# Initial Access Techniques
Initial access is the set of techniques an adversary uses to gain their first foothold inside a target environment. In MITRE ATT&CK, this is Tactic TA0001, the first step in every attack chain. Nothing that follows, no lateral movement, no credential theft, no data exfiltration, no ransomware deployment, is possible without first solving the initial access problem.
Every intrusion starts with one of a small number of repeatable entry vectors. The Verizon Data Breach Investigations Report (DBIR) has tracked these vectors for over a decade. Phishing and valid account abuse consistently account for the majority of confirmed breaches. Exploitation of public-facing applications follows closely. The attack techniques are not exotic. They are reliable, repeatable, and defensible when organizations treat the right domains with the right priority.
Initial access defense does not belong to a single PDM domain. Each technique is owned by a different layer of the concentric model. Phishing is an IAT and SPH problem. Exploitation of public-facing applications is a VSD problem. Valid account compromise is an IAT problem. External remote services exposure is both an IAT and VSD problem. Supply chain compromise touches VSD and RGA simultaneously. This is why initial access requires The Shield to diagnose: a weakness in any domain creates a viable entry point.
Understanding initial access techniques is the foundation of all threat intelligence work. An organization that does not know how attackers get in cannot rationally prioritize its defenses.
Phishing is the most volumetrically dominant initial access technique by a significant margin. Verizon DBIR data shows it appears in over a third of all breaches annually. The technique relies on human decision-making rather than technical vulnerability: send a convincing message, get the target to click a link or open an attachment, and the first phase of the attack is complete.
Sub-techniques under T1566 cover distinct delivery mechanisms:
The Change Healthcare breach illustrates the consequence of phishing without phishing-resistant authentication. Credentials were obtained through a phishing campaign targeting a Citrix portal that lacked multi-factor authentication. Once the credentials were in attacker hands, the absence of MFA meant the portal provided direct, uncontested access. Phishing succeeded not because technical defenses failed, but because the authentication layer did not require a second factor that an attacker could not steal through phishing.
Valid account abuse means the attacker authenticates using real credentials. No exploit required. The credentials may come from credential stuffing (testing breach databases against target systems), password spraying (trying common passwords against many accounts), phishing (as above), or purchase from initial access brokers on criminal marketplaces.
Sub-techniques reflect the account type targeted:
Both Colonial Pipeline and Change Healthcare began with valid account abuse. In the Colonial Pipeline incident, attackers used a compromised VPN account, likely obtained from a breach database or dark web marketplace, to authenticate to a VPN portal with no MFA enabled. In the Change Healthcare incident, attackers used stolen credentials to access a Citrix remote access portal. In both cases, the authentication mechanism accepted the credentials because they were technically valid. The systems could not distinguish the attacker from a legitimate user.
Exploitation of internet-facing vulnerabilities remains a reliable and frequently exploited initial access vector. The critical window is the period between vulnerability disclosure and patch deployment. During this window, exploitation is often trivial because proof-of-concept code is publicly available and the population of vulnerable organizations is large and known.
Recent high-impact examples illustrate the speed of exploitation:
The pattern across all of these is consistent: public disclosure followed by rapid exploitation, with the organizations slowest to patch bearing the greatest exposure. VSD (Vulnerability and Surface Defense) is the primary defensive domain here because the attack targets the surface area the organization exposes to the internet.
External remote services are the administrative access mechanisms organizations expose to the internet: VPN concentrators, RDP (Remote Desktop Protocol), SSH, Citrix Virtual Apps and Desktops, and similar remote access infrastructure. These services are necessary for remote work and administrative operations, but they represent the most directly accessible entry points to internal networks.
The attack against external remote services typically combines T1133 with T1078 (valid accounts) or T1190 (exploitation): obtain credentials through a breach or phishing campaign, then authenticate directly to the exposed VPN or RDP endpoint. Alternatively, exploit a vulnerability in the remote access appliance itself.
This technique is the most preventable attack vector in the initial access taxonomy. Multi-factor authentication on every external remote service entirely closes the valid account abuse path that relies on password-only authentication. Phishing-resistant MFA (hardware security keys implementing FIDO2) also closes the credential-theft-then-MFA-bypass path. Colonial Pipeline's VPN had no MFA. Change Healthcare's Citrix portal had no MFA. Both are textbook T1133 entry points that MFA would have blocked.
Supply chain compromise targets the software and services that organizations trust by default. Instead of attacking the target directly, the attacker compromises a supplier whose product or access is trusted by the target. When the target installs an update or allows vendor access, the attacker is already inside.
T1195.002 (Compromise Software Supply Chain) covers software-based attacks:
Supply chain attacks are particularly difficult to defend because they exploit trust. The compromised software passed the vendor's build process, was digitally signed by the vendor, and arrived through the vendor's legitimate distribution channel.
Drive-by compromise occurs when visiting a legitimate website results in malware execution on the visitor's system. The attacker compromises a website visited by target populations (a watering hole attack) or purchases advertising that serves malicious code (malvertising). When a visitor with a vulnerable browser or browser plugin loads the page, exploit code executes automatically.
Strategic web compromise targets specific industries or organizations. An attacker wanting to target defense contractors compromises a website those contractors are likely to visit, such as an industry association site or a contractor-relevant news portal. The target visits a trusted site and receives malware without any user interaction beyond visiting the page.
Trusted relationship attacks exploit vendor and partner access. Managed service providers, IT contractors, law firms, accounting firms, and software vendors often have direct network access, VPN credentials, or remote management tools in client environments. Compromising the vendor provides access to every client they serve.
The Kaseya attack demonstrates T1199 combined with T1195: attackers compromised MSP infrastructure and used that trusted access to push ransomware to MSP clients. The access was legitimate from the client network's perspective because the MSP account had authorized access. Detecting this attack required recognizing that an authorized account was being used to perform unauthorized actions.
| Technique | ATT&CK ID | PDM Domain | Methodology | Primary Control | CDA Mission |
|-----------|-----------|------------|-------------|-----------------|-------------|
| Phishing | T1566 | IAT + SPH | ZPA + APC | Phishing-resistant MFA, email security | IAT-B01, SPH-B01 |
| Valid Accounts | T1078 | IAT | ZPA | MFA, breach credential monitoring, PAM | IAT-R01, IAT-B01 |
| Exploit Public-Facing App | T1190 | VSD | CSR | Patch management, WAF, ASM | VSD-R01, VSD-B01 |
| External Remote Services | T1133 | IAT + VSD | ZPA + CSR | MFA on all remote access, attack surface reduction | IAT-B01, VSD-R01 |
| Supply Chain Compromise | T1195 | VSD + RGA | CSR + PCA | SBOM, vendor risk assessment, OAF | VSD-B02, RGA-H01 |
| Drive-By Compromise | T1189 | SPH + VSD | APC + CSR | Browser security, vulnerability patching | SPH-B02, VSD-B01 |
| Trusted Relationship | T1199 | IAT + RGA | ZPA + PCA | Vendor access reviews, OAF controls | IAT-H01, RGA-B01 |
Initial access is not one step in the kill chain. It is the enabling condition for everything that follows. Without initial access, there is no lateral movement, no privilege escalation, no data exfiltration, no ransomware detonation. Organizations that significantly harden initial access vectors reduce the probability of reaching any subsequent phase of an attack.
Mandiant M-Trends data consistently shows that organizations with strong initial access controls (MFA universally deployed, rapid vulnerability patching, email security with sandbox detonation) detect intrusions earlier and suffer materially less damage than those without.
The three most common initial access techniques by volume are phishing, valid account abuse, and exploitation of public-facing applications. These three cover the majority of all intrusions. An organization that achieves strong coverage across all three has eliminated the vast majority of likely initial access paths. This is not about achieving perfect security. It is about eliminating the techniques adversaries actually use, at the statistical rate they use them.
Many organizations deploy extensive detection infrastructure (SIEM, EDR, threat intelligence) while leaving initial access controls weak. They can see the attacker moving laterally but cannot prevent the initial entry. Detection and response capabilities are essential, but they are degraded by weak initial access controls because the attacker has more time and more options once inside.
The other common mistake is believing MFA on email is sufficient. Email is one initial access channel. VPN, RDP, Citrix, SSH, cloud consoles, and SaaS applications all need MFA. Change Healthcare had email MFA but not Citrix MFA. The attacker used the Citrix portal. Defense is as strong as its weakest access point.
Initial access is the clearest demonstration of the PDM's concentric model. No single domain defends against all initial access techniques because no single domain owns all of them. This is why The Shield assessment evaluates all six domains simultaneously. Gaps in IAT (identity controls), VSD (vulnerability and surface management), and SPH (endpoint and email hygiene) each create distinct initial access paths.
CDA's Full Risk Map (FRM) external reconnaissance missions evaluate all initial access vectors simultaneously. VSD-R01 (attack surface management) discovers exploitable internet-facing services. IAT-R01 (identity exposure assessment) identifies compromised credentials and accounts at risk. The combination provides the initial access exposure profile that drives remediation priority.
The Orbital Alliance Framework (OAF) specifically addresses T1199 (trusted relationship) and T1195 (supply chain) by treating vendor relationships as orbital bodies whose security posture affects the planet's defense. A vendor with weak security is not a trusted partner. It is an attack vector wearing a vendor's badge.
Zero Possession Architecture (ZPA) reframes the valid account problem. "Trust nothing. Possess nothing. Verify everything." Even a valid credential is not sufficient for access. Every access request requires continuous verification: MFA at login, step-up authentication for privileged actions, session monitoring for behavioral anomalies, and immediate revocation on indicators of compromise. When Colonial Pipeline's compromised VPN credentials were used, ZPA controls would have flagged the login anomaly (new geographic location, non-standard access time, account not recently active) and required re-verification before granting access.
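As an added example (not code from this page or from the ZPA methodology), the Python below applies the four login checks listed above to constructed authentication events for external remote services such as the VPN and Citrix portals in the Colonial Pipeline and Change Healthcare cases. The event field names, the business-hours window, the 30-day dormancy threshold and the allow/step-up/block policy are all assumptions.

```python
# Added example (not from the CDA page): a minimal implementation of the
# ZPA-style login checks the text describes, run over constructed VPN/Citrix
# authentication events. Field names and thresholds are assumptions.
from datetime import datetime, timedelta
# Constructed sample events: one per successful authentication to an
# external remote service (T1133). "mfa" records whether a second factor
# was presented; "last_seen" is the account's previous successful login.
EVENTS = [
    {"user": "jsmith", "service": "vpn", "mfa": False, "geo": "US",
     "ts": "2024-02-12T10:05:00", "known_geos": ["US"],
     "last_seen": "2024-02-11T17:40:00"},
    {"user": "svc_backup", "service": "citrix", "mfa": False, "geo": "RU",
     "ts": "2024-02-12T03:12:00", "known_geos": ["US"],
     "last_seen": "2023-11-01T09:00:00"},
    {"user": "alee", "service": "vpn", "mfa": True, "geo": "DE",
     "ts": "2024-02-12T14:30:00", "known_geos": ["DE"],
     "last_seen": "2024-02-12T08:00:00"},
]
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 local is "normal"
DORMANT_AFTER = timedelta(days=30)   # assumption: inactive this long is anomalous

def login_anomalies(event):
    """Return the list of ZPA indicators raised by one login event."""
    ts = datetime.fromisoformat(event["ts"])
    last = datetime.fromisoformat(event["last_seen"])
    flags = []
    if not event["mfa"]:
        flags.append("no_mfa")            # password-only access to a remote service
    if event["geo"] not in event["known_geos"]:
        flags.append("new_geo")           # new geographic location
    if ts.hour not in BUSINESS_HOURS:
        flags.append("off_hours")         # non-standard access time
    if ts - last > DORMANT_AFTER:
        flags.append("dormant_account")   # account not recently active
    return flags

def decide(event):
    """Map indicators to an access decision: allow, step_up (re-verify) or block."""
    flags = login_anomalies(event)
    if not flags:
        return "allow"
    # Assumed policy: password-only plus any behavioural anomaly is denied
    # until the identity is re-verified out of band.
    if "no_mfa" in flags and len(flags) > 1:
        return "block"
    return "step_up"

if __name__ == "__main__":
    for e in EVENTS:
        print(e["user"], e["service"], decide(e), login_anomalies(e))
```

The second event reproduces the Colonial Pipeline pattern from the text (valid password, no MFA, new location, off hours, long-dormant account) and is the one a ZPA control would refuse to grant access on credentials alone.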
Mission IAT-R01 (identity exposure reconnaissance) is the starting point. It identifies which accounts have been exposed in known breach databases, which accounts have not enrolled in MFA, which service accounts have excessive privileges, and which external services lack authentication requirements. These findings drive IAT-B01 (identity hardening), which closes the gaps.
MITRE ATT&CK. "Initial Access (TA0001)." MITRE Corporation, 2024. https://attack.mitre.org/tactics/TA0001/
Verizon. "2024 Data Breach Investigations Report." Verizon Business, 2024. https://www.verizon.com/business/resources/reports/dbir/
Mandiant. "M-Trends 2024 Special Report." Google Cloud, 2024. https://www.mandiant.com/m-trends
CISA. "Advisory: Change Healthcare Cybersecurity Incident (AA24-131A)." CISA, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
CDA, LLC. "Zero Possession Architecture (ZPA) Methodology Reference." CDA Canon, 2026.