How access to company networks is sold on the dark web for under $1,000


New analysis of illicit dark web marketplaces where cybercriminals buy and sell access to corporate networks uncovers new insights into how initial access to compromised businesses is being sold — often for less than $1,000 — and the steps defenders can take to disrupt the process in its earliest stages.

Rapid7’s threat intelligence researchers analyzed hundreds of posts by Initial Access Brokers (IABs) offering access to compromised networks across a range of industries and regions. Their findings show that ‘initial’ access doesn’t necessarily equate to minimal; in many cases, this access represents a deep compromise.

“This report shows that initial access brokers aren’t intent upon finding a single way into an organization’s network and then quickly exiting — they’re making attempts to explore the networks they’ve infiltrated. And they’re often succeeding,” says Raj Samani, SVP and chief scientist at Rapid7. “In doing so, the IAB can offer buyers admin privileges, multiple access types, or both. By the time a threat actor logs in using the access and privileged credentials bought from a broker, a lot of the heavy lifting has already been done for them. Therefore, it’s not about if you’re exposed, but whether you can respond before the intrusion escalates.”

The vast majority of access broker sales (71.4 percent) offer more than just a specific access vector; they also include a level of privilege, and in nearly 10 percent of those sales, it’s a bundle with multiple initial access vectors and/or privileges.

While the average sale price hovers just over $2,700, nearly 40 percent of offerings are priced between $500 and $1,000. VPN, Domain User, and RDP are the most common access types.

The research underlines Rapid7’s position that threat detection and exposure management must be fast, unified, and context-rich. The company has recently launched Incident Command, an AI-native SIEM that unifies prevention, detection, intelligence, and response within a single workflow.

The report highlights steps that enterprises can take to protect themselves, including enforcing MFA, especially on VPN, RDP, and user accounts that access critical infrastructure. They should also invest in threat-informed detection and response, including unified platforms that correlate access signals with suspicious activity. In addition, they should run regular red team exercises to identify exposure paths such as abandoned accounts, default credentials, and externally accessible RDP services.
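To make the correlation the report recommends concrete, here is an added Python example (not code from Rapid7 or the report) that runs the checks from the paragraph above over a handful of constructed authentication events: successful VPN or RDP logons without MFA, a logon to an account that has been dormant long enough to count as abandoned, RDP reached from outside the internal address ranges, and a VPN logon followed by a burst of failed RDP attempts. The key=value log format, the 90-day dormancy threshold, the 15-minute window, the failure count and the internal network list are all assumptions chosen for the example.

```python
"""Correlate access signals with suspicious activity over sample auth events.

Added example, not Rapid7's or the report's code. The log format, thresholds
and internal ranges below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_DAYS = 90                    # assumption: gap that marks an account as abandoned
LATERAL_WINDOW = timedelta(minutes=15)  # assumption: window after a VPN logon
LATERAL_FAILURES = 3                 # assumption: failed RDP attempts that trigger a flag

# Assumption: only RFC 1918 space is "internal"; anything else counts as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    access: str      # "vpn", "rdp" or "domain"
    src_ip: str
    mfa: bool
    success: bool


# Constructed sample log (not real data): timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-01-05T09:14:02Z user=bob access=domain src=10.0.5.21 mfa=no result=ok
2024-05-01T08:02:11Z user=alice access=vpn src=203.0.113.10 mfa=yes result=ok
2024-05-01T08:03:40Z user=alice access=rdp src=10.0.5.21 mfa=yes result=ok
2024-05-01T08:10:05Z user=bob access=vpn src=198.51.100.7 mfa=no result=ok
2024-05-01T08:11:12Z user=bob access=rdp src=10.0.5.30 mfa=no result=fail
2024-05-01T08:11:40Z user=bob access=rdp src=10.0.5.31 mfa=no result=fail
2024-05-01T08:12:09Z user=bob access=rdp src=10.0.5.32 mfa=no result=fail
2024-05-01T09:30:00Z user=svc-backup access=rdp src=198.51.100.9 mfa=no result=ok
"""


def parse_line(line: str) -> AuthEvent:
    """Parse one 'TIMESTAMP k=v k=v ...' line into an AuthEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=kv["user"],
        access=kv["access"],
        src_ip=kv["src"],
        mfa=kv["mfa"] == "yes",
        success=kv["result"] == "ok",
    )


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events: list) -> list:
    """Return (rule, user, timestamp) findings for the exposure paths in the report."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    last_ok = {}  # user -> time of the previous successful logon
    for i, e in enumerate(events):
        # 1. Remote access (VPN/RDP) that succeeded without a second factor.
        if e.success and e.access in ("vpn", "rdp") and not e.mfa:
            findings.append(("no_mfa_remote_access", e.user, e.ts.isoformat()))
        # 2. RDP reached from outside the internal ranges: externally accessible RDP.
        if e.access == "rdp" and is_external(e.src_ip):
            findings.append(("rdp_from_internet", e.user, e.ts.isoformat()))
        # 3. A successful logon to an account idle longer than DORMANT_DAYS.
        if e.success:
            prev = last_ok.get(e.user)
            if prev is not None and e.ts - prev > timedelta(days=DORMANT_DAYS):
                findings.append(("dormant_account_logon", e.user, e.ts.isoformat()))
            last_ok[e.user] = e.ts
        # 4. VPN logon followed by repeated failed RDP attempts: the bought access
        #    being used to probe internal hosts.
        if e.success and e.access == "vpn":
            fails = [f for f in events[i + 1:]
                     if f.user == e.user and f.access == "rdp" and not f.success
                     and f.ts - e.ts <= LATERAL_WINDOW]
            if len(fails) >= LATERAL_FAILURES:
                findings.append(("rdp_failures_after_vpn", e.user, e.ts.isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, when in analyze(parse_log(SAMPLE_LOG)):
        print(f"{when} {rule:24s} {user}")
```

In the constructed sample, alice (MFA on both VPN and RDP, internal RDP source) produces no findings; bob trips the MFA, dormancy and post-VPN failure rules, and the svc-backup account is flagged for RDP from an external address without MFA. On real data the dormancy baseline should come from the directory's last-logon attribute rather than from the log window itself, and the internal ranges from the organisation's actual address plan.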

The full report is available from the Rapid7 site.

Image credit: Frank-Peters/depositphotos.com