Red Canary researchers reviewed data from over 20,000 attacks detected on client networks in 2020 and mapped them using methodologies and sub-attack methods defined in the Knowledge Base & TCK MITER.
The study gives a thorough review of the tactics employed and the dangers discovered, as well as advice on how attackers employ them and how to detect them.
Reuse of TTPs used for years
Experts determined that attackers continue to rely on techniques and methods that have been in use for years, and that companies can profit from improved protection by monitoring a small number of data sources and tracing a sequence of recurring hostile activities.
The most prevalent attacks that organizations experienced last year are referred to as “common malware,” and much of the information required to detect them may be gleaned from Windows operating system logs.
TTP used
According to the Red Canary investigation, attackers mostly employed the Windows PowerShell and Windows Command Shell tools to execute malicious commands, scripts, and apps. Almost half of the reported cyber threats (48.7 percent) made use of PowerShell, while 38.4 percent made use of Windows Command Shell. The PowerShell features were utilized by the attackers to execute instructions, disguise malicious operations, download more payloads, and generate other processes.
The second most commonly discovered attack approach was proxy execution of a signed binary, an attack method that employs digitally signed, highly trusted executable files, such as Rundll32 and Mshta, to avoid signature and behavior-based detection systems. The method can also be used to run arbitrary VBScript and JScript code.
The third discovered methodology entails creating and changing system processes, such as Windows services, in order to obtain persistence within the compromised system and extra/administrative access.
The fourth and most commonly used strategy makes use of Windows’ “Scheduled Task” function to maintain access and conduct system administrator-specific operations.
The fifth strategy entails the theft of access credentials in order to elevate privileges, data theft, and lateral movement.
One of the most difficult challenges for organizations in detecting the use of these techniques is that most of the tools presented can be used in both legitimate and malicious ways. Therefore, it is critical to have a thorough understanding of the entity’s digital activity in order to distinguish legitimate activity from malicious activity.
Cobalt Strike, Qbot, IcedID, Mimikatz și Emotet
According to the research, several of the most often identified malware applications and dual-purpose tools seen by businesses in 2020 were tools that companies undervalued because they fall into the category of common/known malware. Cobalt Strike, Qbot, IcedID, Mimikatz, and Emotet were among them.
The USB Gamarue worm is also among the top ten, despite the fact that the malware’s command and control infrastructure was shut down in 2017, and the malware still surfaces on a regular basis in compromised setups.