The Red Report 2024: The Top 10 Most Prevalent MITRE ATT&CK Techniques
By Picus Labs • June 27, 2023, 18 min read
As organizations grow, their IT infrastructure becomes more complex and harder to protect against the ever-evolving threat landscape. Given shifts in working culture, such as work-from-home and bring-your-own-device policies, people and their devices have now become part of an organization's attack surface.
In this blog, we will explore the concept of an attack vector, discuss how the cumulative total of an organization's attack vectors creates an attack surface, and explain why attack surface discovery should be an essential practice within any organization.
An attack vector is a specific method used by an adversary to achieve an objective, such as gaining unauthorized access to an organizational network, stealing sensitive information, or disrupting business operations. Attack vectors often involve exploiting vulnerabilities or improper implementations within a system or taking advantage of human weaknesses. They serve as the mechanism for attackers to deliver malicious files and binaries, gain a foothold on the target system, or obtain unauthorized access to sensitive data.
Figure 1. Chaining individual attack vectors to gain access to a crown jewel of an organization.
These vectors can range from compromised account credentials, malicious email attachments, and drive-by downloads to sophisticated attack techniques such as exploiting zero-day vulnerabilities.
There are sixteen common attack vectors that adversaries use to breach into organizational systems and networks.
Below, you will find a brief overview of each attack vector.
Compromised Credentials is an attack vector that occurs when unauthorized adversaries gain access to valid account credentials, such as usernames and passwords, Kerberos ticket. The attacker can then impersonate the user, bypassing security controls as a legitimate user in the system.
The Weak Credentials attack vector involves exploiting the weak password policies implemented by an organization. Attackers often take advantage of these easy-to-guess passwords to gain unauthorized access to sensitive systems.
The term "Malicious Insider" refers to a person who works for a company and has access to its internal networks and systems with permission (typically, these people are employees), but who abuses that access. This includes data theft, which is frequently motivated by resentment or financial gain.
Data encryption is a critical security measure for protecting sensitive information. If the encryption is missing, weak, or improperly implemented, this can make the data stealing easier for adversaries. Missing or weak encryption can be exploited during data transmission or when the data is stored, leaving it at risk of compromise.
Misconfiguration is an attack vector that describes improper settings in systems or applications that make them open to attacks. Attackers may take advantage of these configuration errors or policy mismatches to gain unauthorized access to organizational systems and/or network, steal sensitive information, or stop services, potentially causing serious disruptions to the organization.
Ransomware is a type of malware that encrypts the victim's data, severely impacting the data’s availability. After encrypting the sensitive data, the attacker demands ransom from the victim to restore their access. Typically distributed through phishing emails or unsecured network services, ransomware attacks can cause serious disruptions to business operations, data loss, and financial damage.
Phishing is an attack technique (ATT&CK 1566) where attackers act like trustworthy entities to lure individuals into sharing sensitive data such as credit card details or login credentials, or download malicious binaries (such as infostealers, ransomware, keyloggers, banking trojans) into their system. Adversaries can distribute phishing emails through deceptive emails, messages, or websites.
In an SQL Injection attack, adversaries inject a malicious SQL code into an SQL query to bypass the system to gain unauthorized access to sensitive data. Adversaries can use this attack for data exfiltration or disrupting business operations. Input sanitation can be an effective countermeasure against SQL injection attacks.
Drive-by Downloads is an attack vector that occurs when a user unintentionally downloads malicious software by visiting an infected website, clicking a deceptive pop-up window, or opening a malicious email. The software can then spy on the user, control the system, or attack other systems.
Cross-Site Scripting (XSS) an serious attack vector that occurs when an attacker injects malicious scripts into web pages viewed by other users. When executed, the scripts can steal information, manipulate web content, or redirect the user to malicious sites. XSS has three different types such as reflected, stored and DOM-based XSS.
Abusing the Trust Relationship between systems or domains is an attack vector that allows an attacker to gain unauthorized access to one system and uses it as a launching pad to infiltrate other systems that trust the compromised system.
Zero-Day Vulnerabilities are software vulnerabilities that are unknown to those who should be interested in its mitigation (including the vendor of the target software). Until the vulnerability is mitigated, attackers can exploit it to adversely affect computer programs, data, or networks.
Brute-Force Attacks is a trial-and-error method used by attackers to obtain information such as personal identification numbers (PINs), passwords, or cryptographic keys. This involves systematically checking all possible combinations until the correct one is found.
