In today’s digital world, cyber threats are growing rapidly, making businesses more vulnerable than ever. From ransomware attacks and phishing scams to insider threats, companies of all sizes face serious security risks. Without strong cybersecurity measures, businesses can suffer financial losses, reputational damage, and legal trouble. This blog covers the biggest cyber threats businesses face today and practical ways to protect against them.
The MITRE ATT&CK framework catalogues the techniques that attackers commonly use against organizations. To reduce the risk those techniques pose, a business needs a clear plan, backed by strong security measures, to detect, prevent, and respond to attacks effectively.

Here are the top 25 techniques, grouped by the attack stages they contribute to:
Initial Access & Execution
Phishing (T1566) – Attackers trick users into executing malicious payloads via emails or fake websites.
Valid Accounts (T1078) – Use of stolen credentials to gain unauthorized access.
User Execution (T1204) – Malicious files or scripts requiring user interaction for execution.
Command and Scripting Interpreter (T1059) – Running malicious commands via PowerShell, Bash, or scripting languages.
Ingress Tool Transfer (T1105) – Downloading and executing malicious payloads into the victim’s system.
Privilege Escalation & Credential Access
Process Injection (T1055) – Injecting code into legitimate processes to evade detection.
Credentials from Password Stores (T1555) – Extracting stored credentials from browsers, password managers, or system utilities.
Credential Dumping (T1003) – Harvesting credentials from memory (LSASS) or SAM databases.
Access Token Manipulation (T1134) – Impersonating user accounts to escalate privileges.
Persistence & Defense Evasion
Scheduled Task/Job (T1053) – Maintaining persistence by scheduling malicious tasks.
Modify Registry (T1112) – Altering registry keys for persistence and evasion.
Obfuscated Files or Information (T1027) – Encrypting or encoding malicious payloads to bypass security solutions.
Windows Management Instrumentation (T1047) – Using WMI to execute commands stealthily.
System Binary Proxy Execution (T1218) – Using legitimate Windows utilities (LOLbins) for malicious execution.
Discovery & Lateral Movement
Account Discovery (T1087) – Identifying users and roles within the environment.
Account Manipulation (T1098) – Modifying user accounts for privilege escalation.
System Network Configuration Discovery (T1016) – Gathering network information for lateral movement.
Remote Services (T1021) – Exploiting RDP, SSH, or SMB for remote access.
Impact & Data Exfiltration
Endpoint Denial of Service (T1499) – Overloading systems to disrupt operations.
Application Layer Protocol (T1071) – Using common protocols like HTTP/S, DNS, or FTP for communication and exfiltration.
Input Capture (T1056) – Keylogging or capturing user inputs.
Screen Capture (T1113) – Taking screenshots of sensitive information.
Data Obfuscation (T1001) – Encrypting or disguising stolen data to avoid detection.
Indicator Removal on Host (T1070) – Clearing logs and evidence of compromise.
Inhibit System Recovery (T1490) – Disabling recovery options to prevent remediation.
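The "detect" half of the strategy means turning the techniques above into checks against audit telemetry. As an added example that is not part of the original post, the Python script below tags constructed Windows audit events with the technique IDs from the list. Event IDs 4698 (scheduled task created), 4104 (PowerShell script block logged) and 1102 (audit log cleared) are real Windows event IDs; the host names, user names and log lines are constructed for this example, and the `Key=Value` layout is an assumed simplified export format rather than the native event XML.

```python
"""Added example (not from the original post): tag constructed Windows audit
events with ATT&CK technique IDs from the top-25 list.  Event IDs 4698, 4104
and 1102 are real Windows event IDs; the hosts, users and log lines below are
constructed, and "Key=Value" is an assumed simplified export format."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=4698 Host=WS01 User=alice TaskName=\Updater Command=C:\Users\alice\AppData\Local\Temp\svc.exe",
    r"EventID=4104 Host=WS01 User=alice ScriptBlock=powershell -EncodedCommand QQBCAEMA",
    r"EventID=4104 Host=WS02 User=bob ScriptBlock=Get-Process | Where-Object CPU -gt 100",
    r"EventID=1102 Host=WS01 User=alice Message=The audit log was cleared",
    r"EventID=4624 Host=WS02 User=bob LogonType=2",
]

# Patterns that turn a raw event into a technique hit.
USER_WRITABLE_PATH = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)
ENCODED_POWERSHELL = re.compile(r"-e(nc|ncodedcommand)\b", re.IGNORECASE)


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def classify(event):
    """Return (technique_id, reason) pairs for one parsed event.

    Only suspicious shapes produce a hit: an ordinary interactive PowerShell
    script block or a 4624 logon yields nothing, which keeps the output usable.
    """
    hits = []
    eid = event.get("EventID")
    if eid == "4698" and USER_WRITABLE_PATH.search(event.get("Command", "")):
        hits.append(("T1053", "scheduled task runs a binary from a user-writable path"))
    elif eid == "4104" and ENCODED_POWERSHELL.search(event.get("ScriptBlock", "")):
        hits.append(("T1059", "PowerShell launched with an encoded command"))
        hits.append(("T1027", "command line is base64-encoded"))
    elif eid == "1102":
        hits.append(("T1070", "security audit log cleared"))
    return hits


def triage(lines):
    """Run every line through the classifier and return
    (host, user, technique_id, reason) tuples in input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for technique, reason in classify(event):
            findings.append((event.get("Host"), event.get("User"), technique, reason))
    return findings


if __name__ == "__main__":
    for host, user, technique, reason in triage(SAMPLE_EVENTS):
        print(f"{host:5} {user:6} {technique} {reason}")
```

Running the script lists four findings, all on WS01: the scheduled task (T1053), the encoded PowerShell launch (T1059 and T1027) and the cleared audit log (T1070). The benign script block and the logon on WS02 are deliberately left silent; the patterns are intentionally narrow so that a real deployment would extend them rather than tune out noise.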
Strategy for Implementing Mitigation Measures
It is now essential to draft a strategy for implementing a bare-minimum set of mitigation measures that address these risks. The mapping below links each of the 25 techniques to a CIS Control and benchmark reference; an organization can implement it as-is or customize it further to its own requirements:
| Rank | Technique ID | MITRE ATT&CK Technique | Tactic | Mapped CIS Control | CIS Benchmark Reference ID | Rationale | CIS Impact |
|---|---|---|---|---|---|---|---|
| 1 | T1055 | Process Injection | Defense Evasion | CIS Control 6: Access Control Management | 2.9, 2.19 | Prevents unauthorized code execution within legitimate processes | Reduces risk of stealthy malware execution and privilege escalation |
| 2 | T1059 | Command and Scripting Interpreter | Execution | CIS Control 8: Audit Log Management | 2.18 | Detects malicious script execution | Improves visibility into potential execution-based attacks |
| 3 | T1555 | Credentials from Password Stores | Credential Access | CIS Control 5: Account Management | 2.10, 2.23 | Prevents unauthorized access to stored credentials | Limits exposure to credential theft and unauthorized access |
| 4 | T1003 | Credential Dumping | Credential Access | CIS Control 6: Access Control Management | 2.9, 2.19 | Prevents unauthorized credential harvesting | Reduces risk of privilege escalation and unauthorized access |
| 5 | T1566 | Phishing | Initial Access | CIS Control 9: Email and Web Browser Protections | 2.2 | Reduces risk of email-based threats and malicious links | Prevents social engineering attacks and malware infection |
| 6 | T1078 | Valid Accounts | Defense Evasion | CIS Control 5: Account Management | 2.10, 2.23 | Ensures only authorized accounts are used | Limits exposure to compromised or misused credentials |
| 7 | T1027 | Obfuscated Files or Information | Defense Evasion | CIS Control 13: Network Monitoring and Defense | 2.22 | Detects obfuscated malware and hidden payloads | Enhances threat detection and response capabilities |
| 8 | T1204 | User Execution | Execution | CIS Control 14: Security Awareness and Skills Training | 2.14, 2.15 | Trains users to recognize and avoid malicious content | Reduces risk of user-driven compromises and social engineering |
| 9 | T1105 | Ingress Tool Transfer | Command and Control | CIS Control 12: Network Infrastructure Management | 2.11, 2.12 | Prevents unauthorized file transfers | Limits malware distribution and unauthorized tool deployment |
| 10 | T1087 | Account Discovery | Discovery | CIS Control 6: Access Control Management | 2.9 | Restricts attacker reconnaissance efforts | Prevents unauthorized enumeration of user accounts |
| 11 | T1098 | Account Manipulation | Persistence | CIS Control 5: Account Management | 2.10, 2.23 | Prevents attackers from modifying accounts | Reduces risk of persistent unauthorized access |
| 12 | T1499 | Endpoint Denial of Service | Impact | CIS Control 13: Network Monitoring and Defense | 2.24 | Ensures detection of DoS attempts | Enhances availability and resilience against service disruptions |
| 13 | T1047 | Windows Management Instrumentation | Execution | CIS Control 8: Audit Log Management | 2.18 | Detects misuse of WMI for malicious purposes | Improves detection of lateral movement and remote execution attempts |
| 14 | T1218 | System Binary Proxy Execution | Defense Evasion | CIS Control 6: Access Control Management | 2.9, 2.19 | Prevents misuse of trusted system binaries for malicious execution | Reduces risk of defense evasion through trusted processes |
| 15 | T1053 | Scheduled Task/Job | Persistence | CIS Control 5: Account Management | 2.10, 2.23 | Detects unauthorized task scheduling for persistence | Limits adversaries' ability to maintain persistent access |
| 16 | T1112 | Modify Registry | Defense Evasion | CIS Control 8: Audit Log Management | 2.18 | Detects unauthorized registry modifications | Prevents persistence and defense evasion through registry alterations |
| 17 | T1071 | Application Layer Protocol | Command and Control | CIS Control 12: Network Infrastructure Management | 2.11, 2.12 | Monitors use of common protocols for malicious communication | Enhances detection of covert command and control channels |
| 18 | T1056 | Input Capture | Credential Access | CIS Control 9: Email and Web Browser Protections | 2.2 | Prevents unauthorized capture of user input | Reduces risk of credential theft through keylogging or input sniffing |
| 19 | T1134 | Access Token Manipulation | Defense Evasion | CIS Control 6: Access Control Management | 2.9, 2.19 | Prevents misuse of access tokens for unauthorized actions | Reduces risk of privilege escalation and unauthorized resource access |
| 20 | T1016 | System Network Configuration Discovery | Discovery | CIS Control 13: Network Monitoring and Defense | 2.22 | Detects unauthorized network configuration discovery | Limits attackers' understanding of network topology and defenses |
| 21 | T1490 | Inhibit System Recovery | Impact | CIS Control 8: Audit Log Management | 2.18 | Prevents disabling of system recovery features | Ensures availability of recovery options after an attack |
| 22 | T1070 | Indicator Removal on Host | Defense Evasion | CIS Control 8: Audit Log Management | 2.18 | Detects attempts to erase forensic evidence | Enhances ability to investigate and respond to security incidents |
| 23 | T1021 | Remote Services | Lateral Movement | CIS Control 12: Network Infrastructure Management | 2.11, 2.12 | Monitors use of remote services for lateral movement | Limits adversaries' ability to move laterally within the network |
| 24 | T1113 | Screen Capture | Collection | CIS Control 9: Email and Web Browser Protections | 2.2 | Prevents unauthorized screen capturing | Protects sensitive information from being captured and exfiltrated |
| 25 | T1001 | Data Obfuscation | Command and Control | CIS Control 13: Network Monitoring and Defense | 2.22 | Detects attempts to disguise malicious communication | Improves detection of covert data exfiltration and stealthy malware |
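The mapping is most useful when it drives an order of work: which CIS Control to stand up first, and which of the 25 techniques stay exposed until a given control is in place. As an added example that is not part of the original post, the Python below holds the table's rank, technique ID and mapped CIS Control number as data and derives a rollout order from it. The greedy rule (pick the missing control that covers the most remaining techniques, breaking ties toward the highest-ranked one) is this example's own choice; the table's simplification that each technique maps to exactly one control is carried over unchanged.

```python
"""Added example (not from the original post): the ranked technique-to-CIS-
Control mapping from the table as data, plus helpers that turn it into a
rollout order.  Technique IDs and control numbers are the table's own; the
greedy prioritisation rule is an assumption made for this example."""
from collections import namedtuple

Row = namedtuple("Row", "rank technique name control")

# (rank, ATT&CK technique ID, technique name, mapped CIS Control number), from the table.
MAPPING = [
    Row(1, "T1055", "Process Injection", 6),
    Row(2, "T1059", "Command and Scripting Interpreter", 8),
    Row(3, "T1555", "Credentials from Password Stores", 5),
    Row(4, "T1003", "Credential Dumping", 6),
    Row(5, "T1566", "Phishing", 9),
    Row(6, "T1078", "Valid Accounts", 5),
    Row(7, "T1027", "Obfuscated Files or Information", 13),
    Row(8, "T1204", "User Execution", 14),
    Row(9, "T1105", "Ingress Tool Transfer", 12),
    Row(10, "T1087", "Account Discovery", 6),
    Row(11, "T1098", "Account Manipulation", 5),
    Row(12, "T1499", "Endpoint Denial of Service", 13),
    Row(13, "T1047", "Windows Management Instrumentation", 8),
    Row(14, "T1218", "System Binary Proxy Execution", 6),
    Row(15, "T1053", "Scheduled Task/Job", 5),
    Row(16, "T1112", "Modify Registry", 8),
    Row(17, "T1071", "Application Layer Protocol", 12),
    Row(18, "T1056", "Input Capture", 9),
    Row(19, "T1134", "Access Token Manipulation", 6),
    Row(20, "T1016", "System Network Configuration Discovery", 13),
    Row(21, "T1490", "Inhibit System Recovery", 8),
    Row(22, "T1070", "Indicator Removal on Host", 8),
    Row(23, "T1021", "Remote Services", 12),
    Row(24, "T1113", "Screen Capture", 9),
    Row(25, "T1001", "Data Obfuscation", 13),
]


def coverage_by_control():
    """Number of top-25 techniques each CIS Control is mapped to."""
    counts = {}
    for row in MAPPING:
        counts[row.control] = counts.get(row.control, 0) + 1
    return counts


def uncovered(implemented):
    """Techniques, in rank order, whose mapped control is not yet implemented."""
    return [row for row in MAPPING if row.control not in implemented]


def next_control(implemented):
    """Unimplemented control covering the most remaining techniques; ties go
    to the control that covers the highest-ranked (lowest rank number) one."""
    score = {}
    for row in uncovered(implemented):
        count, best_rank = score.get(row.control, (0, len(MAPPING) + 1))
        score[row.control] = (count + 1, min(best_rank, row.rank))
    if not score:
        return None
    return min(score, key=lambda c: (-score[c][0], score[c][1]))


def rollout_order(implemented=()):
    """Greedy order in which to implement the controls still missing."""
    done = set(implemented)
    order = []
    while True:
        control = next_control(done)
        if control is None:
            break
        done.add(control)
        order.append(control)
    return order


if __name__ == "__main__":
    print("coverage per control:", coverage_by_control())
    print("rollout order from scratch:", rollout_order())
    have = {5, 6, 8}
    print(f"with controls {sorted(have)} in place, still exposed:")
    for row in uncovered(have):
        print(f"  #{row.rank:2} {row.technique} {row.name} (needs CIS Control {row.control})")
```

From an empty baseline the greedy order is 6, 8, 5, 13, 9, 12, 14: Controls 6 and 8 each cover five of the 25 techniques, and Control 6 wins the tie because it covers the rank-1 technique. With Controls 5, 6 and 8 in place, eleven techniques remain exposed, Phishing (T1566) first among them, which is a quick way to see that the account and logging controls alone leave the e-mail, network and awareness gaps open.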