Macro ATT&CK 2024: A Five Year Perspective

New year, new data. Welcome to our continuation of Macro-level ATT&CK trending! To recap, this is the third year running that Splunk's SURGe team has compiled macro-level cyber incident data from open-sources (2022, 2023), resulting in a five-year window to analyze global attacker TTPs (Tactics, Techniques, and Procedures) based on the MITRE ATT&CK framework. We review this data annually to synthesize what is happening with cyber adversaries and their behaviors at the broadest possible level, so we can help you prioritize your detection, threat hunting, and defensive resource planning.

This post will cover topics like the most commonly used attacker techniques, changes from the past year to the top trends in attacker behaviors, deep-dives to analyze and visualize the data, and topics for blue teams to check out in their own environments.

This data is available on our GitHub, where it can easily be imported into Splunk and builds on the reporting and transparency provided by:

• Red Canary's annual Threat Detection Report,
• Mandiant's yearly M-Trends Report,
• The Center for Threat Informed Defense (CTID) Sightings Ecosystem project, and
• The Cybersecurity and Infrastructure Security Agency (CISA)'s cybersecurity alerts.

This collection of data from multiple public and private organizations helps balance any particular concentrations that may arise from specific attack-lifecycle emphasis or customer focus, providing a useful resource for comparing and contrasting perspectives, and searching for broader consensus. The dataset now contains more than 2,400 observations of a technique or a sub-technique, the frequency it was used in cyber incidents, the year of the observation, and the reporting organization. Almost every technique in the ATT&CK framework now has a datapoint to reference.

^{5-years of ATT&CK Technique & Frequency over Time}

Getting Tactical

This year we've enriched the dataset with the Tactic for each technique. Tactics are a higher-level category for Techniques. They represent the "why" of the underlying behavior. Adding the tactic enables broad analysis with regard to actors' motivations, or changes across the categories. This treemap visualization represents the percentage each technique was reported within each tactic, with the tactic scaled-to-size within the dataset.

^{ATT&CK Tactic & Technique Treemap Distribution (2020-2024)}

This graph poses new questions about the concentration of specific techniques within a tactic. How often do we see any single technique relative to the amount of options an attacker has at their disposal for accomplishing a specific objective (i.e., within a tactic)? To answer this, we can construct a simple "concentration" score. This size-adjusted metric assesses the spread or concentration of technique reporting within each tactic.

^{Concentration Score (Size-Adjusted Metric) by Tactic}

Higher scores in the output mean the activity within the tactic is concentrated around a few key techniques, whereas a low score suggests that activity is spread across many techniques with none dominating. So which techniques are super-concentrated relative to the options for a single adversary objective?:

• T1190 - Exploit-Public Facing Application
• T1133 (Enterprise) | T0822 (ICS) - External Remote Services
• T1078 - Valid Accounts

These techniques disproportionately dominate their tactics, and the causes are likely multi-fold. For starters, these are great focus areas for detections - we have many examples of malicious activity. They are also exceptionally broad categories in terms of describing specific behavior. This is not necessarily a short-fall of the ATT&CK framework, but more likely due to the great diversity between network environments, where the specifics of how remote services, account management, and the footprint of public-facing applications cannot be more specifically defined into techniques. This ambiguity means these techniques are worth special attention from Blue Teams to develop a plan best-suited for their environment.

Top-15 Techniques By Average (%) 2020-2024:

If we step back and look at the big picture across the five-year period, we can continue to trend the top techniques based on their average frequency % in cyber incidents. Additionally, we look at the values of these averages last year (2023), this year (2024), and the year-over-year (YoY) difference:

^{Average Technique % by Tactic (2020-2024) - [GoAhead D3-Bubble]}

The top mover in this year's ranking was an increase in T1083 - File and Directory Discovery, supported by reporting in ~50% of alerts from CISA, and ~40% from M-Trends 2024. This is a broad technique that fits the archetype for a high concentration-score for the Discovery tactic. To see the finer details of how the technique is implemented, we can pivot to the source reporting from the relevant CISA alerts. These reports show a versatile collection of implementations, demonstrating how the technique is used alongside ransomware deployment, overlaps with exploitation attempts via path traversal attacks, or can even be accomplished via purpose-built enumeration tooling.

Top Consensus Techniques for 2024:

In statistics, underlying outliers in data can skew the mean, misrepresenting the highest averages as true "consensus". Let's use a different method to double-check for broad consensus on the important techniques.