Distributed Denial of Service (DDoS) attacks is one of the most well-known attack vectors to make a machine, service, or network resource unavailable to intended users by overwhelming it with a flood of internet traffic. These attacks often involve multiple compromised computers to launch the traffic flood.
Attack vector analysis is a key component of any cybersecurity program, as it provides an understanding of the potential chain of attack vectors (a.k.a attack paths) that a threat actor can take to compromise a system.
The components of attack vector analysis include:
Step 1: Threat Identification
Step 2: Mapping Out All Attack Vectors
Step 3: Vulnerability Assessment
Step 4: Risk Assessment
Each component is provided with a brief description, in the below.
The initial step in attack vector analysis involves recognizing various potential threats to the organization. In this process, it is crucial to consider a diverse range of factors and sources. Threats may emerge from misconfigurations, which can arise from cloud integrations, improperly configured firewalls, or insecure default settings.
Additionally, organizations should be aware of attack campaigns of threat actors and Advanced Persistent Threat (APT) groups that have been actively targeting their region or industry, as these actors may pose a higher risk to their systems.
Newly discovered vulnerabilities in switches, routers, or other hardware and software supplied by third-party vendors may expose an organization to potential attacks.
It is also essential to keep track of widespread vulnerabilities, such as those affecting common libraries (e.g., the Log4j vulnerability) or operating systems, which can put many organizations at risk.
Insider threats should not be overlooked, as malicious actions by employees or contractors with privileged access to systems can put the organization's data and infrastructure at risk.
Finally, staying informed about trending attack methods and new malware campaigns being executed in the wild can help organizations better understand the ever-evolving threat landscape.
By adopting a comprehensive approach to threat identification, organizations can better understand and anticipate potential threats, allowing them to prioritize their cybersecurity efforts more effectively.
The second step in the attack vector analysis involves mapping out all the potential points of entry into a network or system by examining various components of an organization's infrastructure and user activity. The goal is to develop a comprehensive understanding of the organization's attack surface.
This process should include identifying potential weaknesses or flaws in the software used across the organization, such as outdated programs, unpatched applications, or insecure code that may be exploited by threat actors. It is also essential to look for susceptibilities in hardware components like servers, routers, and endpoint devices, as these pieces could be targeted by adversaries seeking unauthorized access, data theft, or system disruption.
The organization's authentication mechanisms should be assessed to ensure robust practices, such as the use of strong passwords, two-factor authentication, and adherence to the principle of least privilege. In addition, any gaps in network security, including unprotected internal and external connections and unsecured Wi-Fi networks or virtual private networks (VPNs) should be addressed.
Physical access points to facilities or server rooms should be evaluated for proper security measures, including access controls and safeguards to deter unauthorized entry. Furthermore, human factors such as employee or contractor susceptibility to social engineering attacks, phishing, and unintentional malware introduction through external devices should be considered.
The security posture of external partners, vendors, and suppliers should also be assessed since their systems could provide an indirect path into the organization if not properly secured. Moreover, emerging technologies like cloud services, connected devices (IoT), and machine learning systems could introduce unique vulnerabilities or challenges that need to be taken into account.
By thoroughly mapping out all possible attack vectors, organizations can develop a clearer understanding of their overall risk landscape and prioritize efforts to strengthen their cybersecurity posture.
Once the inventory of assets is comprehensively identified, a crucial next step is to perform a vulnerability assessment. This process is aimed at identifying the various weaknesses in these assets that could be exploited by potential attackers.
For example, an organization might be using Fortigate SSL VPN firewalls, which were discovered to have a critical remote code execution vulnerability (CVE-2023-27997) . This flaw is heap-based and can be reached before authentication, meaning that an attacker could potentially exploit it without first needing to log in. Despite security patches being released for FortiOS firmware versions like 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, many organizations may remain unknowingly vulnerable if they are not consistently monitoring and managing their attack surfaces.
To carry out the vulnerability assessment, various tools like vulnerability scanners can be utilized to automate this process. These tools work by comparing the details of the software and hardware present in the system against databases of known vulnerabilities, like the Common Vulnerabilities and Exposures (CVE) database. In addition, organizations may want to engage in penetration testing or red teaming exercises to see the vulnerable points in an asset that might give unauthorized access to an adversary.
It is important to highlight that in addition to these traditional security assessment solutions, there are smart and stealthy complementary technologies that show how a potential attacker can chain individual attack vectors together to gain privileged and unauthorized access to an organization’s crown jewels.
