
What are Initial Access Brokers and how to deter them

Blog

Emily Keeling

Posted Aug 15, 2024

Initial Access Brokers are cybercriminals who gain access to your data, but instead of exploiting it themselves for malicious purposes, they sell it on to other cybercriminals. Access Brokers use forums to advertise the access to personal data, and they make sure victims aren’t aware that their access has been compromised before it has been sold. Cybercriminals don’t want to waste their money buying access, only to find out that the owner of the data has increased their security and the access is no longer there.

To ensure the identity of the victim remains anonymous, they put as little information as possible in the advertisement. Often, the broker will list the victim’s location, industry, company revenue and the level of access. In most cases, the access they have gained is to a corporate account, which yields more reward. They may also add other helpful details, such as whether any antivirus is in place, the amount of data available, and other technical information. Sometimes access is sold per individual victim, and sometimes in bundles. As with any other salesperson, Access Brokers each have their own approach to selling. Some brokers simply post on a forum that they sell initial access, so buyers must go through private messages to get more information.

Access Brokers are common amongst Russian cybercriminal groups, and so the forums are often in Russian. They use encrypted messaging systems and built-in justice systems to negotiate and trade anonymously. Like many forums, they often have a reputation system to reward brokers with great service. If an Access Broker receives lots of positive feedback, not only will more people be likely to buy from them, but they can also charge a premium for the higher level of trust and experience.  


US-based access is the most frequently advertised location, and the academic sector is the most frequently advertised industry (CrowdStrike, 2024). But this doesn’t mean other countries and sectors aren’t at risk. With any aspect of cybersecurity, don’t get too comfortable and think that you won’t be affected – unfortunately, no one is safe.


As with many industries, specialism is key in cybercrime. So, while many extortion and data-leak cybercriminals would be able to gain access to data, it’s not their focus. This is where the market for Access Brokers opens. Access Brokers play their part, just like the criminals who specialise in encryption, exfiltration, and negotiation. Access Brokers simply gain access, sell the access, and move on to the next victim. Not only does this simplify their work, but it also reduces their chances of getting caught, so their hands stay clean, sort of.

Access Brokers are increasing in popularity – accesses advertised increased by almost 20% in 2022 (CrowdStrike, 2024) – and it’s becoming more profitable too. So, what can you do as a user to deter Access Brokers?


How to deter Initial Access Brokers

The standard user-security precautions are the first steps to keeping Access Brokers out of your accounts. Think MFA, strong passwords, and phishing awareness. These are all basic user-security provisions that everyone should have in place. Password managers are really helpful, as they create strong, unique passwords that you don’t need to try to remember – they do all the hard work for you.

You can also use role-based access controls to limit access to systems to only those who need it, rather than giving everyone access. We all know it’s not best practice to give all of your employees Admin access, but you should drill down even further. Keeping access to your systems and data really tight significantly reduces your chances of unauthorised access and data loss.
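As an added illustration of the "drill down further" point (this is example code written for this page, not anything from the article or its author), the small policy below grants each role an explicit set of (action, resource) permissions and refuses anything not granted. The role names, resource names, users and the rule that non-read actions require MFA are all constructed assumptions.

```python
"""Deny-by-default role-based access check.

Added illustration, not code from the article: each role grants an explicit
set of (action, resource) permissions and anything not granted is refused.
Role names, resources and users are constructed sample data.
"""
from dataclasses import dataclass, field

# Permissions are (action, resource) pairs. Resources are named with a prefix
# ("finance/", "directory/") so a role reaches only the data it needs.
ROLE_PERMISSIONS = {
    "finance-analyst": {
        ("read", "finance/ledger"),
        ("read", "finance/reports"),
    },
    "finance-manager": {
        ("read", "finance/ledger"),
        ("write", "finance/ledger"),
        ("read", "finance/reports"),
        ("write", "finance/reports"),
    },
    "helpdesk": {
        ("read", "directory/users"),
        ("reset-password", "directory/users"),
    },
    # Deliberately no blanket "admin" role: broad rights attached to a single
    # account are exactly what makes stolen access valuable.
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)
    mfa_enrolled: bool = False


def permissions_for(user):
    """Union of the permissions granted by the user's roles.
    Unknown role names contribute nothing rather than raising."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Allow only when a role explicitly grants (action, resource).
    Constructed policy choice: anything other than "read" also requires MFA,
    so a password alone cannot be used to change data."""
    if action != "read" and not user.mfa_enrolled:
        return False
    return (action, resource) in permissions_for(user)


def who_can(users, action, resource):
    """Audit helper: which users can currently perform action on resource."""
    return sorted(u.name for u in users if is_allowed(u, action, resource))


# Constructed sample users.
USERS = [
    User("alice", frozenset({"finance-analyst"}), mfa_enrolled=True),
    User("bob", frozenset({"finance-manager"}), mfa_enrolled=False),
    User("carol", frozenset({"finance-manager"}), mfa_enrolled=True),
    User("dave", frozenset({"helpdesk"}), mfa_enrolled=True),
    User("erin"),  # no roles assigned: denied everything
]

if __name__ == "__main__":
    for action, resource in [("read", "finance/ledger"),
                             ("write", "finance/ledger"),
                             ("reset-password", "directory/users")]:
        print(f"{action:15} {resource:18} -> {who_can(USERS, action, resource)}")
```

The `who_can` helper is the part worth keeping around: reviewing "who can write to the ledger" periodically is how you notice that a role has quietly accumulated more than it needs.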

A dark web scan or open-source intelligence analysis can highlight security weaknesses, so you know what you need to fix or strengthen. This shows what information is available to Access Brokers, such as email addresses or passwords that have been leaked, vulnerabilities in your network, and your firewall and hostname information.


Implementing a Zero Trust model where no one is trusted by default, inside or outside of the network, keeps your network locked down and reduces the likelihood of a broker gaining access. You can also divide your networks into smaller, isolated segments to limit the spread of any breach and make it harder for Access Brokers to move around a company.


You can even try to trick Access Brokers with “honeypots” or “honeynets” which are decoy systems that mimic valuable targets to detect and divert attackers. But regular training, patch management, incident response planning, and Intrusion Detection Systems are more typical methods of dissuading cybercriminals.
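The detection side of a honeypot can be very simple, as the following added example shows (it is written for this page and is not the article's or any vendor's code). It creates decoy account names that no real person or service uses, then scans authentication log lines and raises an alert on any attempt against them. The decoy account names, hostnames, addresses and log lines are all constructed; the log format assumed is OpenSSH's "Accepted"/"Failed" lines.

```python
"""Alert on any use of decoy ("honey") accounts in authentication logs.

Added illustration, not code from the article: decoy accounts exist only to be
attacked, so any login attempt against them is a high-confidence signal. The
account names, hosts, addresses and log lines are all constructed.
"""
import re
from collections import defaultdict

# Constructed decoy accounts: never used by real staff or services.
DECOY_ACCOUNTS = {"svc-backup-legacy", "finance-share"}

# Matches OpenSSH-style "Accepted"/"Failed" lines after a timestamp and host.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-08-15T09:12:01Z bastion01 sshd[2211]: Accepted publickey for alice from 10.0.4.21 port 51522 ssh2
2024-08-15T09:12:44Z bastion01 sshd[2219]: Failed password for bob from 10.0.4.33 port 51600 ssh2
2024-08-15T09:13:05Z bastion01 sshd[2230]: Failed password for svc-backup-legacy from 203.0.113.7 port 40110 ssh2
2024-08-15T09:13:09Z bastion01 sshd[2231]: Accepted password for svc-backup-legacy from 203.0.113.7 port 40112 ssh2
2024-08-15T09:14:20Z fileserv02 sshd[887]: Failed password for invalid user finance-share from 203.0.113.7 port 40230 ssh2
2024-08-15T09:15:02Z fileserv02 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_auth_line(line):
    """Return the fields of an SSH auth event, or None for other log lines."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_hits(lines, decoy_accounts=DECOY_ACCOUNTS):
    """Return one alert per auth event that names a decoy account.

    A successful login to a decoy is rated critical: its credentials must have
    been obtained somewhere, which is the scenario the decoy exists to reveal.
    A failed attempt is rated high: the name is not guessable and should never
    appear in legitimate traffic."""
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in decoy_accounts:
            continue
        severity = "critical" if ev["result"] == "Accepted" else "high"
        alerts.append({**ev, "severity": severity})
    return alerts


def sources_summary(alerts):
    """Group offending source addresses with the decoy accounts they touched."""
    summary = defaultdict(set)
    for a in alerts:
        summary[a["src"]].add(a["user"])
    return {src: sorted(users) for src, users in summary.items()}


if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f"[{a['severity'].upper()}] {a['ts']} {a['host']}: {a['result']} "
              f"{a['method']} for decoy '{a['user']}' from {a['src']}")
    print(sources_summary(hits))
```

Because the decoy names are never used legitimately, this rule has essentially no false positives, which is what makes decoys a cheap complement to the more general intrusion detection the paragraph mentions.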


Concerned about Initial Access Brokers? Get in touch to discuss how to build up your defences and improve your overall cybersecurity landscape.