The use of worms, TrickBot and/or remote admin tools doesn’t account for the prevalence of these techniques entirely, but they play a major role.
Anecdotally, worms became increasingly common throughout the latter half of the 2010s. This trend was underscored first by a rash of ransomware incidents affecting hospitals in 2016, WannaCry and NotPetya outbreaks in 2017, and more recently by large-scale ransomware attacks on municipal government organizations in 2019. The 2020 Threat Detection Report not only backs this trend up with data, it also offers specific examples of how this new paradigm often plays out.
Thanks for all the adventures, TrickBot
TrickBot is frequently part of a trio of infections that starts with the Emotet trojan and ends in a Ryuk ransomware infection. In essence, Emotet infects its hosts and loads TrickBot, which steals credentials from infected machines as it moves laterally around a network. Once TrickBot has run its course, it drops the Ryuk ransomware, which encrypts all of the infected hosts on a network and demands a ransom payment to unlock them.
Given how these attacks play out, one might expect Emotet, the preeminent first stage, to appear with higher prevalence across our detections. So why is Process Injection, a technique leveraged by TrickBot to run arbitrary code through the Windows Service Host, so much more prevalent than Emotet-related behaviors like Spearphishing Attachments or PowerShell?
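One way the svchost.exe injection pattern mentioned above can be surfaced in process-creation telemetry (Sysmon Event ID 1 or an EDR process-start feed), as an added example that is not Red Canary's own detection logic or code: a legitimate service host is started by services.exe, from the System32 or SysWOW64 directory, with a `-k <group>` argument, so an instance that breaks any of those expectations is worth a closer look. The field names, the `ProcessEvent` shape and the sample events are all constructed for the example; the parent and path rules are a common heuristic that needs tuning per environment.

```python
"""Heuristic triage of abnormal svchost.exe process starts.

Constructed example (not Red Canary's code): a practitioner-style check
over process-creation events flattened to simple records.
"""
from dataclasses import dataclass
import ntpath  # Windows path handling regardless of the host OS


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Expected properties of a legitimate service host (assumed baseline;
# tune for your environment before alerting on it).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_PARENT = "services.exe"


def _basename(path):
    return ntpath.basename(path).lower()


def _dirname(path):
    return ntpath.dirname(path).lower()


def svchost_anomalies(event):
    """Return the reasons an svchost.exe start looks abnormal.

    Non-svchost events and well-formed svchost starts yield an empty list.
    """
    if _basename(event.image) != "svchost.exe":
        return []
    reasons = []
    if _basename(event.parent_image) != EXPECTED_PARENT:
        reasons.append(f"unexpected parent {event.parent_image}")
    if _dirname(event.image) not in SYSTEM_DIRS:
        reasons.append(f"non-system path {event.image}")
    if "-k" not in event.command_line.lower().split():
        reasons.append("missing -k service-group argument")
    return reasons


def triage(events):
    """Map pid -> reasons for every anomalous svchost.exe start."""
    findings = {}
    for ev in events:
        reasons = svchost_anomalies(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample telemetry: a normal service host, a service host
# spawned by a user-profile binary with no service group (the shape a
# spawn-and-inject into svchost.exe leaves behind), a copy of svchost.exe
# running outside System32, and an unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(812, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs -p",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(4120, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe",
                 r"C:\Users\alice\AppData\Roaming\abc.exe"),
    ProcessEvent(5200, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(600, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Running it reports pids 4120 and 5200 only: the first for its unexpected parent and missing `-k`, the second for its non-system path. In practice these three rules are a starting point; process-access events showing a write into svchost.exe memory are the complementary signal for the injection itself.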
Red Canary’s findings are a function of our visibility, and an increasing percentage of Red Canary’s visibility comes from incident response engagements. Many of the engagements that came to us via our incident response partners landed us in environments where Emotet had run its course, and where TrickBot subsequently infected large numbers of computers. Irrespective of the later-stage payloads, this phenomenon meant that we did not have the opportunity to detect initial access vectors or other early-stage payloads.
The above is in stark contrast to customer environments where we perform ongoing monitoring. In these cases, Red Canary is generally able to detect and automate interdiction of threats like Emotet before they can be used to gain a foothold and spread.
How to use this report
The 2020 Threat Detection Report was produced by and for security practitioners. It doesn’t merely take a high-level view of the trends and forces that shaped detection throughout 2019; each of the 10 ATT&CK techniques listed above has its own analysis section in the report. Those sections attempt to answer questions such as:
- Why and how do adversaries leverage this technique?
- What log sources do you need to collect from to observe this technique?
- What specific behavioral patterns should you look for to detect this technique?
Security leaders can use the report as a resource to understand the merits of a behavioral-based approach to threat detection and as a roadmap for setting priorities as their teams attempt to improve detection coverage. Security engineers can use the report to develop their own detection logic, and analysts can use it to help interpret the signals they receive from their security tools.