Following the identification of vulnerabilities, the subsequent stage is to assess the risk associated with each vulnerability. This process entails evaluating the potential consequences of a successful attack and the probability of such an attack happening. An organization should consider factors such as the value of compromised assets, the sensitivity of the information at stake, and the potential operational disruptions that could arise from a security breach.
Risk assessment involves classifying and prioritizing vulnerabilities based on their severity and potential impact. For instance, a vulnerability that grants an attacker full access to sensitive data would be considered a high-risk vulnerability, while a low-risk vulnerability might only provide limited access with minimal consequences. By assessing the risks, organizations can allocate their resources and efforts more efficiently, focusing on addressing the most critical vulnerabilities first.
Upon completing these first four steps, you need to take the remediation and mitigation steps for the high-risk attack vectors that can be chained to lead to devastating attack paths.
An attack surface is the total sum of attack vectors within a system, network, or organization that an adversary could exploit to achieve their objective. Thus, an organization's attack surface includes all known, unknown, and potential attack vectors that a malicious entity could exploit to compromise its systems or networks.
Figure 1. Attack Surface is all known, unknown and potential attack vectors within an organization.
The broader the attack surface, the greater the risk, as there are more opportunities for attackers to gain unauthorized access. By identifying and minimizing the attack surface, organizations can manage their cyber risk more effectively. The attack surface can be divided into three primary components:
The digital attack surface refers to the cumulative hardware and software connected to an organization's network. It includes
where unauthorized devices or applications bypass the implemented security controls.
The digital attack surface comprises numerous points within an organization's network that are potentially exposed to unauthorized access. It underlines the need for a comprehensive attack surface inventory to establish well-prioritized and effective defensive strategies.
A physical attack surface refers to the variety of physical vulnerabilities that could be used to compromise a system or network. It includes unattended equipment, exposed confidential information, and any physical entry points into a building or server room.
Social engineering attack surface is a collection of attack vectors that result from human flaws. It involves being vulnerable to manipulation techniques like phishing, tailgating, baiting, or pretexting that are intended to fool people into disclosing sensitive information or taking security-compromising actions.
Creating a comprehensive asset inventory is a critical step in discovering your organization’s attack surface, which we will talk about in the upcoming section. It's about developing a detailed understanding of all assets that could potentially be exploited by an attacker.
Organizations must take every asset in their digital environment into consideration. This step includes not only physical hardware but also software applications, databases, network infrastructure, and cloud resources. Data from various sources should be collected and consolidated to ensure all assets are identified.
It's important to categorize and prioritize your assets based on the risk they may possess. Prioritization helps in focusing resources and efforts on assets that, if compromised, could lead to significant damage.
Maintaining your attack surface inventory is not a one-time task. As organizations continually evolve - including new devices or hardware, deploying new software, and migrating to the cloud - the inventory needs to be updated. Regular updates ensure that the inventory remains current and continues to reflect the actual attack surface.
In addition, a comprehensive attack surface inventory should include assets managed by third parties and those used by employees working remotely. A thorough inventory accounts for all the different ways an attacker might gain unauthorized access.
The inventory can also be enriched with threat intelligence data. By aligning the knowledge of assets with the understanding of current threats and vulnerabilities, organizations can get a more accurate picture of their security status. For instance, you might be running a particular exchange server that has been actively exploited lately in the wild. This kind of threat intelligence can help you to identify the potential vulnerable points in your server and patch as soon as possible (if it exists) to remediate this attack vector.
By following these best practices, organizations can build a comprehensive attack surface inventory, which will serve as a foundational tool for their cybersecurity initiatives.
Attack surface discovery is a process that identifies and maps all digital assets within an organization's network or system that holds the potential to become an attack vector in the hand of an adversary.
Attack surface discovery is the prior step to attack surface management. Thus, it includes listing all types of digital assets such as routers and switches, endpoints, web servers, databases, cloud services, remote connections, and APIs, but can also extend to physical access points and potential targets for social engineering attacks.
The primary steps involved in attack surface discovery typically include:
Create Your Asset Inventory: This involves creating a comprehensive list of all assets in the IT infrastructure of an organization, such as employee computers, servers, databases, etc.
Identify Possible Access Points: After all assets are listed, the next step is to identify the possible ways that an individual with malicious intentions can access these assets. This can include public-facing applications, user interfaces, VPN connections, unsecured Wi-Fi, APIs, and more. For instance, in the picture below, we can see that while an employee from the Sales subnetwork cannot access a critical database in a Production environment (the one in red), an IT professional has the privilege to access it.
