Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 31, 2020

4 Min Read

Discovery and defense evasion were the predominant attacker tactics observed in 2019, a team of researchers report in a new ranking of common MITRE ATT&CK tactics used in the past year.

In 2019, Recorded Future's Insikt Group began to integrate data on attack tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework into its data collection and analysis. Researchers reviewed the identifiers across sandbox submissions throughout the year and compiled a list of the most frequently referenced tactics and techniques. Defense evasion dominated tactics, and security software discovery is the most popular technique for doing it.

"There were really three main takeaways we saw based on this data," says David Carver, manager and analyst for on-demand services at Recorded Future. "Either we're looking at criminals becoming more interested in the defense perspective, or security tools are getting better, or both. We don't have evidence to lead one way or the other, but I suspect it's both." 

Through defense evasion, attackers bypass detection by obfuscating malicious scripts, hiding in trusted processes, and disabling security software, among other tricks. Discovery, the next most-common tactic, involves learning and understanding a target network or host. Techniques related to discovery and defense evasion made up seven out of the top 10 most common; their prominence was consistent across all months throughout the year, researchers report.

Discovery "is one of those baselines that's required for any kind of successful malware operation," as it allows an attacker to understand whether the system has everything needed to succeed. "It's knowing not just your target but what I can do once I'm on a target," Carver adds. This is essential for attackers because it tells them whether further activity is possible on a host.

Defense evasion benefits from discovery but is more related to understanding how an attacker can avoid network defenders, whether through certain processes or knowing which security tools are on a system. It's more concerned with detecting defenses than collecting target data. Evasion can be as basic as obfuscating a binary in a simple way that a signature-based detection won't pick up, Carver continues.

"The two play off each other in a lot of different ways," he says. "I can't know what I'm evading unless I understand the system that I'm on." The two tactics let cybercriminals operate like a "fly on the wall" in target networks, the researchers explain in a blog post on their findings.

There are other common techniques that work hand in hand, he explains. Following security software discovery, frequent MITRE ATT&CK TTPs included obfuscated files or information, process injection, system information discovery, process discovery, software packing, DLL side-loading, data encryption, execution through API, and standard cryptographic protocol.

As an example, Carver points to security software discovery and process discovery, both of which are key to process injection. An attacker can't know which process is better to inject without the discovery process. Similarly, system information discovery is key for understanding whether there is anything to take advantage of from a cryptographic or obfuscation standpoint.

"I am confident we'll continue to see these tactics not just represented but near the top of the list over the next year or two," Carver says of this year's rankings.

Nearly all of the top 10 techniques combined were found to be linked to well-known malware variants also seen in sandbox results. These included Trojans such as Emotet, TrickBot, and njRAT; botnets including Gafgyt and Mirai; and cryptocurrency miners such as Coinminer. Out of about 1,180 malware variants in the results, the most common were TrickBot, Coinminer, and njRAT.

"Based on this report, it's likely we'll continue to see more back and forth between the development of comprehensive security tools and criminal interest in how to bypass those," Carver says. "The better network defenders can do their job, the more criminals have to pay attention to what's on the system they're targeting."

In many cases, these techniques involve the use of legitimate software capabilities, which can make pure signature-based detection tough. Researchers recommend high familiarity with normal network configurations and activity. They advise businesses to monitor for new instances of, or unusual changes to, common processes, configuration files, API calls, and file systems. Security teams should also keep their antivirus programs updated and monitor for unusual or frequent command arguments, which are often used in discovery techniques.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights