Splunk: Cybercriminals Use These Types of TTPs

A report published by Splunk that analyzed three years of data showed a marked increase in the number of cyberattacks that employ four specific types of techniques.

Based on analysis of data collected from 2020 to 2022, the report found a steady increase in the number of cyberattacks using a command and scripting interpreter, such as PowerShell from Microsoft, in addition to techniques involving obfuscated files or information, ingress tool transfer and some type of system service execution.

The report itself is based on tags that various reporting agencies have used to identify tactics, techniques and procedures (TTPs), including the Mandiant M-Trends Report, the Red Canary Threat Detection Report and the CTID ATT&CK Sightings Ecosystem. These reports rank ATT&CK techniques by the frequency (the percentage of analyzed incidents) with which each technique is observed.

Ryan Kovar, distinguished security strategist for Splunk, said the report from Splunk is significant in that it provides cybersecurity teams with insights using big data that enable them to better focus their efforts on thwarting the wide range of attacks that rely on these techniques. Once these techniques are recognized, it becomes possible to predict the next step in the attack chain that cybercriminals have constructed, he added.

The Splunk report found most of the attacks involved relatively simple techniques that cybersecurity teams should be able to thwart, noted Kovar. However, across the cybersecurity sector there tends to be too much focus on advanced techniques that are only being used by a small handful of apex predators. Most cybercriminals are not going to work any harder than they need to, so they tend to focus their efforts on a narrow range of TTPs they can easily master using tools such as PowerShell, added Kovar.

How much TTP analytics will help cybersecurity teams will naturally vary by the level of maturity, but at a time when most organizations are experiencing a skills shortage it’s more important than ever to prioritize efforts. Focusing on attacks based on TTPs enables organizations to more easily thwart a wider range of attacks that use a common set of core attack vectors, noted Kovar.

In the longer term, of course, the ability to analyze TTPs should also provide the foundation for automating cybersecurity once a specific technique is identified. The challenge organizations face today is that aggregating the data required to automate cybersecurity defenses remains a fairly daunting task. In theory, at least, big data analytics should surface trendlines that make it possible to create more effective cybersecurity playbooks.

In the meantime, cybersecurity teams clearly need to share more information. There’s always a natural hesitancy to share sensitive data, but it’s not going to be possible to defeat adversaries that regularly share insights with one another unless cybersecurity teams do the same. Cybercriminals, in fact, brazenly share TTPs with one another in ways that almost anyone who cares can easily see. The challenge, and the opportunity, is to take advantage of that hubris to develop a set of defenses that make whole classes of TTPs much less effective than they are today.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.