Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
March 31, 2020 • Insikt Group®
This report covers tactics and techniques tagged in Recorded Future® Platform sandbox submissions as mapped to the MITRE ATT&CK® framework over 2019. This report is designed for those familiar with ATT&CK, with particular relevance to security teams that rely on the framework to inform red and blue team exercises, penetration testing, threat hunting, and various security protocol prioritizations.
In 2019, Recorded Future began integrating data regarding cyberattacker tactics, techniques, and procedures (TTPs) based on MITRE ATT&CK® into its data collection and analysis. As part of a review of these identifiers across sandbox submissions for the year, Recorded Future’s Insikt Group assembled a list of the top 10 most frequently referenced techniques. Our analysis of this data found that Defense Evasion was the predominant tactic observed in 2019, with the number one technique being Security Software Discovery.
Given the dominance of this tactic across both the whole year and individual months of 2019, Recorded Future assesses with moderate confidence that this trend is reflective of current trends in criminal activity. We believe that an understanding of these specific top 10 TTPs can help defenders better prepare themselves for attacks from a wide scope of malicious actors.
- The most common tactic in our results was Defense Evasion (TA0005), and the most common technique was Security Software Discovery (T1063). Defense Evasion involves avoiding detection by, among other things, hiding in trusted processes, obfuscating malicious scripts, and disabling security software. The next most common tactic, Discovery (TA0007), involves gaining knowledge and understanding of a victim network or host.
- Based on Defense Evasion’s superseding of these other types of tactics, we assess with moderate confidence that its dominance on this list indicates one of three things: a heightened concern among cyberattackers with security solutions; an improvement in network defenses up to the present; or both.
- Nearly all of the top 10 techniques together were found to be associated with many prominent malware variants in our sandbox results, including trojans like Emotet, Trickbot, and njRAT; botnets like Gafgyt and Mirai; and cryptocurrency miners like Coinminer. Out of approximately 1,180 separate malware variants in our sandbox results, the top referenced malware variants were Trickbot, Coinminer, and njRAT/Bladabindi.
- In many cases, the operation of these techniques involves the use of legitimate software capabilities, which can make purely signature-based detection difficult, if not impossible, in recognizing malicious activity. Overall, effective mitigation of these techniques requires a defense-in-depth approach and high familiarity with normal network configurations and activity.
Background: MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
The framework was created to solve a pressing issue facing the information security community: there is a plethora of data on adversary behavior, malware, and exploits, but how do we make sense of it? The framework created an industry standard for practitioners to evaluate their security tools and acceptable risk, and ultimately, create an open source library for organizations to pull from and contribute to.
Containing over 200 unique techniques, also referred to as TTPs, and updated bi-annually, ATT&CK is a detailed library with direct adversary tactics, or categories, and regular system administrator behavior that can be exploited. With the help of the ATT&CK framework, security teams have a wider picture of adversary behavior, allowing mitigation and detection methods to be tested against the techniques. It has become a useful tool across many cybersecurity disciplines to provide intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.
“The MITRE ATT&CK® knowledge base provides a common language for the cybersecurity community to use when describing adversary behaviors,” said Jon Baker, MITRE department head for adversary emulation and orchestration. “We continue to be inspired by the ways the entire community is using ATT&CK to improve their defenses.”
For additional information about how industry experts employ ATT&CK, please refer to this article from Recorded Future.
The data set for this report came from sandbox results that were collected by Recorded Future between January and December 2019, with April being the month that source began to fully associate submissions with ATT&CK identifiers. These sandbox results, which in total comprised 47,665 unique submissions, were categorized as “malicious” (score of 40-100), “suspicious” (score of 20-39), “clean” (score of 0-19), or “unknown.” To keep our analysis focused only on likely malicious activity, we eliminated all but those submissions that were marked as “malicious,” which accounted for roughly 64% of the total submissions. Finally, we removed any “malicious” submissions that were not associated with ATT&CK identifiers, leaving a total of 26,057 records.
There is one caveat to this data that readers should note before examining the full list. Malware submissions and detonations by nature give information about the activity of malicious software itself, but not necessarily about the full activity over the lifecycle of an operation. As a result, the data set contributing to this report inevitably deprioritizes techniques related to initial access, such as phishing attacks or supply chain compromise, which are ongoing, highly dangerous threats.
Top 10 ATT&CK Techniques: Summary
The chart below shows the top 10 ATT&CK techniques, by reference count, that were identified as part of confirmed malicious sandbox submissions to the Recorded Future platform.
As this chart demonstrates, techniques related to Discovery and Defense Evasion were predominant in the Top 10 ATT&CK TTPs, not only in their position, but also in their frequency (seven out of 10). This predominance is also consistent across individual months over the entire year of 2019. We note that the number one item, Security Software Discovery, which is a Discovery technique, is more closely aligned with detecting and evading security defenses than with gathering information about target data or access.
The Discovery (TA0007) tactic relates to knowledge and understanding of a victim, from basic information like a host’s operating system, to more application-specific data like browser bookmarks. Discovery is critical for threat actors since it helps to determine the direction, or even possibility, of further activity as part of an attack. Not only are Discovery techniques important pieces of fundamental malware functionality, but their operation can also indicate likely purposes or origins of threat campaigns.
While Discovery involves gathering information about a host or network, Defense Evasion (TA0005) involves avoiding detection by others. This can be accomplished in several ways; for example, MITRE references hiding in trusted processes, obfuscating malicious scripts, and disabling security software. Like Discovery techniques, Defense Evasion techniques are often core features of malware.
In tandem, these two tactics allow cyberattackers to operate like a “fly on the wall” in victim networks, seeing as much as possible and avoiding the sight or counterattacks of others. Looking at the two individually, the frequency and top position of Discovery techniques is unsurprising. The most basic cyber intrusions require a match between malware variant and target system (for example, Mac-specific malware is unlikely to impact a Windows machine), so the fact that malware commonly looks for victim information is to be expected.
Defense Evasion, on the other hand, goes beyond simple malware functionality. In fact, several other tactics, such as Execution, Lateral Movement, and Command and Control, more directly align with what malware is designed to accomplish on a victim system. A piece of malware like Emotet, for example, would be merely a curiosity if it could avoid detection but do nothing else. Based on Defense Evasion’s superseding of these other types of tactics, we assess with moderate confidence that its dominance on this list indicates one of three things: a heightened concern among cyberattackers with security solutions; an improvement in network defenses up to the present; or both.
Nearly all of these techniques together were found to be associated with many prominent malware variants in our sandbox results, including trojans like Emotet, Trickbot, and njRAT; botnets like Gafgyt and Mirai; and cryptocurrency miners like Coinminer. Out of approximately 1,180 separate malware variants in our sandbox results, the top referenced malware variants were Trickbot (4,328 results), Coinminer (3,441 results), and njRAT/Bladabindi (1,123 results).
Top 10 ATT&CK Techniques in Action
1. T1063: Security Software Discovery | Tactic: Discovery
Security Software Discovery (T1063) is the most prevalent technique in this year’s Top 10 list. As part of the Discovery tactic, T1063 is indicative of adversaries understanding the security controls in place in order to bypass them. However, it is also an essential precursor to Defense Evasion tactics. This technique was seen in use across a wide range of malware types and families.
T1063 in Action
- Common remote access tools, such as njRAT, can list security software, such as by using the Windows-based WMIC to identify antivirus products installed on the victim’s machine and to obtain firewall details.
- Empire, an open source, cross-platform remote administration and post-exploitation framework, is also able to enumerate anti-virus software prevalent on a target machine.
T1063 is difficult to mitigate since the technique is an abuse of legitimate system actions. However, detection is possible when remote access tools with built-in features interact directly with the Windows API to gather information. Logging when such information was requested, and correlating it with other activity on the host, can reveal anomalous behavior.
2. T1027: Obfuscated Files or Information | Tactic: Defense Evasion
One of the primary methods that adversaries can employ to make detection or follow-up research difficult is obfuscation — encrypting or otherwise manipulating the structure of a file, such as using a standard cryptographic protocol (which appears as number 10 on this list).
T1027 in Action
- Some PowerShell modules, like those in the Empire framework or Don’t Kill My Cat payload evasion tool, are able to run “Invoke-Obfuscation” commands to encode files or strings in Base64.
- Many prominent malware families rely on obfuscation to evade detection. In December 2018, for example, Emotet was observed using obfuscated VBA codes as part of a Christmas card-themed phishing campaign.
Unless the artifacts left behind by the obfuscation process are uniquely detectable with a signature, the detection of T1027 may be challenging. If the obfuscation itself cannot be detected, it may still be possible to detect the malicious activity that created the obfuscated file, for example the process that wrote, read, or modified it on the file system. Additionally, obfuscation used in payloads for Initial Access techniques can be detected at the network level. Network intrusion detection systems (IDS) and email gateway filtering are additional ways to identify compressed and encrypted attachments and scripts.
3. T1055: Process Injection | Tactic: Defense Evasion
Process Injection (T1055) is a technique of running custom code within the address space of another process. It is a technique within Defense Evasion, Privilege Escalation, and in some instances, Persistence. The popularity of T1055 can be attributed to the benefits of hiding behind legitimate processes. Injection methods include, but are not limited to, dynamic-link library (DLL) injection, portable executable injection, ptrace system calls, and VDSO hijacking.
T1055 in Action
- The threat group Turla has previously performed DLL injections against legitimate processes for C2 communication, and has used PowerSploit to reflectively load a PowerShell payload into a random process on the victim system.
Mitigating T1055 is possible by using endpoint security solutions and heuristic tools to identify and halt processes based on known patterns of behavior.
4. T1082: System Information Discovery | Tactic: Discovery
Similar to T1063, System Information Discovery (T1082) is an additional way for an adversary to get detailed information about an operating system and hardware, including version, patches, hotfixes, service packs, and architecture. This informs adversary decisions and shapes the vectors in which an adversary pursues an attack.
T1082 in Action
- Like other Discovery techniques, the use of T1082 abuses legitimate processes to gain information. In a Windows system, that means using commands like “ver,” “systeminfo,” and “dir” to identify files and directories, or on macOS, “systemsetup” or “system_profiler,” to deliver a detailed breakdown of the system, configurations, firewall rules, and so on.
- Though some of these commands require admin privileges, T1082 can still be used prior to any Privilege Escalation techniques. AWS, GCP, or Azure infrastructure is also likely a candidate for this technique if an adversary is looking to exploit misconfigurations.
The data set needed for detecting T1082 may be noisy, as there are legitimate uses for System Information Discovery. However, monitoring command arguments (or native logging in cloud-based systems) that capture system and network information used in conjunction with other techniques can help identify adversary behavior.
5. T1057: Process Discovery | Tactic: Discovery
Similar to other Discovery techniques, enumeration of system configurations can be a key part of informing adversary decisions. The technique is platform-agnostic aside from minor changes in command format.
T1057 in Action
- Use of the “tasklist” utility in Windows or the “ps” command on Mac and Linux is a feature that has been seen in malware such as Winnti.
- Threat actors have used Process Discovery to uncover and turn off security researcher tools. For example, in late 2018, the likely-Iranian threat group MuddyWater was observed checking for running processes on a victim system for evidence of common malware researcher tools.
Like the detection method for T1082, monitoring command arguments that enumerate processes used in conjunction with other techniques can provide indicators of potentially malicious activity.
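The detection approach described for T1063, T1082 and T1057 above (monitoring command arguments and correlating several Discovery commands from one process) can be expressed as a small correlation rule. This is an added example, not code from the report or from Recorded Future; the Sysmon-like event fields, the regexes and the 60-second window are assumptions, and the sample events are constructed.

```python
"""Flag clustered Discovery commands (T1063, T1082, T1057) in process-creation logs.

Added example, not from the original report. The events below are constructed in a
Sysmon-like shape (UtcTime, Computer, ParentImage, CommandLine); the field names,
the regexes and the 60-second window are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command names come from the report; the patterns around them are assumed.
PATTERNS = {
    "T1063": re.compile(r"antivirusproduct|firewallproduct|securitycenter2", re.I),
    "T1082": re.compile(r"(^|[\\\s])(systeminfo|ver)(\.exe)?(\s|$)", re.I),
    "T1057": re.compile(r"(^|[\\\s])(tasklist|ps)(\.exe)?(\s|$)", re.I),
}

EVENTS = [  # constructed sample events
    {"UtcTime": "2019-06-12 10:00:01", "Computer": "WS01", "ParentImage": r"C:\Users\bob\invoice.exe",
     "CommandLine": r"wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName"},
    {"UtcTime": "2019-06-12 10:00:05", "Computer": "WS01", "ParentImage": r"C:\Users\bob\invoice.exe",
     "CommandLine": r"C:\Windows\System32\systeminfo.exe"},
    {"UtcTime": "2019-06-12 10:00:09", "Computer": "WS01", "ParentImage": r"C:\Users\bob\invoice.exe",
     "CommandLine": "tasklist /v"},
    # A single Discovery command from a help-desk session is not enough to alert.
    {"UtcTime": "2019-06-12 11:00:00", "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "tasklist"},
    # Two commands five minutes apart fall outside the correlation window.
    {"UtcTime": "2019-06-12 12:00:00", "Computer": "WS03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "systeminfo"},
    {"UtcTime": "2019-06-12 12:05:00", "Computer": "WS03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tasklist"},
]

def classify(cmdline):
    """Map a command line to the set of Discovery technique IDs it indicates."""
    return {tid for tid, rx in PATTERNS.items() if rx.search(cmdline)}

def find_clusters(events, window=timedelta(seconds=60), min_techniques=2):
    """Alert when one parent process on one host issues commands matching at least
    `min_techniques` distinct Discovery techniques inside a single `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        tids = classify(ev["CommandLine"])
        if tids:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent[(ev["Computer"], ev["ParentImage"])].append((ts, tids))
    alerts = []
    for (host, parent), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, tids in hits[i:]:
                if ts - start > window:
                    break
                seen |= tids
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "parent": parent,
                               "techniques": sorted(seen), "start": start.isoformat()})
                break  # one alert per parent is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in find_clusters(EVENTS):
        print(alert)
```

Tuning `window` and `min_techniques` against a baseline of normal administrative activity is what keeps this rule from drowning in the noise the report warns about.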
6. T1045: Software Packing | Tactic: Defense Evasion
Software Packing (T1045), which is associated with runtime or software packers, involves compressing an initial file or executable. While benign programmers have used software packing to cut down on storage costs, adversaries favor this technique because packing an executable changes its file signature and reduces its size, making signature- or footprint-based detection more difficult.
T1045 in Action
- Noteworthy APT-related malware variants that have been seen using software packing are Uroburos (which has used a custom packer from its operator Turla), and APT28’s Zebrocy (which has been observed using the open source packer UPX).
T1045 can usually be mitigated with an antimalware or antivirus software configuration. Detecting Software Packing can be done by scanning for known software packing tools, such as Aspack, or artifacts of those packing techniques. However, Software Packing has legitimate uses as well and alone is not an indicator for malicious behavior.
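Scanning for artifacts of known packers, as the paragraph above suggests, can start with the section names that UPX and ASPack write into a PE file. This is an added example, not code from the report; it builds a minimal PE image in memory so it runs offline, and treating a packer hit as a triage signal rather than a verdict reflects the caveat that packing alone is not malicious.

```python
"""Scan a PE file's section table for artifacts of known packers (UPX, ASPack).

Added example, not from the original report. A minimal, non-executable PE image
is constructed in memory below so the scanner runs offline; the section names
checked are the packers' well-known defaults, everything else is assumed.
"""
import struct

# Section names that common packers leave behind. UPX and ASPack are named in the
# report; a hit is a triage signal only, since packing has legitimate uses.
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}

def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # each entry is 40 bytes
        names.append(raw.rstrip(b"\0"))
    return names

def packer_artifacts(data):
    """Names of packers whose section-name artifacts appear in the image."""
    return sorted({PACKER_SECTIONS[n] for n in pe_section_names(data) if n in PACKER_SECTIONS})

def build_pe(section_names):
    """Construct a minimal PE image (DOS stub, signature, COFF header, sections)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    print(packer_artifacts(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
```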
7. T1073: DLL Side-Loading | Tactic: Defense Evasion
DLL Side-Loading (T1073), which can only be conducted in Windows operating systems, occurs when a spoofed malicious DLL file is placed in a directory so the malicious file is loaded in place of the legitimate DLL. The technique helps threat actors evade defenses by smuggling malicious code into legitimate services or processes, as opposed to running new and unrecognized processes.
T1073 in Action
- Several APT groups are known to use the technique, including APT19 and APT32. In January 2020, the Winnti threat group was reported to have used DLL Side-Loading as part of intrusion attacks against universities in Hong Kong.
DLL Side-Loading abuses a legitimate process, thus making mitigation and detection difficult, but not impossible. By restricting permission for users attempting to access files and directories, security teams can mitigate the number of users capable of executing the technique. When attempting to detect T1073, teams can compare DLL process execution times to spot differences that are abnormal and cannot be attributed to patches.
8. T1022: Data Encrypted | Tactic: Exfiltration
Data Encrypted (T1022), a technique under Exfiltration, is another highly popular technique used by adversaries. By encrypting data prior to exfiltrating information, actors can more effectively hide the content of the stolen data. There are a variety of encryption methods in use today.
T1022 in Action
- Lazarus Group uses Zlib compression and XOR operations to encrypt and exfiltrate the data to a C2 server.
- WARZONE RAT (also known as Ave Maria Stealer) is a remote access trojan sold on the criminal underground, primarily by Solmyr on Hack Forums and Nulled. The malware’s features include encryption techniques as well as UAC bypass, password stealing, and RDP access.
Creating rules or alerting on unusual encryption commands or using heuristic tools to identify unusual behavior regarding encryption of data is one way to detect T1022. Network traffic entropy may also reveal the exfiltration of encrypted data.
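The entropy check mentioned above, as an added example that is not part of the report: a "stolen" payload is constructed by compressing text with zlib and XORing it (mirroring the Lazarus description), and flows are flagged when a large, high-entropy payload leaves on a port that normally carries plaintext. The threshold, size floor, port list and flow records are assumptions.

```python
"""Score outbound payloads by byte entropy to spot encrypted exfiltration (T1022).

Added example, not from the original report. The flows below are constructed: the
"stolen" payload mimics the report's zlib-then-XOR description, and the entropy
threshold, size floor and plaintext-port list are this example's assumptions.
"""
import math
import random
import string
import zlib
from collections import Counter

def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample data: pseudo-random lowercase words stand in for stolen text.
_rng = random.Random(2019)
PLAINTEXT = " ".join(
    "".join(_rng.choice(string.ascii_lowercase) for _ in range(_rng.randint(3, 9)))
    for _ in range(2000)).encode()
STOLEN = xor_bytes(zlib.compress(PLAINTEXT), b"\x5a")   # compress, then XOR

FLOWS = [  # constructed flow records: (dst, dport, payload)
    ("203.0.113.10", 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&pass=hunter2" + PLAINTEXT[:2048]),
    ("203.0.113.20", 80, STOLEN),
    ("203.0.113.30", 443, STOLEN),   # TLS is expected to be high-entropy
]

PLAINTEXT_PORTS = {21, 25, 80, 8080}

def suspicious_flows(flows, threshold=7.0, min_bytes=1024):
    """Flag flows whose payload is high-entropy on a port that normally carries
    plaintext. TLS ports are excluded: encryption is normal there, so only volume
    or destination baselines would help."""
    hits = []
    for dst, dport, payload in flows:
        h = shannon_entropy(payload)
        if dport in PLAINTEXT_PORTS and len(payload) >= min_bytes and h >= threshold:
            hits.append((f"{dst}:{dport}", round(h, 2)))
    return hits

if __name__ == "__main__":
    print(suspicious_flows(FLOWS))
```

Compressed archives legitimately score as high as ciphertext, so the hit list is a starting point for review alongside destination reputation and data volume, not a verdict.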
9. T1106: Execution Through API | Tactic: Execution
Adversary use of Execution Through API (T1106) demonstrates an adversarial abuse of legitimate application interfaces. More specifically, this technique allows users to extract data and to interface at a macro level with programs and scripts.
T1106 in Action
- LightNeuron, used by Turla Group, is a sophisticated backdoor that abuses Microsoft Exchange mail servers. One of its associated API calls is CreateProcess.
- Malicious use of APIs does not only occur for direct execution of functions. Since API calls can be monitored by network defenders for malicious activity, threat actors have used redundant API calls to create additional noise.
Monitoring all API calls all the time is a noisy and likely wasteful use of time for network defenders. Instead, organizations can mitigate malicious API calls by using application whitelisting tools. They can also use intelligence on novel API abuse to more quickly pinpoint suspect API usage.
10. T1032: Standard Cryptographic Protocol | Tactic: Command and Control
Not unlike the Data Encrypted (T1022) technique, adversaries can use the Standard Cryptographic Protocol (T1032) technique to conceal C2 traffic behind regularly used encryption mechanisms. T1032 is a part of the Command and Control tactic, which is considered one of the final stages of an attack.
T1032 in Action
- RC4 and AES are common encryption methods for C2 traffic or configuration across a number of different malware variants, including the banking trojan IcedID (for RC4) and the Glupteba botnet (for AES). In August 2019, the malware xRAT, which masqueraded as an income tax calculator, was observed encrypting C2 traffic using AES.
Fortunately for security teams trying to detect T1032, some implementations of this technique may be vulnerable to reverse engineering if artifacts or keys are generated within sample configuration files. Network IDS and prevention technology can help mitigate activity at a network level, and SSL/TLS inspection can help look for encrypted sessions.
Outlook and Recommendations
Discovery and Defense Evasion represented the two frontrunner tactics in Recorded Future’s sandbox data set for 2019. In many cases, the operation of these techniques involves the use of legitimate software capabilities, which can make purely signature-based detection difficult, if not impossible, in recognizing malicious activity. Overall, effective mitigation of these techniques requires a defense-in-depth approach and high familiarity with normal network configurations and activity. More specifically, the following general actions can serve as a start for detecting and thwarting cyberattacks that rely on these techniques:
- Monitor for new instances of, or unusual changes to, common processes, configuration files, API calls, or file systems.
- Monitor for unusual or frequent command arguments, which are often used as part of Discovery techniques.
- Keep antivirus and antimalware programs updated to stay ahead of newly packaged or encrypted malware.
- Turn on automatic updates to software to prevent cyberattackers from identifying and exploiting vulnerable systems or software.
In 2020, we expect to see frequent use of these same Discovery and Defense Evasion tactics, with new developments likely to occur in response to better detection methods from security solutions. We anticipate that, as in 2019, these techniques will be observed in association with many different types of malware deployed by a variety of threat actors.
Recorded Future’s integration with ATT&CK can assist with risk mitigation for these various techniques. As new information and tools emerge, Insikt Group research and automated source collection gets updated in the Recorded Future platform with the latest details and IOCs surrounding these TTPs. You can visit the Recorded Future website for more information about these and other features of the Recorded Future platform.