Most common cyberattack techniques on Windows networks for 2020

Recent research breaks down the preferred techniques attackers use to gain access to Windows networks. Use this information to monitor your logs for these methods.

vulnerable breach cyberattack hacker
Thinkstock

Red Canary recently unveiled its 2021 Threat Detection Report. Included in the report is a mapping of many of the top cyberattack techniques to the MITRE ATT&CK framework. The findings presented by Red Canary researchers underscore the need to fully understand your network. Take the time to monitor what is normal in your firm. Review and document what scripts are used on a regular basis and what event IDs are thrown off in the event logs, especially those relevant to the most used attack techniques.

Deploy Sysmon and save the log files to an external location. Ensure that you are logging events that will expose what attackers might be doing in your network. The Australian Cyber Security Centre has documentation and guidance on setting up Windows event logging.

Here are the top attack techniques that Red Canary saw in 2020:

1. Command and scripting interpreters, better known as PowerShell (24%)

Red Canary’s customers were most impacted by attacks using PowerShell and Windows Command Shell. Because these tools are native to Windows, it is much harder for firms to determine that they are being attacked. This is called “living off the land,” where the attacker doesn’t have to bring attack tools to your network. Rather they use the existing PowerShell that is already installed. To monitor for PowerShell and command line-based attacks, use such tools as Sysmon to ensure that you are capturing the logging.

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.