Risk and Vulnerability Assessment (RVA) Mapped to the MITRE ATT&CK® Framework


TLP:WHITE

RISK AND VULNERABILITY ASSESSMENT (RVA) MAPPED TO THE MITRE ATT&CK® FRAMEWORK
FISCAL YEAR 2019 (FY19)

Risk and Vulnerability Assessment: Upon request, CISA can identify vulnerabilities that adversaries could potentially exploit to compromise security controls. We collect data in an on-site assessment and combine it with national threat information to provide customers with a tailored risk analysis report.

Total number of assessments: 44

FY19 RVA RESULTS: MITRE ATT&CK TACTICS AND TECHNIQUES

The percent noted for each technique represents the success rate for that technique across all RVAs. For example, spearphishing link was used to gain initial access in 45.5% of the FY19 RVAs.

Initial Access
  45.5%  Spearphishing Link
   4.5%  Exploit Public-Facing Application
   2.3%  Spearphishing Attachment

Execution
  70.5%  PowerShell
  63.6%  Command-Line Interface
  45.5%  MSHTA
  45.5%  Service Execution
  43.2%  Windows Management Instrumentation
  18.2%  Graphical User Interface
  11.4%  Scripting
   9.1%  User Execution
   9.1%  Exploitation for Client Execution
   2.3%  Execution through API

Persistence
  25.0%  Valid Accounts
   9.1%  New Service
   4.5%  Create Account
   2.3%  Windows Management Instrumentation Event Subscription
   2.3%  Registry Run Keys/Startup Folder
   2.3%  Launch Agent

Privilege Escalation
  25.0%  Valid Accounts
  20.5%  Exploitation for Privilege Escalation
  20.5%  Access Token Manipulation
  15.9%  Process Injection
   9.1%  New Service
   9.1%  Bypass User Account Control
   2.3%  Sudo
   2.3%  Exploitation of Vulnerability

Defense Evasion
  45.5%  MSHTA
  36.4%  Process Hollowing
  25.0%  Valid Accounts
  20.5%  Access Token Manipulation
  15.9%  Process Injection
  11.4%  Scripting
  11.4%  Obfuscated Files or Information
   9.1%  Bypass User Account Control
   6.8%  Indicator Removal from Tools
   6.8%  Hidden Window
   6.8%  File Deletion
   4.5%  Masquerading
   4.5%  DLL Side-Loading
   2.3%  Process Doppelgänging
   2.3%  Disabling Security Tools

Credential Access
  88.6%  Credential Dumping
  68.2%  LLMNR/NBT-NS Poisoning
  38.6%  Credentials in Files
  22.7%  Kerberoasting
  20.5%  Brute Force
  15.9%  Network Sniffing
  11.4%  Input Capture
   9.1%  Account Manipulation
   4.5%  Exploitation of Credential Access
   2.3%  Private Keys
   2.3%  Forced Authentication
   2.3%  Credentials in Registry
   2.3%  Bash History

Discovery
  63.6%  Account Discovery
  50.0%  Network Service Scanning
  47.7%  File & Directory Discovery
  45.5%  Network Share Discovery
  43.2%  Remote System Discovery
  40.9%  Process Discovery
  31.8%  Password Policy Discovery
  27.3%  System Owner/User Discovery
  27.3%  Permission Groups Discovery
  18.2%  System Service Discovery
  18.2%  Security Software Discovery
  13.6%  System Information Discovery
  11.4%  System Network Configuration Discovery
   4.5%  System Time Discovery
   4.5%  System Network Connections Discovery
   4.5%  Query Registry
   2.3%  Peripheral Device Discovery

Lateral Movement
  61.4%  Pass the Hash
  52.3%  Remote Desktop Protocol
  22.7%  Windows Admin Shares
  22.7%  Remote Services
  13.6%  Exploitation of Remote Services
   9.1%  Pass the Ticket
   2.3%  Remote File Copy
   2.3%  Distributed Component Object Model

Collection
  47.7%  Screen Capture
  45.5%  Data from Local System
  36.4%  Data from Network Shared Drive
  22.7%  Automated Collection
  11.4%  Man in the Browser
  11.4%  Input Capture
   2.3%  Email Collection
   2.3%  Data from Information Repositories
   2.3%  Clipboard Data

Command & Control
  54.5%  Commonly Used Port
  20.5%  Data Encoding
  18.2%  Remote Access Tools
  18.2%  Connection Proxy
  11.4%  Standard Application Layer Protocol
   9.1%  Data Obfuscation
   9.1%  Custom Command & Control Protocol
   4.5%  Standard Cryptographic Protocol
   2.3%  Remote File Copy
   2.3%  Multi-hop Proxy

Exfiltration
  18.2%  Scheduled Transfer
  13.6%  Exfiltration over Command & Control Channel
  11.4%  Data Encrypted
   4.5%  Data Compressed
   4.5%  Automated Exfiltration

MITIGATIONS FOR TOP TECHNIQUES

The top ten mitigations shown here are widely effective across the top techniques.*

M1017 User Training: Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing and social engineering.

M1018 User Account Management: Manage the creation, modification, use, and permissions associated to user accounts.

M1026 Privileged Account Management: Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

M1027 Password Policies: Set and enforce secure password policies for accounts.

M1028 Operating System Configuration: Make configuration changes to the operating system that result in system hardening against techniques.

M1030 Network Segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to sensitive systems and information.

M1031 Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.

M1032 Multi-factor Authentication: Use two or more pieces of evidence to authenticate to a system.

M1037 Filter Network Traffic: Use network appliances to filter ingress or egress traffic and perform protocol-based filtering.

M1042 Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

M1047 Audit: Perform audits or scans of systems, permissions, software, configurations, etc. to identify potential weaknesses.

*Top techniques and mitigations vary by sector and environment. Organizations should consider additional attack vectors and mitigation strategies based on their unique environment.

HOW WE LATERAL AND ESCALATE

Attack Path 1: Gone Phishin'
  Initial Access » Spearphishing Link and MSHTA
  Execution » PowerShell
  Defense Evasion » Process Injection and MSHTA
  Command & Control » Commonly Used Port

Attack Path 2: You've Poisoned My LLMNR
  Credential Access » LLMNR/NBT-NS Poisoning and Relay, Brute Force
  Discovery » Network Sniffing

Attack Path 3: The Ol' Discover & Dump
  Discovery » Permission Groups Discovery, System Owner/User Discovery
  Execution » Windows Management Instrumentation
  Persistence / Defense Evasion / Privilege Escalation » Valid Accounts

Attack Path 4: I Like My Kerberos Well-Done
  Initial Access / Privilege Escalation » Kerberoasting, Brute Force
  Persistence / Defense Evasion / Privilege Escalation » Valid Accounts

Attack Path 5: Is That a Cleartext Password or SSH Key I See?
  Credential Access » Credentials in Files, Bash History, Private Keys, Valid Accounts
  Persistence / Defense Evasion / Privilege Escalation » Valid Accounts

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks for referenced threat actor techniques.

For more information about CISA assessment services, please visit https://www.cisa.gov/

TLP:WHITE
