Most common attack techniques 2021 | Kaspersky official blog

Credit to Author: Hugh Aver | Date: Thu, 09 Jun 2022 22:19:46 +0000

The Kaspersky Managed Detection and Response (MDR) service allows companies to strengthen their own security team by monitoring corporate infrastructure around the clock. According to a recently published MDR analyst report, in 2021 the service processed about 414 thousand security alerts, resulting in 8479 incidents reported to customers. While analyzing those incidents, SOC experts identified the most common attacker techniques according to the MITRE ATT&CK classification. They calculated the ratio of incidents involving a particular technique to the total number of incidents and named the three most “popular” of them.

User Execution

All incidents in which the attacker relies on the actions of a user inside the infrastructure fall into this category. That is, these are cases in which attackers trick an employee into clicking a malicious link or opening an email attachment. It also includes incidents in which a deceived user gives an attacker remote access to corporate resources.

Spearphishing Attachment

According to the MITRE ATT&CK classification, the Spearphishing Attachment technique involves sending emails with a malicious file attached. As a rule, attackers rely on the abovementioned social engineering and user execution to carry out the attack. The attachment can be an executable file, an MS Office document, a PDF or an archive.

Exploitation of Remote Services

The Exploitation of Remote Services category includes incidents in which attackers use vulnerable or simply unpatched services to access internal systems within a corporate network. Typically, this is done for lateral movement within the infrastructure. Attackers most often target servers, but sometimes they also exploit vulnerabilities on other endpoints, including workstations.

How to protect your infrastructure from the most common attacker techniques

The MITRE ATT&CK website lists the most effective methods that can be used to mitigate each adversarial technique.

  • To prevent an employee from unwittingly taking part in an attacker’s scheme, it is recommended to use security solutions with application control that can also block network attacks, check the reputation of websites and scan downloaded files. In addition, it is useful to raise employees’ security awareness by telling them about modern adversarial tactics and techniques.
  • The same protection mechanisms are valid against malicious attachments in targeted emails. As an additional layer of protection, it is also recommended to use SPF, DKIM and DMARC.
  • Sandboxing and application isolation technologies work well against Exploitation of Remote Services. But first, you should remove or disable all unused remote services, segment networks and systems, and minimize the access level and permissions of service accounts. It is also necessary to install security updates for critical systems promptly and to use security solutions with behavioral detection capabilities. Additionally, it doesn’t hurt to periodically scan the network for potentially vulnerable services and to use up-to-date Threat Intelligence data.
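The second recommendation above names SPF and DMARC, both of which are published as DNS TXT records that are easy to get subtly wrong (an SPF record ending in `+all`, or a DMARC record left at `p=none`, gives receivers no reason to reject spoofed mail). The following script, added here as an illustration and not code from Kaspersky or the MDR report, parses such records and reports weak settings. The domain `example.com` and all record strings are constructed samples; in practice the records would be fetched from DNS with a resolver.

```python
"""Check SPF and DMARC TXT records for settings that weaken them.

Added example; not Kaspersky code. The records below are constructed
samples for a hypothetical domain rather than values fetched from DNS.
"""
import re

# Constructed sample records, written exactly as they would appear in DNS.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 +all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Mechanisms that cost a DNS lookup; more than 10 makes receivers return permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    mechanisms = []
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record: str) -> list:
    """Return a list of human-readable weaknesses found in an SPF record."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    elif spf["all"] == "+":
        findings.append("'+all' authorizes every sender; use '-all' or '~all'")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: receivers treat unlisted senders as unknown")
    lookups = [t for t in spf["mechanisms"] if _mechanism_name(t) in LOOKUP_MECHANISMS]
    if len(lookups) > 10:
        findings.append("more than 10 DNS-lookup mechanisms: receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record into a tag/value dictionary with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> list:
    """Return a list of human-readable weaknesses found in a DMARC record."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= policy tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, record, check in [
        ("SPF (good)", SAMPLE_SPF, spf_findings),
        ("SPF (weak)", WEAK_SPF, spf_findings),
        ("DMARC (good)", SAMPLE_DMARC, dmarc_findings),
        ("DMARC (weak)", WEAK_DMARC, dmarc_findings),
    ]:
        print(label, "->", check(record) or "no findings")
```

DKIM is deliberately left out: its public key lives under a selector-specific name that the checker cannot know without seeing signed mail, so it is best verified from the `DKIM-Signature` header of a real message rather than from a static record.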

In general, to protect your corporate infrastructure from complex attacks, you can enlist external experts who will monitor your infrastructure, investigate security alerts, and notify you when something suspicious is going on, providing response actions or recommendations.
