Foreword
At the beginning of this report, we would like to quote “Intelligence Driven Incident Response” by Scott J. Roberts & Rebekah Brown, “Intelligence – is the glue that can bind together multiple diverse teams operating at different levels with different priorities”. That is precisely why the Kaspersky Threat Intelligence Team has decided to combine the best practice of all teams in our organisation to create this report.
This report uses data from recent investigations by our coworkers in the Threat Research team and the Global Emergency Response Team (GERT), and selected research efforts by the Kaspersky Global Research and Analysis Team (GReAT). We also used best practice from the Escal Institute of Advanced Technologies (SANS), the National Cybersecurity Centers and the National Institute of Standards and Technology (NIST).
We drew on our statistics to select the most popular groups, analysed in detail the attacks they perpetrated, and mapped them to the techniques and tactics described in MITRE ATT&CK to identify a large number of shared TTPs. By tracking all the groups and detecting their attacks, we see that the core techniques remain the same throughout the cyber kill chain.
The attack patterns thus revealed are not accidental, because this class of attack requires the hackers to go through certain stages, such as penetrating the corporate network or victim’s computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups, and finally, achieving their objective.