LAST UPDATED ON JUNE 13, 2023
Picus 10 Critical MITRE ATT&CK Techniques
Welcome to the Picus Red Report 2024, which is based on in-depth research from Picus Labs, the research arm of Picus Security. As a result of the comprehensive analysis of hundreds of thousands of real-world threat samples collected from numerous sources, Picus Labs revealed the most prevalent ATT&CK techniques and tactics to help you focus on what significantly improves your security.
The Red Report 2024
Executive Summary
In 2023, Picus Labs analyzed 612,080 malware samples to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 7,754,801 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.
This research has found that T1055 Process Injection was the most prevalent technique, and Defense Evasion was the dominating tactic observed in 2023. The findings of this research provide insights for better prioritization of risks and security operations by presenting the most prevalent attack techniques, threat actors using these techniques, and red and blue team exercises for them.
Key Findings
Hunter-Killer Malware:
Unveiling a New Wave of Aggressive Cyber Attacks
The entry of T1562 Impair Defenses into the third spot on this year's Red Report signifies a notable shift in cyberattack strategies, marked by a dramatic surge in its prevalence - a 333% increase. Threat actors are transforming malware into proactive 'hunter-killers' of cybersecurity defenses, directly targeting and disrupting the tools meant to protect networks. This shows that attackers are now disabling defense mechanisms in addition to evading them. The prominence of T1562 is a clear sign that offensive capabilities are evolving, reflecting a bold and aggressive stance.
This evolution is further nuanced by repurposing cybersecurity utilities as instruments of aggressive attacks. In 2023, the LockBit ransomware group abused Kaspersky's TDSSKiller anti-rootkit utility, Earth Longzhi exploited Zemana Antimalware's driver, and the AuKill malware abused Microsoft's Process Explorer to disable endpoint defenses like Windows Defender and other AV and EDR solutions.
Invisibility at the Forefront of Evasion:
Evolving Tactics Challenge Detection and Response
Our research uncovers that an overwhelming 70% of the malware analyzed now employs stealth-oriented techniques, particularly those that facilitate evading security measures and maintaining persistence in networks.
T1055 Process Injection saw an alarming rise, soaring from 22% in 2022 to 32% in 2023 (a 45% increase), as it moved from fourth place to become the most prevalent technique. This notable shift indicates that nearly one-third of all analyzed malware can inject malicious code into legitimate processes, allowing adversaries to avoid detection while potentially gaining elevated privileges.
In parallel, the T1059 Command and Scripting Interpreter remains a favorite due to its dual functionality. It enables attackers to carry out and disguise malicious operations using native tools, sidestepping traditional detection systems. Similarly, the inclusion of T1027 Obfuscated Files or Information in the Red Report 2024 Top Ten list, with a 150% jump in prevalence from 4% in 2022 to 10% in 2023, highlights a trend toward hindering the effectiveness of security solutions and obfuscating malicious activities to complicate the detection of attacks, forensic analysis, and incident response efforts.
The Ransomware Saga Continues:
Enduring Impact and Emerging Extortion Trends
T1486 Data Encrypted for Impact has consistently emerged as one of the top threats in our annual Red Reports. Our study reveals a concerning trend: 21% of the malware samples we analyzed possess the capability to encrypt data. Furthermore, we've identified a 176% increase in the use of T1071 Application Layer Protocol, which is being strategically deployed for data exfiltration as part of sophisticated double extortion schemes. High-profile ransomware cases in 2023 bear witness to the critical impact of these techniques, playing pivotal roles in attacks by BlackCat/AlphV against NCR and Henry Schein, Cl0p targeting the US Department of Energy, Royal breaching the City of Dallas, LockBit's assaults on Boeing, CDW, and MCNA, and Scattered Spider infiltrating MGM Resorts and Caesars Entertainment.
Refinement Over Revolution:
Adversaries Perfect Existing Techniques
In addition to the appearance of four new techniques in the Red Report 2024 Top Ten, there is also a notable refinement and continued use of established methods like T1059 Command and Scripting Interpreter, T1047 Windows Management Instrumentation, T1082 System Information Discovery, and T1003 OS Credential Dumping. The appearance of these techniques at the top of the list means that attackers are successfully exploiting them. This suggests that these methods are flexible, reliable, and hard to defend against.
Continuity in Credential Theft:
Foreshadowing Lateral Movements & Privilege Escalations
Despite dropping from the second to the sixth position, T1003 OS Credential Dumping remains a cornerstone of attacker strategies. The sustained presence of this technique signals an enduring threat where attackers prioritize gaining elevated permissions to spread across networks. This technique's role in facilitating lateral movement and privilege escalation showcases adversaries' intent to maximize reach and impact following initial access, as utilized by the Sandworm threat group in the Russia-Ukraine war.
From Opportunity to Espionage:
The Evolution of Threats into Advanced Persistent Campaigns
The steady presence of T1082 System Information Discovery combined with the entry of T1071 Application Layer Protocol implies an increased adoption of cyber espionage activities. Additionally, the introduction of T1547 Boot or Logon Autostart Execution reflects a strategy explicitly engineered to ensure persistent, long-term access to victim networks. Collecting sensitive information and maintaining a presence within networks are hallmarks of advanced persistent threats (APTs). This could signal the involvement of sophisticated, well-funded adversaries. Notable entities such as Russia's APT28 (Fancy Bear) and APT29 (Cozy Bear), along with Star Blizzard, China's Volt Typhoon, and North Korea's Lazarus Group, have demonstrated significant activity during 2023. These groups' strategic operations in 2023 indicate an escalating trend of state-sponsored attack campaigns.
MITRE ATT&CK Framework
MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of tactics and techniques to better classify adversary behaviors. While a tactic specifies a goal that an adversary is trying to achieve, a technique represents how an adversary accomplishes the tactic by performing an action.
The MITRE ATT&CK Matrix for Enterprise [1] consists of 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. There may be many techniques to achieve a tactic, so there are multiple techniques in each tactic category. Similarly, a technique may be categorized into multiple tactics. For example, the Process Injection technique is used by attackers for Defense Evasion and also Privilege Escalation. Currently, the ATT&CK Enterprise Matrix includes 201 techniques and 424 sub-techniques.
Methodology
Picus simulates adversarial TTPs in networks and endpoints by mimicking the actions of threat actors and their malware without adversely affecting any network or systems. To build adversarial attack scenarios, Picus Labs analyzes hundreds of malicious files with the help of internal tools and open-source and commercial sandboxes. Sources of these files include but are not limited to commercial and open-source threat intelligence services, blogs and white papers of security vendors and researchers, social media, malware sandboxes, and forums.
The red team analysts of Picus Labs evaluate the results and examine indicators to identify malicious actions for building attack scenarios. Then, our blue team analysts examine the effects of these malicious actions on security controls and endpoints and develop actionable prevention signatures and detection rules for them. As building blocks of attack scenarios, each malicious action is mapped to a technique of the MITRE ATT&CK framework to ground the scenarios in a common taxonomy.
In 2022, Picus Labs analyzed 667,401 unique files. 612,080 of them (92%) were categorized as 'malicious'. 7,754,801 actions were extracted from these files, an average of 13 actions per malware. Since multiple actions may be relevant to the same technique, they were mapped to an average of 11 MITRE ATT&CK techniques per malware. Therefore, a dataset of 7,015,759 MITRE ATT&CK techniques is used for this report.
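To make the counting rule above concrete, the following Python is an added example (not Picus Labs' tooling) that applies the same methodology to a handful of constructed sandbox observations: each observed action is mapped to a technique, duplicate techniques within one sample are collapsed so a technique counts once per sample, and prevalence is the share of samples exhibiting a technique. The sample ids, action descriptions and technique mappings are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sandbox observations: (sample id, observed action, mapped ATT&CK technique).
# The ids, actions and mappings are illustrative, not data from the report.
OBSERVED_ACTIONS = [
    ("sample-A", "allocate memory in a remote process", "T1055"),
    ("sample-A", "write code into a remote process", "T1055"),
    ("sample-A", "start a thread in a remote process", "T1055"),
    ("sample-A", "spawn cmd.exe", "T1059"),
    ("sample-A", "read the OS version from the registry", "T1082"),
    ("sample-B", "spawn powershell.exe", "T1059"),
    ("sample-B", "stop the endpoint protection service", "T1562"),
    ("sample-B", "read the OS version from the registry", "T1082"),
    ("sample-C", "encrypt files in the user's profile", "T1486"),
    ("sample-C", "read the OS version from the registry", "T1082"),
    ("sample-D", "spawn cmd.exe", "T1059"),
    ("sample-D", "HTTP POST to an external host", "T1071"),
]


def techniques_per_sample(actions):
    """Collapse many actions into the set of distinct techniques each sample exhibits."""
    per_sample = defaultdict(set)
    for sample_id, _action, technique in actions:
        per_sample[sample_id].add(technique)
    return dict(per_sample)


def dataset_stats(actions):
    """Totals and per-sample averages of the kind the Methodology section reports."""
    per_sample = techniques_per_sample(actions)
    samples = len(per_sample)
    technique_rows = sum(len(techs) for techs in per_sample.values())
    return {
        "samples": samples,
        "actions": len(actions),
        "technique_rows": technique_rows,  # deduplicated (sample, technique) pairs
        "avg_actions": round(len(actions) / samples, 1),
        "avg_techniques": round(technique_rows / samples, 1),
    }


def prevalence(actions):
    """Percent of samples exhibiting each technique (a technique counts once per sample)."""
    per_sample = techniques_per_sample(actions)
    counts = Counter()
    for techs in per_sample.values():
        counts.update(techs)
    total = len(per_sample)
    return {t: round(100.0 * c / total, 1) for t, c in counts.items()}


def top_techniques(actions, n=10):
    """Ranked list of (technique, prevalence %), ties broken by technique id."""
    ranked = sorted(prevalence(actions).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


if __name__ == "__main__":
    print(dataset_stats(OBSERVED_ACTIONS))
    for technique, pct in top_techniques(OBSERVED_ACTIONS):
        print(f"{technique}: {pct}% of samples")
```

Deduplicating per sample is the step that matters: sample-A contributes three injection-related actions but only one T1055 entry, which is why the report's technique count (7,015,759) is lower than its action count (7,754,801) and why prevalence is expressed as a percentage of samples rather than of actions.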
Picus 10 Critical MITRE ATT&CK Techniques
Click on a technique to explore how to simulate the technique (red team exercise), how to detect and mitigate the technique (blue team exercise), and which threat actors and malware use these techniques on which targets.
#1 T1055 Process Injection
#2 T1059 Command and Scripting Interpreter
#3 T1562 Impair Defenses
#4 T1082 System Information Discovery
#5 T1486 Data Encrypted for Impact
#6 T1003 OS Credential Dumping
#7 T1071 Application Layer Protocol
#8 T1547 Boot or Logon Autostart Execution
#9 T1047 Windows Management Instrumentation
#10 T1027 Obfuscated Files or Information
Comparison With Other Top ATT&CK Techniques Lists
Apart from our report, there are valuable studies on top ATT&CK techniques. The following table presents the top 10 lists prepared by Red Canary [2], MITRE CTID [3], and Mandiant [4] and the common techniques between these lists. In these lists, various techniques will be listed differently, but diversity does not necessarily signify inaccuracy or incompleteness. Since different methodologies and threat samples were used when creating the lists, it is natural to see different results.
| Rank | Picus Red Report 2024 | Red Canary | MITRE CTID | Mandiant |
| --- | --- | --- | --- | --- |
| 1 | T1055 - Process Injection | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059 - Command and Scripting Interpreter | T1059 - Command and Scripting Interpreter |
| 2 | T1059 - Command and Scripting Interpreter | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1027 - Obfuscated Files or Information | T1027 - Obfuscated Files or Information |
| 3 | T1562 - Impair Defenses | T1047 - Windows Management Instrumentation | T1105 - Ingress Tool Transfer | T1083 - File and Directory Discovery |
| 4 | T1082 - System Information Discovery | T1078.004 - Valid Accounts: Cloud Accounts | T1112 - Modify Registry | T1021 - Remote Services |
| 5 | T1486 - Data Encrypted for Impact | T1027 - Obfuscated Files or Information | T1070 - Indicator Removal | T1082 - System Information Discovery |
| 6 | T1003 - OS Credential Dumping | T1114.003 - Email Collection: Email Forwarding Rule | T1204 - User Execution | T1070 - Indicator Removal |
| 7 | T1071 - Application Layer Protocol | T1003 - OS Credential Dumping | T1564 - Hide Artifacts | T1071 - Application Layer Protocol |
| 8 | T1547 - Boot or Logon Autostart Execution | T1218.011 - System Binary Proxy Execution: Rundll32 | T1055 - Process Injection | T1033 - System Owner/User Discovery |
| 9 | T1047 - Windows Management Instrumentation | T1105 - Ingress Tool Transfer | T1003 - OS Credential Dumping | T1140 - Deobfuscate/Decode Files or Information |
| 10 | T1027 - Obfuscated Files or Information | T1036.003 - Masquerading: Rename System Utilities | T1021 - Remote Services | T1190 - Exploit Public-Facing Application |
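Comparing the lists by eye is error-prone because Red Canary ranks sub-techniques (T1059.001, T1059.003) where the other three lists rank parent techniques. The following Python is an added example, not part of the report, that normalizes sub-technique ids to their parent technique and then computes which techniques the four lists share. The ids are taken from the table above; the list names and function names are this example's own.

```python
import re
from collections import defaultdict

# ATT&CK technique ids look like T1059 (technique) or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# The four top-10 lists from the comparison table, as technique ids only.
TOP10_LISTS = {
    "Picus": ["T1055", "T1059", "T1562", "T1082", "T1486",
              "T1003", "T1071", "T1547", "T1047", "T1027"],
    "Red Canary": ["T1059.001", "T1059.003", "T1047", "T1078.004", "T1027",
                   "T1114.003", "T1003", "T1218.011", "T1105", "T1036.003"],
    "MITRE CTID": ["T1059", "T1027", "T1105", "T1112", "T1070",
                   "T1204", "T1564", "T1055", "T1003", "T1021"],
    "Mandiant": ["T1059", "T1027", "T1083", "T1021", "T1082",
                 "T1070", "T1071", "T1033", "T1140", "T1190"],
}


def parent_technique(technique_id):
    """Map a sub-technique id to its parent technique; plain technique ids pass through."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique id: {technique_id!r}")
    return technique_id.split(".", 1)[0]


def normalized(lists):
    """Each list as a set of parent technique ids (sub-techniques of one parent merge)."""
    return {name: {parent_technique(t) for t in ids} for name, ids in lists.items()}


def coverage(lists):
    """technique id -> sorted names of the lists that include it at parent level."""
    seen = defaultdict(set)
    for name, techniques in normalized(lists).items():
        for technique in techniques:
            seen[technique].add(name)
    return {t: sorted(names) for t, names in seen.items()}


def shared_by_at_least(lists, k):
    """Techniques that appear in at least k of the lists, sorted by id."""
    return sorted(t for t, names in coverage(lists).items() if len(names) >= k)


def shared_by_all(lists):
    return shared_by_at_least(lists, len(lists))


if __name__ == "__main__":
    print("in every list:", shared_by_all(TOP10_LISTS))
    print("in three or more:", shared_by_at_least(TOP10_LISTS, 3))
    for technique, names in sorted(coverage(TOP10_LISTS).items()):
        print(f"{technique}: {', '.join(names)}")
```

Run as-is, the script reports that only T1059 and T1027 appear in all four lists once Red Canary's two T1059 sub-techniques are merged, and that T1003 joins them when the bar is lowered to three lists. That overlap is the part of the comparison worth prioritizing; the rest of the disagreement is what the section attributes to differing methodologies and sample sets.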
Limitations
The limitations outlined below are imperative to consider when interpreting the Red Report 2024:
- Sample Size Representation: Despite analyzing an extensive dataset of over 600,000 malware samples, the dataset still represents a subset of the vast malware landscape. This limitation may introduce a bias in the visibility of malware types and behaviors.
- Focus on Post-Compromise Tactics: Our research focused primarily on post-compromise activities, thus excluding TA0043 Reconnaissance, TA0042 Resource Development, and TA0001 Initial Access techniques. It is critical to understand that initial access techniques such as T1566 Phishing and T1190 Exploit Public-Facing Application were not covered, as they are crucial steps in the attack chain.
Reflecting on these points provides a balanced view of the findings, acknowledging the scope of analysis while recognizing aspects not addressed within the study.
Conclusion
This research has shown that the Top 10 ATT&CK techniques concentrate on techniques used in Defense Evasion attacks. Sophisticated adversaries actively hunt for defenses in the compromised system, neutralize them, and, by doing so, ensure the malware remains stealthy for a longer time. The rise of Hunter-killer malware shows that these malware strains evade security measures with precision and proactively seek out and impair security tools, firewalls, logging services, audit systems, and other protective measures within an infected system.
Cyber threat actors endlessly develop new adversary techniques and tools while perfecting the use of existing ones. Effective mitigation of these techniques requires challenging each security control in your security stack with the same attack techniques and tools used by adversaries, finding gaps in your security controls, and improving defense by closing these gaps.
The Picus Security Validation Platform continuously challenges your security controls in production with thousands of real attack techniques and identifies gaps in your security stack. Moreover, Picus provides actionable prevention signatures and detection rules to remedy security controls against unblocked and undetected attacks. As a result, organizations can prevent and detect adversarial TTPs, including Top 10 ATT&CK techniques, get the maximum benefit from their security investments, quantify their risks, and increase their resilience.
References
[1] "Matrix - Enterprise." [Online]. Available: https://attack.mitre.org/versions/v14/matrices/enterprise/. [Accessed: May 23, 2024]
[2] "Top ATT&CK® Techniques - Red Canary Threat Detection Report," Red Canary, Mar. 11, 2024. [Online]. Available: https://redcanary.com/threat-detection-report/techniques/. [Accessed: May 23, 2024]
[3] "Top Trends in Cyber Security," Mandiant, Aug. 31, 2021. [Online]. Available: https://www.mandiant.com/m-trends. [Accessed: May 23, 2024]
[4] "Top 15 Techniques — Sightings Ecosystem v2.0.0 documentation." [Online]. Available: https://center-for-threat-informed-defense.github.io/sightings_ecosystem/top-15-techniques/. [Accessed: May 23, 2024]