"key that allowed them to write an eval-style php web shell to the file oauth.api. - mandiant analysts suspected the final payload, the dewmode web shell, was delivered by the initial web shell. - dewmode scanned the mysql database within fta and listed available files and meta…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1041 Exfiltration Over C2 Channel (94%)
"threat actors choose to exfiltrate data and sell it for fraud purposes; others prefer to ransom data back to victims. in both cases, monetization strategies are driving ttps, as they usually do for criminal threat actors. the miscalculation in the 2021 hypothesis was underestima…"
T1486 Data Encrypted for Impact (92%)
"(figure 15). obviously, not all ransomware attacks follow this path. as an attack vector, malware probably has the greatest number of possible combinations. nonetheless, it is instructive to see the steps that one attacker took. the initial access technique was a drive-by com…"
T1190 Exploit Public-Facing Application (91%)
"but can’t end there. the preceding attacker behaviors, the methods of initial access, lateral movement, execution, persistence and exfiltration need to be controlled as well. application isolation and sandboxing this primarily takes the form of various forms of virtualization, …"
T1486 Data Encrypted for Impact (91%)
"frequently through misconfigurations, although the risk of third-party breaches materializing for cloud customers was significant as well. - more traditional attack vectors, such as web exploitation or credential stuffing attacks, were also common against cloud systems — more o…"
T1486 Data Encrypted for Impact (89%)
"##s materialized. ransomware attacks against nearly all kinds of organizations have continued to increase, and formjacking, though limited in scope, remains the clearest, most focused pattern of target attributes and attack techniques in the data. however, the growth of exfiltrat…"
T1657 Financial Theft (87%)
"frequently through misconfigurations, although the risk of third-party breaches materializing for cloud customers was significant as well. - more traditional attack vectors, such as web exploitation or credential stuffing attacks, were also common against cloud systems — more o…"
T1525 Implant Internal Image (85%)
"data exposures, and did not exfiltrate any data. the most likely explanation for the discrepancy is that both of these data sources are valid but partial. the breach data, which collects legally mandatory disclosure events, captures the increasingly complex business relationships…"
T1657 Financial Theft (84%)
"’ hypothesis from the 2021 application protection report that ransomware is a way to monetize data that is more difficult to monetize than payment cards through the traditional methods for digital fraud. the hypothesis was that if data — such as employee information, email inboxe…"
T1525 Implant Internal Image (84%)
"36 out of those 43 represent cloud storage with the wrong access control settings. of those 36, 25 are from aws s3, eight are from azure cloud storage, and three are from google cloud platform (gcp). the remaining misconfiguration events were github repositories containing data…"
T1486 Data Encrypted for Impact (82%)
"which is unsurprising given the frequency of ransomware events. after data backup, six mitigations are all tied for frequency. based on the prevalence of nonencrypting malware as well, all six of these should remain high priorities for any mature organization seeking a hardened e…"
T1486 Data Encrypted for Impact (81%)
"in 2019. as noted earlier, in 2021 a smaller proportion of these malware events were identifiable as ransomware events. of these nonransomware malware attacks, some clearly did not pursue a ransomware tactic, some were suspected but undisclosed ransomware attacks, and some were u…"
T1486 Data Encrypted for Impact (81%)
"’ hypothesis from the 2021 application protection report that ransomware is a way to monetize data that is more difficult to monetize than payment cards through the traditional methods for digital fraud. the hypothesis was that if data — such as employee information, email inboxe…"
T1048 Exfiltration Over Alternative Protocol (76%)
"data. also, a large number of attacks with unknown initial access techniques in stage 1 went on to exfiltrate in stage 2, and terminated there. this illuminates two findings that were visible but not obvious using the other models. figure 10. application-focused attack chains f…"
T1566.002 Spearphishing Link (71%)
"even more rapidly. - both malware strategies made heavy use of exfiltration methods to remove data from victims’ environments. - web exploits for cybercrime declined in prevalence, dropping from 18.9% of known breach causes in 2019 to 14.4% in 2020 and 10.4% in 2021. formj…"
T1486 Data Encrypted for Impact (69%)
"breaches dropped by nearly a third. business email compromise and ransomware, the two most common breach characteristics in both years, saw a small dip. third-party breaches decreased by nearly a third, although the bulk of third-party breach notifications in both 2020 and 20…"
T1657 Financial Theft (69%)
"two highest-frequency attack chains visible are formjacking in the center and ransomware at the top. the attack chains from 2020 featured some variation, but most of the attack chains fell into one of two types: ransomware attack chains (running across the top) and formjacki…"
T1486 Data Encrypted for Impact (67%)
", but the cloud might turn out to be the perfect environment for them. recommended mitigations among the att&ck framework’s many strengths is mitre’s mapping between attack techniques and mitigations. this makes it straightforward to pivot from the observed frequency of att…"
T1486 Data Encrypted for Impact (65%)
