The Red Report 2021

Your ultimate guide to the most prevalent MITRE ATT&CK techniques used by adversaries in 2021

Welcome to The Picus Red Report 2021. Based upon research conducted by Picus Labs, this report highlights the ten most common MITRE ATT&CK tactics and techniques used by adversaries over the last 12 months. The report is based on an in-depth analysis of over 200,000 malware samples and provides insights to help guide your defensive strategy.


Read the report to learn:

  • Why malware is now more sophisticated and evasive
  • Why there has been a shift towards ransomware
  • Why attackers are abusing legitimate applications such as Powershell
  • How a threat-centric approach can help to prioritize defensive actions

About  Research:


Between October 2020 - October 2021, Picus Labs analyzed 231,507 unique files. 204,954 of these files (89%) were categorized as malicious. 2,197,025 actions were extracted from these files and mapped to 1,871,682 MITRE ATT&CK techniques.

To compile the Red Report 2021 Top Ten, Picus Labs researchers determined how many malicious files in the dataset exhibited each technique. The results have been compared to the Red Report 2020.

The Picus Red Report 2021 Top Ten:

The most prevalent MITRE ATT&CK techniques observed by Picus:

  1. T1059 Command and Scripting Interpreter
  2. T1055 Process Injection
  3. T1486 Data Encrypted for Impact
  4. T1218 Signed Binary Proxy Execution
  5. T1003 OS Credential Dumping
  6. T1027 Obfuscated Files or Information
  7. T1053 Scheduled Task/Job
  8. T1036 Masquerading
  9. T1082 System Information Discovery
  10. T1497 Virtualization/Sandbox Evasion

Read the report to learn more about each technique and its prevalence

Red Report 2021 Key Findings:

  • Encryption of data has become more prevalent: One in five malware variants that can encrypt files uses the ATT&CK technique "Data Encrypted for Impact," which is listed for the first time in the Red Report Top Ten.

  • The sophistication of malware is rapidly increasing: The average malware now demonstrates 11 malicious behaviors (TTPs), as opposed to nine in 2020 - indicating increased sophistication in attacks and adversaries behind them.

  • Defense evasion is the most common tactic: The most common MITRE ATT&CK tactic used by adversaries is under ATT&CK’s “Defense Evasion” tactic.  Malware files contain at least one of these techniques, demonstrating attackers' determination to stay undetected.

Download the full report to read more key findings 

Why a Threat-Centric Security Approach Is Needed?

As we move into 2022, ransomware shows no signs of slowing down and has become the most popular ATT&CK technique according to the Red Report 2021 Top Ten list. Furthermore, malware variants are becoming more complex and evasive in 2021, making it more challenging to detect and respond to them. 

Read the report to learn about the importance of a threat-centric approach and obtain advice to help more effectively identify and respond to the latest attack techniques.

How to Test Your Ability to Prevent, Detect and Respond to the Latest Attack Techniques?

With the emerging threat landscape, it’s getting more difficult to answer questions such as “How safe is my business from the emerging threats? Or “Am I up to date with the Tactics, Techniques, and Procedures (TTPs) used in the latest threats? 

The Picus Complete Security Control Validation Platform enables organizations to test and measure the ability of their security controls to defend against the latest threats by running real-world adversary behavior against their security controls on a truly continuous basis 

All assessment results are mapped to the MITRE ATT&CK framework, which helps organizations to uncover their systematic weaknesses and assess their resilience to specific APT groups on an ongoing basis. Where weaknesses are identified, Picus provides vendor-specific actionable mitigation content to help swiftly address gaps and improve security outcomes.