Research | Our Q3 report details what's new in the world of ransomware.
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest threat research report from ReliaQuest Threat Research research team.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
November 30, 2023
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
To say that 2021 was a turbulent year for security teams would be a massive understatement. Last year, we observed paralyzing ransomware operations against critical infrastructure, supply-chain attacks impacting hundreds of organizations, and state-sponsored espionage campaigns leaving no company—even those with expensive firewalls—feeling safe.
Within this messy ecosystem, initial access brokers (IABs) have established themselves as a pillar of cybercrime in 2021. The rise of cybercrime has created fertile ground for IABs, who have been able to exploit the constant demand for readily available accesses. In 2021, we observed more IAB listings than any year before. The IAB market has been able to adapt to the ever-changing conditions of the cybercriminal ecosystem and maintain business continuity.
In 2021, the Photon Research Team observed a 57.45% growth in the number of IAB listings advertised in cybercriminal forums, compared to 2020
In our 2020 research report Initial Access Brokers: An Excess of Access, we stated that the IAB market was heading towards an unprecedented level of business maturity. IABs were selling access to a wider-than-ever range of victims, regardless of size, industry, country, or revenue. One year later, we can confirm this trend and further claim that this market is close to reaching full potential, given the consistency of quantity and quality of high-level accesses sold by IABs.
To better understand how these threat actors evolved in 2021, we’ve analyzed almost 800 listings advertising access to organizations, posted 01 Jan 2021 to 31 Dec 2021. The sections below dive into the research findings;, here are the key points:
In past years, we published quite a few blogs on the topic of IABs. Our monitoring of them goes back as far as 2014, and we’ve been tracking the sale of access to systems since the practice first began making ripples in the cybercriminal underground. Initial access brokership isn’t a business model spun off the COVID-19 pandemic; its popularity and profitability have long simmered beneath the surface. However, in the past two years IABs have established a profitable business model garnering significant attention for its interconnection with other cybercriminal activities.
IABs have acquired a significant cybercriminal role by doing the technical, dirty work and providing others with a wealth of victims to compromise easily. They are a symbol of cybercrime professionalization: a phenomenon that has malware commodity and task separation at its core. These actors are both victim and customer agnostic―something that makes them even more dangerous, from a certain point of view.
IABs gain network access to vulnerable organizations, establish the access’s value, then turn to cybercriminal forums to advertise the access and cash in on their work
These threat actors have been forced to adapt to the conditions of dark-web forums. In May 2021, IABs endured a considerable setback when cybercriminal forums XSS, Exploit, and RaidForums banned from their platform all things ransomware. The decision came after the “DarkSide” attack against Colonial Pipeline and impacted what is likely to be the IABs’ most profitable clients. Regardless, the bans have not been strictly policed, and IABs continued to operate mostly undisturbed while improving their operational security (OPSEC) measures. This translated into giving away fewer victims’ details to avoid alerting security researchers or law-enforcement authorities, for example.
Right now, IABs’ market is as mature as ever. In 2021, we observed access listings targeting a wider number of sectors and countries than any previous year. Additionally, although the usual suspects remain at the top of the list, IABs seem to be experimenting with exploiting a bigger number of software and applications to gain—and then sell—initial access to victims’ environments.
Before delving into the research itself, it’s important to acknowledge the methodology used to build the data set supporting it. Recognizing intelligence gaps and collection biases is critical when dealing with threat intelligence, and Digital Shadows (now ReliaQuest) is committed to building a transparent process when disseminating internal data.
The data set analyzed for this research does not include every access listing published on any cybercriminal platform in 2021. Our analysts implemented a structured methodology to manually triage listings on a select subset of cybercriminal platforms, prioritizing offerings that were: posted by threat actors with high reputation scores, related to key geographies and sectors, and potentially relevant to our clients. The resulting data set is significantly reliable and representative of the IAB ecosystem.
Despite the increase in access listings over 2021, the most targeted sectors remained similar over time. As you can see from the graph below, cybercriminals routinely targeted retail more than any other sector. This is likely explained by the presence of many e-commerce websites that employ weak security measures and make easy targets for opportunistic threat actors, such as IABs. These websites also tend to host information that can be easily monetized, which is useful for cybercriminals in the carding business.
Other key sectors widely targeted by IABs include technology and industrial goods, which featured heavily in our 2020 data set but jumped to 2nd and 3rd position, respectively, in 2021. Access to tech companies can be used in a variety of ways, including to acquire sensitive data and move laterally to networks of connected organizations (similar to what happened with REvil and Kaseya). Companies in industrial goods are also at risk from IAB operations given the high number of Operational Technology (OT) and Industrial Control System (ICS) devices that may be vulnerable to offensive attacks.
However, the most targeted sectors are rarely the most valuable when it comes to selling those accesses. Analyzing the average price per access for every sector paints a very different picture. At the top of this special pyramid, we find—somewhat surprisingly—the government sector (average of $4828 per access). Access to public institutions or organizations cooperating closely with governments can offer malevolent actors the potential to snap up highly valuable data, such as personally identifiable information (PII). The podium for the most expensive access is then completed by organizations operating in the financial services and retail sectors (respectively averaging at $3949 and $3062 per access).
