Positive Technologies has published research on detecting and preventing attacks that involve the most popular MITRE ATT&CK® techniques [1]. The company's experts successfully used these techniques in penetration tests conducted on Russian companies in 2022. The preventive measures proposed by Positive Technologies cover 29% of the information protection requirements set forth in Order No. 17 of the FSTEC of Russia of 11 February 2013 on Approval of Requirements for the Protection of Information Not Constituting a Public Secret Contained in State Information Systems.
The research describes the 10 most popular and successful attack methods used by the Positive Technologies pentesters.
| Tactic | Technique |
|---|---|
| Initial Access | Exploit Public-Facing Application |
| Execution | Command and Scripting Interpreter |
| Lateral Movement | Use Alternate Authentication Material |
| Persistence | Application Layer Protocol |
Our experts selected ways to detect the techniques above and proposed a list of attack prevention measures. They also named the main event sources whose analysis can reveal that a particular technique is being used by attackers:
- Operating system event log, including events related to security audits and system logins
- Network traffic
- Application event log
- Domain controller event log
Anton Kutepov, Head of Information Security Community Development at Positive Technologies, elaborates: "Let’s discuss the Unsecured Credentials technique used by attackers in 79% of the companies we studied. To minimize the odds of this technique being successfully used, we recommend that companies regularly search for files containing passwords and educate users on how to store confidential information. In addition, it is important to control access to shared resources so that some folders can only be accessed by particular employees. Set a corporate rule that prohibits storing passwords in files."
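As an added example (not code from the research or from Positive Technologies), the following Python scan illustrates the kind of regular search for password files that the quote recommends: it walks a share and flags files whose name or contents look like stored plaintext credentials. The name and content patterns, the text-file extension list and the sample share layout are constructed assumptions for the demonstration.

```python
"""Credential-hygiene scan: flag files on a share that look like they hold plaintext passwords."""
import re
import tempfile
from pathlib import Path

# Filename hints that often indicate stored credentials (assumed heuristics, not from the research).
NAME_HINTS = re.compile(r"(pass(word)?|passwd|creds?|secret)", re.IGNORECASE)
# Content hint: a key=value or key: value line whose key is password-like.
CONTENT_HINTS = re.compile(r"^\s*(password|passwd|pwd|pass)\s*[:=]\s*\S+", re.IGNORECASE | re.MULTILINE)
# Only plain-text formats are read; binary office files would need a dedicated parser.
TEXT_EXT = {".txt", ".ini", ".cfg", ".conf", ".xml", ".csv", ".env", ".yaml", ".yml", ".json", ".ps1", ".bat", ".sh"}
MAX_BYTES = 1_000_000  # skip very large files to keep the scan cheap


def scan_share(root):
    """Return a sorted list of (relative_path, reason) for files that look like they hold passwords."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_HINTS.search(path.name):
            findings.append((rel, "filename"))
            continue
        if path.suffix.lower() in TEXT_EXT and path.stat().st_size <= MAX_BYTES:
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if CONTENT_HINTS.search(text):
                findings.append((rel, "content"))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share layout in a temp directory (sample data, not real credentials)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "it").mkdir()
    (root / "it" / "passwords.txt").write_text("svc_backup: hunter2\n")          # flagged by name
    (root / "it" / "app.ini").write_text("[db]\nhost=db01\npassword=Example!123\n")  # flagged by content
    (root / "hr").mkdir()
    (root / "hr" / "vacation.docx").write_bytes(b"PK\x03\x04 not a real docx")  # binary, skipped
    (root / "hr" / "readme.txt").write_text("No secrets here, just notes.\n")   # clean text
    return root


if __name__ == "__main__":
    for rel, reason in scan_share(build_sample_share()):
        print(f"{reason:9s} {rel}")
```

Findings from such a scan are the input to the access-control and user-education steps the quote describes; the script itself only reports, it does not modify or delete anything.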
To prevent and detect attacks in a timely manner, it is necessary to implement a security information and event management system (SIEM), filter network packets using firewalls of different levels (WAF, NGFW), and analyze network traffic using NTA products. In addition, it is a good idea to purchase endpoint detection and response tools (EDR and XDR solutions).
Positive Technologies Senior Information Security Analyst Yana Yurakova adds: "Based on the D3FEND [2] matrix, we identified functions of protection tools needed to prevent, detect, and respond to attacks that involve the 10 MITRE ATT&CK techniques [3]. These 10 techniques were chosen for a reason: combined with other methods, they helped our specialists to achieve their goals during penetration tests. We compared the measures proposed by our infosec experts with the official requirements and found that they cover 33 of the 113 requirements of Order No. 17 of the Federal Service for Technical and Export Control (FSTEC) of Russia. So, if you comply with official regulations not only at face value, the level of security at your company will significantly increase."
For a complete list of attack detection and prevention methods, see the research on the Positive Technologies website.
[1] A knowledge base developed and supported by the MITRE Corporation based on analysis of real APT attacks. It is a visual table of tactics, with a list of possible techniques for each tactic, that organizes and structures knowledge about APT attacks and categorizes the actions of attackers.
[2] A knowledge base of cybersecurity countermeasures.
[3] This is a minimum set of measures. Modern information protection tools have many more useful features that can identify or respond to information security incidents more quickly.