Malicious cyber actors use a variety of tactics, techniques and procedures (TTPs) to conduct malicious activity. TTPs are the behaviours or methods an actor uses to compromise or conduct activity on a network. Understanding TTPs of malicious actors can inform how organisations best defend their networks. While the NCSC observes a wide variety of TTPs in recorded cyber incidents, malicious actors continue to have success using commonly used techniques that can be prevented.
Initial access – exploiting public-facing applications
The exploitation of public-facing applications, such as websites or webservers, for initial access was the top technique in 2023/2024. It was also the top technique observed within ransomware incidents but is similarly utilised by malicious cyber actors with a wide range of motivations, including state-sponsored actors. Malicious cyber actors have increasingly been observed leveraging weaknesses, known vulnerabilities or bugs to exploit internet-facing software for initial access into a network. The existence of these vulnerabilities is typically public knowledge, and as a result, there may be several active exploits associated with them.
The exploitation of public-facing applications is typically due to weaknesses or misconfigurations within the underlying code of an internet-facing application or system. Targets usually include websites, databases or network services (such as File Transfer Protocol (FTP) or Secure Shell (SSH)). A frequently recorded technique in 2023/2024 was cyber criminals exploiting public-facing application vulnerabilities through SQL injection and cross-site scripting for manipulating or stealing data from internet-facing applications.
Reconnaissance – scanning
Consistent with past years, vulnerability scanning remains a top-recorded technique, likely enabled by tools facilitating automation. During 2023/2024, vulnerabilities were observed frequently being leveraged for initial access. Publicly accessible vulnerabilities within networking devices and security infrastructure have become some of the most common initial access vectors for malicious cyber actors, including for ransomware.
Reconnaissance – gather credentials
Compromised credentials persist as a key vector for enabling network-wide compromise. During 2023/2024, the NCSC continued to record incidents for identified compromised credentials, consistent with the increase observed in 2022/2023. The NCSC also observed an increase in the use of valid account credentials in both routine and significant incidents in 2023/2024, including cloud user account logins. Adversaries may obtain and abuse the credentials of existing accounts as a means of gaining initial access, maintaining persistence or evading defences. In many cases, gaining initial access through valid accounts is made possible via insecure software development practices. Credentials used in these situations are typically gained either through phishing, when passwords are leaked in credential dumps, or when cyber actors make use of default passwords or attempt brute-forcing.
Most recorded MITRE ATT&CK techniques used in incidents of potential national significance in 2023/24
