
Shutting down the growing threat of initial access brokers (IABs)

Jan 05, 2022
Fight IABs with ZTE

What happens when outsourced IT service models meet criminal communities?

The answer is cybercrime-as-a-service, the most infamous of which is probably Ransomware-as-a-Service (RaaS) as applied in high-profile breaches.  

Consider the instance of the May 2021 Colonial Pipeline hack, which resulted in the shutdown for several days of the largest fuel pipeline in the United States, led many states to declare a formal state of emergency and even got direct attention and immediate action from the White House.  

According to the FBI, an eastern European criminal group called DarkSide executed this breach using software it created in exchange for a percentage of collected ransoms. DarkSide’s affiliates and clients leverage the software over the Internet via a centralized web-based portal, much as business managers routinely manage business services hosted by public cloud providers.

Any organization that sells such initial access to corporate networks or resources is known as an Initial Access Broker (IAB). Why the IAB model is valuable to criminals is straightforward. They can outsource the initial breach of a targeted company to specialists and focus on what matters to them: what happens after the breach, such as collecting sensitive data for corporate espionage, deploying ransomware, directly accessing financial resources, or other malicious actions. The specific technical means of gaining access, such as compromised VPN credentials or a Windows server with outdated security, is simply no longer a concern for them at all.

Several factors are responsible for the rise of IABs in recent years:

- Ongoing critical vulnerabilities in key solutions commonly used by IT, particularly for remote computing. The most common examples are VPNs and RDP (Microsoft’s Remote Desktop Protocol) servers, which are intended to empower a distributed workforce but, once compromised in any of several possible ways, can amount to an open door beneath a neon sign reading CRIMINALS WELCOME HERE. IABs are also well positioned to take advantage of the Log4j vulnerability that security teams are currently aggressively mitigating and monitoring.

- The COVID-19 pandemic and the instant shift to remote work. Instead of most of the workforce operating behind a traditional corporate perimeter secured by traditional solutions like firewalls and identity management tools, workers suddenly found themselves distributed remotely and, to a significant degree, responsible for implementing security on their own. Organizations tried to respond with security strategies and solutions such as VPNs, but this response was both imperfect and incomplete (see the previous bullet point). Now, as the pandemic gradually recedes (fingers crossed), remote work on a mass scale remains exceptionally common.

- The increasing popularity of cloud services. Cloud computing is arguably the single most remarkable shift in corporate IT in the new millennium. As more and more IT services migrate and execute outside company walls, the difficulty of securing them all while continuing to receive the intended value from them grows in parallel.

One excellent strategy for mitigating the threat from IABs and the criminal organizations that use them is to fight fire with fire.

Just as criminals can outsource initial breaches to a specialist IAB, legitimate businesses can outsource IT security to a trusted partner to fortify their infrastructures, services, sensitive data, remote workers, and network transactions.

For instance, a cloud-native platform like the Zscaler Zero Trust Exchange can serve as a buffer between cloud services on the one hand and the public internet, IABs, and criminal organizations on the other.  As network interactions go through the exchange, it uses enterprise-class security based on zero trust principles to continually look for human attacks, malware, forged or compromised credentials, and a variety of other potential threats or signs of malicious activity.  

The platform effectively eliminates the attack surface, since apps are invisible to everyone but those specifically authorized to use them. In other words, organizations using the Zero Trust Exchange do not face the public Internet directly; they face only the SaaS-delivered exchange itself. In turn, criminals on the public internet have little chance of obtaining the information needed to execute a breach, such as the IP addresses of virtual servers. They can only determine that the organization is working through the exchange, a security fortress that is extremely difficult to breach.

Furthermore, with the platform, it simply does not matter what percentage of an organization’s workforce works remotely because all workers everywhere are secured in exactly the same way — their access privileges, their anti-malware, their credential authentication and validation, and all other security functions remain completely consistent. Nor does it matter whether IT services execute from an on-premises local server behind a local firewall, or from a remote data center, or even from a public cloud owned and operated by a completely different company. IT security spanning the network, data, applications, and services is consistent, agile, and flexible enough to cover every scenario, both today and going forward into the future.

Organizations evaluating their cybersecurity strategies for 2022 should look beyond Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs) and apply zero trust not just to public cloud services but to their entire infrastructures: cloud services, all office facilities, all data centers, and all remote workers. Such comprehensive, cloud-based, global-scale coverage ensures that no matter how an organization is distributed or how it implements its IT infrastructure and services, it is always fortified to the fullest possible extent by the best available solutions.

The growth of IABs should be a top concern not just to IT and security leaders but to the entire business community and regulators alike, as it makes it easier for criminals to enter the game and spawn costly ransomware attacks. Learn how your organization can play a role in defending against them using zero trust principles by reaching out to us to find out how we can help.
