What would you do differently if you knew in advance what your adversaries were most likely to do? Thanks to a new research report, you can learn the top 10 most frequently detected MITRE ATT&CK techniques and use that information to optimize your security services.
The new report, titled In the Wild 2024, is the result of research performed by D3 Labs. In collaboration with a select group of clients, D3 Labs analyzed more than 75,000 real-world cybersecurity incidents from across all of 2023 and tracked the ATT&CK techniques that were involved. The 10 most common techniques were:
- Execution: Command and Scripting Interpreter (52.2%)
- Initial Access: Phishing (15.44%)
- Credential Access: Unmapped (3.8%)
- Initial Access: Valid Accounts (3.47%)
- Initial Access: Spearphishing (2.57%)
- Initial Access: Unmapped (2.55%)
- Credential Access: Brute Force (2.05%)
- Persistence: Unmapped (1.62%)
- Credential Access: OS Credential Dumping (1.37%)
- Persistence: Account Manipulation (1.34%)
Visit D3 Security’s Resource Hub to read In the Wild 2024 in full.
The research is relevant to all frontline security professionals, but there are three takeaways that are particularly important for MSSPs. One note on reading the list: the three "Unmapped" entries are detections that the source data attributed to a tactic but not to a specific ATT&CK technique, so together they account for roughly 8% of incidents whose technique is unknown.
How are Adversaries Progressing Through the Kill Chain?
Let's start with a quick refresher on the MITRE ATT&CK matrix. The Enterprise matrix consists of 14 "tactics", which describe what the adversary is trying to achieve, each with many associated "techniques", which describe how the adversary tries to achieve it. To take an example from the top 10, the technique of Phishing (T1566) is a common way that adversaries achieve the tactic of Initial Access; Spearphishing, which the report counts separately, is a sub-technique of Phishing in ATT&CK (T1566.001 through T1566.004). The tactics are laid out left to right in roughly the order they occur in an intrusion, which is why the matrix is often read as a kill chain. The order is approximate, though: adversaries skip stages, revisit them, and some techniques belong to several tactics (Valid Accounts, for instance, appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion).
That brings us back to the findings of the report. Command and Scripting Interpreter (T1059) was by far the most prevalent technique. What is interesting is that it is associated with the tactic of Execution, which sits after Initial Access in the matrix. An adversary cannot run a malicious script without first having achieved initial access, so when the first thing the SOC sees is a script, the earlier stage went unobserved. There are two likely explanations, and they have different fixes: either the initial-access techniques are genuinely evading detection, or the detection sources feeding these incidents (typically endpoint telemetry) are simply better tuned for process and script activity than for the email, web, and identity signals where initial access shows up. Either way, the data says detection is concentrated past the point of entry.
For MSSPs that monitor alerts for clients, this illustrates the need for effective alert triage and threat detection to identify incidents in their early stages. For incidents that are detected in later stages, what processes are in place to trace those incidents back to their origins, that is, to reconstruct the initial access and execution events that preceded the alert that fired?
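The kill-chain reading of the report can be turned into a routine check on your own alert data. The script below is an added example, not code from the report or from D3; the incident IDs and alerts in it are constructed, and it assumes each alert has already been tagged with an ATT&CK technique and tactic (the `Alert` fields are assumptions, not a D3 or ATT&CK schema). It ranks the 14 Enterprise tactics in matrix order, finds the stage at which each incident first produced an alert, and separates incidents whose origin was later reconstructed from those whose entry point was never observed at all.

```python
"""Kill-chain depth of first detection, per incident.

Added example (not from the D3 report). ALERTS is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# MITRE ATT&CK Enterprise tactics in matrix (left-to-right) order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]
TACTIC_INDEX = {name: i for i, name in enumerate(TACTIC_ORDER)}


@dataclass(frozen=True)
class Alert:
    incident: str   # hypothetical incident ID
    ts: int         # arrival time (seconds); only the ordering matters
    technique: str  # ATT&CK technique or sub-technique ID
    tactic: str     # tactic the detection rule is mapped to


# Constructed sample: three incidents, six alerts.
ALERTS = [
    Alert("INC-1", 100, "T1566.002", "Initial Access"),     # phishing link seen first
    Alert("INC-1", 160, "T1059.001", "Execution"),          # then PowerShell
    Alert("INC-2", 300, "T1059.001", "Execution"),          # first sign is a script
    Alert("INC-2", 420, "T1003.001", "Credential Access"),  # origin never surfaced
    Alert("INC-3", 500, "T1110.001", "Credential Access"),  # password guessing fires first
    Alert("INC-3", 700, "T1078", "Initial Access"),         # late alert reveals entry point
]


def first_detection(alerts):
    """Tactic of the chronologically first alert for each incident."""
    earliest = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        earliest.setdefault(a.incident, a.tactic)
    return earliest


def earliest_stage(alerts):
    """Leftmost tactic ever observed for each incident, regardless of when."""
    stage = {}
    for a in alerts:
        cur = stage.get(a.incident)
        if cur is None or TACTIC_INDEX[a.tactic] < TACTIC_INDEX[cur]:
            stage[a.incident] = a.tactic
    return stage


def missed_entry(alerts, boundary="Initial Access"):
    """Incidents whose first alert fired past `boundary` in the matrix."""
    limit = TACTIC_INDEX[boundary]
    return sorted(inc for inc, tac in first_detection(alerts).items()
                  if TACTIC_INDEX[tac] > limit)


def untraced(alerts, boundary="Initial Access"):
    """Incidents where no alert, early or late, ever reached `boundary`.

    These are the ones the L18 question is about: detected mid-chain and
    never traced back to an origin.
    """
    limit = TACTIC_INDEX[boundary]
    return sorted(inc for inc, tac in earliest_stage(alerts).items()
                  if TACTIC_INDEX[tac] > limit)


def stage_histogram(alerts):
    """How many incidents first surfaced at each tactic."""
    hist = defaultdict(int)
    for tac in first_detection(alerts).values():
        hist[tac] += 1
    return dict(hist)


if __name__ == "__main__":
    print("first alert per incident:", first_detection(ALERTS))
    print("missed entry (late first alert):", missed_entry(ALERTS))
    print("never traced to origin:", untraced(ALERTS))
    print("first-detection stage histogram:", stage_histogram(ALERTS))
```

Run against a month of exported incidents, the histogram is the report's finding reproduced for one client: a peak at Execution with little at Initial Access means the entry-point sensors (mail gateway, web proxy, identity logs) are either missing or not feeding the SOAR. The gap between `missed_entry` and `untraced` measures how well the post-incident tracing process works: INC-3 above was detected late but eventually attributed to a valid-account logon, whereas INC-2 never was.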
Established Techniques are Still Used in Most Incidents
More than two-thirds of the incidents in the dataset (52.2% plus 15.44%, or 67.64%) involved one of two techniques: Command and Scripting Interpreter and Phishing. This tells us that, at least in terms of detection volume, attacker methods cluster around a small number of tried-and-true techniques. Frequency isn't the only thing that matters; one well-planned attack can be more damaging than hundreds of scattershot phishing attempts, and the percentages measure what was detected rather than what was attempted. It is still a significant takeaway for MSSPs that solid detection and response for a few key techniques covers the bulk of the activity their clients actually face.
MSSPs should work with their clients to review their detection and response capabilities for each of the common attack techniques identified in the report, such as scripting threats, phishing, spearphishing, and account manipulation. Where gaps are identified, teams should define and document the processes needed to bridge them, for example through the adoption of new technologies.
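A capability review can start from the report's own numbers: map each of the top-10 rows to its ATT&CK technique ID, tag your detection rules with the IDs they cover, and see what share of observed incidents the rule set addresses. The following is an added example, not part of the report or of any D3 product; the `RULES` inventory is constructed, and the ATT&CK IDs are the standard Enterprise IDs for the named techniques. Because the report does not say which Spearphishing sub-technique it counted, that row is scored under the parent Phishing technique T1566, which is where ATT&CK places it.

```python
"""Detection coverage of the In the Wild 2024 top 10, weighted by prevalence.

Added example; RULES is a constructed inventory, not a real rule set.
"""

# (tactic, technique name, share of incidents in %, ATT&CK ID or None when
# the report listed the row as Unmapped). IDs are ATT&CK Enterprise IDs.
TOP10 = [
    ("Execution", "Command and Scripting Interpreter", 52.2, "T1059"),
    ("Initial Access", "Phishing", 15.44, "T1566"),
    ("Credential Access", "Unmapped", 3.8, None),
    ("Initial Access", "Valid Accounts", 3.47, "T1078"),
    # Spearphishing is T1566.001-.004; report does not say which, so parent ID.
    ("Initial Access", "Spearphishing", 2.57, "T1566"),
    ("Initial Access", "Unmapped", 2.55, None),
    ("Credential Access", "Brute Force", 2.05, "T1110"),
    ("Persistence", "Unmapped", 1.62, None),
    ("Credential Access", "OS Credential Dumping", 1.37, "T1003"),
    ("Persistence", "Account Manipulation", 1.34, "T1098"),
]

# Constructed rule inventory: rule name -> ATT&CK IDs it is tagged with.
# Sub-technique tags (T1059.001) count as coverage of the parent (T1059).
RULES = {
    "encoded-powershell-cmdline": ["T1059.001"],
    "office-app-spawns-shell": ["T1566.001", "T1059"],
    "lsass-handle-open": ["T1003.001"],
}


def parent(technique_id):
    """T1059.001 -> T1059; T1059 -> T1059."""
    return technique_id.split(".")[0]


def covered_parents(rules):
    return {parent(t) for tags in rules.values() for t in tags}


def top_two_share(top10):
    """Combined share of the two most common techniques."""
    return round(top10[0][2] + top10[1][2], 2)


def coverage_report(top10, rules):
    """Split the report rows into covered, uncovered (by share, desc), unmapped."""
    have = covered_parents(rules)
    covered = 0.0
    gaps, unmapped = [], 0.0
    for tactic, name, share, tid in top10:
        if tid is None:
            unmapped += share
        elif tid in have:
            covered += share
        else:
            gaps.append((share, tactic, name, tid))
    gaps.sort(reverse=True)
    return {
        "covered_share": round(covered, 2),
        "unmapped_share": round(unmapped, 2),
        "gaps": [(name, tid, share) for share, _tactic, name, tid in gaps],
    }


if __name__ == "__main__":
    print("top two techniques cover", top_two_share(TOP10), "% of incidents")
    rep = coverage_report(TOP10, RULES)
    print("rule set covers", rep["covered_share"], "% of detected incidents")
    for name, tid, share in rep["gaps"]:
        print(f"  gap: {name} ({tid}) {share}%")
    print("unmapped, cannot be scored:", rep["unmapped_share"], "%")
```

Two things the output makes visible that the bullet list does not. First, the three gaps left by this particular inventory are all identity techniques (Valid Accounts, Brute Force, Account Manipulation), which is a common shape for an endpoint-heavy rule set and points at identity-provider logging as the next integration to add. Second, the unmapped share is a data-quality problem at the client: until those alerts carry technique IDs, coverage against them cannot be measured at all.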
Security Awareness is a Critical Piece of the Puzzle
With both Phishing and Spearphishing in the top five techniques, the report demonstrates why human error can be the single point of failure for many incidents. A little security awareness and training goes a long way, so MSSPs should integrate training programs into their service offerings that educate client employees about current phishing lures, the importance of strong, unique passwords (Valid Accounts and Brute Force are also in the top 10, and multi-factor authentication blunts both), and how to report suspected security incidents. MSSPs can offer more than just technical solutions by proactively helping clients improve their security maturity.
When we're talking about responding to specific MITRE ATT&CK techniques, MSSPs can also help their clients follow the guidance of D3FEND, MITRE's lesser-known companion framework. MITRE D3FEND is a catalog of defensive techniques, each cross-referenced to the ATT&CK offensive techniques it counters, so an organization can look up the top 10 from the report and find the countermeasures that apply to each. Using the report as inspiration for which techniques to prioritize, MSSPs can educate their clients on what D3FEND says about effectively detecting, containing, and recovering from such attacks.
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and enables high-value services with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs. D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.
Guest blog courtesy of D3 Security. Read more D3 Security guest blogs and news here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.