The top MITRE ATT&CK techniques and how to defend against them

Of the hundreds of documented MITRE ATT&CK techniques, two dominate the field: Command and Scripting Interpreter (T1059) and Phishing (T1566).

In a report published on April 10, D3 Security analyzed more than 75,000 recent cybersecurity incidents. Its goal was to determine which attack techniques were most common.

The results paint a bleak picture: these two techniques outnumbered all others by orders of magnitude, with the leading technique appearing three times as often as the runner-up.

For defenders deciding how to allocate limited attention and resources, here are some of the most common ATT&CK techniques and how to defend against them.

Execution: Command and Scripting Interpreter (used in 52.22% of attacks)

What it is: Attackers write scripts in popular languages like PowerShell and Python for two main purposes. Most commonly, the scripts automate malicious activity such as collecting data or downloading and unpacking a payload. They are also useful for evading detection, bypassing antivirus, extended detection and response (XDR) solutions, and the like.

The fact that these scripts are by far No. 1 on this list is extremely surprising to Adrianna Chen, vice president of product and service at D3. “Because Command and Scripting Interpreter (T1059) falls under the Execution tactic, it is in the middle stage of the MITRE ATT&CK kill chain,” she says. “So, it is fair to assume that other techniques from previous tactics have already gone unnoticed by the time they were detected by the EDR tool. Given that this technique was so prominent in our dataset, it highlights the importance of having processes to trace back to the ‘origin of an incident’.”

How to defend: Because malicious scripts are diverse and multifaceted, addressing them requires a thorough incident response plan that combines detection of potentially malicious behavior with strict control over script execution policies and privileges.

Initial Access: Phishing (15.44%)

What it is: Phishing and its subcategory, spear-phishing (T1566.001-004), represent the first and third most common ways attackers gain access to targeted systems and networks. The former is used in broad campaigns and the latter when targeting specific individuals or organizations; in both cases the goal is to trick victims into divulging crucial information that grants access to sensitive accounts and devices.

How to defend: Even the most intelligent and educated among us fall for sophisticated social engineering. Frequent training and awareness campaigns can go some way toward protecting employees from themselves, and protecting the companies they provide a window into.

Initial Access: Valid Accounts (3.47%)

What it is: Effective phishing often gives attackers access to legitimate accounts. These accounts provide keys to otherwise locked doors and cover up the attackers' various misdeeds.

How to defend: When employees inevitably click on that malicious PDF or URL, robust multi-factor authentication (MFA) can, if nothing else, serve as additional hoops attackers must jump through. Anomaly detection tools can also help if, for example, a user connects from an unexpected, distant IP address or simply does something they shouldn’t be doing.
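The kind of anomaly detection the paragraph describes, as an added example that is not from the article or from D3 Security: each user's baseline of source networks is learned from earlier logins, and a login is flagged when it comes from a never-seen /24 or when two logins from different countries fall within an hour of each other. The login records and the network-to-country table are constructed for the example; a real deployment would read its identity provider's audit log and a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed lookup: source network -> country code. A real deployment would use a
# GeoIP database; this table exists only so the example runs offline.
NETWORK_COUNTRY = {
    ip_network("203.0.113.0/24"): "DE",
    ip_network("198.51.100.0/24"): "DE",
    ip_network("192.0.2.0/24"): "BR",
}

def country_of(ip):
    """Map an IP address to a country code via the constructed table."""
    addr = ip_address(ip)
    for net, cc in NETWORK_COUNTRY.items():
        if addr in net:
            return cc
    return "??"

# Constructed sample of successful-login records: (user, ISO timestamp, source IP).
LOGINS = [
    ("alice", "2024-04-01T08:02:00", "203.0.113.10"),
    ("alice", "2024-04-01T13:15:00", "203.0.113.44"),
    ("alice", "2024-04-02T09:01:00", "203.0.113.99"),
    ("bob",   "2024-04-02T09:30:00", "203.0.113.12"),
    # alice from a network she has never used, in another country, 40 minutes
    # after a login from Germany: both checks should fire on this record.
    ("alice", "2024-04-02T09:41:00", "192.0.2.200"),
]

def parse(record):
    user, ts, ip = record
    return user, datetime.fromisoformat(ts), ip

def detect_login_anomalies(logins, travel_window=timedelta(hours=1)):
    """Return a list of (user, timestamp, reason) findings.

    Two simple checks, each evaluated against the baseline built from the
    records seen earlier in the stream:
      * new_network: the user has never logged in from this /24 before
      * impossible_travel: the previous login was from a different country
        less than travel_window ago
    A user's very first login only seeds the baseline and is never flagged.
    """
    known_nets = defaultdict(set)   # user -> set of /24 networks seen
    last_seen = {}                  # user -> (timestamp, country) of last login
    findings = []
    for user, when, ip in map(parse, logins):
        net = ip_network(f"{ip}/24", strict=False)
        cc = country_of(ip)
        if known_nets[user] and net not in known_nets[user]:
            findings.append((user, when.isoformat(), "new_network"))
        prev = last_seen.get(user)
        if prev and prev[1] != cc and when - prev[0] <= travel_window:
            findings.append((user, when.isoformat(), "impossible_travel"))
        known_nets[user].add(net)
        last_seen[user] = (when, cc)
    return findings

if __name__ == "__main__":
    for finding in detect_login_anomalies(LOGINS):
        print(*finding)
```

Both rules are deliberately coarse: a new network alone is a weak signal (home Wi-Fi changes, mobile carriers), which is why the finding carries a reason string so a triage rule can weight "impossible_travel" higher than "new_network" or require both before paging anyone.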

Credential Access: Brute Force (2.05%)

What it is: More popular in the old days, brute force attacks have remained widespread thanks to the ubiquity of weak, reused, and unchanged passwords. Here, attackers use scripts that automatically run through username and password combinations, as in a dictionary attack, to gain access to the desired accounts.

How to defend: No item on this list is as easily and completely preventable as brute force attacks. Using strong enough passwords solves the problem on its own, period. Other small mechanisms, such as locking an account after repeated failed login attempts, also help.
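The lockout mechanism mentioned above, worked through as an added example (not code from the article or from D3 Security): a sliding-window policy that counts failed logins per user and locks the account for a fixed period once the threshold is hit, replayed over a few constructed authentication log lines. The log format and the default thresholds are the example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication log lines in a simple syslog-like shape:
# "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = """\
2024-04-01T10:00:01 auth FAIL user=alice src=192.0.2.5
2024-04-01T10:00:03 auth FAIL user=alice src=192.0.2.5
2024-04-01T10:00:04 auth FAIL user=alice src=192.0.2.5
2024-04-01T10:00:06 auth FAIL user=alice src=192.0.2.5
2024-04-01T10:00:07 auth FAIL user=alice src=192.0.2.5
2024-04-01T10:00:09 auth OK   user=alice src=192.0.2.5
2024-04-01T10:05:00 auth FAIL user=bob   src=203.0.113.9
2024-04-01T10:20:00 auth FAIL user=bob   src=203.0.113.9
2024-04-01T10:35:00 auth OK   user=bob   src=203.0.113.9
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, source IP)."""
    ts, _, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside `window`.

    Failures are tracked per user in a sliding window. Once locked, even a
    correct password is rejected until `lock_duration` has passed, which is
    the property that defeats a dictionary run that eventually guesses right.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lock_duration=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime the lock expires

    def _expire(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def observe(self, now, result, user):
        """Feed one auth event; return the decision the auth server should enforce."""
        if self.is_locked(user, now):
            return "locked"          # rejected regardless of the password
        self._expire(user, now)
        if result == "OK":
            self.failures[user].clear()
            return "allow"
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lock_duration
            self.failures[user].clear()
            return "lock"            # this failure triggered the lock
        return "deny"

def replay(log_text, policy=None):
    """Run the policy over log lines; return (timestamp, user, decision) tuples."""
    policy = policy or LockoutPolicy()
    out = []
    for line in log_text.strip().splitlines():
        ts, result, user, _src = parse_line(line)
        out.append((ts.isoformat(), user, policy.observe(ts, result, user)))
    return out

if __name__ == "__main__":
    for ts, user, decision in replay(AUTH_LOG):
        print(ts, user, decision)
```

In the sample, alice's fifth failure in six seconds triggers the lock, so the correct password two seconds later is still refused; bob's two failures are fifteen minutes apart, fall outside the ten-minute window, and his eventual success is allowed. Per-user lockout has a known cost, deliberate lockout of a victim as a denial of service, which is why the window and duration are parameters rather than constants and why a source-IP dimension is often added alongside the user one.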

Persistence: Account Manipulation (1.34%)

What it is: Once an attacker has used phishing, brute force, or other means to gain access to a privileged account, they can exploit that account to solidify their position in the targeted system. For example, they can change the account’s credentials to lock out its original owner, or change permissions to reach even more privileged resources than they already have.

How to defend: To limit the damage from an account compromise, D3 recommends that organizations implement strict restrictions on access to sensitive resources and follow the principle of least privilege: grant no more than the minimum level of access any user needs to do their job.

Beyond that, D3 offers a number of recommendations that apply to this and other MITRE techniques, including:

  • Maintain vigilance by continuously monitoring logs to detect and respond to any suspicious account activity

  • Operate under the assumption that the network has already been compromised and take proactive measures to mitigate potential damage

  • Simplify response efforts by automating countermeasures upon detection of confirmed security breaches, ensuring rapid and effective mitigation
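The account-manipulation section and the first recommendation above (continuously monitor logs for suspicious account activity) are served by one added example, which is not code from the article or from D3 Security. It runs two least-privilege rules over constructed directory audit events: a password reset performed on someone else's account by a principal outside the helpdesk allowlist, and a change to a privileged group by a principal outside the group-admin allowlist (with a separate flag when an account grants itself the privilege). A final step correlates hits per actor, because the credential-change-plus-escalation pair within a short window is exactly the pattern the section describes. The event field names and the allowlists are the example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory audit events. A real source would be the account-management
# events of a domain controller or an identity provider's audit feed; these field
# names are invented for the example.
AUDIT_EVENTS = [
    {"ts": "2024-04-03T09:00:00", "action": "password_reset", "actor": "helpdesk1",
     "target": "carol"},
    {"ts": "2024-04-03T09:05:00", "action": "group_add", "actor": "svc-backup",
     "target": "svc-backup", "group": "Domain Admins"},
    {"ts": "2024-04-03T09:06:00", "action": "password_reset", "actor": "svc-backup",
     "target": "dave"},
    {"ts": "2024-04-03T11:00:00", "action": "group_add", "actor": "admin-jo",
     "target": "erin", "group": "Finance-Readers"},
    {"ts": "2024-04-03T11:30:00", "action": "password_reset", "actor": "erin",
     "target": "erin"},
]

# Least privilege expressed as explicit allowlists: only these principals may reset
# other users' passwords or change membership of privileged groups.
HELPDESK = {"helpdesk1", "helpdesk2"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADMINS = {"admin-jo"}

def check_event(ev):
    """Return the list of rule names the event trips (empty means benign)."""
    reasons = []
    actor, target = ev["actor"], ev["target"]
    if ev["action"] == "password_reset" and actor != target and actor not in HELPDESK:
        reasons.append("credential_change_by_unauthorized_actor")
    if ev["action"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
        if actor not in GROUP_ADMINS:
            reasons.append("privileged_group_change_by_unauthorized_actor")
        if actor == target:
            reasons.append("self_granted_privilege")
    return reasons

def audit(events):
    """Return (timestamp, actor, reasons) for every event that trips a rule."""
    findings = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            findings.append((ev["ts"], ev["actor"], reasons))
    return findings

def correlate(findings, window=timedelta(minutes=30)):
    """Return actors with more than one finding inside `window`.

    A single hit may be an administrator's mistake; a credential change and a
    privilege change by the same actor minutes apart is the takeover pattern
    worth escalating first.
    """
    by_actor = defaultdict(list)
    for ts, actor, _reasons in findings:
        by_actor[actor].append(datetime.fromisoformat(ts))
    chains = []
    for actor, times in by_actor.items():
        times.sort()
        if len(times) > 1 and times[-1] - times[0] <= window:
            chains.append(actor)
    return chains

if __name__ == "__main__":
    hits = audit(AUDIT_EVENTS)
    for ts, actor, reasons in hits:
        print(ts, actor, ", ".join(reasons))
    print("escalate:", correlate(hits))
```

The allowlists are the interesting part: they are the least-privilege policy written down, so the same data that drives access decisions also drives detection, and any change to the allowlists is itself an event worth logging.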
