Technique Co-Occurrences
For the purposes of this project, a co-occurrence means that a sighting event contains more than one technique. Within our data, around 19% of events contained co-occurrences. Interestingly, we discovered multiple events contained the same cluster of techniques.
This graphic shows several attributes of the top 15 co-occurrences. The size of each sphere represents how frequently the technique occurred within the top 15 events. In size order,
The color of the sphere shows how many events contained the co-occurred technique. Different lines were used to show each co-occurrence grouping. When an event contained only two techniques, a dashed, red line was used. When an event contained three or more techniques, a solid line was used. The different colors of the solid lines are associated with the different groupings of co-occurrences. For example, T1564.001 is a small, yellow sphere, indicating that it was seen the least number of times out of the top 15 co-occurrences and in less than 200 events; it is connected by a red, dashed line to T1496, indicating that it co-occurred only with this technique. Conversely, T1059.001 is a large, blue sphere, indicating that it was seen the greatest number of times and in over 200,000 events; it is connected by both types of lines and several colored lines. It was grouped with T1027 and T1105 in over 140,000 events (represented by the blue line), the most out of any co-occurrences, and seen nearly 40,000 times with T1105 and around 34,500 times with T1027. It is also included in the largest grouping we saw – T1059.001, T1021.006, T1027, T1047, T1055, T1074.001, and T1568.001, represented by the light green line. Similarly, the same cluster of techniques, without T1055, was seen just as frequently, represented by the black line.
Most co-occurrence events include region, sector, platform, and privilege level information, providing insight into how adversaries are using these techniques. Over 200,000 events occur in the United States, with much smaller amounts occurring in Ukraine, Turkey, and Bangladesh. This aligns with the broader regional trend in our data, with a significant majority of events occurring in the US. Additionally, over 98% of co-occurrence events are Windows-based, which also aligns with the overall trend in our data. Adversaries used co-occurring techniques mostly in the Manufacturing and Administrative and Support… sectors. This is semi-similar to our broader data trend, where Manufacturing constitutes around 24% of sighting events, the most of any sector, and Administrative and Support… comprises around 9% of sighting events, the 3rd most out of all sectors. Overall, our data shows around 91% of events using user-level privileges, with around 8% using SYSTEM level privileges. However, co-occurrences swap these amounts, with around 97% using SYSTEM level privileges and around 2% using user-level privileges. When comparing multiple attributes at once (e.g., co-occurrences by region and platform), these trends remain the same.
When reviewing the software for co-occurrences, Cobalt strike was seen most frequently, followed by AgentTesla. In our overall data trends, AgentTesla was seen the second most frequently; however, Cobalt Strike was not even in the top 50.
Out of the top 15 co-occurrences, only 6 techniques, or 7 sub-techniques, are not in the top 15 techniques. When we pivot to Tactics, co-occurrences are observed at a similar percentage as our top 15 techniques. However, co-occurrences cover 10% of Persistence tactics and around 5% of Collection tactics, neither of which are covered by our top 15 techniques.