Among identified initial infection vectors, phishing was the initial infection vector in 78% of the incidents X-Force responded to across these industries so far in 2022. This tracks with phishing’s position as the leading infection vector across all incidents in 2021. It also highlights the importance of layered phishing defenses: regular user education and training, software solutions to filter malicious email, email sandboxing to analyze attachments and linked payloads, web proxies to analyze linked domains and attachment downloads, and application allow-listing and Attack Surface Reduction rules to limit which extensions and payloads end users can execute. Solutions such as EDR and XDR can help detect post-compromise activity on endpoints once Command and Control is established. These should be combined with strong network and user behavior analytics detections and defenses in case a phish is ultimately successful.

Scanning and exploitation of vulnerabilities on external attack surfaces made up 11% of initial infection vectors in incidents. Proactively identifying and managing the external attack surface of IT and OT networks is essential to understanding which ports, services, and applications may be exposed to attackers externally and may require further hardening, patching, or isolation. Once the external attack surface is identified, focused vulnerability management can help address IT vulnerabilities, though such patching is notoriously difficult in OT environments, where downtime is hard to schedule and system refresh timelines can stretch over many years. Because of this, one might expect successful compromise through vulnerability exploitation to be observed more frequently, but OT equipment itself is typically not exposed directly to the internet and is instead targeted via IT network access. Proper network security isolation is therefore key to reducing attack paths for threat actors seeking to pivot from IT to OT networks. The use of removable media tied for second at 11% of incidents, underscoring the long-standing threat that such media poses to OT networks, often introduced by end users carrying infected USB drives between operator workstations and personal laptops while in the field.

Proper segmentation, proactive testing of security controls, knowing your environment, and hardening systems are just a few of the steps available to secure these assets. As for removable media, USB flash drives should ideally be prohibited wherever possible. If they are absolutely necessary, strictly control the number of portable devices approved for use in your environment and disable autorun features for any removable media.
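As an added example (not from the X-Force report), the following PowerShell audits and enforces the removable-media controls described above on a Windows endpoint: disabling autorun for all drive types, optionally blocking the USB mass-storage driver outright, and listing attached USB disks that are not on an approved inventory. The registry keys are the documented Windows policy values; `$ApprovedDeviceIds` is a placeholder you would populate from your own device inventory.

```powershell
# Added example, not code from the report. Run in an elevated session.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Placeholder: replace with the PnP instance IDs of USB disks approved for your environment.
$ApprovedDeviceIds = @('PLACEHOLDER-APPROVED-DEVICE-INSTANCE-ID')

function Get-RemovableMediaPosture {
    # Report the current autorun and USB mass-storage settings as booleans.
    $p = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $UsbStorService -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 0xFF disables AutoRun for every drive type (bitmask covering all types).
        AutoRunDisabledAllDrives = ($p.NoDriveTypeAutoRun -eq 0xFF)
        # 1 makes Windows ignore autorun.inf entirely.
        AutorunInfIgnored        = ($p.NoAutorun -eq 1)
        # Start=4 means the USBSTOR driver is disabled, so USB disks cannot mount.
        UsbStorageDisabled       = ($u.Start -eq 4)
    }
}

function Set-RemovableMediaHardening {
    param([switch]$BlockUsbStorage)   # pass -BlockUsbStorage where USB drives are prohibited
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name NoAutorun          -Value 1    -Type DWord
    if ($BlockUsbStorage) {
        Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 -Type DWord
    }
}

function Get-UnapprovedUsbStorage {
    # Enumerate currently attached USB disks and keep those not in the approved inventory.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' -and $_.InstanceId -notin $ApprovedDeviceIds }
}

# Audit first; apply hardening only after reviewing the output.
Get-RemovableMediaPosture
Get-UnapprovedUsbStorage | Select-Object FriendlyName, InstanceId
```

Disabling the USBSTOR service also blocks approved drives, so use `-BlockUsbStorage` only on hosts where removable media is prohibited entirely and rely on the inventory check elsewhere.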