| property | value |
| --- | --- |
| tags | mitre-attck,pkm-pocket-pipeline,splunk |
| url | |
| original_word_count | 1004 |
Article Excerpt
Based on the popularity of last year's Macro-level ATT&CK Trending, we’ve updated the dataset for another year’s worth of insights. This data summarizes the frequency of MITRE ATT&CK technique observations across thousands of cyber incidents over the past four years.
Long Summary
This article presents an updated dataset of MITRE ATT&CK technique observations, summarizing how often each technique was reported across thousands of cyber incidents over the past four years. The data records the frequency of 462 ATT&CK techniques and sub-techniques from real-world incidents. For 2023 the Splunk Threat Research Team identifies four consensus top-used attacker techniques: PowerShell, Windows Command Shell, Python-based activity, and Exploit Public-Facing Application. The data also shows that the count of new Known Exploited Vulnerabilities (KEV) catalog entries is on track to be lower in 2023 than in 2022, and that the average gap from CVE to KEV entry is approximately 7 days.
The article also provides a heatmap visualizing the correlation between all ATT&CK techniques cited in CISA alerts over the past four years. It shows that ICS-focused attacks are largely self-contained and distinct from Enterprise ATT&CK techniques, with some overlap where adversaries reportedly cross over from IT into OT or use established enterprise techniques to facilitate ICS attacks. The Enterprise techniques most strongly correlated with ICS-focused attacks are:
- T1584.004 Compromise Infrastructure: Server
- T1570 Lateral Tool Transfer
- T1560 Archive Collected Data
- T1555.003 Credentials from Password Stores: Credentials from Web Browsers
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1505.003 Server Software Component: Web Shell
- T1187 Forced Authentication
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1033 System Owner / User Discovery
- T1036 Masquerading
- T1070.001 Indicator Removal on Host: Clear Windows Event Logs
- T1070.004 Indicator Removal on Host: File Deletion
- T1003.001 OS Credential Dumping: LSASS Memory
- T1003.003 OS Credential Dumping: NTDS
Finally, the article looks at which ATT&CK techniques have the highest average reported frequency over the past four years. With the 2023 data added, the most frequently cited techniques have remained fairly consistent: PowerShell, Windows Command Shell, Python-based activity, and Exploit Public-Facing Application. The article concludes by inviting readers to explore the updated data for themselves.
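The two analyses summarized above, the technique ranking by average frequency across years and the technique-to-technique correlation that the heatmap visualizes, are straightforward to reproduce on any incident-to-technique dataset. The Python script below is an added example, not code from the Splunk post or its dataset: it ranks techniques by their per-year citation rate averaged over years, and computes the pairwise phi coefficient (Pearson correlation over 0/1 presence vectors) that a co-occurrence heatmap plots. The incident rows are constructed for illustration; the technique IDs are real ATT&CK IDs used only as labels, and none of the output reproduces the article's numbers.

```python
"""Added example: miniature version of the frequency and correlation analyses
summarized above. The incident rows below are constructed for illustration;
they are not the Splunk dataset and produce none of the article's numbers."""
from collections import Counter
from math import sqrt

# Constructed sample: (year, set of ATT&CK technique IDs cited in one incident/alert).
SAMPLE_INCIDENTS = [
    (2020, {"T1059.001", "T1059.003", "T1190", "T1003.001"}),
    (2020, {"T1059.001", "T1190", "T1505.003"}),
    (2021, {"T1059.003", "T1059.006", "T1190"}),
    (2021, {"T1059.001", "T1059.003", "T1082"}),
    (2022, {"T1059.001", "T1059.006", "T1570", "T1003.003"}),
    (2022, {"T1059.003", "T1190", "T1505.003", "T1570"}),
    (2023, {"T1059.001", "T1059.003", "T1059.006", "T1190"}),
    (2023, {"T1059.001", "T1190", "T1570", "T1003.001"}),
]


def all_techniques(incidents):
    """Sorted list of every technique ID cited at least once."""
    return sorted(set().union(*(techs for _, techs in incidents)))


def technique_counts_by_year(incidents):
    """{year: Counter(technique -> number of incidents that year citing it)}."""
    by_year = {}
    for year, techs in incidents:
        by_year.setdefault(year, Counter()).update(techs)
    return by_year


def average_frequency(incidents):
    """Rank techniques by their per-year citation rate averaged across years.

    Averaging yearly rates (rather than pooling raw counts) stops a year with
    many more incidents from dominating the ranking, which is what you want
    when comparing 'top techniques' across a multi-year dataset.
    Returns [(technique, average_rate), ...] sorted high to low, ties by ID.
    """
    by_year = technique_counts_by_year(incidents)
    incidents_per_year = Counter(year for year, _ in incidents)
    years = sorted(by_year)
    ranked = []
    for tech in all_techniques(incidents):
        # Counter returns 0 for a technique absent in a given year.
        rates = [by_year[y][tech] / incidents_per_year[y] for y in years]
        ranked.append((tech, sum(rates) / len(years)))
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


def presence_vectors(incidents):
    """One 0/1 vector per technique: position i is 1 if incident i cites it."""
    return {tech: [int(tech in techs) for _, techs in incidents]
            for tech in all_techniques(incidents)}


def pearson(xs, ys):
    """Pearson r; on 0/1 vectors this is the phi coefficient used for
    co-occurrence heatmaps. A constant column (technique present in every
    incident or in none) has no defined correlation, so report 0.0."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def correlation_matrix(incidents):
    """{technique_a: {technique_b: r}} over all technique pairs."""
    vecs = presence_vectors(incidents)
    techs = sorted(vecs)
    return {a: {b: 1.0 if a == b else pearson(vecs[a], vecs[b]) for b in techs}
            for a in techs}


def most_correlated_with(incidents, target, top_n=5):
    """Techniques most likely to appear alongside `target`, best first."""
    row = correlation_matrix(incidents)[target]
    others = [(t, r) for t, r in row.items() if t != target]
    return sorted(others, key=lambda kv: (-kv[1], kv[0]))[:top_n]


def heatmap_rows(incidents):
    """Text rendering of the matrix: header row, then one row per technique."""
    matrix = correlation_matrix(incidents)
    techs = sorted(matrix)
    rows = [" " * 10 + " ".join(f"{t:>10}" for t in techs)]
    for a in techs:
        rows.append(f"{a:<10}" + " ".join(f"{matrix[a][b]:>10.2f}" for b in techs))
    return rows


if __name__ == "__main__":
    print("Average per-year citation rate:")
    for tech, rate in average_frequency(SAMPLE_INCIDENTS):
        print(f"  {tech:<10} {rate:.3f}")
    print("\nMost correlated with T1570 Lateral Tool Transfer:")
    for tech, r in most_correlated_with(SAMPLE_INCIDENTS, "T1570", top_n=3):
        print(f"  {tech:<10} r={r:+.2f}")
    print("\nCorrelation heatmap (phi):")
    print("\n".join(heatmap_rows(SAMPLE_INCIDENTS)))
```

Two design points carry over to real data: rank by per-year rates rather than pooled counts, otherwise a year with unusually many reports dominates the "top techniques" list, and treat a correlation of 0.0 from a constant column as "undefined" rather than "uncorrelated" when reading the heatmap, since a technique cited in every alert (or none) cannot correlate with anything.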
Short Summary
📓 Revisiting the Big Picture: Macro-level ATT&CK Updates for 2023
👉🏽 Based on the popularity of last year's Macro-level ATT&CK Trending, we’ve updated the dataset for another year’s worth of insights. This data summarizes the frequency of MITRE ATT&CK technique observations across thousands of cyber incidents over the past four years.
👉🏽 Overview of the updated dataset of MITRE ATT&CK techniques observed in real-world cyber incidents.
👉🏽 Identification of the top-used attacker techniques in 2023.
👉🏽 Count of new Known Exploited Vulnerabilities (KEV) entries on track to be lower in 2023 than in 2022.
👉🏽 Average gap from CVE to KEV entry is approximately 7 days.
👉🏽 Heatmap visualizing the correlation between ATT&CK techniques cited in CISA alerts.
👉🏽 ICS-focused techniques are largely distinct from Enterprise ATT&CK techniques.
👉🏽 Some overlap where adversaries cross over from IT to OT or use enterprise techniques to facilitate ICS attacks.
👉🏽 Enterprise ATT&CK techniques most strongly correlated with ICS-focused attacks.
👉🏽 Techniques with the highest average reported frequency over the past four years.
👉🏽 Encouragement to explore the updated data for a deeper understanding.
🔗 source link: https://www.splunk.com/en_us/blog/security/revisiting-the-big-picture-macro-level-att-ck-updates-for-2023.html
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/revisiting-the-big-picture-macro-level-att-ck-updates-for-2023
#MITREATTACK #CyberIncidents #ThreatResearch #ICSAttacks #DataAnalysis