
Welcome to the Picus 10 Critical MITRE ATT&CK Techniques report, which is based on in-depth research by Picus Labs, the research arm of Picus Security.
Through a comprehensive analysis of tens of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.
In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result, 445,018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.
This research has found that Process Injection was the most prevalent technique, and Execution and Defense Evasion were dominating tactics observed in 2019. The findings of this research provide insights for better prioritization of risks and security operations by presenting the most prevalent attack techniques, threat actors using these techniques, and red and blue team exercises for them.
The most common technique was T1055 Process Injection[1] that allows evading security controls (Defense Evasion[2]) and gaining higher-level privileges (Privilege Escalation[3]) by executing code under a legitimate process.
The most prevalent tactics are Defense Evasion and Execution, which indicates attackers' interests in staying under the radar of security controls. They are constantly developing new evasion and execution techniques to avoid security solutions.
Attackers frequently use native Windows command-line and scripting tools such as PowerShell, cmd.exe, and VBScript to execute commands. These tools allow attackers to perform sophisticated actions and avoid security controls by interacting directly with the Windows OS.
As the third most common technique, adversaries use Credential Dumping[4] to obtain credentials from the operating system and software for performing Lateral Movement[5] and accessing restricted information and software.
MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.
The MITRE ATT&CK Windows Matrix for Enterprise[6] consists of 12 tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Windows Matrix includes 222 unique techniques.
Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or system. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include, but are not limited to, commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.
The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints, and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.
In 2019, Picus Labs analyzed 56,149 unique files, 48,813 of which (87%) were categorized as malicious. 445,018 actions were extracted from these files, an average of 9.12 actions per malware sample. Since multiple actions may be relevant to the same technique, these actions map to an average of 7.43 MITRE ATT&CK techniques per malware sample. Therefore, a dataset of 362,637 MITRE ATT&CK technique observations is used for this report.
Click on a technique to explore how to simulate the technique (red team exercise), how to detect and mitigate the technique (blue team exercise), and which threat actors and malware use these techniques on which targets.
| # | Technique | Tactic(s) |
|---|---|---|
| 1 | T1055 Process Injection | Defense Evasion, Privilege Escalation |
| 2 | T1086 PowerShell | Execution |
| 3 | T1003 Credential Dumping | Credential Access |
| 4 | T1036 Masquerading | Defense Evasion |
| 5 | T1059 Command-line Interface | Execution |
| 6 | T1064 Scripting | Defense Evasion, Execution |
| 7 | T1053 Scheduled Task | Execution, Persistence, Privilege Escalation |
| 8 | T1060 Registry Run Keys / Startup Folder | Persistence |
| 9 | T1082 System Information Discovery | Discovery |
| 10 | T1089 Disabling Security Tools | Defense Evasion |
Apart from our report, there are valuable studies on top ATT&CK techniques. The following table presents our top 10 list alongside the top 10 lists prepared by CrowdStrike[7], Recorded Future[8] and Red Canary[9] (vendors are sorted by name) and the techniques these lists have in common. The techniques and their ranks differ between the lists, but this diversity does not necessarily signify inaccuracy or incompleteness: since different methodologies and threat samples were used when creating the lists, it is natural to see different results.
| # | Picus | CrowdStrike | Recorded Future | Red Canary |
|---|---|---|---|---|
| 1 | Process Injection | Masquerading | Security Software Discovery | Process Injection |
| 2 | PowerShell | Command-line Interface | Obfuscated Files or Information | Scheduled Task |
| 3 | Credential Dumping | Credential Dumping | Process Injection | Windows Admin Shares |
| 4 | Masquerading | PowerShell | System Information Discovery | PowerShell |
| 5 | Command-line Interface | Hidden Files and Directories | Process Discovery | Remote File Copy |
| 6 | Scripting | Process Injection | Software Packing | Masquerading |
| 7 | Scheduled Task | Registry Run Keys / Startup Folder | DLL Side-Loading | Scripting |
| 8 | Registry Run Keys / Startup Folder | System Owner/User Discovery | Data Encrypted | DLL Search Order Hijacking |
| 9 | System Information Discovery | Account Discovery | Execution Through API | Domain Trust Discovery |
| 10 | Disabling Security Tools | Scripting | Standard Cryptographic Protocol | Disabling Security Tools |
The reader should bear in mind that this research is based on malicious activities of malware after infecting target systems. Therefore, the research is unable to encompass techniques in the Initial Access tactic, which are used by adversaries to gain a foothold in the target network. It should be noted that the Initial Access techniques such as Spearphishing Link (T1192)[10] and Spearphishing Attachment (T1193)[11] are also frequently used by attackers.
Due to the design of the MITRE ATT&CK framework, a malicious action may be mapped to multiple techniques, and some techniques overlap. For example, Emotet malware uses obfuscated VBA macro code that includes a command executed by cmd.exe, which in turn contains malicious PowerShell code. Therefore, running this VBA macro code can be mapped to Scripting (T1064), Command-Line Interface (T1059), and PowerShell (T1086)[12]. However, malware sandboxes map a malicious action to a single technique.
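The counting rules behind the figures above (actions per sample, techniques per sample, one action mapping to several techniques, and a technique counted once per sample) can be made concrete with a small script. This is an added example, not Picus Labs' tooling: the action names and sample data are constructed, and the `single_technique` switch mimics a sandbox that keeps only one technique per action, the caveat noted in the previous paragraph.

```python
from collections import Counter

# Action names are constructed for this example; technique IDs are the ATT&CK
# IDs cited in the report. One action may map to several techniques.
ACTION_TO_TECHNIQUES = {
    "vba_macro_cmd_powershell": ["T1064", "T1059", "T1086"],  # the Emotet case
    "write_remote_thread": ["T1055"], "read_lsass_memory": ["T1003"],
    "copy_named_as_svchost": ["T1036"], "schtasks_create": ["T1053"],
    "run_key_write": ["T1060"], "query_os_version": ["T1082"],
    "stop_av_service": ["T1089"],
}
TECHNIQUE_TACTICS = {
    "T1055": ["Defense Evasion", "Privilege Escalation"], "T1086": ["Execution"],
    "T1003": ["Credential Access"], "T1036": ["Defense Evasion"],
    "T1059": ["Execution"], "T1064": ["Defense Evasion", "Execution"],
    "T1053": ["Execution", "Persistence", "Privilege Escalation"],
    "T1060": ["Persistence"], "T1082": ["Discovery"], "T1089": ["Defense Evasion"],
}
# Constructed sandbox output: sample id -> observed actions (repeats allowed).
SAMPLES = {
    "s1": ["vba_macro_cmd_powershell", "write_remote_thread",
           "write_remote_thread", "query_os_version"],
    "s2": ["write_remote_thread", "read_lsass_memory", "copy_named_as_svchost"],
    "s3": ["vba_macro_cmd_powershell", "schtasks_create", "run_key_write",
           "write_remote_thread"],
    "s4": ["stop_av_service", "copy_named_as_svchost", "query_os_version"],
}

def techniques_per_sample(samples, single_technique=False):
    """Deduplicated technique set per sample. single_technique=True mimics a
    sandbox that keeps only one technique per action (the report's caveat)."""
    pick = (lambda m: m[:1]) if single_technique else (lambda m: m)
    return {sid: {t for a in actions for t in pick(ACTION_TO_TECHNIQUES[a])}
            for sid, actions in samples.items()}

def _ranked(counter):  # most prevalent first, ties broken alphabetically
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))

def rank_techniques(samples, single_technique=False):
    """Number of samples exhibiting each technique (counted once per sample)."""
    per_sample = techniques_per_sample(samples, single_technique).values()
    return _ranked(Counter(t for techs in per_sample for t in techs))

def rank_tactics(samples):
    """Technique observations per tactic; a multi-tactic technique counts for each."""
    return _ranked(Counter(tac for techs in techniques_per_sample(samples).values()
                           for t in techs for tac in TECHNIQUE_TACTICS[t]))

def averages(samples):
    """(actions per sample, techniques per sample): the report's 9.12 and 7.43."""
    techs = sum(len(t) for t in techniques_per_sample(samples).values())
    return sum(len(a) for a in samples.values()) / len(samples), techs / len(samples)
```

With single-technique mapping, T1059 and T1086 disappear from the ranking entirely even though every macro sample used them, which is why the report maps each action to all applicable techniques.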
This research has shown that seven of the top 10 ATT&CK techniques are categorized in the Defense Evasion and Execution tactics. Adversaries frequently inject malicious code into legitimate processes (T1055 Process Injection), use the names and locations of legitimate programs for their malicious files (T1036 Masquerading), and execute malicious code using legitimate scripting languages such as VBScript, PowerShell and command-line batch scripts (T1064 Scripting).
In short, adversaries commonly use legitimate software to avoid detection and prevention by security controls, and they endlessly find new methods to evade security defenses. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques used by adversaries, finding the gaps in your security controls, and improving your defenses by closing these gaps.
The Picus platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs including Defense Evasion techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience. Because of our unique approach, Picus was recognized as a Cool Vendor in Security and Risk Management in the 2H19 report by Gartner.