"this control objective can be implemented well or poorly, and it is often difficult to assess the robustness of a backup program until it is tested. many good backup programs employ several different modes, with longer-term backups air-gapped, stored on physical media off-s…"
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (65%)
"data. also, a large number of attacks with unknown initial access techniques in stage 1 went on to exfiltrate in stage 2, and terminated there. this illuminates two findings that were visible but not obvious using the other models. figure 10. application-focused attack chains f…"
T1080 Taint Shared Content (63%)
"which is unsurprising given the frequency of ransomware events. after data backup, six mitigations are all tied for frequency. based on the prevalence of nonencrypting malware as well, all six of these should remain high priorities for any mature organization seeking a hardened e…"
T1657 Financial Theft (58%)
"##s materialized. ransomware attacks against nearly all kinds of organizations have continued to increase, and formjacking, though limited in scope, remains the clearest, most focused pattern of target attributes and attack techniques in the data. however, the growth of exfiltrat…"
T1078.004 Cloud Accounts (57%)
"##promised and the dangers of declaring victory too soon. in one case, it took a few months for the breached organization to realize they’d been hit a second time, indicating that if they tried to improve detection capabilities after the first attack, they didn’t succeed. clo…"
T1190 Exploit Public-Facing Application (57%)
"the public. the site would query the third-party feed, which returned information about the person. crucially, the feed also returned the person’s state driver’s license number, which did not appear on the screen but in the page’s html, where bots could scrape it. one bre…"
T1486 Data Encrypted for Impact (56%)
"in the cloud. the necessary virtualization layers and growing ecosystem for automation and orchestration mean that even dynamic environments full of ephemeral resources can be properly managed — as long as organizations recognize the new paradigm as truly new and build these mana…"
T1486 Data Encrypted for Impact (55%)
"partly due to trends within malware tactics, which will be covered in the “malware growth” section. however, this apparent trend downward in ransomware also provides a clue as to why numbers dipped across the board. in many breach disclosures in 2021, the organization disclosed…"
T1048 Exfiltration Over Alternative Protocol (53%)
"att&ck tactics leading to u.s. data breaches, 2020-2021. note growth in exfiltration as well as impact and execution to a lesser degree (n = 455). this view also demonstrates that exfiltration grew significantly more than any other tactic between 2020 and 2021. impact grew…"
T1486 Data Encrypted for Impact (42%)
"att&ck tactics leading to u.s. data breaches, 2020-2021. note growth in exfiltration as well as impact and execution to a lesser degree (n = 455). this view also demonstrates that exfiltration grew significantly more than any other tactic between 2020 and 2021. impact grew…"
T1078.004 Cloud Accounts (40%)
"list, given how ransomware approaches have changed the threat landscape since the pandemic began. this control objective can shut down a huge number of attack vectors, five of which were observed in the 2021 data: exploit public-facing application, automated exfiltration, exfi…"
T1665 Hide Infrastructure (40%)
"indicate that third-party data loss is the most likely source of a legally significant cloud incident. - open-source intelligence and news reports indicate that access control misconfiguration is more likely to lead to data exposure than any other cause. - scans of ip address…"
T1657 Financial Theft (37%)
"breaches dropped by nearly a third. business email compromise and ransomware, the two most common breach characteristics in both years, saw a small dip. third-party breaches decreased by nearly a third, although the bulk of third-party breach notifications in both 2020 and 20…"
T1567 Exfiltration Over Web Service (37%)
"variants. while automated exfiltration is common in malware, none of the breach disclosures reporting ransomware mentioned this technique, so for this study, automated exfiltration is limited to formjacking or other web exploits. figure 13. att&ck techniques leading to u.s. da…"
T1048 Exfiltration Over Alternative Protocol (36%)
"variants. while automated exfiltration is common in malware, none of the breach disclosures reporting ransomware mentioned this technique, so for this study, automated exfiltration is limited to formjacking or other web exploits. figure 13. att&ck techniques leading to u.s. da…"
T1657 Financial Theft (35%)
"variants. while automated exfiltration is common in malware, none of the breach disclosures reporting ransomware mentioned this technique, so for this study, automated exfiltration is limited to formjacking or other web exploits. figure 13. att&ck techniques leading to u.s. da…"
T1657 Financial Theft (33%)
"partly due to trends within malware tactics, which will be covered in the “malware growth” section. however, this apparent trend downward in ransomware also provides a clue as to why numbers dipped across the board. in many breach disclosures in 2021, the organization disclosed…"
T1190 Exploit Public-Facing Application (30%)
"effectiveness coefficient. this is intended to incorporate both coverage and frequency to provide a more balanced prioritization. table 3. mitigation recommendations ranked by arbitrary effectiveness coefficient (frequency x coverage). after backups, network segmentation and re…"
Summary
Learn how the threat landscape evolved in 2021 so you can tune your defenses to suit.