Red Canary recently unveiled its 2021 Threat Detection Report. Included in the report is a mapping of many of the top cyberattack techniques to the MITRE ATT&CK framework. The findings presented by Red Canary researchers underscore the need to fully understand your network. Take the time to monitor what is normal in your firm. Review and document which scripts are used on a regular basis and which event IDs are recorded in the event logs, especially those relevant to the most used attack techniques.
Deploy Sysmon and save the log files to an external location. Ensure that you are logging events that will expose what attackers might be doing in your network. The Australian Cyber Security Centre has documentation and guidance on setting up Windows event logging.
Here are the top attack techniques that Red Canary saw in 2020:
1. Command and scripting interpreters, better known as PowerShell (24%)
Red Canary’s customers were most impacted by attacks using PowerShell and Windows Command Shell. Because these tools are native to Windows, it is much harder for firms to determine that they are being attacked. This is called “living off the land,” where the attacker doesn’t have to bring attack tools to your network. Rather, they use the PowerShell that is already installed. To monitor for PowerShell and command line-based attacks, use tools such as Sysmon to ensure that you are capturing the relevant logs.
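As an added illustration (not code from Red Canary or the report), the following Python triages a handful of constructed Sysmon Event ID 1 process-creation records and flags PowerShell or cmd.exe launches that carry indicators commonly associated with living-off-the-land activity, while leaving a routine administrative script alone. The sample records, the indicator set and the function names are all assumptions made for this example.

```python
import base64
import re

# Constructed records shaped like Sysmon Event ID 1 (ProcessCreate) fields after
# export to JSON; illustrative only, not telemetry from the Red Canary report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIABoAGkA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "", "ParentImage": ""},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def encoded_argument(cmdline):
    """Return the base64 argument of an -EncodedCommand style switch, or None.
    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...)."""
    m = re.search(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if m and "encodedcommand".startswith(m.group(1).lower()):
        return m.group(2)
    return None

def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text, so decode it that way for the analyst."""
    return base64.b64decode(b64).decode("utf-16-le")

def triage(event):
    """Return the indicators found in one ProcessCreate event ([] if none or not an interpreter)."""
    if event.get("EventID") != 1 or basename(event["Image"]) not in INTERPRETERS:
        return []
    cmd, hits = event["CommandLine"], []
    if (b64 := encoded_argument(cmd)) is not None:
        hits.append("encoded_command: " + decode_encoded_command(b64))
    if re.search(r"\s-w(?:indowstyle)?\s+hidden\b", cmd, re.I):
        hits.append("hidden_window")
    if basename(event["ParentImage"]) in OFFICE_APPS:
        hits.append("office_parent")
    return hits

def suspicious(events):
    """Interpreter launches with at least one indicator, for an analyst queue."""
    return [(e["CommandLine"], triage(e)) for e in events if triage(e)]
```

The scheduled backup script in the first record is deliberately not flagged: a baseline of what normally runs in your environment is what keeps a rule like this from drowning in routine administrative PowerShell.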