Revisiting the Big Picture: Macro-level ATT&CK Updates for 2023

Based on the popularity of last year's Macro-level ATT&CK Trending, we’ve updated the dataset for another year’s worth of insights. This data summarizes the frequency of MITRE ATT&CK technique observations across thousands of cyber incidents over the past four years. In this post, we’ll look at the contents of the updated dataset, using Splunk to pull out trends based on this ultra large-scale attacker landscape!

For this analysis, we've compiled four concurrent years of threat reporting, spanning 2020-2023, from some of the most trusted sources of threat intelligence:

• CISA Alerts & Advisories (2020-2023)
• The Center for Threat Informed Defense (CTID) Sightings Ecosystem (2022)
• Mandiant M-Trends Reports (2020-2023)
• Red Canary Threat Detection Reports (2020-2023)

^{ATT&CK Data in 3-D: by Technique ID, Frequency Percentage, Year}

Overall, this data contains references to the frequency of 462 ATT&CK techniques and sub-techniques from real-world cyber incidents. Below we can see how the concentration of these techniques fall across the different ATT&CK matrices overall, where “Referenced” represents the distinct count of techniques observed in reporting, and “Total” is the total count of techniques or sub-techniques in the particular ATT&CK matrix:

2023

Let's start with the latest updates, since the start of 2023. Everyone agrees: you should prioritize your defenses with regard to these four techniques, which were reported as consensus, top-used attacker techniques in 2023.

Top Consensus Technique Reporting in 2023

The Splunk Threat Research Team has you covered, with some great ideas on how to detect or hunt for each of these techniques, including a deep-dive on PowerShell detections.

PowerShell is once again at the top of the list for Command and Scripting Interpreter of choice. The data shows Windows Command Shell has been a close-second over the past four years, with some Python-based activity a distant third. Command and Scripting Interpreters are rich tools for attackers because they facilitate incredible functionality, like modifying the host operating system, launching scripts, executing payloads, or pulling down tools and files from the web.

^{Command and Scripting Interpreter Popularity (2020-2023)}

Command line activity logs are a critical source for detecting malicious activity in your network, and a very rich source for threat hunting.

Web Exploitation Rising?

T1190 Exploit Public-Facing Application was the highest reported Initial Access technique in 2023. Largely due to the technique being cited in ~60% of ATT&CK-mapped CISA alerts during the past year. 2023 was also the year of some persistent and critical vulnerabilities (e.g., CVE-2023-35708, CVE-2023-35078), and some high profile intrusions beginning with web-exploitation for initial access, e.g. Volt Typhoon.

^{Average Frequency of Initial Access Methods (2020-2023)}

By checking the CVE details, we can see a trend of a rising number of CVEs (Common Vulnerabilities and Exposures), which have steadily increased year-over-year for the past decade, particularly in the vein of cross-site scripting and memory-corruption vulnerabilities.

^{Total CVEs (2013-2023) [source: cvedetails.com]}

^{Total CVE’s by Type (2013-2023) [source: cvedetails.com]}

While CVEs are rising however, the count of new Known Exploited Vulnerabilities (KEV) is on track to be lower in 2023 (121 known exploited vulnerabilities as of September), than last year (557 known exploited vulnerabilities). The complete KEV data shows that most entries have a CVSS score above “4.0”. Known exploited vulnerabilities however, are otherwise pretty evenly distributed across CVSS scores.

^{Days between CVE release and Known Exploit vs. CVSS Score}

By enriching the KEV using the CIRCL API, we can use added date metadata to measure the length of the gap between when a vulnerability is disclosed, and when it is known to be actively exploited. When assessing this length of time however, we must consider that older vulnerability data will be overestimated, since the KEV only began in 2021. Using only the most recent year to counter this, the average gap from CVE to KEV entry is approximately 7 days.

These ideas about vulnerability exploitation are interesting for now, but we can’t make any firm conclusions about the overall population without more reports and diversity of data sources. Besides, we have other techniques to discuss!

Correlation Revisited

New data offers new insights into the possible correlation between ATT&CK techniques. By correlating how often techniques are cited within the same report, we can make some inferences about how attackers are operating, and how their activities may be related.

This heatmap visualizes the correlative relationship between all ATT&CK techniques cited in CISA alerts over the past four years. A higher correlation coefficient (yellow) means the techniques are often reported together. The first thing that jumps out is the cluster of highly correlated activity in the top left. These are ATT&CK for ICS techniques, which represent attackers conducting operations against Industrial Control Systems. At first, the activity looks largely disparate and self-contained from Enterprise ATT&CK techniques, but at a closer look, the highlighted vertical and horizontal lines in the “frame” around Enterprise techniques do reveal some overlap from adversaries reportedly crossing over from IT to OT, or using established enterprise techniques to facilitate ICS attacks.

^{ATT&CK Technique Correlation Matrix Heatmap}

These techniques present opportunities to detect attackers by looking for broader patterns of activity, or applying traditional IT-focused detections to activities in the OT enclave. These are the highest correlated ATT&CK techniques with ICS-focused attacks:

• T1584.004 Compromise Infrastructure: Server
• T1570 Lateral Tool Transfer
• T1560 Archive Collected Data
• T1555.003 Credentials from Password Stores: Credentials from Web Browsers
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1505.003 Server Software Component: Web Shell
• T1187 Forced Authentication
• T1082 System Information Discovery
• T1083 File and Directory Discovery
• T1033 System Owner / User Discovery
• T1036 Masquerading
• T1070.001 Indicator Removal on Host: Clear Windows Event Logs
• T1070.004 Indicator Removal on Host: File Deletion
• T1003.001 OS Credential Dumping: LSASS Memory
• T1003.003 OS Credential Dumping: NTDS

The Big Picture: 2020-2023

Taking a step back, we can look at the highest average frequency of ATT&CK techniques as reported over the past four years. Overall, the most frequently cited techniques have held pretty consistent with the addition of 2023 data:

Conclusions

Another cyber-year has gone by. Attackers have gotten a little older. Maybe they’re settling into their ways. Have the top sighted techniques stabilized, or will we see these new trends continue? Will public-facing application exploitation permanently overtake spear phishing as the primary means attackers use to gain initial access? Will Python-based malware experience an exploitation renaissance in 2024? Find out next year!

For more insights, check out some of the angles we explored last year, the RSA presentation, or explore the updated data for yourself! What trends can you find?

As always, security at Splunk is a family business. Credit to authors and collaborators: Johan Bjerke, Audra Streetman, and Dean Luxton.