See Further with the Sightings Ecosystem

Mike Cunningham
Published in MITRE-Engenuity
5 min read · Mar 13, 2024

Written by Sean Muehlenhardt Whitley and Lauren Parker.

Our lives are driven by data. From identifying the fastest driving route home to recommended shows to watch on our preferred streaming platforms, we rely on data to make informed decisions daily. For cyber defenders, it can be difficult to find sufficient and relevant data. MITRE’s ATT&CK® Framework tells defenders what they can look for, but contextual information is needed to make informed decisions.

The Center for Threat-Informed Defense (Center) created the Sightings Ecosystem in 2022 to overcome this challenge with data-driven insight into adversary behaviors in the wild. The project created an anonymized platform where providers can submit ATT&CK-specific detection data. Each sighting contains one or more ATT&CK techniques, along with additional information about the event. The Center analyzes the data across different fields, such as regions, platforms, and privilege levels, to provide data-driven analysis on ATT&CK techniques seen in the wild.

What’s in this release?

The first Sightings report, found here, focused on the top 15 techniques and groups of techniques that were seen occurring together, or co-occurrences. For this release, we expanded the data model to contain additional analysis for sectors, regions, software, platforms, and privilege levels.

Data. Data? Data!

In partnership with AttackIQ, Cyber Threat Alliance, Fortinet, JPMorgan Chase Bank, N.A., HCA Healthcare, and Verizon Business we compiled sightings over a two-year period, between August 2021 and September 2023. Based on our data model, each sighting contains information about the time of occurrence, detection source, and ATT&CK technique(s). Optionally, a sighting could include associated software and software hash, targeted sector, country or region, targeted platform, and used privilege level.

Sightings Ecosystem at a glance

Most Commonly Seen Techniques

Out of the 353 unique techniques that were sighted, we analyzed the top 15 techniques. Across all sightings, the top 15 techniques comprised over 80% of events and spanned 9 of the 14 Enterprise ATT&CK Tactics.

Percentage of top 15 techniques

Of those, the top 5 were:

1. Command and Scripting Interpreter [T1059]

2. Obfuscated Files or Information [T1027]

3. Ingress Tool Transfer [T1105]

4. Modify Registry [T1112]

5. Indicator Removal [T1070]

This top 5 list represents parent techniques. Dive deeper on our project website and you will see that these 5 techniques comprise 14 different sub-techniques within our data. Defenders can use this list of the most prevalent techniques seen in the wild to prioritize where to focus their efforts.

Region and Sector

Defenders may opt to focus on techniques seen in their specific region or sector or upon platforms within their environment. Our data spans across 198 countries, 20 sectors, and 4 platforms.

Frequency of Sightings by country represented as a color gradient

The above image represents a world view of our data set. The darker shading represents where more sightings were seen. Within the top countries, we can further identify which sectors were the most observed in our data (we’ve separated out the US from the next 4 for visibility).

Top US sector represented in the data

Over 65% of US events occurred in the Manufacturing sector. The Administrative and Support and Waste Management and Remediation Services sector was the second most observed sector.

Top sectors from most represented countries, non-US

Conversely, the Manufacturing sector was not in the top 5 sectors of any of the other top countries. Argentina and Australia had a significant portion of sightings in the Professional, Scientific, and Technical Services sector. Brazil's and the United Arab Emirates' top 5 sectors were more evenly dispersed, with Other Services (except Public Administration) and Accommodation and Food Services as the most seen sectors, respectively. As this shows, the distribution of sectors across countries can vary significantly.

We can go even more granular with our data. What were the top techniques per sector?

Top 5 techniques for the top 10 sectors

The above diagram shows the most common techniques seen across the top 10 sectors represented in our data. The thicker the line, the more sightings of the technique. This analysis provides defenders with specific information across distinct fields to better understand their environment. For example, a manufacturing company could look at the data and make a threat-informed decision to invest in defensive capabilities against a smaller, but more prominent set of techniques.
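To make the analysis described in this section and in the data-model description above concrete, here is a small Python script that aggregates a handful of constructed sightings records: top-N parent techniques and their share of observations, sub-techniques seen under a parent, technique co-occurrences within a sighting, and the top techniques per sector. This is an added illustration, not the Center's code or schema; the field names (`technique_ids`, `sector`, `country`, `platform`, `privilege`, `source`, `ts`) and the sample records are assumptions that only loosely follow the blog's description of a sighting.

```python
"""Toy aggregation over ATT&CK sightings records (added example, not the
Center's code). Field names and sample data are assumptions, not the
Sightings Ecosystem's real schema or data."""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed sample sightings: each carries one or more technique IDs and
# optional context fields, mirroring the data model the blog describes.
SIGHTINGS: List[Dict] = [
    {"ts": "2022-03-01", "source": "edr", "technique_ids": ["T1059.001", "T1027"],
     "sector": "Manufacturing", "country": "US", "platform": "windows", "privilege": "user"},
    {"ts": "2022-04-12", "source": "edr", "technique_ids": ["T1059.003", "T1105"],
     "sector": "Manufacturing", "country": "US", "platform": "windows", "privilege": "admin"},
    {"ts": "2022-06-20", "source": "siem", "technique_ids": ["T1059", "T1112"],
     "sector": "Manufacturing", "country": "US", "platform": "windows", "privilege": "user"},
    {"ts": "2022-09-02", "source": "edr", "technique_ids": ["T1027", "T1070"],
     "sector": "Healthcare", "country": "US", "platform": "windows", "privilege": "admin"},
    {"ts": "2023-01-15", "source": "ndr", "technique_ids": ["T1105", "T1059"],
     "sector": None, "country": "AR", "platform": "linux", "privilege": None},
    {"ts": "2023-02-08", "source": "edr", "technique_ids": ["T1070.004", "T1112"],
     "sector": "Healthcare", "country": "AU", "platform": "windows", "privilege": "user"},
    {"ts": "2023-05-30", "source": "edr", "technique_ids": ["T1059.001"],
     "sector": "Finance", "country": "BR", "platform": "windows", "privilege": "user"},
    {"ts": "2023-08-11", "source": "edr", "technique_ids": ["T1027.002", "T1059.001"],
     "sector": "Finance", "country": "BR", "platform": "windows", "privilege": "admin"},
]


def parent_technique(tid: str) -> str:
    """Collapse a sub-technique ID such as T1059.001 to its parent T1059."""
    return tid.split(".")[0]


def technique_counts(sightings: List[Dict], collapse: bool = True) -> Counter:
    """Count techniques, at most once per sighting, optionally collapsed to parents."""
    counts: Counter = Counter()
    for s in sightings:
        keys = {parent_technique(t) if collapse else t for t in s["technique_ids"]}
        counts.update(sorted(keys))  # sorted so tie order does not depend on set hashing
    return counts


def top_n_share(sightings: List[Dict], n: int) -> Tuple[List[Tuple[str, int]], float]:
    """Top-n parent techniques and their share of all technique observations."""
    counts = technique_counts(sightings)
    total = sum(counts.values())
    top = counts.most_common(n)
    share = sum(c for _, c in top) / total if total else 0.0
    return top, share


def subtechniques_under(sightings: List[Dict], parent: str) -> List[str]:
    """Distinct sub-technique IDs observed under a parent (bare parent IDs excluded)."""
    subs = {t for s in sightings for t in s["technique_ids"]
            if "." in t and parent_technique(t) == parent}
    return sorted(subs)


def cooccurrences(sightings: List[Dict]) -> Counter:
    """Count unordered pairs of parent techniques that appear in the same sighting."""
    pairs: Counter = Counter()
    for s in sightings:
        parents = sorted({parent_technique(t) for t in s["technique_ids"]})
        pairs.update(combinations(parents, 2))
    return pairs


def top_techniques_by_field(sightings: List[Dict], field: str, n: int
                            ) -> Dict[str, List[Tuple[str, int]]]:
    """Top-n parent techniques per value of an optional field (e.g. sector or country)."""
    groups: Dict[str, List[Dict]] = {}
    for s in sightings:
        value: Optional[str] = s.get(field)
        if value is None:
            continue  # optional field absent: skip rather than invent a value
        groups.setdefault(value, []).append(s)
    return {v: technique_counts(ss).most_common(n) for v, ss in groups.items()}


if __name__ == "__main__":
    top, share = top_n_share(SIGHTINGS, 2)
    print("top techniques:", top, f"share={share:.0%}")
    print("sub-techniques of T1059:", subtechniques_under(SIGHTINGS, "T1059"))
    print("co-occurrences:", cooccurrences(SIGHTINGS).most_common(2))
    print("top per sector:", top_techniques_by_field(SIGHTINGS, "sector", 1))
```

Counting a technique once per sighting keeps a single noisy record with many sub-technique IDs from dominating the ranking; collapsing to parents is what lets the per-sector view stay readable, while `subtechniques_under` recovers the detail the blog refers to when it says the top 5 parents span 14 sub-techniques.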

Start with Prevention and Detection

For the most prevalent techniques we detailed several prevention and detection options. For prevention, we enumerated the NIST SP 800-53 Rev. 5 controls for the corresponding techniques and sub-techniques. The most common NIST controls were in the Access Control, System and Information Integrity, and Configuration Management families. For detection, we included relevant Cyber Analytics Repository (CAR) analytics and Sysmon and Windows Event Log (Winevtx) event IDs from Sensor Mappings for ATT&CK. The top detections focused on collecting and refining process creation logs. These preventions and detections are intended to be a starting point for defenders. We included several other resources for defenders to explore to assess their current security products and inform their security strategy.

Wrapping Up

This blog covers some of our findings and our project website includes plenty more. For future Sightings releases, we will provide updated and refined analysis to better inform the cybersecurity community. To become part of our Sightings community, please take a look at our data model and guidance for contributors. We welcome your comments and contributions to continue the Sightings Ecosystem project and enrich our analysis efforts. You are also welcome to contact the Center directly with any inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center's mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0103


Mike Cunningham is an R&D Program Manager in the Center for Threat-Informed Defense at MITRE Engenuity.