Initial Access Broker (IAB)

What Is an Initial Access Broker?

An Initial Access Broker (IAB) is a threat actor specializing in infiltrating computer systems and networks, then selling that unauthorized access to other malicious actors. IABs are skilled at identifying and exploiting security vulnerabilities, providing services to ransomware groups and other bad actors. IABs perpetuate malicious activities and enable entry into compromised systems by acting as intermediaries.

How Initial Access Brokers Operate

IABs use common hacking techniques to gain unauthorized access to networks, leveraging social engineering attacks, brute force attacks, and other attack vectors. The asking price for IAB services depends on factors such as the size and type of the target and the type of access offered. By selling access instead of carrying out attacks themselves, IABs mitigate the risks associated with executing a ransomware attack, focusing instead on breaching networks and capitalizing on their expertise.

IABs primarily operate on dark web forums and underground markets and can function as individual actors or as part of larger organizations like ransomware-as-a-service (RaaS) gangs. Their clientele consists of groups with malicious intent who leverage the purchased access to launch ransomware attacks, execute data breaches, and engage in other malicious activities—typically for financial gain.

What Initial Access Brokers Sell

Initial access brokers sell various types of network access.

Remote Desktop Protocol (RDP)

RDP is a cybersecurity protocol enabling users to remotely control a computer over a network connection. IABs sell compromised systems with RDP access enabled, allowing buyers to exploit systems remotely.


Virtual Private Network (VPN)

VPNs are used to establish secure connections over the internet. If VPN servers are not configured correctly, IABs can gain access to system accounts and sell the compromised credentials.

Web Shell Attack

In a web shell attack, threat actors take advantage of web server vulnerabilities and implant malicious files within web server directories, establishing backdoor access to the web server.
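
A defender-side check for the implanted files described above, as an added example that is not part of the original page: it hashes a web root at deployment time and later reports server-executable scripts that are new or modified. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server typically executes; adjust to the stack in use (assumption).
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}

def build_manifest(web_root):
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def find_unexpected_scripts(web_root, baseline):
    """Return (path, reason) for executable scripts that are new or changed since baseline."""
    findings = []
    for path, digest in build_manifest(web_root).items():
        if Path(path).suffix.lower() not in SCRIPT_EXTS:
            continue  # static content is out of scope for this check
        if path not in baseline:
            findings.append((path, "new"))
        elif baseline[path] != digest:
            findings.append((path, "modified"))
    return findings

def demo():
    """Constructed web root: take a baseline, then simulate post-deployment changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = build_manifest(root)

        # Changes after the known-good deployment (constructed sample content).
        (root / "uploads" / "avatar.php").write_text("<?php /* placeholder */ ?>")
        (root / "index.php").write_text("<?php echo 'home v2'; ?>")
        (root / "uploads" / "photo.png").write_bytes(b"\x89PNG another sample")
        return find_unexpected_scripts(root, baseline)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:9} {path}")
```

A script appearing in an upload directory is the strongest signal here; modified scripts need to be reconciled against the deployment history before they are treated as findings.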

Remote Monitoring and Management (RMM)

RMM is the set of tools and processes that enable IT service providers to monitor client endpoints, networks, and computers remotely and proactively.

Active Directory

Active Directory is a directory service that stores information about resources and items on a network, allowing for easy use and control of information. IABs infiltrate these structured data stores and sell access to them, which buyers use to enter private networks.

Dangers of Initial Access Brokers

IABs pose a significant risk to network security as they perpetuate the rise of cyber threats, such as malware and ransomware attacks. By assisting threat actors that lack the technical expertise or resources to hack into systems independently, IABs streamline cyberattacks.

IABs also benefit RaaS gangs by reducing their workload and accelerating their services. As partnerships between IABs and RaaS gangs grow, both parties gain access to stronger skillsets, clientele, and power. RaaS gangs continue to receive financial compensation while other threat actors are provided with the tools needed to extort organizations and capitalize on cyberattacks. 

Well-known RaaS gangs such as LockBit and Conti ransomware have contributed to the rise of ransomware attacks—a detrimental trend that leaves organizations vulnerable to the theft of sensitive data and financial information.

How to Protect Against Initial Access Brokers

Maintain network security and defend against IABs by implementing the following cybersecurity measures:

Endpoint security is a cyber solution that protects an organization’s endpoints, including all network devices. It mitigates cyberattacks by preventing malicious actors like IABs from infiltrating electronic systems.

Zero Trust Network Access (ZTNA) is a security approach that sets boundaries and restrictions for resources within a network: to access any information, all users must first authenticate themselves. By continuously validating the identity of everyone who attempts to enter a network, ZTNA models prevent unauthorized access.

Managed Detection and Response (MDR) is a security solution that ensures the continuous monitoring and safety of a network. By combining endpoint protection with the skills of cybersecurity experts, MDR solutions carry out robust threat hunting and incident response operations, safeguarding an organization’s data.

Security awareness training ensures all employees and organizational stakeholders are educated on best cybersecurity practices. As threat actors target human errors when attempting to breach networks, security awareness training is vital for promoting cybersecurity awareness and defending against cyberattacks.

As a human-centric subscription-based 24x7x365 Managed XDR service, CylanceGUARD® provides the expertise and support businesses need to prevent and protect against ransomware attacks. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry® Security Services with AI-based Endpoint Protection (EPP) and on-device threat detection and remediation through CylanceENDPOINT™. In short, CylanceGUARD provides businesses with the people and technology needed to protect the enterprise from the modern threat landscape.