The Mitre Att&ck Matrix has defined nine techniques to cover initial access activities in a cyber attack.
Drive-by-Compromise is when a threat actor compromises a website to inject malicious code that executes when a victim visits the affected page. An alternative to this is to develop malware-infected ads that will randomly show up when the website is visited.
Exploit Public-Facing Application is when a threat actor utilizes a vulnerability on a website or applications code to access a system.
External Remote Services are when the threat actor utilizes obtained credentials to get into a system or service with valid credentials. Alternatively, if a misconfigured firewall allowed a service that didn’t need authentication to be accessible through the internet, the threat actor wouldn’t even need compromised accounts to obtain access.
Hardware Applications are small devices a threat actor installs in a location that can be out of site. A Raspberry Pie is an example of a device that a threat actor can install in a network hidden from view.
Phishing is when a threat actor fabricates an email pretending to be a person or organization of importance to trick the victim into clicking a link or running a malicious attachment.
Replication Through Removable media is when a threat actor deploys malware on a USB flash drive or similar device to discard somewhere. The idea is that whoever finds the flash drive will plug it in to determine who it belongs to, at which point the malware is triggered.
Supply Chain Compromise this is when a vulnerability of a component used in a program is compromised or replaced with a malicious clone. Python’s package manager, pip, has been prone to this as of late. In the case of pip, threat actors compromised pip’s software repositories replacing legitimate python packages with malicious versions, so when developers or users install a python module to enable execution of a script, they are installing malware instead without knowledge.
Trusted Relationship is when a threat actor compromises a 3rd party that is known to be trusted by the target organization. Then they use the trust to slip malicious code through so the threat actor has a way into the network. It’s easier to slip through defenses if it’s coming from a trusted source and the traffic doesn’t necessarily seem malicious at first glance.
Valid Accounts are when a threat actor obtains valid credentials to access accounts. These credentials are obtained through brute forcing or from a previous data breach. Password reuse increases the vulnerability of being breached in this scenario, given the history of data breaches of other organizations.