Recent reports by Kaspersky experts on the statistics of Managed Detection and Response (MDR) and Incident Response (IR) services for 2023 reveal that most observed cyberattacks employ a handful of techniques that are repeated time and again. These techniques are seen both in attacks that are fully executed and cause damage, as well as in incidents that are stopped in their early stages. We decided to list these techniques based on the ATT&CK framework and summarize expert recommendations for neutralizing them. The frequency of use for each technique and specific examples can be found in the reports themselves.
Table of Contents
Exploiting public-facing applications
ATT&CK Technique: T1190, Tactic: TA0001 (Initial Access)
What it is: Exploiting vulnerabilities in one of the organization’s applications that is accessible from the internet. Web servers, Exchange servers, database servers, and VPN access points are the most popular targets. Attackers also actively seek out and exploit publicly accessible IT infrastructure control panels – from SSH servers to SNMP.
How to protect yourself: Prioritize updating software at the network perimeter and use additional security measures for perimeter services. Close control ports to external access. Regularly scan the external perimeter for vulnerabilities and for applications that have accidentally been granted external access, and revoke it. Install EDR agents and security tools, including on application servers.
Phishing
ATT&CK Technique: T1566, Tactic: TA0001 (Initial Access)
What it is: Mass or targeted distribution of messages via email, SMS, and messaging apps designed to trick company employees into disclosing their credentials or downloading malicious content via a link.
How to protect yourself: Raise awareness among all company employees, conduct training sessions, use the latest security solutions for mail servers, and deploy EMM/UEM solutions to protect employees’ mobile devices, including personal ones.
Valid accounts compromised by attackers
ATT&CK Technique: T1078, Tactics: TA0001, TA0003, TA0004, TA0005 (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
What it is: One of the most effective techniques employed by attackers. During initial network penetration, attackers use employee credentials obtained through purchased leaks or phishing. They then use domain and local accounts found on the compromised computer to develop the attack.
How to protect yourself: Implement phishing-resistant multi-factor authentication (MFA) methods, especially for privileged accounts. Adopt the principle of least privilege. Deactivate default accounts (such as “guest”), and for local administrator accounts, set a unique password for each computer. Use SIEM and XDR to detect anomalous user actions.
Brute force
ATT&CK Technique: T1110, Tactic: TA0006 (Credential Access)
What it is: Attackers can discover passwords for accounts of interest through brute-force attacks or password guessing based on known hashes. A variation of this attack is password spraying, where the same popular passwords are applied to a number of accounts in the hope of finding a user who chose such a weak password.
How to protect yourself: Implement password policies that prevent brute-force attacks and apply stricter policies to accounts where MFA cannot be enabled. Limit the number of login attempts across all systems and block the account if the number of attempts is exceeded. Configure SIEM monitoring rules to detect an overall increase in failed authentication attempts.
Trusted relationship
ATT&CK Technique: T1199, Tactic: TA0001 (Initial Access)
What it is: Compromising an organization through its partners and contractors. If a partner is hacked, attackers can use the discovered access points and tools to infiltrate the organization. In practice, hackers most often target IT subcontractors (MSPs, authentication providers, technical support specialists) with administrative access to the organization’s systems.
How to protect yourself: Regularly audit external access, revoke outdated permissions, apply the principle of least privilege to them, and implement strict password policies and MFA for such accounts. Use network segmentation to restrict external contractors to only the resources they need.
Command and scripting interpreter
ATT&CK Technique: T1059, Tactic: TA0002 (Execution)
What it is: In the vast majority of attacks, attackers need to execute their own code on compromised computers. To avoid attracting attention and using specialized malware, they often use legitimate scripting tools that are already installed on most corporate systems. The most popular of these is Microsoft PowerShell, but there are also attacks using scripts in Visual Basic, Python, and AutoIT, as well as basic Windows and Unix shells (cmd and sh/bash/zsh).
How to protect yourself: Use allowlisting to restrict the launch of applications not required on specific computers. Track the launch of script interpreters using XDR and EDR, but keep in mind that the detection logic must be continuously adjusted to the specifics of the organization’s IT infrastructure.
Account manipulation
ATT&CK Technique: T1098, Tactics: TA0003, TA0004 (Persistence, Privilege Escalation)
What it is: A wide range of changes that attackers make to accounts they have access to. These changes can include adding an account to privileged groups, enabling deactivated accounts, changing passwords, and modifying permissions for accounts and groups.
How to protect yourself: Apply the principle of least privilege, perform regular account inventories, revoke outdated permissions, and block or delete unnecessary accounts.
Exploitation of remote services
ATT&CK Technique: T1210, Tactic: TA0008 (Lateral Movement)
What it is: After compromising one of the computers on the network, attackers scan it for vulnerable applications in order to infect additional computers or gain elevated privileges on them. In 2023, old vulnerabilities in SMB v1 and Exchange Server were quite popular, confirming that IT services are not paying enough attention to fixing vulnerabilities.
How to protect yourself: Update client and server applications promptly, disable unnecessary services on all computers, and use network segmentation and the principle of least privilege to limit attackers’ capabilities even if they manage to exploit a vulnerability. Use security solutions that can detect and block attempts to exploit vulnerabilities.
Launching system services
ATT&CK Technique: T1569, Tactic: TA0002 (Execution)
What it is: In addition to using command shells, attackers often use the launch of system services to execute malicious tasks and establish persistence in the system. The undisputed leader here is PsExec, which can be used to execute a desired task on a remote Windows computer.
How to protect yourself: Use XDR or EDR systems that can track anomalous behavior of system services, configure policies to restrict low-privileged users from launching privileged services and installing system software.
Bonus track: LOLBins
In most stages of an attack, attackers try to use legitimate IT administration tools to blend in with normal network activity and avoid detection. Some cases have already been described above (PowerShell, PsExec), but in a significant number of attacks, attackers also use AnyDesk for management and control, Advanced IP Scanner and SoftPerfect Network Scanner for network scanning, and security testing tools: Mimikatz for privilege escalation, and Cobalt Strike and Metasploit for lateral movement within the network. You can read about protection against the use of LOLBins in this post.
Leave a Reply