Figure 1. Access Points to a Critical Database.
3. Find the Vulnerabilities: Once the access points are listed, it is time to assess the potential vulnerabilities that they might have. This can be done through automated scanning tools, manual penetration testing, or other complementary automated solutions.
4. Analyze the Potential Threats: The final step is analyzing the potential threats that could exploit the vulnerabilities and determining the likely impact if they were to be exploited.
Attack surface discovery is important for four main reasons, such as visibility, risk management, threat prevention and regulatory compliance.
Visibility: As the organizations get bigger, their IT infrastructure becomes more complex. For instance, with newcomers, new endpoints and devices are introduced to the system. If your organization provides remote-working options, or runs a bring-your-own-device policy, this process can become more complex than you think. In addition, these individuals are placed in particular network segments/domains with certain privileges, etc. Thus, it is difficult to know every system, host, domain, or network under your control. Attack surface discovery provides complete visibility into your environment, including shadow IT and forgotten assets.
Risk Management: By understanding your attack surface, you can prioritize your focus and remediation efforts on the critical assets that poses the highest risk to your organization.l
Threat Prevention: If you can identify the possible entry points to your assets, you can harden these points to prevent a potential attack to your organization. In that sense, attack surface discovery helps organizations to shift from a reactive to proactive cybersecurity approach.
Regulatory Compliance: Many regulations and standards require businesses to maintain a certain level of security. Understanding your attack surface can help you meet these requirements and avoid penalties.
Ultimately, you cannot secure what you don't know. Hence, the process of attack surface discovery is a fundamental step in developing an effective cybersecurity strategy.
Organizations can prioritize threats based on their attack surface analysis by adopting a risk-based approach. This means assessing each potential threat in terms of its likelihood and the impact it could have on the organization's systems and data.
Understanding the attack surface is the first step. It involves inventorying all assets, including hardware, software, network components, and data, and mapping these to potential attack vectors.
Once the attack surface has been mapped, each potential threat can be assessed. Factors to consider include the nature of the threat (such as whether it's a common or rare type of attack), the potential impact on the organization (how much damage it could do), and the vulnerability of the asset (how easy it would be for an attacker to exploit).
After assessing the threats, they can be prioritized. Typically, high-impact and high-likelihood threats are given the highest priority. These are the threats that could do the most damage and are the most likely to occur, and so they should be addressed first.
The prioritization process also involves considering the organization's risk tolerance. This involves determining how much risk the organization is willing to accept. For example, some organizations might choose to accept a higher level of risk for less critical systems or data, while prioritizing protection for their most sensitive and important assets.
By prioritizing threats based on their attack surface analysis, organizations can make more informed decisions about where to focus their security efforts. This can help them to more effectively and efficiently manage their cybersecurity risks.
Advanced Persistent Threats (APTs) perform sophisticated, sustained cyberattacks in which an intruder gains access to a network and remains undetected for a long period of time. These attacks are often targeted at organizations with high-value information, such as national defense agencies, manufacturing firms, and financial institutions. Here's how organizations can protect their attack surface from APTs:
Continual Monitoring: Constantly monitor networks for unusual activity. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can be used to identify and block abnormal behavior.
Regular Patching and Updating: Ensure software and systems are up-to-date. APTs often exploit known vulnerabilities in software that haven't been patched.
Network Segmentation: By dividing the network into smaller parts, an intrusion can be contained within a smaller environment and prevent it from spreading across the entire system.
Employee Training: Staff should be trained on security best practices and how to identify suspicious activity. Many APTs begin with a successful phishing attempt.
Two-factor Authentication (2FA): Implement 2FA to add an extra layer of security and prevent unauthorized access, even if credentials are compromised.
Zero-Trust Architecture: Adopt a zero trust model, which is based on the principle of maintaining strict access controls and not trusting anything inside or outside its perimeters by default.
Regular Audits and Testing: Regular audits of network systems and penetration testing can help identify potential vulnerabilities and ensure that defense systems are working as expected.
Incident Response Planning: Have a plan in place to respond to a detected intrusion quickly and effectively to minimize damage.
The goal is to reduce the attack surface and increase the organization's ability to prevent, detect, and respond to APTs.
 D. Burton, “CVE-2023-27997: Critical Fortinet Fortigate Remote Code Execution Vulnerability,” Rapid7, Jun. 12, 2023. [Online]. Available: https://www.rapid7.com/blog/post/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/. [Accessed: Jun. 16, 2023]