We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!


New research from Red Canary has indicated that by developing robust detection coverage for the techniques adversaries abuse most often, security teams can achieve defense-in-depth against the many threats that leverage those techniques and the broader trends that dominate the infosec landscape.

The report is organized into three cascading sections: trends, the threats that comprise those trends and the MITRE ATT&CK® techniques that are leveraged by those threats. Each section includes extensive guidance that security teams can use to mitigate, prevent or detect the malicious activity described in the report. 

The biggest trend in 2021, not surprisingly, was ransomware. Counterintuitively, Red Canary doesn’t detect much ransomware, and the reason for that is probably the single most important takeaway from the report. Ransomware is almost always the eventual payload delivered by earlier-stage malicious software or activity; if you detect the threats that deliver the ransomware, you stop the ransomware before it arrives. So, how do you detect those threats? Focus on the techniques that adversaries are most likely to leverage. 

Graphic. Ransomware is split into three threats: cobalt strike, Qbot, and SocGholish. Cobalt Strike can be combatted with Powershell, Rundll32, and obfuscated files or info. Qbot can be defended against with ingress tool transfer, masquerading, and Rundll32. SocGholish can be fought against with masquerading, Powershell, and Ingress Tool Transfer.

Of the top 10 threats Red Canary observed in 2021, 60% are ransomware precursors (i.e., threats that’ve been known to deliver ransomware as a follow-on payload). More staggering is that a full 100% of the top ATT&CK techniques have been used during an attempted ransomware infection. 

Event

Transform 2022

Join us at the leading event on applied AI for enterprise business and technology decision makers in-person July 19 and virtually from July 20-28.

Register Here

As an example, a significant plurality of ransomware infections involve the use of a command and control (C2) product called Cobalt Strike — Red Canary’s second-ranked threat. Cobalt Strike, in turn, leverages ATT&CK techniques like PowerShell, Rundll32, Process Injection, Obfuscated Files or Information and DLL Search Order Hijacking, all of which are in the top 10. If you develop broad detection coverage for those techniques, then you’ve got a great shot of detecting Cobalt Strike and preventing ransomware infections.

The report is based on analysis of the more than 30,000 confirmed threats detected across Red Canary’s customer base in 2021. 

Read the full report by Red Canary.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.