The most prominent technique is the analysis of existing security controls in order to bypass them, new insight from Recorded Future reveals

The use of methods to discover the presence of security software in exploit chains is now one of the most common tactics employed by cyber-attackers, new research suggests.

On Tuesday (March 31), Recorded Future published a report exploring the most common cyber-attacker tactics, techniques, and procedures (TTPs) in 2019.

The research is based on the Mitre ATT&CK knowledge base, a library used by the cybersecurity community to keep a finger on the pulse of emerging threats.

Recorded Future’s Insikt Group compiled a list of the top 10 most frequently referenced techniques, of which ‘security software discovery’ secured the top spot.

Defense bypass

Security software discovery (T1063) is “indicative of adversaries understanding the security controls in place in order to bypass them”, the researchers say.

Tools associated with this technique include common remote access trojans (such as njRAT) and open source administration frameworks that scan for and list protective software on a target machine.

“Since this type of activity isn’t malicious on its own, the way to approach it is not so much to keep it from happening, but to identify when it is happening and be able to differentiate it from normal network or host activity,” David Carver, manager of Recorded Future’s Analyst on Demand Services, told The Daily Swig.

“One of the best defenses against T1063 is a generally robust security approach – I doubt there is a single policy or tool that people can rely on for mitigation here.”

The detection of security software is what Recorded Future calls “an essential precursor” to defense evasion elements in an attack chain, of which one method, ‘obfuscated files or information’, has secured the second spot in the list.

Obfuscation is a tactic employed by countless malware families to avoid the scrutiny of researchers.

PowerShell modules found in tools including the Empire framework are able to run commands to encode files and strings in Base64, and malware strains using this method include Emotet and Conficker.

In third place is ‘process injection’ (T1055), a defense evasion technique that employs custom code within the address space of another process to maintain persistence on a compromised machine or as part of a privilege escalation chain.

The top 10 adversary tactics and techniques

  1. Security Software Discovery (T1063) – The use of remote access tools and open source administration frameworks used to scan and list protective software on a target machine.

  2. Obfuscated Files or Information (T1027) – Obfuscating code and files to avoid detection and analysis.

  3. Process Injection (T1055) – Hiding malicious code within the address space of another process.

  4. System Information Discovery (T1082) – The means to harvest detailed information on an operating system, hardware, and software security status.

  5. Process Discovery (T1057) – The platform-agnostic enumeration of system configurations, useful when deciding on a particular attack vector.

  6. Software Packing (T1045) – A defense evasion tactic, T1045 is linked to the use of runtime or software packers that hide unsavory files, including malicious executables.

  7. DLL Side-Loading (T1073) – DLL side-loading involves spoofed, malicious DLLs that are placed in directories to make sure they are loaded rather than legitimate resources.

  8. Data Encrypted (T1022) – The encryption of data prior to theft, used to mask the content of stolen data in network traffic.

  9. Execution Through API (T1106) – The malicious use of legitimate APIs to exfiltrate data and tamper with programs and scripts at critical levels.

  10. Standard Cryptographic Protocol (T1032) – Cryptographic protocols such as RC4 and AES can be used to conceal command-and-control traffic, a technique often used within the final stages of an attack.

Mitigating the risk

Recorded Future recommends that IT admins take a multifaceted approach to mitigating the risk of exploitation, including monitoring for changes in common processes and networks, checking for unusual or frequent command arguments, and maintaining regular patch schedules.
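As an added example (not code from the report or from The Daily Swig), a small Python detector in the spirit of Carver's advice and the mitigation list above: it runs over constructed process-creation events and flags security-software enumeration (T1063), including when it is hidden inside a Base64-encoded PowerShell command (T1027), plus the change-in-a-common-process signal of an Office application spawning a shell. The event format, the parent/child lists and the command-line patterns are assumptions for illustration.

```python
import base64
import re

# Assumed patterns for T1063-style enumeration of protective software (not from the report).
SECURITY_SOFTWARE_PATTERNS = [
    re.compile(r"SecurityCenter2", re.I),                     # WMI namespace listing AV/firewall products
    re.compile(r"(AntiVirus|AntiSpyware|Firewall)Product", re.I),
    re.compile(r"Get-Mp(Preference|ComputerStatus)", re.I),   # Defender status cmdlets
    re.compile(r"tasklist.*\|.*findstr", re.I),               # process list filtered for product names
]
# PowerShell's -EncodedCommand (and its short forms) followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE, as PowerShell expects), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None          # not valid Base64/UTF-16LE: leave it for other rules


def analyze(parent, image, cmdline):
    """Return the set of tags a single process-creation event triggers."""
    tags = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("T1027")          # obfuscated (Base64-encoded) command line
    for text in (cmdline, decoded or ""):
        if any(p.search(text) for p in SECURITY_SOFTWARE_PATTERNS):
            tags.add("T1063")      # security software discovery, plain or inside the encoding
    if parent.lower() in OFFICE_PARENTS and image.lower() in SHELLS:
        tags.add("unusual-parent")  # a document viewer spawning a shell is a change in a common process
    return tags


def scan(events):
    """Run analyze() over (event_id, parent, image, cmdline) tuples; keep only events with findings."""
    findings = {}
    for eid, parent, image, cmd in events:
        tags = analyze(parent, image, cmd)
        if tags:
            findings[eid] = sorted(tags)
    return findings


# Constructed sample events, not real telemetry. Event 3 carries an encoded Defender status query.
ENCODED = base64.b64encode("Get-MpComputerStatus".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    (1, "explorer.exe", "cmd.exe", "cmd /c tasklist"),
    (2, "winword.exe", "wmic.exe", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    (3, "cmd.exe", "powershell.exe", "powershell -nop -w hidden -EncodedCommand " + ENCODED),
    (4, "services.exe", "svchost.exe", "svchost -k netsvcs"),
]

if __name__ == "__main__":
    for eid, tags in scan(SAMPLE_EVENTS).items():
        print(eid, tags)
```

Event 1 (a bare `tasklist`) is deliberately left unflagged: as Carver notes, the activity is not malicious on its own, so the rules key on the filtered or product-specific queries rather than on any process listing.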

Carver said that it is unlikely the tactics employed across 2019 “will change too greatly” this year, as the “competing aspects of malware development and network defense improvement – which together are the most likely impetus for the 2019 trends – aren’t likely to stop anytime soon”.

“The Mitre ATT&CK knowledge base provides a common language for the cybersecurity community to use when describing adversary behaviors,” added Jon Baker, Mitre department head for adversary emulation and orchestration.

“We continue to be inspired by the ways the entire community is using ATT&CK to improve their defenses.”
