Initial Access
What is Initial Access?
The MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment.
Initial Access (MITRE ATT&CK tactic TA0001) groups the techniques adversaries use to gain their first entry point into a network or system. Common techniques include spearphishing attachments and links, exploitation of public-facing applications, valid accounts purchased from initial access brokers, supply-chain compromise, drive-by downloads, and abuse of trusted relationships. Initial Access is a critical inflection point because it converts external pressure into in-network presence, after which adversaries pivot to execution, persistence, and discovery. Defenders prioritise phishing-resistant multi-factor authentication, attack-surface reduction, email and web filtering, patching of internet-facing services, and EDR coverage on first-touch endpoints to detect and block these techniques.
● Examples
- 01: Compromising an unpatched VPN appliance to log in with stolen credentials.
- 02: An employee opening a malicious OneNote attachment that drops a loader.
● Frequently asked questions
What is Initial Access?
The MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Initial Access?
Defences for Initial Access typically combine technical controls and operational practices: phishing-resistant multi-factor authentication, attack-surface reduction, email and web filtering, patching of internet-facing services, and EDR coverage on first-touch endpoints, as described in the full definition above.
What are other names for Initial Access?
Common alternative names include: Foothold, First foothold.
● Related terms
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Phishing (attacks, № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Initial Access Broker (IAB) (defense-ops, № 536): A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
- Execution (MITRE Tactic) (defense-ops, № 397): The MITRE ATT&CK tactic (TA0002) covering techniques that run adversary-controlled code on a local or remote system.
- Persistence (defense-ops, № 817): The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
● See also
- Reconnaissance (№ 905)