Professional Documents
Culture Documents
Risk Vulnerability Assessment (Rva) Mapped To The Mitre Att&Ck Framework
Risk Vulnerability Assessment (Rva) Mapped To The Mitre Att&Ck Framework
ATT&CK® FRAMEWORK
access in 49% of the FY20 RVAs. representative of those in the FY20 RVAs.
Attack Path 3: Discover & Unlock Privilege Escalation Lateral Movement Command & Control
Initial Access » Trusted Relationship
Execution » Windows Management Instrumentation
Discovery » Permission Groups Discovery
Valid Accounts 37.5% Pass the Hash 29.8% Web Protocols 42%
Collection » Data from Local System
Remote Desktop Remote Access
Command & Control » Remote Access Software Exploitation for 15.9%
Privilege Escalation 21.9% Protocol 25% Software
Attack Path 4: Take Into Account: Good Guy or Bad Guy? Make & Exploitation of
Standard
15.6% 11.9% Application Layer 8.7%
Initial Access » User Execution Impersonate Token Remote Services Protocol
Execution » Windows Management Instrumentation
Discovery » Account Discovery
Collection » Data from Local System/
Data from Network Shared Drive Defense Evasion Collection Exfiltration
Command & Control » Remote Access Software
Exfiltration » Exfiltration over C2 Channel Data from Exfiltration Over
Process Hollowing 18.5% Local System 32.2% C2 Channel 68.2%
Attack Path 5: Credential Convenience Has Its Cost
Data from Network Archive Collected
Initial Access » Valid Accounts Mshta 12.3% 30.5% Data 9.1%
Execution » Windows Management Instrumentation Shared Drive
Credential Access » OS Credential Dumping Automated
Valid Accounts 12.3% Screen Capture 22% Exfiltration 9.1%
Discovery » Account Discovery
Collection » Data from Local System/
Data from Network Shared Drive This advisory uses the MITRE ATT&CK® v9.0 and Pre-ATT&CK frameworks. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks at https://attack.mitre.org/versions/v9/ for referenced threat
Command & Control » Remote Access Software actor techniques. For more information about CISA assessment services, please visit https://www.cisa.gov/cyber-resource-hub. TLP:WHITE
TLP:WHITE
ASSESSMENT (RVA)
or manipulation attempts by an policies for accounts. Remove or deny access to
The top ten mitigations shown here adversary to reduce the risk of
successful spear- phishing and M1030 Network Segmentation unnecessary and potentially
are widely effective across the top vulnerable software to prevent abuse
social engineering. Architect sections of the network to
ATT&CK® FRAMEWORK Manage the creation, modification, sensitive systems and information. software up to date and configured to
Provide secure software best use, and permissions associated to Network Intrusion recognize and remove malicious files
practice guidance and training to M1031
user accounts. Prevention that have been downloaded or created
application developers to avoid on the host.
FISCAL YEAR 2020 (FY20) introducing security weaknesses M1026 Privileged Account Configure Network Intrusion
Risk and Vulnerability Assessment: Upon request, CISA can identify vulnerabilities through code. Management Prevention systems to block M1051 Update Software
that adversaries could potentially exploit to compromise security controls. CISA Manage the creation, modification, malicious file signatures and file Periodically perform software updates,
use, and permissions associated types at the network boundary. including vendor patches, OS updates,
collects data in an onsite assessment and combines it with national threat and firmware upgrades, to mitigate
information to provide customers with a tailored risk analysis report. To schedule to privileged accounts, including
SYSTEM and root. exploitation risk.
an RVA or learn more, contact CISAServiceDesk@cisa.dhs.gov.
*Top techniques and mitigations vary by sector and environment. Organizations should consider additional attack vector and mitigation strategies based on their unique environment.
