Top APT groups in 2021
Hi everyone, what would you say are the top threat groups in 2021, and what TTPs should companies be able to detect to catch them?
I would recommend continuing to monitor the usual suspects: Iran, Russia, North Korea and China. China is more difficult to track, but the other three are often in many threat intel reports throughout the year. These same reports provide you with the TTPs to build the detections.
By chance I stumbled upon the following report by Red Canary.
It is their 2021 Threat Detection Report, and it mentions the threat groups you likely want to fix your target on. Furthermore, the report supports TTP detection through the ATT&CK framework. I haven't started reading it, but it seems a sensible answer to your question.
Top 10 threats (page numbers refer to the attached report):
#1 TA551 (p. 79)
#2 Cobalt Strike (p. 84)
#3 Qbot (p. 88)
#4 IcedID (p. 92)
#5 Mimikatz (p. 96)
#6 Shlayer (p. 100)
#7 Dridex (p. 103)
#8 Emotet (p. 107)
#9 TrickBot (p. 112)
#10 Gamarue (p. 115)

Top 10 techniques (page numbers refer to the attached report):
#1 T1059 Command and Scripting Interpreter (p. 11)
  - T1059.001 PowerShell (p. 12)
  - T1059.003 Windows Command Shell (p. 16)
#2 T1218 Signed Binary Proxy Execution (p. 20)
  - T1218.011 Rundll32 (p. 21)
  - T1218.005 Mshta (p. 26)
#3 T1543 Create or Modify System Process (p. 33)
  - T1543.003 Windows Service (p. 34)
#4 T1053 Scheduled Task/Job (p. 39)
  - T1053.005 Scheduled Task (p. 40)
#5 T1003 OS Credential Dumping (p. 47)
  - T1003.001 LSASS Memory (p. 48)
#6 T1055 Process Injection (p. 53)
#7 T1027 Obfuscated Files or Information (p. 58)
#8 T1105 Ingress Tool Transfer (p. 64)
#9 T1569 System Services (p. 69)
  - T1569.002 Service Execution (p. 70)
#10 T1036 Masquerading (p. 73)
  - T1036.003 Rename System Utilities (p. 74)
Happy hunting!
PS: report attached!
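As an added illustration of turning the listed sub-techniques into detection logic (this is example code written for this thread, not Red Canary's and not part of the report), here is a small rule pass over process-creation telemetry. The events are constructed, in a Sysmon Event ID 1-like shape; the field names, the utility list, the path regex and the thresholds are all assumptions. It covers T1036.003 (PE OriginalFileName not matching the on-disk name), T1059.001 (PowerShell with an encoded command, decoded for the analyst) and T1218.011/T1218.005 (rundll32 and mshta pointed at user-writable paths or URLs).

```python
"""Toy detection pass over process-creation events for a few ATT&CK techniques.

Constructed example for this thread. Event shape mimics Sysmon Event ID 1
(Image, OriginalFileName, CommandLine, ParentImage); all values are made up.
"""
import base64
import ntpath
import re

# Utilities whose on-disk name should match the PE version-info OriginalFileName.
# This list is an assumption for the example, not the report's.
SYSTEM_UTILITIES = {"rundll32.exe", "mshta.exe", "powershell.exe", "cmd.exe",
                    "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe"}

# Rough "user-writable location" heuristic (assumption).
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
# PowerShell's encoded-command switch and its base64 (UTF-16LE) payload.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "OriginalFileName": "rundll32.exe",
     "CommandLine": r"update.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode("Write-Host hello".encode("utf-16le")).decode(),
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": "mshta.exe http://constructed.example/page.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Apply the rules to one event; returns a list of (technique_id, reason)."""
    hits = []
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    # T1036.003 Rename System Utilities: PE says rundll32.exe, disk says update.exe.
    if original in SYSTEM_UTILITIES and image_name != original:
        hits.append(("T1036.003", f"{original} running as {image_name}"))

    # T1059.001 PowerShell: surface the encoded command so triage can read it.
    if original == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("T1059.001", "encoded command: " + decoded))

    # T1218.011 / T1218.005: signed proxies loading from user paths or URLs.
    if original == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.append(("T1218.011", "rundll32 loading DLL from user-writable path"))
    if original == "mshta.exe" and re.search(r"https?://|\\users\\", cmd, re.I):
        hits.append(("T1218.005", "mshta with URL or user-path argument"))
    return hits


def run(events):
    """Evaluate every event; returns {event_index: [(technique, reason), ...]}."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for idx, hits in run(EVENTS).items():
        for technique, reason in hits:
            print(f"event {idx}: {technique} - {reason}")
```

Keying the rules on OriginalFileName rather than the process name is the point of the T1036.003 rule: the renamed copy still carries the original name in its version info, so the mismatch itself is the signal. The path and URL heuristics are deliberately coarse and will need tuning against your own baseline before they are worth alerting on.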
My team consumes reports from many threat intel vendors. Depending on your needs and threat profile, you should be considering many of these vendors as input into your detection strategy. You can also consult the following thread, as it was very useful for me.
Which APT should take priority depends on your organisation, recent activity of the APT etc.
In regard to detection, it is not always possible to find the ATT&CK TTPs, so you will need human analysis to break down the intel reports and build the detection.
CrowdStrike also releases a yearly threat report, but it is not technical. This report and the one shared above should give you an idea of the direction you should take to develop your defenses. As socpuppet mentioned, you will need human analysis; the industry is still catching up, and very few providers are looking at this challenge through the lens of the technical defender, so do not expect these reports to discuss TTPs in ATT&CK terms.