As a result of a comprehensive analysis of tens of thousands of real-world threat samples collected from numerous sources, we identified the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.
Executive Summary
We analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files, and categorized each observed TTP using the MITRE ATT&CK® framework. In total, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the ten most common techniques used by attackers.
This research found that Process Injection was the most prevalent technique, and that Execution and Defense Evasion were the dominant tactics observed in 2019. The findings support better prioritization of risks and security operations by presenting the most prevalent attack techniques, the threat actors that use them, and red and blue team exercises for each.
Key Findings
The most common technique was T1055 Process Injection, which lets an adversary evade security controls (Defense Evasion) and obtain higher-level privileges (Privilege Escalation) by executing code in the context of a legitimate process.
The most prevalent tactics were Defense Evasion and Execution, which indicates attackers' interest in staying under the radar of security controls; they are constantly developing new evasion and execution techniques to bypass security solutions.
Attackers frequently use native Windows command-line and scripting tools such as PowerShell, cmd.exe, and VBScript to execute commands. These tools allow attackers to perform sophisticated actions and avoid security controls by interacting directly with the Windows OS.
The third most common technique was Credential Dumping (T1003), which adversaries use to obtain credentials from the operating system and software in order to perform Lateral Movement and access restricted information and software.
MITRE ATT&CK Framework
MITRE ATT&CK is a freely available knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how the adversary accomplishes that goal by performing an action.
The MITRE ATT&CK Windows Matrix for Enterprise consists of 12 tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many ways to achieve a tactic, so each tactic category contains multiple techniques. Conversely, a technique may belong to multiple tactics: Process Injection, for example, serves both Defense Evasion and Privilege Escalation. At the time of writing, the ATT&CK Windows Matrix includes 222 unique techniques.
Methodology
We simulate adversarial TTPs on networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or system. To build these adversarial attack scenarios, we analyze hundreds of malicious files with the help of internal tools and open source and commercial sandboxes. Sources of these files include, but are not limited to, commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.
Our red team analysts evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Our blue team analysts then examine the effects of these malicious actions on security controls and endpoints, and develop actionable prevention signatures and detection rules for them. As the building blocks of attack scenarios, each malicious action is mapped to a MITRE ATT&CK technique to ground the scenarios in a common taxonomy.
In 2019, we analyzed 56149 unique files, 48813 of which (87%) were categorized as 'malicious'. From these files, 445018 actions were extracted, an average of 9.12 actions per malware. Since several actions may correspond to the same technique, these actions map to an average of 7.43 MITRE ATT&CK techniques per malware. The resulting dataset of 362637 technique observations is the basis of this report.
10 Critical MITRE ATT&CK Techniques
For each technique, the full report covers how to simulate it (red team exercise), how to detect and mitigate it (blue team exercise), and which threat actors and malware use it against which targets.
9. T1082 System Information Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.
10. T1089 Disabling Security Tools
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
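As an added blue-team illustration (example code written for this edit, not the report's own tooling), the following Python maps constructed Windows process-creation events (Sysmon Event ID 1 / Security 4688 shaped) to the 2019 technique IDs used in this report, covering T1082 and T1089 above as well as the command-line and scripting techniques from the key findings. Every rule is evaluated independently, so one command line can earn several IDs; this is the overlap discussed under Limitations. The service names (WinDefend, MpsSvc, Sense, EventLog, wscsvc), process names (MsMpEng.exe, MsSense.exe, NisSrv.exe) and the Set-MpPreference parameters are real; the events, paths and instance ID are constructed, and the rule set is deliberately narrow rather than complete.

```python
"""Rule-based mapping of process-creation events to 2019 ATT&CK technique IDs."""
import re

# Patterns run over the lower-cased command line. IDs are the 2019 ones used in the
# report; current ATT&CK has since moved T1086 to T1059.001 and T1089 to T1562.001.
RULES = {
    "T1082": [  # System Information Discovery
        r"\bsysteminfo(\.exe)?\b",
        r"\bwmic(\.exe)?\s+(os|computersystem|csproduct)\s+get\b",
        r"\bget-computerinfo\b",
        r"\bsystemsetup\b",                        # macOS, requires admin
        r"\baws\s+ec2\s+describe-instances\b",     # IaaS instance data via the cloud API
    ],
    "T1089": [  # Disabling Security Tools
        r"\b(net1?|sc)(\.exe)?\s+(stop|config|delete|pause)\s+.*\b(windefend|mpssvc|sense|eventlog|wscsvc)\b",
        r"\btaskkill(\.exe)?\b.*\s/im\s+(msmpeng|mssense|nissrv)\b",
        r"\bset-mppreference\b.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)\b",
        r"\breg(\.exe)?\s+delete\s+.*\\run\b",    # Run-key removal so the tool does not start at boot
    ],
    "T1059": [r"\bcmd(\.exe)?\s+/[ck]\b"],                           # Command-Line Interface
    "T1086": [r"\b(powershell|pwsh)(\.exe)?\b"],                     # PowerShell
    "T1064": [r"\b(cscript|wscript)(\.exe)?\b.*\.(vbs|vbe|js)\b"],   # Scripting
}
COMPILED = {tid: [re.compile(p) for p in pats] for tid, pats in RULES.items()}

# Constructed process-creation events; field names follow Sysmon Event ID 1.
EVENTS = [
    {"parent_image": "WINWORD.EXE", "image": "cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent_image": "cmd.exe", "image": "systeminfo.exe", "command_line": "systeminfo"},
    {"parent_image": "cmd.exe", "image": "net.exe", "command_line": "net stop WinDefend"},
    {"parent_image": "cmd.exe", "image": "powershell.exe",
     "command_line": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"parent_image": "cmd.exe", "image": "reg.exe",
     "command_line": r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f'},
    {"parent_image": "explorer.exe", "image": "wscript.exe",
     "command_line": r"wscript.exe C:\Users\a\AppData\Local\Temp\inv.vbs"},
    {"parent_image": "cmd.exe", "image": "aws.exe",
     "command_line": "aws ec2 describe-instances --instance-ids i-0123456789abcdef0"},
    {"parent_image": "cmd.exe", "image": "taskkill.exe", "command_line": "taskkill.exe /F /IM MsMpEng.exe"},
    {"parent_image": "explorer.exe", "image": "notepad.exe", "command_line": r"notepad.exe C:\Users\a\notes.txt"},
]


def classify(event):
    """Return the sorted technique IDs whose rules match this event's command line."""
    cmd = event["command_line"].lower()
    return sorted(tid for tid, pats in COMPILED.items() if any(p.search(cmd) for p in pats))


def scan(events):
    """Run every event through the rules and keep the hits as (image, [technique IDs])."""
    hits = []
    for ev in events:
        techniques = classify(ev)
        if techniques:
            hits.append((ev["image"], techniques))
    return hits


if __name__ == "__main__":
    for image, techniques in scan(EVENTS):
        print(f"{image:16} {', '.join(techniques)}")
```

The first event, a Word child cmd.exe that launches PowerShell, is tagged with both T1059 and T1086, and the Set-MpPreference event with both T1086 and T1089; a sandbox that reports one technique per action would keep only one of each pair. In production the rules would be scoped further by parent process and user context, since systeminfo and net stop are also routine administrative commands.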
Limitations
The reader should bear in mind that this research is based on the malicious activities of malware after it has infected target systems. Therefore, the research cannot cover techniques in the Initial Access tactic, which adversaries use to gain a foothold in the target network. It should be noted that Initial Access techniques such as Spearphishing Link (T1192) and Spearphishing Attachment (T1193) are also frequently used by attackers.
Due to the design of the MITRE ATT&CK framework, a malicious action may map to multiple techniques, and some techniques overlap. For example, Emotet uses an obfuscated VBA macro that contains a command executed by cmd.exe, which in turn consists of malicious PowerShell code. Running this VBA macro can therefore be mapped to Scripting (T1064), Command-Line Interface (T1059), and PowerShell (T1086). However, malware sandboxes map a malicious action to a single technique.
THE TECH PLATFORM
www.thetechplatform.com