversized files, and email path avoidance to evade detection in order to gain a foothold in the network. These initial access techniques are successful because traditional Secure Web Gateway (SWG), anti-virus, and sandbox solutions are designed to look for specific patterns, remote file requests, and signatures as a way to detect abnormal behavior. However, HEAT attacks use evasive techniques such as drive-by compromise and phishing to bypass these technologies and gain that initial access.
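The paragraph above says that signature-oriented SWG, anti-virus and sandbox tools miss HTML smuggling because no recognizable file ever crosses the wire; the file is assembled in the browser from inline data. The following Python script is an added example (not Menlo Security's code or a vendor rule) of what a content-inspection heuristic has to look for instead: the combination of a large inline base64 run with the client-side APIs that turn it into a download. The thresholds, pattern names and the three HTML samples are all constructed for illustration; the "smuggled" blob is 4 KiB of zero bytes.

```python
"""Heuristic inspection of an HTML response for HTML-smuggling indicators.

Added example: every threshold, pattern and sample here is an assumption
chosen for illustration, not a rule from any product.
"""
import base64
import re

# Assumed threshold: a single inline base64 run longer than this is unusual in a page body.
BASE64_MIN_LEN = 1024
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Assumed indicator patterns: the client-side APIs that turn inline data into a file.
INDICATORS = {
    "js_atob": re.compile(r"\batob\s*\("),
    "js_blob": re.compile(r"\bnew\s+Blob\s*\("),
    "js_object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "js_ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "data_uri_binary": re.compile(r"data:application/(?:octet-stream|zip|x-msdownload)"),
}


def analyze_html(html: str) -> dict:
    """Return the indicators found in `html` and a verdict under an assumed rule:
    flag only when inline binary content (a large base64 run or a binary data: URI)
    is combined with at least two of the client-side file-assembly indicators.
    Requiring both halves keeps ordinary in-browser exports from being flagged."""
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(html))
    largest = max((len(m.group(0)) for m in BASE64_RUN.finditer(html)), default=0)
    inline_binary = largest >= BASE64_MIN_LEN or "data_uri_binary" in hits
    assembly_hits = [h for h in hits if h != "data_uri_binary"]
    return {
        "indicators": hits,
        "largest_base64_run": largest,
        "suspicious": inline_binary and len(assembly_hits) >= 2,
    }


# Constructed samples (not captured traffic).
BENIGN_HTML = (
    "<html><body><h1>Quarterly report</h1>"
    "<a href='/files/report.pdf'>Download the report</a></body></html>"
)

# A page that legitimately builds a CSV export in the browser: same APIs, no inline binary.
CSV_EXPORT_HTML = """<script>
function exportRows(rows) {
  var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'rows.csv';
  a.click();
}
</script>"""

# Inert stand-in for a smuggled file: 4 KiB of zero bytes, base64-encoded inline.
_INERT_BLOB = base64.b64encode(bytes(4096)).decode()
SMUGGLING_HTML = f"""<script>
var bytes = Uint8Array.from(atob("{_INERT_BLOB}"), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.iso';
a.click();
</script>"""


if __name__ == "__main__":
    for label, page in [("benign", BENIGN_HTML), ("csv_export", CSV_EXPORT_HTML),
                        ("smuggling", SMUGGLING_HTML)]:
        print(label, analyze_html(page))
```

The CSV-export sample matters as much as the smuggling one: it uses the very same `Blob`, `createObjectURL` and `download` calls, so a rule that fires on the API names alone would produce exactly the kind of false-positive load this article goes on to criticize. The verdict here needs the inline binary content as well, which is the part a signature scanner has nothing to match against.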

diagram showing 9 techniques of initial access

In a drive-by compromise, adversaries compromise legitimate websites to gain access to a user’s system. In this case, when a user visits a compromised website as part of a regular browsing session, their web browser is targeted and exploited simply by visiting the website. In phishing attacks, adversaries use various forms of website manipulation and spearphishing tactics via professional networks, collaboration tools, and SMS texting to get around traditional email security solutions.

By not focusing on preventing initial access and instead taking a traditional detect-and-respond approach to cybersecurity, security teams fail to stop these evasive threats and end up with an untenable number of false positives that disrupt operations and sap productivity.

Becoming complacent about attackers gaining initial access to end devices while they are getting increasingly better at avoiding detection is a recipe for disaster. If organizations are serious about stopping phishing and drive-by attacks that can lead to things like ransomware and credential theft, they need to prevent initial access and focus security defenses on where the attack occurs and where users spend most of their time — within the web browser.

Prevention and detection: A balanced approach

To completely stop ransomware, credential theft, and other malware, organizations need to make sure they are covering all stages of the MITRE ATT&CK framework — but focusing on that initial access step is key. Traditional detect-and-respond security solutions are important, but they must be augmented with prevention solutions such as anti-phishing and advanced isolation technologies that can prevent initial access and stop attackers from getting into an organization’s network.

Instead of making an allow-or-block decision at the point of click, isolation assumes that all users, applications, data, and web and email traffic are malicious and isolates all content in a remote browser in the cloud. With no access to the end device, the malware is effectively neutralized whether or not it’s been detected. The malware is simply unable to make that initial breach or deliver its intended payload.

If organizations can stop threats at the initial access point, then they can prevent malware from ever reaching the endpoint and stop HEAT attacks and ransomware altogether.
