TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

2021 Application Protection Report: Of Ransom and Redemption

2021-05-18

ATT&CK techniques detected

38 predictions
T1486 · Data Encrypted for Impact · 98%
“a significant (and perhaps still underestimated) vector, the ability to pivot from a vulnerability like this into the full-blown compromise that happened to this campaign’s real targets is not common. SolarWinds is, therefore, a hugely significant event from which we all mu…”

T1486 · Data Encrypted for Impact · 98%
“…ypt only working data and leave operating systems alone. Some encrypt everything, shutting down all operations. In both cases, once the actual encryption is deployed, it’s probably time to bring out the backups, after performing some forensics to find out which backup is clea…”

T1486 · Data Encrypted for Impact · 96%
“sensitive information to the dark web for greater leverage. Other than the ransomware events, stage 4 tactics and techniques included a small number of events with alternate attack chains: a handful in which the exfiltration occurred prior to encryption, and another handful in w…”

T1486 · Data Encrypted for Impact · 96%
“to identify the moment of infection with reasonable certainty. Attackers have also recognized that the safest way to ensure victims pay the ransom is to also exfiltrate data from the environment. This gives attackers a bit of leverage in their negotiations. Attackers tend to give…”

T1486 · Data Encrypted for Impact · 96%
“insurance, educational services, and health care and social assistance — were hit harder than retail, as was the sector that represents a bit of a hodgepodge, professional, scientific, and technical services. This sector includes law firms, accountants, and consultants of all str…”

T1486 · Data Encrypted for Impact · 96%
“…es, it has significant depth, and it also would potentially mitigate five separate techniques that we observed among the breaches. Outside of our own data, it is also a broad mitigation approach within the ATT&CK framework itself, covering 35 techniques, not counting subtechn…”

T1657 · Financial Theft · 93%
“least hard with ransomware. What this tells us is that the innovative part of ransomware is in monetizing stolen data — not malware. The kinds of information that attackers are stealing in ransomware events are employee paperwork, emails, and maybe the odd bit of financial or per…”

T1110.003 · Password Spraying · 92%
“, and password spraying all trying to weasel their way in. You’ll observe the full range of human endeavor, from stupid login attempts that seem to make no sense, like admin/admin combinations, to freshly stolen spear-phished credentials from your own organization. Web logi…”

T1486 · Data Encrypted for Impact · 91%
“the approach that it is equally important to understand why attackers do things as well as how. From a delivery standpoint, ransomware isn’t substantively different from a keylogger or cryptominer. Rather, it is the nature of the encrypted data and the characteristics of the vi…”

T1486 · Data Encrypted for Impact · 86%
“compete with Amazon. Ransomware Places Cryptocurrency in Unwelcome Light We also note in the “2020 Data Breach Analysis” section that the relationship between nonfinancial information and ransomware suggests that ransomware is more innovative on a monetization level than at mal…”

T1486 · Data Encrypted for Impact · 84%
“…ware needs to be deployed inside an environment, which raises questions about how it got there in the first place. We explore this further in the “Attack Chain Analysis” section. Figure 3. Data breaches by cause, 2006-2020 (unknowns removed). In 2020, ransomware surged in…”

T1657 · Financial Theft · 84%
“insurance, educational services, and health care and social assistance — were hit harder than retail, as was the sector that represents a bit of a hodgepodge, professional, scientific, and technical services. This sector includes law firms, accountants, and consultants of all str…”

T1486 · Data Encrypted for Impact · 83%
“still the responsibility of the entity doing the notifying. Out of the 142 events like this, 117 were associated with the Blackbaud ransomware event, which we explore in the “Blackbaud” sidebar. The remainder of third-party data-loss events in our data set came from a compr…”

T1657 · Financial Theft · 83%
“disinformation. Formjacking/Payment Card Skimming In the United States, the impact of stolen payment cards falls on the vendors. The Fair Credit Billing Act limits customer liability for fraudulent charges as long as customers report them within a reasonable timeframe.[14] When …”

T1566.002 · Spearphishing Link · 82%
“. Given the higher frequency of phishing being called out in disclosures, and the general prevalence of credential stuffing, we’re inclined to say that most of those 41 BECs were probably, but not definitively, credential stuffing. Authentication attacks at the government and p…”

T1486 · Data Encrypted for Impact · 80%
“least hard with ransomware. What this tells us is that the innovative part of ransomware is in monetizing stolen data — not malware. The kinds of information that attackers are stealing in ransomware events are employee paperwork, emails, and maybe the odd bit of financial or per…”

T1566.002 · Spearphishing Link · 79%
“focused attack chain visualization showing only attacks against applications. With this view, it becomes possible to pick out tactics and techniques that occur often, such as executing scripts or malware, encrypting data (that is, ransomware), and phishing. Stage 1 analysis loo…”

T1110.004 · Credential Stuffing · 76%
“stage 1 technique, figuring in 16% of all application attacks, between undifferentiated phishing, phishing with a link, and phishing with an attachment. We also found that internal spear phishing was a prominent technique for lateral movement in later stages of attacks but was n…”

T1657 · Financial Theft · 72%
“the approach that it is equally important to understand why attackers do things as well as how. From a delivery standpoint, ransomware isn’t substantively different from a keylogger or cryptominer. Rather, it is the nature of the encrypted data and the characteristics of the vi…”

