The Top Ten MITRE ATT&CK Techniques


Welcome to the Picus Red Report 2024, which is based on in-depth research from Picus Labs, the research arm of Picus Security. As a result of the comprehensive analysis of hundreds of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.


The Red Report 2024
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

Executive Summary

In 2023, Picus Labs analyzed 612,080 malware samples to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 7,754,801 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.

This research has found that T1055 Process Injection was the most prevalent technique, and Defense Evasion was the dominating tactic observed in 2023. The findings of this research provide insights for better prioritization of risks and security operations by presenting the most prevalent attack techniques, threat actors using these techniques, and red and blue team exercises for them.

Key Findings

Hunter-Killer Malware:
      Unveiling a New Wave of Aggressive Cyber Attacks

The entry of T1562 Impair Defenses into the third spot on this year's Red Report signifies a notable shift in cyberattack strategies, marked by a dramatic surge in its prevalence - a 333% increase. Threat actors are transforming malware into proactive 'hunter-killers' of cybersecurity defenses, directly targeting and disrupting the tools meant to protect networks. This approach against security measures shows that attackers are now disabling defense mechanisms in addition to evading them. The prominence of T1562 is a clear sign that offensive capabilities are evolving, reflecting a bold and aggressive stance.

This evolution is further nuanced by repurposing cybersecurity utilities as instruments of aggressive attacks. In 2023, the LockBit ransomware group abused Kaspersky's TDSSKiller anti-rootkit utility, Earth Longzhi exploited Zemana Antimalware's driver, and the AuKill malware abused Microsoft's Process Explorer to disable endpoint defenses like Windows Defender and other AV and EDR solutions.

Invisibility at the Forefront Evasion:
      Evolving Tactics Challenge Detection and Response

Our research shows that an overwhelming 70% of the malware analyzed now employs stealth-oriented techniques, particularly those that facilitate evading security measures and maintaining persistence in networks.

T1055 Process Injection saw an alarming rise, soaring from 22% in 2022 to 32% in 2023 (a 45% increase), as it moved from fourth place to become the most prevalent technique. This notable shift indicates that nearly one-third of all analyzed malware can inject malicious code into legitimate processes, allowing adversaries to avoid detection while potentially gaining elevated privileges.

In parallel, the T1059 Command and Scripting Interpreter remains a favorite due to its dual functionality. It enables attackers to carry out and disguise malicious operations using native tools, sidestepping traditional detection systems. Similarly, the inclusion of T1027 Obfuscated Files or Information in the Red Report 2024 Top Ten list, with a 150% jump in prevalence from 4% in 2022 to 10% in 2023, highlights a trend toward hindering the effectiveness of security solutions and obfuscating malicious activities to complicate the detection of attacks, forensic analysis, and incident response efforts.

The Ransomware Saga Continues:
      Enduring Impact and Emerging Extortion Trends

T1486 Data Encrypted for Impact has consistently emerged as one of the top threats in our annual Red Reports. Our study reveals a concerning trend: 21% of the malware samples we analyzed possess the capability to encrypt data. Furthermore, we've identified a 176% increase in the use of T1071 Application Layer Protocol, which is being strategically deployed for data exfiltration as part of sophisticated double extortion schemes. High-profile ransomware cases in 2023 bear witness to the critical impact of these techniques, which played pivotal roles in attacks by BlackCat/AlphV against NCR and Henry Schein, Cl0p targeting the US Department of Energy, Royal breaching the City of Dallas, LockBit's assaults on Boeing, CDW, and MCNA, and Scattered Spider infiltrating MGM Resorts and Caesars Entertainment.

Refinement Over Revolution:
      Adversaries Perfect Existing Techniques

In addition to the appearance of four new techniques in the Red Report 2024 Top Ten, there is also a notable refinement and continued use of established methods like T1059 Command and Scripting Interpreter, T1047 Windows Management Instrumentation, T1082 System Information Discovery, and T1003 OS Credential Dumping. The appearance of these techniques at the top of the list means that attackers are successfully exploiting them. This suggests that these methods are flexible, reliable, and hard to defend against.

Continuity in Credential Theft:
      Foreshadowing Lateral Movements & Privilege Escalations

Despite dropping from the second to the sixth position, T1003 OS Credential Dumping remains a cornerstone of attacker strategies. The sustained presence of this technique signals an enduring threat where attackers prioritize gaining elevated permissions to spread across networks. This technique's role in facilitating lateral movement and privilege escalation showcases adversaries' intent to maximize reach and impact following initial access, as utilized by the Sandworm threat group in the Russia-Ukraine war.

From Opportunity to Espionage:
      The Evolution of Threats into Advanced Persistent Campaigns

The steady presence of T1082 System Information Discovery combined with the entry of T1071 Application Layer Protocol implies an increased adoption of cyber espionage activities. Additionally, the introduction of T1547 Boot or Logon Autostart Execution reflects a strategy explicitly engineered to ensure persistent, long-term access to victim networks. Collecting sensitive information and maintaining a presence within networks are hallmarks of advanced persistent threats (APTs). This could signal the involvement of sophisticated, well-funded adversaries. Notable entities such as Russia's APT28 (Fancy Bear) and APT29 (Cozy Bear), along with Star Blizzard, China's Volt Typhoon, and North Korea's Lazarus Group have demonstrated significant activity during 2023. These groups' strategic operations in 2023 indicate an escalating trend of state-sponsored attack campaigns.

MITRE ATT&CK Framework

MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.  

The MITRE ATT&CK Matrix for Enterprise [1] consists of 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Enterprise Matrix includes 201 techniques and 424 sub-techniques.

Methodology

Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or systems. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include but are not limited to commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.

The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.

In 2022, Picus Labs analyzed 667,401 unique files. 612,080 of them (92%) were categorized as 'malicious'. 7,754,801 actions were extracted from these files, which means an average of 13 actions per malware sample. Since multiple actions may be relevant to the same technique, they were mapped to an average of 11 MITRE ATT&CK techniques per malware sample. Therefore, a dataset of 7,015,759 MITRE ATT&CK techniques is used for this report.


Picus 10 Critical MITRE ATT&CK Techniques


#1 (2023: 4, up) T1055 Process Injection: 32%. Tactics: Defense Evasion, Privilege Escalation

#2 (2023: 1, down) T1059 Command and Scripting Interpreter: 28%. Tactics: Execution

#3 (New) T1562 Impair Defenses: 26%. Tactics: Defense Evasion

#4 (2023: 5, up) T1082 System Information Discovery: 23%. Tactics: Discovery

#5 (2023: 3, down) T1486 Data Encrypted for Impact: 21%. Tactics: Impact

#6 (2023: 2, down) T1003 OS Credential Dumping: 21%. Tactics: Credential Access

#7 (New) T1071 Application Layer Protocol: 18%. Tactics: Command and Control

#8 (New) T1547 Boot or Logon Autostart Execution: 15%. Tactics: Persistence, Privilege Escalation

#9 (2023: 7, down) T1047 Windows Management Instrumentation: 12%. Tactics: Execution

#10 (New) T1027 Obfuscated Files or Information: 10%. Tactics: Defense Evasion


Comparison With Other Top ATT&CK Techniques Lists

Apart from our report, there are other valuable studies on top ATT&CK techniques. The following table presents the top 10 lists prepared by Red Canary [2], MITRE CTID [4], and Mandiant [3] and the common techniques between these lists. Techniques are ranked differently across these lists, but diversity does not necessarily signify inaccuracy or incompleteness. Since different methodologies and threat samples were used when creating the lists, it is natural to see different results.

Rank 1
  Picus: T1055 - Process Injection
  Red Canary: T1059.001 - Command and Scripting Interpreter: PowerShell
  MITRE Engenuity: T1059 - Command and Scripting Interpreter
  Mandiant: T1059 - Command and Scripting Interpreter

Rank 2
  Picus: T1059 - Command and Scripting Interpreter
  Red Canary: T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  MITRE Engenuity: T1027 - Obfuscated Files or Information
  Mandiant: T1027 - Obfuscated Files or Information

Rank 3
  Picus: T1562 - Impair Defenses
  Red Canary: T1047 - Windows Management Instrumentation
  MITRE Engenuity: T1105 - Ingress Tool Transfer
  Mandiant: T1083 - File and Directory Discovery

Rank 4
  Picus: T1082 - System Information Discovery
  Red Canary: T1078.004 - Valid Accounts: Cloud Accounts
  MITRE Engenuity: T1112 - Modify Registry
  Mandiant: T1021 - Remote Services

Rank 5
  Picus: T1486 - Data Encrypted for Impact
  Red Canary: T1027 - Obfuscated Files or Information
  MITRE Engenuity: T1070 - Indicator Removal
  Mandiant: T1082 - System Information Discovery

Rank 6
  Picus: T1003 - OS Credential Dumping
  Red Canary: T1114.003 - Email Collection: Email Forwarding Rule
  MITRE Engenuity: T1204 - User Execution
  Mandiant: T1070 - Indicator Removal

Rank 7
  Picus: T1071 - Application Layer Protocol
  Red Canary: T1003 - OS Credential Dumping
  MITRE Engenuity: T1564 - Hide Artifacts
  Mandiant: T1071 - Application Layer Protocol

Rank 8
  Picus: T1547 - Boot or Logon Autostart Execution
  Red Canary: T1218.011 - System Binary Proxy Execution: Rundll32
  MITRE Engenuity: T1055 - Process Injection
  Mandiant: T1033 - System Owner/User Discovery

Rank 9
  Picus: T1047 - Windows Management Instrumentation
  Red Canary: T1105 - Ingress Tool Transfer
  MITRE Engenuity: T1003 - OS Credential Dumping
  Mandiant: T1140 - Deobfuscate/Decode Files or Information

Rank 10
  Picus: T1027 - Obfuscated Files or Information
  Red Canary: T1036.003 - Masquerading: Rename System Utilities
  MITRE Engenuity: T1021 - Remote Services
  Mandiant: T1190 - Exploit Public-Facing Application
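
The common techniques between the four lists can be computed by collapsing sub-technique IDs to their parent technique and counting how many lists contain each one. The following Python is an added example, not part of the Red Report: the function names are illustrative, and the IDs are transcribed from the comparison above.

```python
from collections import defaultdict

# Top-ten lists transcribed from the comparison above (rank order preserved).
LISTS = {
    "Picus": ["T1055", "T1059", "T1562", "T1082", "T1486",
              "T1003", "T1071", "T1547", "T1047", "T1027"],
    "Red Canary": ["T1059.001", "T1059.003", "T1047", "T1078.004", "T1027",
                   "T1114.003", "T1003", "T1218.011", "T1105", "T1036.003"],
    "MITRE Engenuity": ["T1059", "T1027", "T1105", "T1112", "T1070",
                        "T1204", "T1564", "T1055", "T1003", "T1021"],
    "Mandiant": ["T1059", "T1027", "T1083", "T1021", "T1082",
                 "T1070", "T1071", "T1033", "T1140", "T1190"],
}

def parent(technique_id):
    """Collapse a sub-technique ID (T1059.001, or a mistyped T1059:003) to its parent."""
    return technique_id.replace(":", ".").split(".")[0]

def consensus(lists):
    """Map each parent technique to {source: best rank in that source}."""
    seen = defaultdict(dict)
    for source, ids in lists.items():
        for rank, tid in enumerate(ids, start=1):
            # A source may list several sub-techniques of one parent; keep the best rank.
            seen[parent(tid)].setdefault(source, rank)
    return dict(seen)

def shared(lists, min_sources=2):
    """Techniques present in at least min_sources lists, most widely shared first."""
    hits = {t: r for t, r in consensus(lists).items() if len(r) >= min_sources}
    # Order: number of lists (descending), then sum of ranks, then technique ID.
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), sum(kv[1].values()), kv[0]))

def unique_to(lists, source):
    """Parent techniques that appear only in the given source's list."""
    return [t for t, r in consensus(lists).items() if list(r) == [source]]

if __name__ == "__main__":
    for tid, ranks in shared(LISTS):
        detail = ", ".join(f"{s} #{r}" for s, r in ranks.items())
        print(f"{tid}: {len(ranks)} lists ({detail})")
    print("Only in Picus:", ", ".join(unique_to(LISTS, "Picus")))
```

Techniques that several independent datasets agree on are reasonable first candidates for detection-coverage checks, while those unique to one list reflect that source's sample set and methodology.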

Limitations

The limitations outlined below are imperative to consider when interpreting the Red Report 2024:

  1. Sample Size Representation: Although the dataset is extensive, at over 600,000 malware samples, it encompasses only a subset of the vast malware landscape. This limitation may introduce a bias in the visibility of malware types and behaviors.
  2. Focus on Post-Compromise Tactics: Our research focused primarily on post-compromise activities, thus excluding TA0043 Reconnaissance, TA0042 Resource Development, and TA0001 Initial Access techniques. It is critical to understand that initial access techniques such as T1566 Phishing and T1190 Exploit Public-Facing Application were not covered, as they are crucial steps in the attack chain.

Reflecting on these points provides a balanced view of the findings, acknowledging the scope of analysis while recognizing aspects not addressed within the study.

Conclusion

This research has shown that the Top 10 ATT&CK techniques concentrate on techniques used in Defense Evasion attacks. Sophisticated adversaries actively hunt for defenses in the compromised system, neutralize them, and, by doing so, ensure the malware remains stealthy for a longer time. The rise of Hunter-killer malware shows that these malware strains evade security measures with precision and proactively seek out and impair security tools, firewalls, logging services, audit systems, and other protective measures within an infected system.

Cyber threat actors endlessly develop new adversary techniques and tools while perfecting the use of existing ones. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques and tools used by adversaries, finding gaps in your security controls, and improving defense by closing these gaps. 

The Picus Security Validation Platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs, including Top 10 ATT&CK techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience.

References

[1] "Matrix - Enterprise." [Online]. Available: https://attack.mitre.org/versions/v14/matrices/enterprise/. [Accessed: May 23, 2024]

[2] "Top ATT&CK® Techniques - Red Canary Threat Detection Report," Red Canary, Mar. 11, 2024. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed: May 23, 2024]

[3] "Top Trends in Cyber Security," Mandiant, Aug. 31, 2021. Available: https://www.mandiant.com/m-trends. [Accessed: May 23, 2024]

[4] "Top 15 Techniques — Sightings Ecosystem v2.0.0 documentation." Available: https://center-for-threat-informed-defense.github.io/sightings_ecosystem/top-15-techniques/. [Accessed: May 23, 2024]