Analyzing the 2021 data set shows that the US remained IABs’ favorite target and one of the most valuable in terms of access. North American companies often operate high-value networks that may strongly interest threat actors looking to infiltrate profitable organizations; such accesses were priced at an average of $2893 in 2021. Even above North America, the most valuable regions to target for IABs in 2021 were Europe (average of $3552 per access) and the Middle East ($3390).
Other countries highly targeted by IABs include France, the UK, Brazil, and Australia. On one hand, the geographical diversity indicates that IABs will target organizations in almost any country, making them a considerable threat for most companies. But on the other hand, the top five targeted countries in 2021 are all among the wealthiest and most developed in the world, implying that IABs may focus their efforts on them to snag what they perceive is more valuable access.
Observing the map above, some key observations can be made about those countries in gray that were not compromised. As you can see, most countries belonging to the Commonwealth of Independent States (CIS) region were completely unaffected by IAB activity during 2021.
Why is that? Most IABs operate on Russian-language cybercriminal forums and these forums formally prohibit their members from targeting CIS-based organizations. This is one of the most reliably enforced rules in this environment; users advertising services and products targeting that region are quickly banned and have their threads removed. According to chatter we observed, cybercriminals adhere to this rule because of a longstanding belief that avoiding CIS victims will help them avoid scrutiny from local law-enforcement bodies.
As we all know, nothing is eternal. The past few weeks have shattered many perceptions about the role of law enforcement in Russia, after several arrests―including REvil gang members. And if Russia actually ends up invading Ukraine, will certain countries be excluded from the untouchables list? Ultimately, IABs are still respecting that rule but it’ll be interesting to observe how this situation will evolve.
IABs can get creative when it comes to gaining access to organizations. Although the most used access methods used in 2021 remained very similar to those from 2020, in recent months we’ve observed IABs experimenting with innovative means to compromise companies and maintain persistent access.
Out of every ten observed listings, six were for access via remote desktop protocol (RDP) and/or virtual private network (VPN) applications. These applications remain the favorites for IABs for their relative ease with which they enable compromise through default or stolen passwords obtained via brute-force attacks. As we described in our 2020 report, the use of RDP and VPN has greatly expanded since the beginning of the pandemic, without any major security improvements. Consequently, threat actors have been able to compromise these applications and drive more malicious activity.
While experimenting with innovative ways to compromise organizations, IABs relied on tried-and-tested vulnerable RDP and VPN applications for 62.8% of observed listings.
To study access price, we used a statistical method called box plot. For those of you unfamiliar, the box plot allows us to visualize the spread of data across multiple groups and compare their distributions. Using this method enabled us to focus on the median price at which an access is sold and thus reduce the weight of the most extreme results on both sides of the spectrum.
In this instance, the position of the box plot indicates the median price for which each access type is being advertised, as well as the general range of the market value of the particular exploit. From this graph, we can see that web-shell is, on average, the most valuable initial access type overall. It also has a wide spread, likely because of the range of privileges ascribed to web-shells. On the other hand, although RDP is the most common listing, this graph shows that its low median value likely indicates that most of its listings may often grant access to low-privileged machines.
IABs are playing an increasingly important role in facilitating access for a variety of threat actors. By outsourcing some malicious activity to IABs, threat actors can minimize the time it takes to identify and exploit a target of interest. They can also obfuscate their identity by avoiding many of the “noisier” steps associated with the earlier stages of the cyber kill chain.
IAB’s access prices are cheap and likely to become cheaper still, as additional brokers further saturate the market. RDP and VPN will almost certainly continue to represent the access means of choice, owing to the flexibility and capabilities afforded to buyers.
Having an in-house or out-sourced cyber-threat intelligence team monitoring the surface, deep, and dark web can go a long way in identifying relevant listings and observing access trends. If provided with timely, relevant, and actionable intelligence, defenders can prioritize security efforts to address the most significant threats. If you’d like to gauge your exposure, access a threat intelligence library of actors/groups relevant to your industry and geography, and learn how to mitigate, get a seven-day trial of Search Light (now ReliaQuest GreyMatter Digital Risk Protection)™ for free here.
Additionally, our newest Vulnerability Intelligence solution can be an incredible asset for fine-tuning your vulnerability management process and monitoring many of the potential flaws targeted by IABs. By understanding the context behind individual vulnerabilities, security teams can move away from solely using CVSS scores and instead focus on what matters to your organization.
Too many vulnerabilities and far too little time are common complaints in the security community; at Digital Shadows (now ReliaQuest), we pride ourselves in enabling our clients to reduce the noise and focus on what matters. Taking a risk-based approach is the most effective method of targeting vulnerabilities, and will ultimately have the most significant impact on reducing your overall cyber risk.