Macro ATT&CK for a TTP Snack

As we step through 2024, it’s time for another deep dive into the macro-level cyber incident trends using the MITRE ATT&CK framework. Over the past five years, Splunk’s SURGe team has meticulously gathered and analyzed cyberattack data from various open sources, building a robust dataset that offers a comprehensive view of global attacker tactics, techniques, and procedures (TTPs). This year’s report expands on the insights from previous years (2022, 2023) by examining more than 2,400 observations. By integrating this data with leading reports such as Mandiant’s M-Trends, Red Canary’s Threat Detection Report, CTID’s Sightings Ecosystem, and CISA’s cybersecurity alerts, the goal is to help security teams prioritize their detection and threat hunting strategies effectively. To paraphrase the late, great northeastern American poet Christopher George Latore Wallace: “More data, more problems”—and understanding these problems is crucial for defending against evolving threats.

For this project, we wanted to summarize the most prevalent attacker techniques, shifts in tactics, and emerging trends that have shaped the cyber threat landscape over the last year. We’ll dig into the five-year dataset to identify key concentration areas, visualize attacker behaviors, and discuss the top techniques dominating various tactics. From analyzing commonly exploited vulnerabilities in public-facing applications, to mapping out the dominant command line interpreters used by adversaries, our goal is to provide actionable insights that blue teams can use to reinforce their defenses. By synthesizing this information, we aim to deliver a clearer picture of the current cyber threat environment, helping organizations stay one step ahead in their security efforts.

This work is about answering one question that is relevant for every role in the SOC – from CISO, to manager, to analyst: which threats do I prioritize? While there are many roads you may take in answering this question, a macro-level, data-driven analysis is always a good starting point to get you up and running. If you want a short-list of top techniques, we recommend starting with these:

• T1027 - Obfuscated Files or Information
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1082 - System Information Discovery
• T1105 - Ingress Tool Transfer

Based on the compiled data, these techniques have been used, on average, in more than 20% of incidents over the past five years, and appeared as top-ranked adversary behaviors by at least three out of four reporting sources in 2024. Start by developing an understanding of your capabilities and limitations when it comes to these techniques: Are we collecting the data that provides visibility into these actions? Do we know what “bad” looks like in the context of our environment? Can we put controls in place to mitigate our risk? Can we align these priorities across our alerting and response? Can we proactively hunt when this behavior is difficult to classify? ATT&CK is not a bingo card – having appropriate “coverage” for a technique requires a nuanced approach and understanding built on the answers to these questions!

^{5-years of ATT&CK Technique & Frequency over Time}

This data may confirm your assumptions about what is popular: “We do need to keep an eye on PowerShell…”, “We really should catch up in patching those servers…”. However, these are just a starting point for deeper analysis. In previous years we have explored how we can use statistical correlation, or recommender systems, to trace these behaviors into longer, common chains of activity, revealing the broader context and providing more opportunities for detection and hunting.

This year, we introduced a new metric focused on technique concentration. That is, where is the adversary hyper-focused on a single technique, relative to the amount of options available for accomplishing a specific objective (i.e., ATT&CK Tactic), such as:

• T1190 - Exploit-Public Facing Application
• T1133 (Enterprise) | T0822 (ICS) - External Remote Services
• T1078 - Valid Accounts

These are frequently used techniques from the tactics with the highest calculated concentration:

^{Concentration Score (Size-Adjusted Metric) by Tactic}

Defending these areas require robust, multi-disciplinary defensive efforts. That’s right: you need vulnerability management, security engineering, and incident response staff all talking to each other!

Don’t worry; we’re here to help you sleep a little easier at night. Using our analysis, you can be confident that you’re chasing threats that matter. Using Splunk’s out-of-the box detections, you can get a head start on identifying them, and using our dataset on GitHub, you can | stats on the topics that matter to you the most!