Security Experts:

Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster

Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware’s methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to be focusing on in the coming months.

Analyzing the top techniques

Almost everyone working in cybersecurity today is familiar with MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Threat intelligence sharing efforts like this work to address the defender's reactive disadvantage by organizing adversaries' behaviors by their goals and steps to achieve them (tactics and techniques, respectively). 

It's helpful for defenders to understand more enduring techniques so they can better understand the functionality of specific, ephemeral malware to protect from the next attack. But what about the popularity and prevalence of individual techniques? My team at FortiGuard Labs used telemetry from detonated malware samples throughout the second half of 2021 to find out what might have happened in a potential victim's environment. Specifically, we looked at the prevalence of techniques for three tactics: Execution, Persistence and Defense Evasion.

Looking at execution tactics

Execution, as defined by MITRE ATT&CK, consists of techniques that result in adversary-controlled code running on a local or remote system. There are currently 12 such techniques outlined by MITRE. 

Execution through API was the most pervasive technique across all of the sectors and geographic regions we looked at. That was followed by user execution, which ranked especially high for the education sector. It’s not a shocking idea to most people that users in the education vertical being a significant vector of infiltration, but it’s interesting to find that attackers believe that, too, when prioritizing malware functionality. And then rounding it out, the third most popular technique was scripting. These three techniques comprised 82% of the functionality for analyzed systems.

Persistence pays off 

MITRE defines persistence this way: “Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access.” There are currently 19 techniques outlined in the framework. What we saw in the second half of 2021 is that the top two techniques of obtaining a foothold represented 95% of observed functionality. The top two were Scheduled Task (51.7%) and Registry Run Keys/Startup Folder (43%).

Other techniques made only a guest appearance, including New Service, Modifying an Existing Service and Shortcut Modifications. 

Trying to avoid getting caught

Defense evasion refers to techniques used when an attacker is trying to avoid detection. These showed far greater variety based on what our researchers found. The most prevalent techniques for this tactic included Hidden Window, Process Hollowing and Process Injection. 

Whichever technique they choose, adversaries are using more automated techniques to scale efforts and execute more sophisticated attacks at a tremendous pace. New and evolving attack techniques span the entire kill chain but especially in the weaponization phase, showing an evolution to a more advanced persistent cybercrime strategy that is more destructive and unpredictable.

Bringing it all together

So, what do all of these findings mean? Cybersecurity professionals clearly have their work cut out for them – cyberattacks will only continue to grow in volume and sophistication. But looking at some of the hot spots and the most prominent techniques being used can help teams to prioritize and make sure they aren’t missing anything in terms of coverage. Such analysis can be used to help organizations prioritize their security strategies to maximize their defense, as it speaks to the need to improve global capabilities for takedown operations and broader efforts to disrupt cybercrime.

The attack techniques discussed above are just some of the many we saw in the second half of 2021. As attacks continue to get faster, enterprises need to move away from collections of point products and toward integrated solutions that are designed to work in sync. To protect networks and their assets against evolving attack techniques, organizations need AI-powered solutions that can ingest real-time threat intelligence, detect threat patterns and fingerprints, correlate massive amounts of data to detect anomalies and automatically initiate a coordinated response. 

In addition, the centralized management, visibility and automation of a cybersecurity mesh platform can help ensure that IT security teams can consistently enforce policies, promptly deliver configurations and updates, and launch a coordinated threat response when they detected suspicious activity. Such updates to the security posture will help you address current threats and be prepared for whatever’s next.

view counter
Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.