Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints

Cisco examines MITRE ATT&CK data to suggest the threat vectors enterprise security staff should focus their efforts on.
Written by Charlie Osborne, Contributing Writer

The threat landscape is under a constant state of evolution, with enterprise players hard-pressed to keep up with a frequent barrage of vulnerability disclosures, security updates, and the occasional zero-day. 

Analysts estimate that by 2021, 3.5 million cybersecurity roles will be unfulfilled, and so not only do existing security professionals need to deal with a seemingly endless fight against cyberattackers, they may also have to do so while short-staffed -- not to mention the disruption caused by COVID-19. 

See also: Cloud security: 'Suspicious superhumans' behind rise in attacks on online services

There are tools out there to help with the strain. Automatic scanners, artificial intelligence (AI) and machine learning (ML)-based algorithms and software that can manage endpoint security and risk assessments, feeds providing real-time threat data, and more. 

Frameworks also exist, such as MITRE ATT&CK, which provides a free knowledge base compiling tactics and techniques observed in current, real-world attacks.

It is this data repository that Cisco has examined in a new report describing current attack trends against enterprise endpoints and networks. 

On Monday, Cisco published a data set based on MITRE ATT&CK classifications combined with Indicators of Compromise (IoCs) experienced by organizations that receive alerts through the company's security solutions within specific time frames. 

According to the company, over the first half of 2020, fileless threats were the most common attack vector used against the enterprise. Fileless attacks include process injections, registry tampering, and threats such as Kovter, a fileless Trojan; Poweliks, a code injector that operates on the back of legitimate processes; and Divergent, fileless Node.js malware. 

In second are dual-use tools including Metasploit, PowerShell, CobaltStrike, and Powersploit. Legitimate penetration testing tools such as Metasploit are of benefit to cybersecurity as a whole, but unfortunately, cyberattackers may also abuse these solutions for criminal gain. 

Tools such as Mimikatz come in third place -- as software turned toward credential stuffing attacks. 

Over the first half of 2020, Cisco says these attack vectors make up roughly 75% of critical severity IoCs observed. 

If you apply these threats to MITRE ATT&CK classifications, this means defense evasion appears in 57% of all IoC alerts, and execution comes in at 41%. 

CNET: Lawsuit accuses Instagram of peeping with iPhone camera

As modern malware will often include obfuscation, movement, and concealment techniques -- as well as the ability to launch payloads and tamper with existing processes -- this is hardly a surprise, and IoCs may relate to more than one overall classification. 

"For example, an attacker that has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer," Cisco notes. 

When it comes to critical severity alerts, however, the top three categories -- defense evasion, execution, and persistence -- undergo a reshuffle. 

Execution stole the top spot away from defense evasion in critical severity attacks, with a bump of 14%, bringing total IoC alerts to 55%. Defense evasion dropped by 12% to 45%, whereas persistence, lateral movement, and credential access spiked by 27%, 18%, and 17%, respectively. 


TechRepublic: CISOs top traits revealed in report: Improvement needed

In addition, some classifications dropped off the list entirely or accounted for less than one percent of critical IoC alerts, including initial access, privilege escalation, and discovery -- otherwise known as reconnaissance -- revealing a shift in focus when it comes to critical attacks in comparison to overall IoCs.  

To protect against high-level threats, Cisco recommends that administrators use group policies or whitelists for file execution, and if dual-use tools are required by an organization, temporary access policies should be implemented. In addition, connections made between endpoints should be frequently monitored. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards