Defense Evasion Dominated 2019 Attack Tactics

  /     /     /  
Publicated : 23/11/2024   Category : security


Defense Evasion Dominated 2019 Attack Tactics


Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.



Discovery and defense evasion were the predominant attacker tactics observed in 2019, a team of researchers report in a new ranking of common MITRE ATT&CK tactics used in the past year.
In 2019, Recorded Futures Insikt Group began to integrate data on attack tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework into its data collection and analysis. Researchers reviewed the identifiers across sandbox submissions throughout the year and compiled a list of the most frequently referenced tactics and techniques. Defense evasion dominated tactics, and security software discovery is the most popular technique for doing it.
There were really three main takeaways we saw based on this data, says David Carver, manager and analyst for on-demand services at Recorded Future. Either were looking at criminals becoming more interested in the defense perspective, or security tools are getting better, or both. We dont have evidence to lead one way or the other, but I suspect its both. 
Through defense evasion, attackers bypass detection by obfuscating malicious scripts, hiding in trusted processes, and disabling security software, among other tricks. Discovery, the next most-common tactic, involves learning and understanding a target network or host. Techniques related to discovery and defense evasion made up seven out of the top 10 most common; their prominence was consistent across all months throughout the year, researchers report.
Discovery is one of those baselines thats required for any kind of successful malware operation, as it allows an attacker to understand whether the system has everything needed to succeed. Its knowing not just your target but what I can do once Im on a target, Carver adds. This is essential for attackers because it tells them whether further activity is possible on a host.
Defense evasion benefits from discovery but is more related to understanding how an attacker can avoid network defenders, whether through certain processes or knowing which security tools are on a system. Its more concerned with detecting defenses than collecting target data. Evasion can be as basic as obfuscating a binary in a simple way that a signature-based detection wont pick up, Carver continues.
The two play off each other in a lot of different ways, he says. I cant know what Im evading unless I understand the system that Im on. The two tactics let cybercriminals operate like a fly on the wall in target networks, the researchers explain in a
blog post
on their findings.
There are other common techniques that work hand in hand, he explains. Following security software discovery, frequent MITRE ATT&CK TTPs included obfuscated files or information, process injection, system information discovery, process discovery, software packing, DLL side-loading, data encryption, execution through API, and standard cryptographic protocol.
As an example, Carver points to security software discovery and process discovery, both of which are key to process injection. An attacker cant know which process is better to inject without the discovery process. Similarly, system information discovery is key for understanding whether there is anything to take advantage of from a cryptographic or obfuscation standpoint.
I am confident well continue to see these tactics not just represented but near the top of the list over the next year or two, Carver says of this years rankings.
Nearly all of the top 10 techniques combined were found to be linked to well-known malware variants also seen in sandbox results. These included Trojans such as Emotet, TrickBot, and njRAT; botnets including Gafgyt and Mirai; and cryptocurrency miners such as Coinminer. Out of about 1,180 malware variants in the results, the most common were TrickBot, Coinminer, and njRAT.
Based on this report, its likely well continue to see more back and forth between the development of comprehensive security tools and criminal interest in how to bypass those, Carver says. The better network defenders can do their job, the more criminals have to pay attention to whats on the system theyre targeting.
In many cases, these techniques involve the use of legitimate software capabilities, which can make pure signature-based detection tough. Researchers recommend high familiarity with normal network configurations and activity. They advise businesses to monitor for new instances of, or unusual changes to, common processes, configuration files, API calls, and file systems. Security teams should also keep their antivirus programs updated and monitor for unusual or frequent command arguments, which are often used in discovery techniques.
Related Content:
Researchers Uncover Unsophisticated - But Creative - Watering-Hole Attack
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Purported Brute-Force Attack Aims at Linksys Routers as More People Work Remotely
Cyber Version of Justice League Launches to Fight COVID-19 Related Hacks
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays featured story:
Untangling Third-Party Risk (and Fourth, and Fifth...).


Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Defense Evasion Dominated 2019 Attack Tactics