Execution Defense Evasion 3.1% Exploitation of Credential Access 1.2% System Time Discovery 8.7% Data Obfuscation
24.4% PowerShell 18.5% Process Hollowing 3.1% Credentials in Registry 0.8% Network Sniffing 7.2% Data Encoding
13.0% Windows Management 12.3% Mshta 1.9% Brute Force 0.4% Browser Bookmark Discovery 5.8% Encrypted Channel
FY20 RVA RESULTS Instrumentation 12.3% Valid Accounts 1.3% Bash History 4.3% Proxy
MITRE ATT&CK Tactics and Techniques 12.2% Command and Scripting Interpreter 10.8% Obfuscated Files or Information 0.6% Unsecured Credentials 2.9% Web Service
Lateral Movement
11.4% Service Execution 9.2% File Deletion 0.6% Private Keys 1.4% Custom Command &
The percent noted for each technique 29.8% Pass the Hash Control Protocol
represents the success rate for that 11.4% Windows Command Shell 6.2% Default Accounts 0.6% Pass the Ticket 25.0% Remote Desktop Protocol 1.4% Standard Cryptographic
technique across all RVAs. For example, 8.9% User Execution 4.6% Access Token Manipulation 0.6% Input Prompt
a phishing link was used to gain initial 11.9% Exploitation of Remote Services 1.4% Protocol
access in 49% of the FY20 RVAs. 7.3% Mshta 4.6% Web Service 0.6% Two-Factor Authentication 10.7% Remote Services 1.4% Ingress Tool Transfer
3.3% Remote Services Interception
3.1% Hidden Window 10.7% SMB/Windows Admin Shares
2.4% Exploitation for Client Execution 3.1% Bypass User Account Control
37 Total Number of Assessments 6.0% Windows Admin Shares
1.6% Rundll32 3.1% Process Injection Discovery Exfiltration
2.4% Pass the Ticket
0.8% Native API 3.1% 12.1% Account Discovery
Rundll32 2.4% Windows Remote Management 68.2% Exfiltration over C2 Channel
0.8% Regsvr32 1.5% 10.9% Network Service Scanning
DLL Side-Loading 1.2% Ingress Tool Transfer 9.1% Archive Collected Data
0.8% Remote Desktop Protocol 1.5% 8.1% File & Directory Discovery
Initial Access Group Policy Modification 9.1% Automated Exfiltration
0.8% Shared Modules 1.5% 8.1% Permission Groups Discovery
49.0% Phishing Link Masquerading 9.1% Scheduled Transfer
0.8% Windows Remote Management 1.5% Software Packing 7.7% Password Policy Discovery Collection 4.5% Data Transfer Size Limits
11.8% Exploit Public-Facing Application
1.5% 6.9% Remote System Discovery 32.2% Data from Local System
9.8% Phishing Attachment Indicator Removal from Tools
1.5% 6.0% Network Share Discovery 30.5% Data from Network Shared Drive
11.8% Valid Accounts Regsvr32
6.0% Process Discovery 22.0% Screen Capture
5.88% User Execution
5.6% Domain Trust Discovery 5.1% Keylogging
3.92% Trusted Relationship Credential Access
Privilege Escalation 4.4% Network Share Discovery 1.7% Data from Information Repositories
1.96% Drive-by Compromise 17.0% OS Credential Dumping
37.5% Valid Accounts 4.0% System Owner/User Discovery 3.4% Man-in-the-Middle
1.96% Exploitation of Remote Application 17.0% LLMNR/NBT-NS Poisoning &
21.9% Exploitation for Privilege Escalation 4.0% System Service Discovery 1.7% Man in the Browser
1.96% Exploitation of Remote Services SMB Relay
15.6% Make & Impersonate Token 3.6% System Network Connections 3.4% Automated Collection
13.2% Kerberoasting
9.4% Process Injection Discovery
9.4% Credentials in Files
6.3% Sudo and Sudo Caching 3.2% System Information Discovery
8.8% Password Cracking Command & Control
3.1% Access Token Manipulation 2.4% Security Software Discovery
7.5% Password Guessing 42.0% Web Protocols
3.1% Bypass User Account Control 2.4% System Network Configuration
7.5% Network Sniffing Discovery 15.9% Remote Access Software
3.1% Default Accounts
6.9% Forced Authentication 2.0% Query Registry 8.7% Standard Application Layer Protocol
This advisory uses the MITRE ATT&CK® v9.0 and Pre-ATT&CK frameworks. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks at https://attack.mitre.org/versions/v9/ for referenced threat actor techniques.
For more information about CISA assessment services, please visit https://www.cisa.gov/cyber-resource-hub. TLP:WHITE