The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis of the findings from the Risk and Vulnerability Assessments (RVAs) it conducted across industries during fiscal year 2020.
The analysis walks through a sample attack path an intruder could take to compromise an organization, built from the weaknesses CISA encountered most often in that year's RVAs. Both the analysis and the accompanying infographic, which gives the success rate for each tactic and technique, are mapped to the MITRE ATT&CK framework.
Among successful initial-access techniques, phishing links were the most common, used to gain initial access in 49% of RVAs, followed by exploitation of public-facing applications (11.8%) and phishing attachments (9.8%). For execution, PowerShell was used in 24.4% of RVAs, followed by Windows Management Instrumentation (13%) and Command and Scripting Interpreter (12.2%).
Valid accounts were used for privilege escalation in 37.5% of RVAs, followed by exploitation for privilege escalation (21.9%) and making and impersonating tokens (15.6%). For lateral movement, the assessment teams most often used pass-the-hash (29.8%), followed by Remote Desktop Protocol (25%) and exploitation of remote services (11.9%).
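The execution and lateral-movement techniques ranked above are ones most organizations can look for in their own Windows Security logs. The script below is an added example written for this page, not CISA's tooling or part of the analysis: it runs simple heuristics for pass-the-hash, RDP logons, encoded PowerShell and remote WMI over a handful of constructed sample events and tags each hit with its ATT&CK technique ID. The field names follow Windows events 4624 (logon) and 4688 (process creation); the heuristics are common detection rules of thumb rather than anything from the CISA report, and the accounts, hosts and addresses are invented.

```python
"""Triage constructed Windows Security events for the execution and
lateral-movement techniques ranked highest in CISA's FY2020 RVA analysis.
Example code written for this page; not CISA's tooling."""
from dataclasses import dataclass

# Constructed sample events (invented accounts/hosts), shaped like the
# fields of Windows Security events 4624 (logon) and 4688 (process creation).
SAMPLE_EVENTS = [
    # NTLM network logon with a zero-length session key: pass-the-hash pattern
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "WorkstationName": "WS-ADMIN"},
    # Ordinary Kerberos network logon: must not be flagged
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.40", "WorkstationName": "WS-040"},
    # RemoteInteractive (RDP) logon by the same service account
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "WorkstationName": "FILESRV01"},
    # Hidden, base64-encoded PowerShell launch
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # WMIC used to start a process on a remote host
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 process call create cmd.exe"},
    # Benign process creation: must not be flagged
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    name: str
    user: str
    evidence: str


def is_pass_the_hash(e):
    """Heuristic: NTLM network logon via NtLmSsp with KeyLength 0, not anonymous.
    Kerberos logons never match, so normal domain SSO is not flagged."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("LogonProcessName") == "NtLmSsp"
            and e.get("KeyLength") == 0
            and e.get("TargetUserName", "").upper() != "ANONYMOUS LOGON")


def is_rdp_logon(e):
    """Logon type 10 is RemoteInteractive, i.e. an RDP/Terminal Services session."""
    return e.get("EventID") == 4624 and e.get("LogonType") == 10


def is_encoded_powershell(e):
    """powershell.exe/pwsh.exe started with an -EncodedCommand switch (any accepted prefix)."""
    if e.get("EventID") != 4688:
        return False
    proc = e.get("NewProcessName", "").lower()
    tokens = e.get("CommandLine", "").lower().split()
    return (proc.endswith(("powershell.exe", "pwsh.exe"))
            and any(t in ("-e", "-ec", "-en", "-enc", "-encodedcommand") for t in tokens))


def is_remote_wmi(e):
    """wmic.exe invoked with /node:, i.e. WMI execution against another host."""
    if e.get("EventID") != 4688:
        return False
    return (e.get("NewProcessName", "").lower().endswith("wmic.exe")
            and "/node:" in e.get("CommandLine", "").lower())


DETECTORS = [
    (is_pass_the_hash, "T1550.002", "Pass the Hash"),
    (is_rdp_logon, "T1021.001", "Remote Desktop Protocol"),
    (is_encoded_powershell, "T1059.001", "PowerShell"),
    (is_remote_wmi, "T1047", "Windows Management Instrumentation"),
]


def triage(events):
    """Run every detector over every event; return one Finding per match."""
    findings = []
    for e in events:
        user = e.get("TargetUserName") or e.get("SubjectUserName", "?")
        for check, tid, name in DETECTORS:
            if check(e):
                evidence = (e.get("CommandLine")
                            or f"logon type {e.get('LogonType')} from {e.get('IpAddress')}")
                findings.append(Finding(tid, name, user, evidence))
    return findings


def accounts_with_lateral_movement(findings):
    """Accounts that appear in both a lateral-movement logon and an execution
    finding: the pairing of tactics worth investigating first."""
    lateral = {f.user for f in findings if f.technique in ("T1550.002", "T1021.001")}
    execution = {f.user for f in findings if f.technique in ("T1059.001", "T1047")}
    return sorted(lateral & execution)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.technique:10} {f.name:36} {f.user:12} {f.evidence}")
    print("correlate first:", accounts_with_lateral_movement(results))
```

On the sample data the Kerberos logon and the notepad launch pass through untouched while the four suspicious events are tagged, and the service account that both moved laterally and ran encoded PowerShell is surfaced for triage. These heuristics are starting points: NTLM network logons with KeyLength 0 also occur legitimately from non-domain devices, so tune the exclusions to your own estate before alerting on them.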
CISA notes the sample size is limited and organizations should consider additional attack vectors and mitigation strategies based on their environments.