Recent reports by Kaspersky consultants on the statistics of Managed Detection and Response (MDR) and Incident Response (IR) services for 2023 reveal that the majority of observed cyberattacks rely on a handful of techniques that are repeated again and again. These techniques appear both in attacks that were fully executed and caused damage, and in incidents that were stopped in their early stages. We decided to list these techniques based on the ATT&CK framework and summarize expert recommendations for neutralizing them. The frequency of use for each technique and specific examples can be found in the reports themselves.
Exploiting public-facing applications
ATT&CK Technique: T1190, Tactic: TA0001 (Initial Access)
What it is: Exploiting vulnerabilities in one of the organization's applications that is accessible from the internet. Web servers, Exchange servers, database servers, and VPN access points are the most popular targets. Attackers also actively seek out and exploit publicly accessible IT infrastructure management panels, from SSH servers to SNMP.
How to protect yourself: Prioritize updating software on the network perimeter and apply additional security measures to perimeter services. Close management ports to external access. Regularly scan the external perimeter for vulnerabilities and for applications that have accidentally been granted external access, and revoke that access. Install EDR agents and security tools, including on application servers.
Phishing
ATT&CK Technique: T1566, Tactic: TA0001 (Initial Access)
What it is: Mass or targeted distribution of messages via email, SMS, and messaging apps designed to trick company employees into disclosing their credentials or downloading malicious content via a link.
How to protect yourself: Raise awareness among all company employees, conduct training sessions, use up-to-date security solutions for mail servers, and deploy EMM/UEM solutions to protect employees' mobile devices, including personal ones.
Valid accounts compromised by attackers
ATT&CK Technique: T1078, Tactics: TA0001, TA0003, TA0004, TA0005 (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
What it is: One of the most effective techniques employed by attackers. During initial network penetration, attackers use employee credentials obtained through purchased leaks or phishing. They then use domain and local accounts found on the compromised computer to expand the attack.
How to protect yourself: Implement phishing-resistant multi-factor authentication (MFA) methods, especially for privileged accounts. Adopt the principle of least privilege. Deactivate default accounts (such as "guest"), and set a unique password for the local administrator account on each computer. Use SIEM and XDR to detect anomalous user activity.
Brute force
ATT&CK Technique: T1110, Tactic: TA0006 (Credential Access)
What it is: Attackers can discover passwords for accounts of interest through brute-force attacks or password guessing based on known hashes. A variation of this attack is password spraying, where the same popular passwords are tried against a large number of accounts in the hope of finding a user who chose such a weak password.
How to protect yourself: Implement password policies that prevent brute-force attacks and apply stricter policies to accounts where MFA cannot be enabled. Limit the number of login attempts across all systems and lock the account if the number of attempts is exceeded. Configure SIEM monitoring rules to detect an overall increase in failed authentication attempts.
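The two detection ideas in this section, telling password spraying apart from classic brute force per source address and catching an overall rise in failures, shown as an added example that is not part of the Kaspersky reports. The failed-logon records, addresses, thresholds and baseline rate are all constructed assumptions to be tuned per environment.

```python
from collections import defaultdict

# Constructed failed-logon records in the shape of Windows event 4625
# (minute offset, source address, target account); not real telemetry.
FAILED_LOGONS = [
    (0, "10.0.0.5", "alice"), (0, "10.0.0.5", "bob"), (1, "10.0.0.5", "carol"),
    (1, "10.0.0.5", "dave"), (2, "10.0.0.5", "erin"), (2, "10.0.0.5", "frank"),
    (0, "10.0.0.9", "admin"), (0, "10.0.0.9", "admin"), (1, "10.0.0.9", "admin"),
    (1, "10.0.0.9", "admin"), (2, "10.0.0.9", "admin"), (3, "10.0.0.9", "admin"),
    (5, "10.0.0.7", "alice"),  # a single mistyped password, must not alert
]

def detect_password_attacks(events, window=10, min_accounts=5, min_attempts=5):
    """Classify each source address by its failed logons inside one window.
    Spraying: many distinct accounts, so per-account lockout never fires.
    Brute force: many attempts against a single account.
    Thresholds are assumed values to be tuned per environment."""
    by_source = defaultdict(list)
    for minute, src, account in events:
        by_source[src].append((minute, account))
    alerts = {}
    for src, items in by_source.items():
        items.sort()
        start = items[0][0]
        in_window = [acct for minute, acct in items if minute - start < window]
        distinct = set(in_window)
        if len(distinct) >= min_accounts:
            alerts[src] = "password_spraying"
        elif len(in_window) >= min_attempts and len(distinct) == 1:
            alerts[src] = "brute_force"
    return alerts

def failure_spikes(events, baseline_per_minute=1, factor=3):
    """Return minutes where total failures exceed factor x the normal rate:
    the SIEM-level 'overall increase' check that also catches spraying
    spread across many source addresses. The baseline is an assumed figure."""
    per_minute = defaultdict(int)
    for minute, _, _ in events:
        per_minute[minute] += 1
    return sorted(m for m, n in per_minute.items() if n > baseline_per_minute * factor)

if __name__ == "__main__":
    print(detect_password_attacks(FAILED_LOGONS))
    print(failure_spikes(FAILED_LOGONS))
```

The per-source rule misses spraying distributed over many addresses, which is why the rate check over all failures is kept alongside it.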
Trusted relationship
ATT&CK Technique: T1199, Tactic: TA0001 (Initial Access)
What it is: Compromising an organization through its partners and contractors. If a partner is hacked, attackers can use the discovered access points and tools to infiltrate the organization. In practice, hackers most often target IT subcontractors (MSPs, authentication providers, technical support specialists) that hold administrative access to the organization's systems.
How to protect yourself: Regularly audit external access, revoke outdated permissions, apply the principle of least privilege to contractor accounts, and enforce strict password policies and MFA for them. Use network segmentation to restrict external contractors to only the resources they need.
Command and scripting interpreter
ATT&CK Technique: T1059, Tactic: TA0002 (Execution)
What it is: In the overwhelming majority of attacks, attackers need to execute their own code on compromised computers. To avoid attracting attention and to avoid relying on specialized malware, they often use legitimate scripting tools that are already installed on most corporate systems. The most popular of these is Microsoft PowerShell, but there are also attacks using scripts in Visual Basic, Python, and AutoIT, as well as the basic Windows and Unix shells (cmd and sh/bash/zsh).
How to protect yourself: Use allowlisting to restrict the launch of applications not required on specific computers. Track the launch of script interpreters using XDR and EDR, but keep in mind that the detection logic must be continually adjusted to the specifics of the organization's IT infrastructure.
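An added example, not from the reports, of the kind of interpreter-launch rule this section describes, including the per-host tuning it warns is necessary: a host-specific allowlist, a parent-process check, and a check for PowerShell's encoded-command switch. The hostnames, the allowlist inventory, the parent list and the process events are constructed assumptions.

```python
import re

# Interpreters named in the text plus the Windows script hosts (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "python.exe", "autoit3.exe"}
# Office and browser processes that have no business spawning interpreters (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
# PowerShell's -EncodedCommand switch and its common abbreviations.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")

# Per-host allowlist: the interpreters each machine legitimately needs.
# This is the tuning the text calls for; the inventory here is assumed.
HOST_ALLOWLIST = {
    "srv-admin-01": {"powershell.exe", "cmd.exe"},
    "ws-finance-01": set(),
}

# Constructed process-creation events in the shape of Sysmon event 1; not real telemetry.
EVENTS = [
    {"host": "srv-admin-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"host": "ws-finance-01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand QQBCAEMA"},  # constructed, harmless argument
    {"host": "ws-finance-01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "srv-admin-01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

def classify(event):
    """Return the reasons an interpreter launch deserves review (empty = expected)."""
    image = event["image"].lower()
    if image not in INTERPRETERS:
        return []
    reasons = []
    if image not in HOST_ALLOWLIST.get(event["host"], set()):
        reasons.append("interpreter_not_allowlisted_on_host")
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append("spawned_by_office_or_browser")
    if ENCODED_FLAG.search(event["cmdline"]):
        reasons.append("encoded_command_line")
    return reasons

def triage(events):
    """Keep only events with at least one reason, as a SIEM rule would."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event["host"], event["image"], reasons))
    return flagged
```

The same PowerShell launch is expected on the admin server and flagged on the finance workstation, which is the point of maintaining the allowlist per host rather than globally.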
Account manipulation
ATT&CK Technique: T1098, Tactics: TA0003, TA0004 (Persistence, Privilege Escalation)
What it is: A range of changes that attackers make to accounts they have access to. These changes can include adding an account to privileged groups, enabling deactivated accounts, changing passwords, and modifying permissions for accounts and groups.
How to protect yourself: Apply the principle of least privilege, perform regular account inventories, revoke outdated permissions, and block or delete unnecessary accounts.
Exploitation of remote services
ATT&CK Technique: T1210, Tactic: TA0008 (Lateral Movement)
What it is: After compromising one of the computers on the network, attackers use it to scan for vulnerable applications in order to infect additional computers or gain elevated privileges on them. In 2023, old vulnerabilities in SMB v1 and Exchange Server were quite popular, confirming that IT departments are not paying enough attention to fixing vulnerabilities.
How to protect yourself: Update client and server applications promptly, disable unnecessary services on all computers, and use network segmentation and the principle of least privilege to limit attackers' capabilities even if they manage to exploit a vulnerability. Use security solutions that can detect and block attempts to exploit vulnerabilities.
Launching system services
ATT&CK Technique: T1569, Tactic: TA0002 (Execution)
What it is: In addition to using command shells, attackers often launch system services to execute malicious tasks and establish persistence in the system. The undisputed leader here is PsExec, which can be used to execute a desired task on a remote Windows computer.
How to protect yourself: Use XDR or EDR systems that can monitor anomalous behavior of system services, and configure policies that restrict low-privileged users from launching privileged services and installing system software.
Bonus track: LOLBins
In most stages of an attack, attackers try to use legitimate IT management tools to blend in with normal network activity and avoid detection. Some cases have already been described above (PowerShell, PsExec), but in a significant number of attacks, attackers also use AnyDesk for administration and control, Advanced IP Scanner and SoftPerfect Network Scanner for network scanning, and security testing tools: Mimikatz for privilege escalation, and Cobalt Strike and Metasploit for lateral movement within the network. You can read about protection against the use of LOLBins in this post.