The following techniques were ranked in the Top-15 by at least three of four reporting organizations in 2024. As always the Splunk Threat Research Team (STRT) has your back, with multiple detections, analytic stories, and threat hunting starters for all techniques:

• T1027 - Obfuscated Files or Information
• T1003 - OS Credential Dumping
• T1047 - Windows Management Instrumentation
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1082 - System Information Discovery
• T1105 - Ingress Tool Transfer
• T1112 - Modify Registry

In previous years, we have explored using statistical correlation as a means of pivoting from popular techniques to other closely-related activities. A new Technique Inference Engine (TIE) from CTID takes this a step further, using underlying recommender systems to probabilistically connect any technique to the next most likely actions. By plugging in any or all techniques in our consensus list, the engine can extend our analysis to another level of probable activity:

^{ATT&CK Navigator Layer for TIE on Consensus Top Techniques, Heatmap by % confidence}

The techniques heat-mapped in the navigator layer are good targets for developing more sophisticated detection or threat hunting content, and understanding typical adversary patterns of behavior.

TID = 1059* (Command Line Trends)

Last year we started looking at the market-share of specific Command Line Interpreters (CLI) at the macro-level. The big three remain PowerShell, the Windows CLI, and Python, with PowerShell and Windows CLI about twice as common as Python.

^{Adversary Command Line Market Share (2020-2024)}

Blue Teams should be aware of the valid CLIs used in their environment, and consider opportunities to use intersections of top techniques like 'file & directory discovery', 'process discovery' when implemented via these different CLIs. These are likely not uncommon events. Can they be contextualized in ways that make them good threat hunting targets? Can you add them as notable events to your risk index? Don't rule out that the adversaries will bring their own tools (e.g. portable python installs, pre-compiled executables, Bring-Your-own-Interpreter).

A Deeper Look: Public-Facing App Exploitation

Last year we saw a steep increase in the use of Public-Facing Application Exploitation for Initial Access. This year we will double-down on our analysis due to the high score via our concentration metric, and its continued hold on the #1 technique spot across a five-year average.

Last year we explored exploitation activity through the underlying vulnerabilities using CVE (Common Vulnerability and Exposure) data, and CISA's KEV (Known Exploited Vulnerabilities) list. Together, these details helped contextualize the relationship between the volume of exploit attempts in our data, with the timeline and severity of known-exploited vulnerabilities. But, it turns out there is an even deeper layer for analysis, Common Weakness Enumeration (CWE).

CVE identifies specific instances of vulnerabilities found in software, while CWE describes the underlying software weaknesses that make those vulnerabilities possible. Many CVEs are caused by known CWEs. Are you lost yet? This analysis is definitely deeper in the weeds, but can guide some of our thinking with regard to the types of vulnerabilities and attacks we're most likely to see targeting our applications and services. The takeaway is that this data categorizes and pinpoints the most common, specific weaknesses adversaries are actually using to break into public-facing applications:

^{Most Frequent Categories of CWEs in KEV}

Recently on the SURGe Security Detail Podcast, Application Security expert Tanya Janca called out that "26 to 40%" of security incidents at most organizations are caused by insecure software, underscoring the criticality of software asset and vulnerability management. For more help on sorting out vulnerability prioritization, the SURGe team has a few tips.

Final Thoughts

Phew…we covered a lot of ground. We introduced a new metric called technique concentration that revealed where adversaries are disproportionately focused on specific techniques for single objectives. These techniques are often broad in options of how they are procedurally implemented. This means the techniques are opportune, but challenging, for detection, and can be good targets for threat hunting, as they often require context-dependent analysis to separate legitimate from illegitimate activity.

We reviewed the consensus top ATT&CK techniques for 2024, and changes in the top techniques by average across five years. Both serve as great-short lists for Blue Team prioritization, and regular review.

We highlighted the market share trends for attacker CLI preference, including some recommendations about how you can use the intersection of these preferences with other top techniques as points of emphasis for your detection and hunting.

Lastly, we looked into the underlying trends of the top technique, Exploitation of Public-Facing Applications. This is an area I expect SURGe will have more to say on in the future…

For more insights, Splunk the updated data for yourself - we're tired! What trends can you find?

As always, security at Splunk is a team effort. Credit to authors and collaborators: Tamara Chacon

Public link

Please use the above public link if you want to share this noodl on another website.