What Are Initial Access Brokers?
Initial access brokers are threat actors that sell cybercriminals access to corporate networks. They are highly skilled in their field, with a specialised set of skills honed over a long period of black hat hacking, which they use to break into secured networks.
Once they have access, they offer their service in underground online forums, the kind found on the dark and grey web. Their primary customers are ransomware groups and their associates who purchase access to already breached networks and systems.
How Do Initial Access Brokers Gain Access to Secure Networks?
Initial access brokers gain access to systems via standard cybercriminal means. Chief among those are social engineering tactics such as phishing. But that’s not the only tool in their cyber toolbox. They’ll also breach a system through an exploit of unpatched software, via the local installation of malware after gaining physical access to an organisation through something like tailgating, via brute-force attacks or password spraying, or through stolen network credentials purchased from a third party.
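Two of the techniques above, brute force and password spraying, leave a recognisable footprint in authentication logs, and telling them apart matters because a spray is designed to stay under per-account lockout thresholds. The script below is an added example, not code from the article or from Arctic Wolf: it parses a constructed authentication log, groups failures by source address, and flags a source as spraying when it fails against many distinct accounts with only a few attempts each, or as brute-forcing when it hammers one account. The log line layout, the field names and the thresholds are assumptions chosen for the illustration.

```python
"""Flag password-spray and brute-force patterns in authentication logs.

Added example (not from the original article or Arctic Wolf). The log lines
are constructed for illustration; the line layout (timestamp, user=, src=,
result=) and the thresholds are assumptions, not any product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source (many users, one failure each,
# then a success), one brute-forcing source (one user, repeated failures),
# and a normal user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice src=203.0.113.10 result=FAIL
2024-03-01T08:00:03Z user=bob src=203.0.113.10 result=FAIL
2024-03-01T08:00:05Z user=carol src=203.0.113.10 result=FAIL
2024-03-01T08:00:07Z user=dave src=203.0.113.10 result=FAIL
2024-03-01T08:00:09Z user=erin src=203.0.113.10 result=FAIL
2024-03-01T08:00:11Z user=frank src=203.0.113.10 result=SUCCESS
2024-03-01T08:01:00Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:01:02Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:01:04Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:01:06Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:01:08Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:01:10Z user=admin src=198.51.100.7 result=FAIL
2024-03-01T08:05:00Z user=alice src=192.0.2.25 result=FAIL
2024-03-01T08:05:10Z user=alice src=192.0.2.25 result=SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_USERS = 5              # distinct accounts failing from one source
SPRAY_MAX_PER_USER = 2           # sprays keep per-account failures low
BRUTE_MIN_FAILS = 5              # repeated failures against a single account


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "src": kv["src"],
            "ok": kv["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return at most one spray and one brute-force finding per source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        best_spray, best_brute = None, None
        # Slide a window starting at each event from this source.
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            fails = defaultdict(int)
            for e in window:
                if not e["ok"]:
                    fails[e["user"]] += 1
            if not fails:
                continue
            # A success in the same window means a credential may have worked.
            success_after = any(e["ok"] for e in window)
            distinct, peak = len(fails), max(fails.values())
            # Spray: many accounts, each touched only a few times.
            if distinct >= SPRAY_MIN_USERS and peak <= SPRAY_MAX_PER_USER:
                cand = {"src": src, "type": "password_spray",
                        "distinct_users": distinct,
                        "failures": sum(fails.values()),
                        "success_after": success_after}
                if best_spray is None or distinct > best_spray["distinct_users"]:
                    best_spray = cand
            # Brute force: one account hit repeatedly.
            if peak >= BRUTE_MIN_FAILS:
                user = max(fails, key=fails.get)
                cand = {"src": src, "type": "brute_force", "user": user,
                        "failures": peak, "success_after": success_after}
                if best_brute is None or peak > best_brute["failures"]:
                    best_brute = cand
        findings.extend(f for f in (best_spray, best_brute) if f)
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

The `success_after` flag is the part worth acting on first: a spray followed by a successful logon from the same source is exactly the foothold a broker would go on to sell, so that account should be treated as compromised until its password is reset and its sessions reviewed.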
What Kind of Access do Initial Access Brokers Sell?
As they hold the keys to a network’s kingdom, they can name their own price and set their own terms. The cost for using their services varies, in large part, due to the type of organisation to which they’re offering access. Factors that influence the price tag for using their services include the organisation’s industry, size, number of employees and annual revenue.
Other contributing factors include the vulnerability level of the company (i.e., how much time and resources it took for them to gain that initial access) as well as the type of access being sold. Typically, an initial access broker will offer one or more of the following types of access:
- Remote Desktop Protocol (RDP)
- Active Directory (AD)
- Server Root Credentials
- Web Shell Access
- Remote Monitoring & Management (RMM)
- Control Panels
Initial Access Brokers and Ransomware
According to the 2022 Verizon Data Breach and Investigation Report, “In 2021, ransomware has continued its upward trend with an almost 13% increase (for a total of 25% of breaches)—a rise as big as the past five years combined.”
Ransomware is not going anywhere. Analysts expect not only the frequency of attacks to keep increasing, but the average ransom demand as well. And, thanks to sinister new innovations like double and triple extortion, more would-be cybercriminals might decide it’s just too target-rich an environment to ignore.
While the gangs that grab headlines have managed to make massive profits, and Ransomware-as-a-Service (RaaS) — where developers of a ransomware variant recruit affiliates that exclusively use their ransomware in targeted attacks for a split of the profits — has seen a surge, creating a ‘successful’ ransomware attack still takes a great deal of time and resources.
Even if a cybercriminal has a variant that’s dependable, they still need to gain access to the target system in order to deploy it. That means significant time spent on reconnaissance and resource development, and any time spent on initial access into a target organisation is time not spent on developing payloads and reaping ransoms.
To solve this problem, more cybercriminals are turning to cost-effective alternatives that do the hard work of gaining access to corporate networks for them: initial access brokers.
How Can You Protect Your Organisation from Initial Access Brokers?
Turning to managed security operations solutions can make the difference in protecting you from the risks of ransomware, including infiltration by initial access brokers. Arctic Wolf — the leader in security operations — offers multiple solutions that can help you end cyber risk for your organisation.
Managed Detection and Response provides 24×7 monitoring of your networks, endpoints, and cloud environments — including remote modes of access such as VPNs, Active Directory, and RDP (Remote Desktop Protocol).
Managed Security Awareness prepares your employees to recognise and neutralise social engineering attacks and human error, better protecting your organisation, your people, and your data from suspicious emails, links, attachments, login attempts, and unwarranted physical access to devices.
Managed Risk enables you to discover, assess, and harden your environment against digital risks by contextualising your attack surface coverage across your networks, endpoints, and cloud environments. Fully managed by our Concierge Security Team, it offers around-the-clock monitoring for vulnerabilities, system misconfigurations, and account takeover exposure — as well as recommendations to help you harden your security posture.