Imagine a burglar. They’ve spent large amounts of time researching their target — your house. They’ve perfected their infiltration techniques, found your weak points, learned your schedule, and know the best time to strike. They’ve shown up when you least expect it and jimmied open the lock on the back door. And now, rather than head inside and steal your valuables, they hold the door open for someone else. That person pays a fee to the burglar and then heads inside to rob you blind.
Seems like a strange way to rob a house, doesn’t it? But it’s becoming quite a popular way to steal an organization’s data.
What Are Initial Access Brokers?
Initial access brokers are threat actors who sell other cybercriminals access to corporate networks. They are specialists: their skills, honed over long careers in black hat hacking, are used to break into otherwise secure networks.
Once they have access, they offer their service in underground online forums, the kind found on the dark and grey web. Their primary customers are ransomware groups and their associates who purchase access to already breached networks and systems.
How Do Initial Access Brokers Gain Access to Secure Networks?
Initial access brokers gain access to systems via standard cybercriminal means. Chief among those are social engineering tactics such as phishing. But that’s not the only tool in their cyber toolbox. They’ll also breach a system by exploiting unpatched software, by installing malware locally after gaining physical access to an organization through something like tailgating, via brute-force attacks or password spraying, or with stolen network credentials purchased from a third party.
What Kind of Access Do Initial Access Brokers Sell?
As they hold the keys to a network’s kingdom, they can name their own price and set their own terms. The cost for using their services varies, in large part, due to the type of organization to which they’re offering access. Factors that influence the price tag for using their services include the organization’s industry, size, number of employees and annual revenue.
Other contributing factors include the vulnerability level of the company (i.e., how much time and resources it took for them to gain that initial access) as well as the type of access being sold. Typically, an initial access broker will offer one or more of the following types of access:
- Remote Desktop Protocol (RDP)
- Active Directory (AD)
- Server Root Credentials
- Web Shell Access
- Remote Monitoring & Management (RMM)
- Control Panels
Initial Access Brokers and Ransomware
According to the 2022 Verizon Data Breach Investigations Report, “In 2021, ransomware has continued its upward trend with an almost 13% increase (for a total of 25% of breaches)—a rise as big as the past five years combined.”
Ransomware is not going anywhere. Analysts expect not only the frequency of attacks to keep increasing, but the average ransom demand as well. And, thanks to sinister new innovations like double and triple extortion, more would-be cyber criminals might decide it’s just too target-rich an environment to ignore.
While the gangs that grab headlines have managed to make massive profits, and Ransomware-as-a-Service (RaaS) — where the developers of a ransomware variant recruit affiliates who exclusively use that ransomware in targeted attacks for a split of the profits — has seen a surge, creating a ‘successful’ ransomware attack still takes a great deal of time and resources.
Even if a cybercriminal has a variant that’s dependable, they still need to gain access to the target system in order to deploy it. That means significant time spent on reconnaissance and resource development, and any time spent on initial access into a target organization is time not spent on developing payloads and reaping ransoms.
To solve this problem, more cyber criminals are turning to cost-effective alternatives that do the hard work of gaining access to corporate networks for them – initial access brokers.
How Can You Protect Your Organization from Initial Access Brokers?
Turning to managed security operations solutions can make the difference in protecting you from the risks of ransomware, including infiltration by initial access brokers. Arctic Wolf — the leader in security operations — offers multiple solutions that can help you end cyber risk for your organization.
Managed Detection and Response provides 24×7 monitoring of your networks, endpoints, and cloud environments — including remote modes of access such as VPNs, Active Directory, and RDP (Remote Desktop Protocol).
Managed Security Awareness prepares your employees to recognize and neutralize social engineering attacks and human error, better protecting your organization, your people, and your data from suspicious emails, links, attachments, login attempts, and unwarranted physical access to devices.
Managed Risk enables you to discover, assess, and harden your environment against digital risks by contextualizing your attack surface coverage across your networks, endpoints, and cloud environments. Fully managed by our Concierge Security Team, it offers around-the-clock monitoring for vulnerabilities, system misconfigurations, and account takeover exposure — as well as recommendations to help you harden your security posture.