Most cyber intrusions are carried out with genuine account credentials, according to findings published by CISA.
In a recent report, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the central role of credential compromise and spear-phishing in intrusions into critical infrastructure networks.
The report states that spear-phishing attachments and external remote services were each used 3% of the time to gain initial access. It does not report the combination of valid credential compromise and spear-phishing as a single category; any combined figure is the sum of the two separately reported categories.
Both threats nonetheless loom large. Insider threats involving legitimate credentials now account for about 25% of incidents in critical sectors, according to a 2023 Ponemon Institute report [1]. Spear-phishing is a well-known vector for credential compromise, but none of the sources states a percentage that ties the two together directly.
To counter these threats, CISA recommends layered defenses, including workforce training and strict access control. The CISA performance measures and cybersecurity plans referenced by FEMA set a 70% target for both phishing training coverage and multi-factor authentication adoption [5].
The report also found that spear-phishing links, emails sent to targeted individuals that carry a link to a malicious page or download, were responsible for 1 in 3 (33%) of the attacks studied. Overall, CISA found that valid account credentials are at the root of most successful intrusions into critical infrastructure networks and state and local agencies.
In CISA's annual risk and vulnerability assessment, valid accounts, including former employee accounts never removed from Active Directory and default administrator credentials, were the initial access vector in 54% of the attacks studied. Added to the 33% attributed to spear-phishing links, credential compromise and spear-phishing together account for nearly 90% (87%) of the infiltrations studied last year, underscoring the staying power of these methods for gaining initial access. The figures describe the organizations CISA assessed that year, not every organization in every sector.
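One way to check for the conditions named above, as an added example that is not part of the CISA report or this article: audit a directory export against the HR roster and flag enabled accounts that belong to former employees, default administrator accounts whose password was never rotated, and accounts that have not logged on recently. The account records, the roster, the 90-day and 365-day thresholds and the list of default administrator names are all constructed assumptions for the example.

```python
"""Audit a directory export for the 'valid account' conditions named above:
former-employee accounts still enabled, unrotated default administrator
credentials, and dormant accounts. All account data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_DAYS = 90             # assumed threshold for "no recent logon"
PASSWORD_MAX_AGE_DAYS = 365   # assumed rotation policy for built-in admins
# Assumed built-in / default privileged account names to watch for.
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}


@dataclass(frozen=True)
class Account:
    sam: str                        # sAMAccountName from the export
    enabled: bool
    last_logon: Optional[date]      # None: never logged on
    pwd_last_set: Optional[date]    # None: never changed since creation
    privileged: bool                # member of a privileged group


def _age_days(today: date, when: Optional[date]) -> Optional[int]:
    """Days since `when`, or None when the event never happened."""
    return None if when is None else (today - when).days


def audit_accounts(accounts, current_staff, service_accounts, today):
    """Return sorted (account, rule, severity) findings.

    current_staff:    usernames of people still employed (HR roster).
    service_accounts: known non-human accounts, exempt from the roster check.
    """
    staff = {s.lower() for s in current_staff}
    exempt = {s.lower() for s in service_accounts}
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue            # disabled accounts cannot be logged into
        name = acct.sam.lower()
        severity = "high" if acct.privileged else "medium"
        if name in DEFAULT_ADMIN_NAMES:
            # Built-in admin: the risk is a password nobody has ever changed.
            pwd_age = _age_days(today, acct.pwd_last_set)
            if pwd_age is None or pwd_age > PASSWORD_MAX_AGE_DAYS:
                findings.append((acct.sam, "default-admin-unrotated", severity))
        elif name not in staff and name not in exempt:
            # Human account with no matching employee: likely an offboarding miss.
            findings.append((acct.sam, "not-on-hr-roster", severity))
        logon_age = _age_days(today, acct.last_logon)
        if logon_age is None or logon_age > DORMANT_DAYS:
            findings.append((acct.sam, "dormant", severity))
    return sorted(findings)


def run_sample():
    """Run the audit over a constructed export as of 2024-06-01."""
    today = date(2024, 6, 1)
    export = [
        Account("alice", True, date(2024, 5, 30), date(2024, 3, 1), False),
        Account("bob", True, date(2024, 1, 10), date(2024, 1, 10), False),
        # dave left months ago but was never disabled, and holds admin rights
        Account("dave", True, date(2023, 11, 1), date(2023, 5, 1), True),
        # erin was offboarded correctly: disabled, so nothing to report
        Account("erin", False, date(2023, 1, 1), date(2022, 12, 1), False),
        Account("svc_backup", True, date(2024, 5, 31), date(2024, 4, 1), False),
        # built-in Administrator, never rotated, never used
        Account("Administrator", True, None, None, True),
    ]
    return audit_accounts(export, ["alice", "bob", "carol"], ["svc_backup"], today)


if __name__ == "__main__":
    for sam, rule, severity in run_sample():
        print(f"{severity:6} {rule:24} {sam}")
```

In practice the export would come from `Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet,Enabled` or an LDAP search, and the roster from the HR system. The audit only flags; it does not disable accounts, because roster mismatches also catch contractors and service accounts that need a review rather than an automatic lock-out, which is why the example carries an explicit exemption list.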
The success rate of these techniques underscores the need for vigilance and proactive measures. Corporate stakeholders increasingly ask: are we a target? As the report shows, organizations across a range of critical infrastructure sectors exhibited the same weaknesses, so every entity should treat cybersecurity as a priority.
Gaining initial access to an organization's network is the first step in a successful attack. Once threat actors have a foothold, they can move on to techniques such as privilege escalation and ultimately steal information. CISA found that many real-world attacks followed a typical order of operations, one that maps onto the MITRE ATT&CK tactics: initial access, establishing a foothold and maintaining persistence, privilege escalation, defense evasion, discovery of systems and networks, lateral movement, collection of sensitive data, command and control, and in some cases continued control after the initial objective is met.
In conclusion, although the combined figure for credential compromise and spear-phishing is a sum of separately reported categories rather than a single statistic, the CISA report leaves no doubt about the weight of these threats and the need for layered defenses: workforce and phishing training, strict access control, and multi-factor authentication. Organizations must remain vigilant and proactive against these common initial-access methods.
[1] Ponemon Institute Report, 2023.
[5] CISA Performance Measures and Cybersecurity Plans, referenced by FEMA.
- The CISA report finds that spear-phishing links, which deliver malware or harvest credentials, were responsible for one-third of the attacks studied, making them one of the most significant initial-access vectors.
- The Ponemon Institute report attributes about a quarter of incidents in critical sectors to insider threats involving legitimate credentials, underscoring the importance of sound identity and access management practices.
- In the CISA annual risk and vulnerability assessment, compromised valid credentials, such as former employee accounts and default administrator credentials, were involved in more than half of all studied attacks, showing how exposed an organization becomes when account hygiene lapses.