Multi Source Analysis of Top MITRE ATT&CK Techniques
A collaborative report between the Cyentia Institute and TidalCyber
MultiSource Analysis of the Top MITRE ATT&CK Techniques by Cyentia and TidalCyber tackles a fundamental question in cybersecurity: How do adversaries attack, and which defenses should we prioritize? This report acknowledges the growing availability of data on MITRE ATT&CK techniques in the cybersecurity industry. However, it highlights the challenge of achieving consensus among these sources due to variations in visibility, metrics, and reporting methods.
To address this issue, the study comprehensively analyzes data from 22 public sources to identify common trends. The ultimate aim is to empower organizations in building more threat-informed and effective cybersecurity defenses. MultiSource Analysis of the Top MITRE ATT&CK Techniques is an essential resource for anyone in the cybersecurity field looking to enhance their understanding of prevalent attack techniques and improve their security strategies.
Key Findings
- Lack of Reporting: A significant portion of ATT&CK techniques (one-third) was not reported by the sources studied within the timeframe. Conversely, 23% of these techniques were reported by at least five sources, indicating variability in coverage.
- Sub-Technique Reporting: An overwhelming 85% of ATT&CK sub-techniques were never reported by any source. Only 1% of sub-techniques received reports from at least five sources, underlining the challenge of sub-technique visibility.
- Variability by Source Type: Managed service or incident response providers reported two to three times more techniques compared to other source types, indicating differences in reporting capacity.
- Source Coverage: The coverage of ATT&CK techniques varied by tactics. It was most comprehensive for tactics spanning from Initial Access to Defense Evasion. However, there was less visibility for tactics related to Reconnaissance & Resource Development.
- Most Reported Techniques: Valid Accounts (T1078) and Exploit Public-Facing Application (T1190) emerged as the most frequently reported and observed techniques used by adversaries for Initial Access, highlighting their prevalence.
- Challenges for Security Professionals: The report identifies challenges faced by security professionals and analysts in leveraging ATT&CK, including the rapid pace of updates, ambiguity in tactic-technique relationships, under-reporting of sub-techniques, and a lack of reporting by specific segments, such as industries or ICS environments.
Read the report to see who provides the most comprehensive reporting of techniques and sub-techniques, and who closely follows in the top five!
The figure shows varying source reporting across tactics, with sparse coverage for pre-intrusion tactics, see the full figure and analysis in the report!
The chart highlights substantial variations in reported frequency, but these differences often result from non-comparable data.
The comparison of technique-level coverage involves tallying the number of reporting sources for each technique, revealing that a dozen or so techniques have notably higher source-level coverage
Ready to delve into the intricate world of MITRE ATT&CK? Discover more about these findings and their implications by downloading the full report now.
Our recent analysis of MITRE ATT&CK techniques uncovered significant gaps in reporting, emphasizing the need for a more comprehensive threat-informed defense. The findings from the report underscore the challenges within the cybersecurity landscape, including rapid updates, tactic-technique ambiguities, and the underreporting of sub-techniques.
To empower your cybersecurity strategies, download our full report for an in-depth understanding of ATT&CK techniques.
Exploring a Multi-Source Analysis of Top MITRE ATT&CK Techniques
Rewatch the companion webinar with Wade Baker and Frank Duff.
Get Involved
We plan to expand this research with future studies. If you’re interested in sponsoring or contributing data, please reach out!
Stay Up-To-Date With Cyentia!
Sign-up to be notified when we release new research!
In the ever-evolving cyber security landscape, it’s more important than ever to stay up-to-date with the latest cyber security research and analysis so you can be better prepared. Our IRIS series is a rapidly growing series of reports dedicated to clearing away these fears by leveraging real-world data and rigorous analysis focused on key aspects and challenges of managing cyber risk.
Sign up today to be notified when we publish new research so you don’t miss out!
© Copyright 2024 Cyentia Institute