2019's top cyberattack techniques
Recorded Future has been logging sandbox submissions from its platform as mapped to the MITRE ATT&CK framework over 2019 and has released a list of the most frequently referenced tactics and techniques.
The most common tactic in the results is Defense Evasion, and the most common technique is Security Software Discovery. Defense Evasion involves avoiding detection by, among other things, hiding in trusted processes, obfuscating malicious scripts, and disabling security software.
The next most common tactic, Discovery, involves an adversary gaining knowledge and understanding of a victim network or host.
The researchers suggest Defense Evasion's dominance on this list indicates one of three things: a heightened concern among cyberattackers with security solutions; an improvement in network defenses up to the present; or both.
Nearly all of the top 10 techniques were found to be associated with many prominent malware variants in the sandbox results. These include trojans like Emotet, Trickbot, and njRAT; botnets like Gafgyt and Mirai; and cryptocurrency miners like Coinminer. Out of approximately 1,180 separate malware variants in Recorded Future's sandbox results, the most frequently referenced were Trickbot, Coinminer, and njRAT/Bladabindi.
"The MITRE ATT&CK knowledge base provides a common language for the cybersecurity community to use when describing adversary behaviors," says Jon Baker, MITRE department head for adversary emulation and orchestration. "We continue to be inspired by the ways the entire community is using ATT&CK to improve their defenses."
In many cases these techniques operate through legitimate software capabilities, which makes purely signature-based detection of the malicious activity difficult, if not impossible. Overall, effective mitigation of these techniques requires a defense-in-depth approach and close familiarity with normal network configurations and activity.
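As an added illustration of that point (a constructed example, not code from the article or from Recorded Future), the script below matches process-creation events against a few command-line patterns associated with Security Software Discovery and Defense Evasion, then suppresses hits from a baseline of known-normal user/parent-process pairs. The events, the patterns and the baseline are all constructed for the demo and are far from complete.

```python
"""Constructed example: behaviour-based triage of process events mapped to the
two ATT&CK categories the article names, with a baseline of normal activity."""
import re
from collections import Counter

# Constructed sample events: (user, parent_process, command_line)
EVENTS = [
    ("alice", "explorer.exe", "notepad.exe C:\\notes.txt"),
    ("svc_backup", "cmd.exe", "tasklist /svc"),
    ("bob", "winword.exe", "powershell -enc SQBFAFgA..."),
    ("bob", "powershell.exe",
     "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("bob", "powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("sccm_admin", "ccmexec.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
]

# Illustrative command-line patterns per category (not the full ATT&CK definitions).
RULES = {
    "Security Software Discovery": [
        r"\btasklist\b", r"AntiVirusProduct", r"Get-MpComputerStatus", r"sc\s+query\s+windefend",
    ],
    "Defense Evasion": [
        r"DisableRealtimeMonitoring", r"(^|\s)-enc(odedcommand)?\b", r"sc\s+stop\s+windefend",
    ],
}

# Constructed baseline: (user, parent) pairs that legitimately run such commands.
BASELINE = {("sccm_admin", "ccmexec.exe"), ("svc_backup", "cmd.exe")}

def classify(event):
    """Return the category names whose patterns match the event's command line."""
    _, _, cmd = event
    return [name for name, pats in RULES.items()
            if any(re.search(p, cmd, re.IGNORECASE) for p in pats)]

def triage(events, baseline=BASELINE):
    """Return alerts for events that match a rule and fall outside the baseline."""
    alerts = []
    for user, parent, cmd in events:
        hits = classify((user, parent, cmd))
        if hits and (user, parent) not in baseline:
            alerts.append({"user": user, "parent": parent, "cmd": cmd, "techniques": hits})
    return alerts

def technique_counts(events):
    """Tally category hits across all events, before baseline suppression."""
    return Counter(t for e in events for t in classify(e))

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
    print(technique_counts(EVENTS))
```

Note that the baseline is what keeps the two legitimate administrative hits out of the alert list; without it, three of the six events would still match but two of those would be noise.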
You can read more about the results on the Recorded Future blog.