Most prevalent adversarial techniques applied in 2021 incidents

The Kaspersky Managed Detection and Response (MDR) service allows companies to strengthen their security teams by externally monitoring corporate infrastructure around the clock. According to a recently published MDR analyst report, in 2021 the service processed about 414,000 security alerts, resulting in 8479 incidents reported to customers. While analyzing those incidents, our SOC experts identified the most common attack techniques under the MITRE ATT&CK classification; they calculated the ratio of incidents based on those techniques to the total number of incidents and named the three most popular.

User Execution

This category includes all incidents in which the attacker relies on the actions of a user inside the infrastructure. That is, these are the cases when attackers force an employee to click on a malicious link or open an e-mail attachment. This group also includes incidents in which a deceived user gives an attacker remote access to corporate resources.

Spearphishing Attachment

According to the MITRE ATT&CK classification, the Spearphishing Attachment tactic involves sending e-mails with a malicious file attached. Most commonly, attackers also rely on social engineering and user execution to carry such out an attack. Typical payload includes executable files, MS Office documents, PDFs and archive files.

Exploitation of Remote Services

The Exploitation of Remote Services category includes incidents in which attackers use vulnerable services to access internal systems within a corporate network. Typically, this is used for lateral movement within the infrastructure. Attackers often target servers, but sometimes they also exploit vulnerabilities on other endpoints, including workstations.

How to protect your infrastructure from the most common techniques of the attackers

The MITRE ATT&CK website lists the most effective methods that can be used to mitigate each adversarial technique.

• To automatically prevent the unwitting participation of an employee in attack on your company’s infrastructure, it’s recommended to use security solutions with application control capabilities, which can also block network attacks, check the reputation of websites, and scan downloaded files. It’s also useful to raise employees’ security awareness, explaining to them modern adversarial tactics and techniques.
• The same protection mechanisms are effective against malicious attachments in targeted e-mails. As an additional level of protection for your corporate e-mail system, it’s also recommended to use SPF, DKIM and DMARC technologies.
• Application isolation technologies work well against Exploitation of Remote Services. However, there are certain steps that should be even higher on your priority list: it’s recommended to remove or disable all unused remote services, segment networks and systems, and minimize the level of access and permissions of service accounts. It’s also necessary to timely install security updates for critical systems, and use security solutions with behavioral detection capabilities. Additionally, it doesn’t hurt to periodically scan the network for potentially vulnerable services and use up-to-date Threat Intelligence data.

In general, to protect your corporate infrastructure from complex attacks, you should rely on the help of external experts, who can protect your infrastructure, investigate security alerts, and notify you about dangerous activity and provide response actions and recommendations.