ATT&CK Techniques and Trends in Windows Malware

Most cyber security practitioners are by now aware of the Mitre ATT&CK framework and the tremendous potential it holds for increasing the understanding and mitigation of adversary TTPs. Within the computer science realm, however, the framework has gained less altitude than in the infosec blogosphere. Also, in academia, mental models for cyber security seem to be less of a discussion (or concern, perhaps). In theory, there is no difference between theory and practice. But in practice, there is of course.

To introduce ATT&CK to the scientific community as a useful standard, its usefulness needs to be proved in a scientifically sound way. I did this over the last couple of months, in which I analyzed a labeled sample of 900+ unique families of Windows malware from 2003 until 2018 (thanks to Daniel Plohmann’s Malpedia). This provides an overview of established techniques within Windows malware and of techniques that have seen increased adoption over recent years. Within the dataset, I observed an increase in various techniques such as fileless execution, discovery of security software and DLL side-loading. A nice observation is that a (formerly) sophisticated technique, command and control (C&C) over IPC named pipes, is being adopted by less sophisticated actor groups. Malware authors are innovating techniques in order to bypass established defenses (doh).

I wrote up the analysis results in a paper, using the uniform language offered by ATT&CK. This all turned out quite nicely, as the paper has been accepted into the 15th International Conference on Security and Privacy in Communication Networks, which will be held in Orlando this October. A few days later I will also be presenting the results during ATT&CKcon, Mitre’s ATT&CK-focused conference.

So, where’s the beef?

All of this results in the following graphical representation of the most commonly implemented malware techniques (click for the high-resolution version). For those interested in reading the full paper, it is available for download here. If you have any questions or remarks, just get in touch on the socials or via the contact form. I am happy to hear from you.

[Figure: most commonly implemented malware techniques, mapped to ATT&CK]

Kris Oosthoek
PhD Candidate Cyber Threat Intelligence

My research interests include cyber security and specifically threat intelligence automation and methodology.
