Initial Access Brokers: The Supply Chain of Cybercrime

By Administrator March 6, 2026

Initial Access Brokers (IABs) represent one of the most significant shifts in the cybercrime ecosystem over the past three years. Rather than executing full attack chains themselves, these threat actors specialize exclusively in gaining unauthorized access to corporate networks — and then selling that access to the highest bidder, typically ransomware affiliates.

How IABs Operate

IABs employ a variety of techniques to gain initial footholds in target environments:

  • Exploiting public-facing applications — VPN appliances (Fortinet, Pulse Secure, Citrix), email gateways, and web servers with known CVEs
  • Credential stuffing and brute force — Leveraging leaked credential databases against RDP, VPN, and Citrix endpoints
  • Phishing campaigns — Targeted spear-phishing to harvest credentials or deploy backdoors
  • Stealer log exploitation — Purchasing credentials harvested by infostealer malware (Redline, Raccoon, Vidar)

The Marketplace

Access is sold on dark web forums like Exploit, XSS, and RAMP, as well as through private Telegram channels. Pricing follows a predictable model:

  • RDP access: $10–$500 depending on the organization size and industry
  • VPN credentials: $500–$5,000 for enterprise-grade access
  • Domain admin access: $5,000–$100,000+ for high-value targets
  • Citrix/VMware Horizon: $2,000–$30,000 based on the environment

Detecting IAB Activity

Security teams can proactively detect IAB activity targeting their organizations by:

  1. Monitoring dark web forums — Track listings that reference your organization, industry vertical, or geographic region using platforms like SIA Watch Tower
  2. Credential monitoring — Use SIA Monitor to detect compromised credentials appearing in stealer logs and dark web dumps before they're weaponized
  3. Attack surface auditing — Regularly scan for exposed RDP, VPN, and Citrix endpoints with SIA ASM
  4. Threat intelligence feeds — Integrate IOC feeds from SIA Feeds into your SIEM to detect known IAB infrastructure
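As an added example (not code from the article or from any SIA product), the detection logic behind items 2 and 4 run over a few constructed gateway authentication log lines: it flags a credential-stuffing spray (many distinct usernames from one source, the pattern from the brute-force bullet above), matches source IPs against an IOC list, and marks any flagged source that also logged in, since that foothold is what an IAB would list for sale. The log format, IP addresses and IOC entry are assumptions made up for illustration.

```python
from collections import defaultdict
import re

# Constructed sample VPN/RDP gateway auth log (not real data).
SAMPLE_LOG = """\
2026-03-06T08:00:01Z src=203.0.113.7 user=jsmith result=FAIL
2026-03-06T08:00:02Z src=203.0.113.7 user=mjones result=FAIL
2026-03-06T08:00:03Z src=203.0.113.7 user=admin result=FAIL
2026-03-06T08:00:04Z src=203.0.113.7 user=rlee result=FAIL
2026-03-06T08:00:05Z src=203.0.113.7 user=kchen result=SUCCESS
2026-03-06T08:01:00Z src=198.51.100.9 user=jsmith result=SUCCESS
2026-03-06T08:02:00Z src=192.0.2.44 user=jsmith result=FAIL
2026-03-06T08:02:30Z src=192.0.2.44 user=jsmith result=SUCCESS
"""
# Constructed IOC feed entry standing in for a real threat-intel list.
IOC_IPS = {"192.0.2.44"}
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Yield (src_ip, username, result) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")

def detect(text, ioc_ips=IOC_IPS, min_users=4):
    """Return {src_ip: [reasons]} for sources worth an analyst's attention.
    'stuffing': >= min_users distinct usernames tried from one source (spray
    pattern). 'ioc_match': source is on the IOC list. 'successful_login': a
    flagged source also authenticated, i.e. the foothold an IAB would sell."""
    users_by_src = defaultdict(set)   # src_ip -> usernames attempted
    logged_in = set()                 # sources with at least one SUCCESS
    for src, user, result in parse_log(text):
        users_by_src[src].add(user)
        if result == "SUCCESS":
            logged_in.add(src)
    alerts = {}
    for src, users in users_by_src.items():
        reasons = []
        if len(users) >= min_users:
            reasons.append("stuffing")
        if src in ioc_ips:
            reasons.append("ioc_match")
        if reasons and src in logged_in:
            reasons.append("successful_login")
        if reasons:
            alerts[src] = reasons
    return alerts
```

In a SIEM the same logic would run per time window (for example, distinct usernames per source per five minutes) rather than over the whole log at once.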

Defensive Recommendations

Organizations should implement the following controls to mitigate IAB risk:

  • Enforce MFA on all remote access points (VPN, RDP, Citrix, email)
  • Patch public-facing applications within 48 hours of critical CVE disclosure
  • Monitor for credential leaks in real-time with automated alerting
  • Implement network segmentation to limit lateral movement from initial access points
  • Deploy deception technologies (honeypots, honey credentials) to detect post-access reconnaissance

Conclusion

IABs have commoditized the most difficult part of the attack chain, making it accessible to less sophisticated threat actors. By monitoring the dark web for access listings, tracking credential exposures, and maintaining a hardened perimeter, security teams can disrupt this supply chain before it leads to a full-scale breach.

How SIA Force Helps

Our comprehensive suite helps combat Initial Access Brokers. Use SIA Watch Tower to monitor dark web forums, SIA Monitor to track compromised credentials, SIA ASM to uncover exposed RDP/VPN endpoints, and SIA Feeds to integrate actionable IOCs.
