What are common Initial Access techniques in MITRE ATT&CK, and how can detections be built around them?


Multiple Choice

What are common Initial Access techniques in MITRE ATT&CK, and how can detections be built around them?

Explanation:
Initial Access is the MITRE ATT&CK tactic (TA0001) that describes how an adversary first gains a foothold in an environment. Among the most frequently observed techniques under this tactic are Phishing (T1566), Exploit Public-Facing Application (T1190) and Valid Accounts (T1078). Phishing tricks a user into revealing credentials or opening a malicious attachment or link that delivers a payload. Exploiting a public-facing application abuses an exposed service that is unpatched or misconfigured, so the attacker gets in without any user interaction. Valid Accounts means using legitimate credentials, whether stolen, guessed or purchased, so the attacker logs in as a trusted identity and bypasses malware-focused detections entirely.

Detections should be built by aligning telemetry to each technique and layering controls so no single one has to catch everything. For phishing, deploy email filtering, link and attachment reputation checks, URL rewriting and attachment sandboxing, and run user awareness training; alert on users who click rewritten links or open detonated attachments. For exploitation of public-facing applications, keep an inventory of exposed services, patch them promptly, enforce hardened configurations, place a web application firewall in front of them, and monitor access logs for unusual or failed request patterns (bursts of errors from one source, requests for paths that do not exist, malformed parameters). For valid accounts, look for anomalous sign-ins such as unfamiliar geolocations or devices, detect authentication attacks like credential stuffing and password spraying (many distinct accounts failing from one source in a short window), and enforce multifactor authentication and device trust so that a stolen password alone is not enough. Correlate these signals across SIEM, EDR and identity-provider logs to produce detections tied to the specific Initial Access technique, then escalate or respond through automation.

These three techniques collectively cover the most common entry paths and give practical, multi-layered detection coverage. Other options are too narrow or omit key detection angles, such as focusing only on malware payloads, ignoring anomaly-based authentication signals, or limiting visibility to webhook activity.
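The Valid Accounts detections described above (password spraying plus an unfamiliar-geolocation sign-in, then correlating the two) can be expressed as a few lines of detection logic over sign-in events. The following is an added example written for this page, not code from the exam material or from MITRE. The log format, the sample events, the thresholds and the function names are all assumptions made for the illustration; a real deployment would read events from the identity provider or SIEM and tune the thresholds to its own baseline.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in events for this example (not real logs).
# Format: <UTC timestamp> <user> <source IP> <country> <SUCCESS|FAIL>
SAMPLE_EVENTS = [
    # Day 1: each user establishes a baseline of successful sign-ins from US.
    "2024-04-30T08:00:00Z alice 203.0.113.10 US SUCCESS",
    "2024-04-30T08:01:00Z bob   203.0.113.11 US SUCCESS",
    "2024-04-30T08:02:00Z carol 203.0.113.12 US SUCCESS",
    "2024-04-30T08:03:00Z dave  203.0.113.13 US SUCCESS",
    "2024-04-30T08:04:00Z erin  203.0.113.14 US SUCCESS",
    # Day 2, benign: alice mistypes her password twice from her usual address.
    "2024-05-01T08:30:00Z alice 203.0.113.10 US FAIL",
    "2024-05-01T08:30:20Z alice 203.0.113.10 US FAIL",
    "2024-05-01T08:30:40Z alice 203.0.113.10 US SUCCESS",
    # Day 2, malicious: one source tries one password against five accounts,
    # then succeeds against dave from a country dave has never used.
    "2024-05-01T09:00:00Z alice 198.51.100.7 DE FAIL",
    "2024-05-01T09:00:30Z bob   198.51.100.7 DE FAIL",
    "2024-05-01T09:01:00Z carol 198.51.100.7 DE FAIL",
    "2024-05-01T09:01:30Z dave  198.51.100.7 DE FAIL",
    "2024-05-01T09:02:00Z erin  198.51.100.7 DE FAIL",
    "2024-05-01T09:05:00Z dave  198.51.100.7 DE SUCCESS",
]


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    country: str
    success: bool


def parse_events(lines):
    """Parse the constructed log format into SignIn records, sorted by time."""
    events = []
    for line in lines:
        ts, user, src_ip, country, outcome = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, src_ip, country, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_fails_per_user=2):
    """Password spraying: one source fails against many distinct accounts,
    with only a few failures per account, inside a short window.
    Returns {source_ip: sorted list of targeted users}."""
    failures_by_src = defaultdict(list)
    for e in events:
        if not e.success:
            failures_by_src[e.src_ip].append(e)
    alerts = {}
    for src, fails in failures_by_src.items():
        for i, end in enumerate(fails):
            # Count failures per user in the window ending at this event.
            per_user = Counter(f.user for f in fails[:i + 1]
                               if f.ts >= end.ts - window)
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_fails_per_user):
                alerts[src] = sorted(per_user)
                break  # one alert per source is enough
    return alerts


def detect_new_country_signins(events):
    """Anomalous sign-in: a success from a country the user has never
    successfully signed in from before. The very first success for a user
    is used to seed the baseline, not alerted on.
    Returns a list of (user, source_ip, country)."""
    baseline = defaultdict(set)
    alerts = []
    for e in events:
        if not e.success:
            continue
        if baseline[e.user] and e.country not in baseline[e.user]:
            alerts.append((e.user, e.src_ip, e.country))
        baseline[e.user].add(e.country)
    return alerts


def correlate_initial_access(spray_alerts, geo_alerts):
    """Escalation rule: a sprayed account later succeeds from the spraying
    source and an unfamiliar country. Returns a list of (user, source_ip)."""
    return [(user, src) for user, src, _country in geo_alerts
            if src in spray_alerts and user in spray_alerts[src]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    spray = detect_password_spray(evs)
    geo = detect_new_country_signins(evs)
    print("spray sources:", spray)
    print("new-country sign-ins:", geo)
    print("escalate:", correlate_initial_access(spray, geo))
```

The benign failures from alice's usual address never trigger the spray rule because they involve a single account; the spraying source trips it at the fifth distinct account. On its own, the new-country rule would be noisy for travelling users, which is why the escalation step only fires when the same source that sprayed the account is the one that later succeeds from the unfamiliar country.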

