Topic 27

Initial Access

Initial Access

Initial access is the moment an attacker crosses from outside to a foothold, and it almost always comes through one of a handful of doors: a phished credential, a vulnerable internet-facing service, a valid account bought or leaked, or a malicious attachment. Knowing which doors are most used lets a defender spend where it matters — and the data is clear that phishing and exposed services dominate.

This topic frames the initial-access techniques the rest of the book defends against specifically, mapping each of Meridian's doors to the control that closes it.

The Common Doors

Real intrusions come overwhelmingly through phishing (Chapter 9), exploiting a public-facing application (Chapters 6 and 7), and valid accounts — stolen, leaked, or reused credentials. Supply-chain and trusted-relationship access is a fourth, growing door. The distribution matters: defending against exotic techniques while leaving reused passwords and weak MFA is spending effort where the attacker is not.

Valid Accounts — the Quiet Door

A working stolen credential needs no exploit, generates no crash, and looks like a normal login. This is the door attackers prefer precisely because it is quiet — which is why MFA (Chapter 3) matters so much, and why login-anomaly detection (Chapter 10) is worth so much. You cannot patch away valid-account access; you can only make the credential insufficient (phishing-resistant MFA) and the login suspicious (behavioral detection).

Exploiting the Public-Facing Service

An unpatched VPN gateway, a vulnerable web app, an exposed admin panel — internet-facing services are continuously scanned and are breached within hours of a public exploit appearing. This is why patch speed on internet-facing systems (Chapter 7) is a frontline control, not routine maintenance: the window between a proof-of-concept being published and mass exploitation is now measured in hours.

The Foothold's First Minutes

The moment an attacker lands, they orient (who am I, where am I on the network), establish persistence and a command-and-control channel, and try not to trip detection. Catching these first minutes is high value for defenders, because it is the cheapest point to evict an intruder — before they have harvested credentials and spread. Endpoint detection (Chapter 7) instrumented for new persistence and outbound C2 is what turns a foothold into a caught intrusion.

Exploit vs Valid Accounts

Exploit — breaks a vulnerable service; noisy, may crash things, leaves artifacts, and is closed by patching.

Valid accounts — just log in with real credentials; silent, no exploit, defeated only by MFA and behavioral detection, not by patching. Defenders over-index on exploits and under-invest in the credential door, which attackers prefer because it is quiet.

Common Mistakes
  • Focusing initial-access defense on exploits while leaving credential reuse and weak MFA — the quiet door — wide open.
  • Slow patching of internet-facing services, which are exploited within hours of a public proof-of-concept.
  • No detection on anomalous logins, so valid-account access blends into normal traffic indefinitely.
  • Ignoring the first minutes of a foothold — persistence, command-and-control setup — where detection is cheapest and most decisive.
  • Leaving more internet-facing exposure than necessary, widening the set of doors to defend.
Best Practices
  • Close the top doors first: phishing-resistant MFA on all accounts, aggressive patching of internet-facing services, and killing credential reuse.
  • Detect anomalous logins — impossible travel, new device, unusual hour — since valid-account access cannot be patched away.
  • Reduce internet-facing exposure to the minimum and monitor it most intensely.
  • Instrument endpoints to catch the foothold's first actions — new persistence, outbound C2 — feeding Chapter 10 detection.
  • Prioritize defenses by how attackers actually get in, not by which techniques are most exotic.
Comparable toolsTechniques phishing (Ch 9) · exploit frameworks (Metasploit) · credential stuffingMarkets initial-access brokersDefenses MFA (Ch 3) · patching (Ch 6/7) · login detection (Ch 10)

Knowledge Check

Why do attackers often prefer valid stolen credentials over exploiting a vulnerability?

  • A real login needs no exploit and looks like normal activity
  • Stolen credentials are easier to buy than exploits are to write
  • Exploits are illegal while using stolen credentials is not
  • Valid credentials bypass the need for the target to be online

Why is patch speed on internet-facing services a frontline control?

  • They are exploited within hours of a public proof-of-concept
  • Internet-facing services never need any other control
  • Patching internet-facing services improves their performance
  • Only internal services are ever exploited

Since valid-account access can't be patched, what actually defends against it?

  • Phishing-resistant MFA and anomaly detection
  • A faster patch cycle on the web server
  • Blocking all inbound traffic on the HTTPS port 443
  • Rotating the TLS certificate more frequently

You got correct