Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Mitre ATTACK and the North Korean Regime-Backed Programmer


Published on

On 6th September the US Department of Justice (DOJ) unsealed an indictment against a North Korean regime-backed programmer who is a suspect in many significant network intrusions. We map details of these intrusions the MITRE ATT&CK™ framework.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Mitre ATTACK and the North Korean Regime-Backed Programmer

  1. 1. 0. Reconnaissance 11. Command and Control MITRE ATT&CK and the North Korean Regime-Backed Programmer MITRE ATT&CK Stage Tactics, Techniques and Procedures Mitigation Advice • Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested. • Ensure that network services are patched and running supported versions of software. • Credentials, especially for admin accounts, should use strong passwords and two factor authentication (2FA) should be enabled wherever possible. • Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments. • Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. • 2FA is essential for email accounts, especially with a security key where possible. • Application whitelisting can be used to limit which bina- ries are executed in an environment. • Browser sandboxing solutions can be used to ensure that malware only executes in a low privilege environment without any further access to an organization’s assets. • Hardening browsers and operating systems to prevent script execution and reduce the number of plugins and/or extensions can further serve to mitigate this risk. • In certain circumstances, SSL inspection can be used to have visibility into encrypted communications. If SSL inspection is deployed, traffic that cannot be inspected should not be able to egress the network unless explicitly whitelisted. • Educate users about the dangers of URL shorteners alongside general security awareness training may help with mitigating this common technique. • Provide avenues for users to report attempting phishing attacks • Provide additional training for employees who regularly deal with the public and have a business requirement to open attachments Spearphishing attachment; Spearphishing link; Spearphishing via Service People Information Gathering; Organizational Information Gathering; Organizational Weakness Identification; People Weakness Identification Drive-by Compromise 1. Initial Access 2. Execution User execution Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Multi-hop Proxy, Remote File Copy • Some email filtering technologies provide the capability to block password-protected zip files. Where there is no business requirement to allow such attachments, they should be blocked. Deobfuscate/Decode Files or Information 5. Defense Evasion • Advanced EDR (Endpoint Detection and Response) systems should be deployed to detect in-memory patching attacks being used by malware to manipulate existing code. In general, code should not be attempting to interfere with other processes and this behavior can be considered as suspicious. • Application whitelisting can be used to restrict which code can execute inside an environment. This can be used to detect the attempted installation of malware by an adver- sary and prevent the execution of this malware. Exploitation for Defense Evasion Masquerading 8. Lateral Movement • Apply the principle of least privilege and restrict admin account access. • Once an attacker has admin privileges, detection can be used to uncover malicious behavior. • Windows event logs register the creation, updating and re- moval of scheduled tasks. • Application whitelisting can be used to restrict the execu- tion of certain file types in an environment. Windows Admin Shares 9. Collection • Security reviews of log files of critical systems, such as payment systems, is important to detect malicious activity. • Anomalous behavior, such as log deletion, should warrant closer inspections. Automated Collection, Data from Local System