T1048 · Exfiltration Over Alternative Protocol · 63%
“stage 3 tactics were dominated by a single goal: exfiltrating data. After gaining initial access and executing in the prior stages, the vast majority of ransomware attacks exfiltrated data in this stage prior to encrypting data in stage 4. We also noted many notifications that c…”

T1486 · Data Encrypted for Impact · 62%
“a single event from start to finish, but in return we gained the ability to map the entire breach landscape in a single form, as shown in Figure 7. Figure 7. Attack chain visualization for the entire data set. Note the large number of events that start with unknown or terminate i…”

T1486 · Data Encrypted for Impact · 59%
“the vast majority of attacks we talk about, money. Attackers have always striven to find the most profitable buyers for stolen data. They have now optimized this process to the point where they sell our data back to us. Ransomware is best understood as a market phenomenon, not a …”

T1566.002 · Spearphishing Link · 52%
“techniques. Between 2006 and 2017, web exploits were the predominant cause of data breaches, followed by access breaches (credential stuffing, brute force, phishing, and other social engineering). From 2018 to 2019, access breaches were by far the most prevalent breach cause we…”

T1566.002 · Spearphishing Link · 49%
“, credential stuffing or phishing for everyone else. This was the clear pattern in 2018 and 2019. In 2020, however, a significant number of notifications went out for other platforms and other reasons. While formjacking made up 87% of web breaches in 2019, it only accounted for …”

T1566.002 · Spearphishing Link · 48%
“.[2] This taxonomy between what an attacker is trying to accomplish (tactic) and how they accomplish it (technique) is important for taking advantage of ATT&CK’s strengths, and this distinction will feature prominently in our attack chain analysis. Also of note is that, fo…”

T1566 · Phishing · 46%
“focused attack chain visualization showing only attacks against applications. With this view, it becomes possible to pick out tactics and techniques that occur often, such as executing scripts or malware, encrypting data (that is, ransomware), and phishing. Stage 1 analysis loo…”

T1566.002 · Spearphishing Link · 46%
“low-quality cloud storage service, most email inboxes include at least some sensitive information, such as tax documents from correspondence with human resources, customer information, and occasionally banking information. When a mail breach happens, exposures of this type are …”

T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · 40%
“stage 3 tactics were dominated by a single goal: exfiltrating data. After gaining initial access and executing in the prior stages, the vast majority of ransomware attacks exfiltrated data in this stage prior to encrypting data in stage 4. We also noted many notifications that c…”

T1657 · Financial Theft · 39%
“compete with Amazon. Ransomware Places Cryptocurrency in Unwelcome Light We also note in the “2020 Data Breach Analysis” section that the relationship between nonfinancial information and ransomware suggests that ransomware is more innovative on a monetization level than at mal…”

T1657 · Financial Theft · 39%
“in the application attacks was, predictably, ransomware. Considering that a significant number of the ransomware notifications were removed from this analysis because of the third party, this illustrates the degree to which ransomware has exploded in popularity. After this, the n…”

T1657 · Financial Theft · 37%
“the vast majority of attacks we talk about, money. Attackers have always striven to find the most profitable buyers for stolen data. They have now optimized this process to the point where they sell our data back to us. Ransomware is best understood as a market phenomenon, not a …”

T1657 · Financial Theft · 36%
“. - Encrypt traffic using transport-level security. - Don’t expose more data than necessary. - Enforce rate limiting. - Always validate user input. Strategic Conclusions In the course of processing an entire year’s worth of security intelligence that occurred at different l…”

T1486 · Data Encrypted for Impact · 35%
“in the application attacks was, predictably, ransomware. Considering that a significant number of the ransomware notifications were removed from this analysis because of the third party, this illustrates the degree to which ransomware has exploded in popularity. After this, the n…”

T1080 · Taint Shared Content · 35%
“sensitive information to the dark web for greater leverage. Other than the ransomware events, stage 4 tactics and techniques included a small number of events with alternate attack chains: a handful in which the exfiltration occurred prior to encryption, and another handful in w…”

T1566.002 · Spearphishing Link · 34%
“injection attacks, known as formjacking. Formjacking accounted for more than half of breaches in the retail sector, but also targeted any organization that took payment information over the web, whether it was selling a product or only taking payments. - Business email compromise…”

T1657 · Financial Theft · 32%
“attack against ecommerce organizations known as formjacking, cloud incidents, and API attacks. We explore the outcomes of these attacks in the “Impacts” section as well as the 2020 explosion in ransomware. Finally, we conclude with recommendations for controls based on the quan…”

T1586.002 · Email Accounts · 31%
“low-quality cloud storage service, most email inboxes include at least some sensitive information, such as tax documents from correspondence with human resources, customer information, and occasionally banking information. When a mail breach happens, exposures of this type are …”

T1566 · Phishing · 31%
“in the application attacks was, predictably, ransomware. Considering that a significant number of the ransomware notifications were removed from this analysis because of the third party, this illustrates the degree to which ransomware has exploded in popularity. After this, the n…”

Summary

The 2021 version of F5’s continuing analysis of the application security threat landscape explores ransomware, payment card theft, and account takeover.