“it is a method to drop malware, which presents a wide range of options, including escalation of privilege, keylogging or other forms of surveillance, network traversal, and more. depending on how robust your monitoring capabilities are, brute force attacks can appear innocuous, l…”
T1110 Brute Force
98%
“leading tool in 2019 for brute force and credential stuffing, sentry mba. 6 this new brute forcer adds features like “low and slow” timing, ocr support, and keyword matching. figure 6a. brutus web brute forcer, the state of the art in brute force in 2000. figure 6b. sentry mba,…”
T1110 Brute Force
98%
“only way that organizations even knew they were under attack. many organizations go weeks, months or years between looking at log data, which is where the context necessary to identify this kind of attack resides. we regret to say that this is all too common in the security indus…”
T1110 Brute Force
91%
“than a minute, or 100 or more failed attempts in one 24-hour period. however, attackers realize that these kinds of behaviors are easily monitored and so have begun to alter behavior. one of the biggest threat intelligence sources we have for brute force attacks comes from our …”
T1110 Brute Force
91%
“9. sirt brute force attacks by industry as a percentage of reported 2018 sirt incidents. figure 10. sirt brute force attacks by region from reported 2018 sirt incidents. email hacks we mentioned above that 20% of the confirmed breaches in 2018 started by targeting email access. …”
T1110.004 Credential Stuffing
87%
“that we can’t possibly keep track of that many unique credential pairs, which is why we all reuse passwords quite a lot. according to a 2017 survey by another password manager, keeper security, 87% of respondents ages 18-30 and 81% of respondents ages 31 and older reuse pas…”
T1566 Phishing
87%
“it is increasingly important to train everybody on phishing techniques because it is no longer just executives or owners of sensitive intelligence who are being phished. figure 5. a screenshot of a phishing tool available for free download from github. other than inducing a victi…”
T1110.004 Credential Stuffing
86%
“, multi-part attacks. credential stuffing and brute force attacks in addition to phishing, we are seeing access attacks take less surgical forms. in these cases, attackers either try known passwords from stolen databases of credentials, or enter passwords that are known to be c…”
T1114 Email Collection
81%
“email is directly attributed as a factor in over a third of all breach reports. a typical breach notification letter goes something like “unauthorized persons used stolen credentials to gain access to emails containing confidential records …” by accident or design oversight, or…”
T1114.002 Remote Email Collection
78%
“email is directly attributed as a factor in over a third of all breach reports. a typical breach notification letter goes something like “unauthorized persons used stolen credentials to gain access to emails containing confidential records …” by accident or design oversight, or…”
T1566 Phishing
76%
“##histicated attack, and we used to laugh over the obvious grammatical errors and desultory attempts to spoof a known entity. however, it has grown significantly in sophistication, particularly with regard to targeting. highly targeted phishing using detailed intelligence to craf…”
T1078.004 Cloud Accounts
66%
“from the standpoint of an individual security practitioner, there is much that you can do to control the current manifestation of this risk. we hope that the mitigation section above provides a strong platform for that. however, the underlying questions that access attacks pose a…”
T1114.002 Remote Email Collection
64%
“, but for now, we’ll just say that mailboxes are not a good long-term storage option for private information. large-volume, unencrypted mailboxes can be an unexpected magnet for lawsuits, as they often contain information that is equal or greater in value to assets that are…”
T1566.002 Spearphishing Link
51%
“it is increasingly important to train everybody on phishing techniques because it is no longer just executives or owners of sensitive intelligence who are being phished. figure 5. a screenshot of a phishing tool available for free download from github. other than inducing a victi…”
T1566.002 Spearphishing Link
48%
“to dive into the various forms of access attacks we saw in 2018, how they work, and what kind of threat actors use them. phishing phishing is a form of social engineering in which attackers use email or another form of electronic communication to impersonate an entity whom the vi…”
T1566 Phishing
47%
“to dive into the various forms of access attacks we saw in 2018, how they work, and what kind of threat actors use them. phishing phishing is a form of social engineering in which attackers use email or another form of electronic communication to impersonate an entity whom the vi…”
T1556.006 Multi-Factor Authentication
43%
“adversaries to make connections and draw conclusions about what steps to take next. for instance, between the opm and the equifax datasets, an adversary could get a very clear picture not only of whom to target but how – whether to use blackmail, financial incentives, ideological…”
T1098.002 Additional Email Delegate Permissions
41%
“and effectively function as a sort of digital quarantine. some cloud providers have suspicious activity alert capability for their customer accounts. specifically, microsoft azure has a mechanism to flag and block the use of known bad passwords in ad cloud deployments. 9 the same…”
T1110.003 Password Spraying
40%
“log in to a large number of accounts using a small number of known passwords, or a small number of accounts using a large number of passwords. over the years, most organizations have implemented some kind of password rotation policy with the intent of reducing the risk that a lea…”
T1110.001 Password Guessing
37%
“log in to a large number of accounts using a small number of known passwords, or a small number of accounts using a large number of passwords. over the years, most organizations have implemented some kind of password rotation policy with the intent of reducing the risk that a lea…”
T1114 Email Collection
37%
“, but for now, we’ll just say that mailboxes are not a good long-term storage option for private information. large-volume, unencrypted mailboxes can be an unexpected magnet for lawsuits, as they often contain information that is equal or greater in value to assets that are…”
T1564.008 Email Hiding Rules
37%
“and effectively function as a sort of digital quarantine. some cloud providers have suspicious activity alert capability for their customer accounts. specifically, microsoft azure has a mechanism to flag and block the use of known bad passwords in ad cloud deployments. 9 the same…”
Summary
The tactic that featured most prominently in U.S. data breaches in 2018 was access attacks, such as phishing or credential stuffing. We identified the changing patterns, and provided some tips on how to prevent them.