Look at this Graph: Prioritizing Initial Access Threats & TTPs via Link Analysis
Supriya Mazumdar | Scott Small
This session provides a wide overview of top threats currently used to gain initial victim access, analysis of TTP overlaps and differences among them, and a link analysis of the later-stage crimeware payloads these threats are frequently used to deliver.
For the first time, we have aggregated the recent TTPs associated with a large number of notable loader, trojan, and other initial access threats (SocGholish, Gootloader, Raspberry Robin, IcedID, BumbleBee, Emotet, etc.), and aligned them to MITRE ATT&CK® for quicker orientation, context, and pivoting into defensive actions. Most of these threats represent sophisticated operations, with access sales often arranged ahead of time, distinguishing them from more commoditized current threats like information stealers.
Although many of these threats are responsible for high infection volumes and are notoriously adept at modifying their TTPs, there has yet to be a comprehensive survey of how techniques are shared (or differ) among the various operations, campaigns, and malware families. Identifying the most commonly used TTPs and the most commonly delivered payloads helps defenders prioritize which countermeasures to deploy and tune, making the most efficient use of finite time and resources.
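The prioritization described above can be reduced to a small computation over a threat-to-technique mapping: count how many threats share each ATT&CK technique, and score pairwise overlap between threats as graph edges. The code below is an added illustration, not material from the session; the technique sets assigned to each named threat are a constructed sample, not the speakers' dataset.

```python
from itertools import combinations

# Constructed sample mapping of initial access threats to ATT&CK technique IDs.
# Illustrative placeholder data only; not the mappings presented in the session.
THREAT_TTPS = {
    "SocGholish": {"T1189", "T1204.002", "T1059.007", "T1027"},
    "Gootloader": {"T1608.006", "T1204.002", "T1059.007", "T1027", "T1053.005"},
    "IcedID": {"T1566.001", "T1204.002", "T1218.011", "T1027", "T1055"},
    "BumbleBee": {"T1566.002", "T1204.002", "T1218.011", "T1027", "T1055"},
    "Emotet": {"T1566.001", "T1204.002", "T1059.001", "T1027", "T1055"},
}


def technique_frequency(threat_ttps):
    """Count how many threats use each technique; most widely shared first,
    ties broken by technique ID so the ordering is deterministic."""
    counts = {}
    for ttps in threat_ttps.values():
        for technique in ttps:
            counts[technique] = counts.get(technique, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def overlap_edges(threat_ttps, min_jaccard=0.0):
    """Pairwise Jaccard similarity between threats' technique sets.
    Each result is a weighted graph edge: (threat_a, threat_b, score, shared)."""
    edges = []
    for a, b in combinations(sorted(threat_ttps), 2):
        shared = threat_ttps[a] & threat_ttps[b]
        union = threat_ttps[a] | threat_ttps[b]
        score = len(shared) / len(union) if union else 0.0
        if score >= min_jaccard:
            edges.append((a, b, round(score, 3), sorted(shared)))
    # Stable sort keeps alphabetical pair order among equal scores.
    return sorted(edges, key=lambda edge: -edge[2])


def prioritize(threat_ttps, top_n=3):
    """Techniques that cover the most threats at once: the first candidates
    for deploying or tuning a detection, since one countermeasure pays off
    against several families."""
    return [technique for technique, _ in technique_frequency(threat_ttps)[:top_n]]


if __name__ == "__main__":
    for technique, count in technique_frequency(THREAT_TTPS):
        print(f"{technique:<10} used by {count} threat(s)")
    for a, b, score, shared in overlap_edges(THREAT_TTPS, min_jaccard=0.5):
        print(f"{a} <-> {b}: jaccard={score} shared={shared}")
```

Replacing the sample dictionary with a real mapping (for example one exported from an ATT&CK Navigator layer per threat) turns the edge list into input for any graph tool.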