research institutes are one of the targets of cyber threats, it is important to develop a brief
analysis of the foreign and local cyber threats that they face. It is necessary to know the potential
threat groups that target higher education research institutes, the tactics they use to attack, and
the mitigation practices against those attacks by utilizing frameworks like MITRE ATT&CK.
According to Cyberpedia (2023), the MITRE ATT&CK framework was designed in 2013 by the
comprehensive guide for organizations on security incidents and controls based on security elements
CrowdStrike (2022) explained the importance of MITRE ATT&CK and how it is used by
organizations. The MITRE ATT&CK framework is an extensive model of schemes and techniques
developed to identify and classify attacks and inspect cyber risks by threat defenders, threat hunters,
and security teams within an organization. It allows cybersecurity professionals to assess, view,
identify, and respond to the myriad security risks with the appropriate management approach. The
idea behind the framework is to understand the diverse ways cyber actors use to attack
In the past, detailed information and guidelines could only be acquired either through
incident response professionals with vast experience or a diligent cybersecurity workforce. The
MITRE ATT&CK framework is distinct from previously used models in the way it drills down into
implemented incidents, standardized language for attack methods, and proper mitigation
The MITRE ATT&CK framework serves as a reference spreadsheet on the structure of
enterprise platforms like Windows, PRE, macOS, Cloud, Linux, and Mobile (Android and iOS) by
management (Cyberpedia, 2023).
The threat groups that attack higher education research institutes are among the APT
(advanced persistent threat) groups. Rosencrance (2023) stated that an APT is a hidden attack on a
computer network in which attackers gain unauthorized access and remain undetected for a
certain period inside the targeted network. APT attackers intend to steal data rather than damage their
target networks.
According to MITRE ATT&CK (2019), the first major cyber attacker groups that may
target higher education research institutions are Iron Hemlock, Noble Baron, Iron Ritual, Dark
Halo, Stellar Particle, Nobelium, Cozy Bear, and Cozy Duke, which are associated with
Russia's Foreign Intelligence Service (SVR) and tracked as the APT29 threat group. These threat groups
have been active since 2008, frequently aiming their attacks at NATO member countries, Europe,
Goel (2020) explained how this threat group attacks organizations like higher education research
institutes. APT29 is aggressive in its techniques, using its own custom
tools and malware for its spear-phishing campaigns. Once they breach their target, they persist in
collecting and digging for sensitive files and sending them back to the attackers. To achieve
their goals, they employ custom compilers, execution methods like WMI and PowerShell, and
APT29 is the group that posed the cybersecurity threat to the COVID-19 vaccine
and attempted to steal data from pharmaceutical and research institutes as the medical experts
According to Bugcrowd (n.d.), the other group that attacks higher institutions is APT19, with
the associated groups Codoso, Codoso Team, C0d0so0, and Sunshop. APT19 also targets
education institutions. This attack group, located in mainland China, is known for using specific
attack techniques like watering hole attacks, where they use legitimate websites that targets visit
to compromise the targeted network; droppers that look like valid installers related to Microsoft
ActiveX controls, Adobe Reader, and Juniper VPN; malicious Microsoft Excel macro-
embedded documents; and Rich Text Format (RTF) attachments for phishing emails.
As MITRE ATT&CK (2022) indicates, there are Enterprise, Mobile, and Pre-Attack
matrices in the MITRE ATT&CK framework. We'll discuss the main tactics, techniques, and
procedures (TTPs) of the Enterprise ATT&CK matrix as it relates to corporate networks like
higher education research institution networks. Cyberpedia (2023) stated that tactics represent why the attacker
performs an action, techniques refer to how the attacker achieves the tactics, and procedures
are the specific details the attackers use to carry out the techniques to achieve their goal (tactics).
MITRE ATT&CK (2019) described the twelve tactics attackers perform, with their general
techniques and procedures on how they attack corporate networks like higher education research
institutes, as follows:
Reconnaissance: It has 10 techniques, like active scanning, gathering identity information, phishing, and
searching open technical databases, that are implemented to gather information about the victim's
infrastructure, passively or actively, to plan the later stages of the adversary life cycle.
Resource Development: It consists of seven techniques like account access removal, data
destruction, and data manipulation that involve developing, purchasing, or stealing resources that
Initial Access: It consists of nine techniques like drive-by compromise, exploiting public-facing
applications, hardware additions, and default accounts to gain the first foothold in the targeted
Execution: It incorporates thirteen techniques that involve running or executing malicious code
on local or remote systems to complete the general goals of stealing data or exploring the
execution, compromising client software, and others that help maintain attacker access
across changed credentials, restarts, and the organization's good security practices by appending
Privilege Escalation: It consists of thirteen techniques that help attain higher-level authorized
permissions. This involves abusing control mechanisms, access token manipulation, boot or
security software, encryption, and deploying containers that help the attackers remain
undetected.
and web cookies that help steal or compromise passwords and account names, which allow the
attackers to create accounts, access the system fully, and achieve their tactics while remaining
undetected.
Discovery: It includes thirteen techniques that give the attackers knowledge of the organization's
internal network before they decide how to act. This involves account discovery,
Lateral Movement: This involves nine techniques, such as internal spear phishing, lateral tool
transfer, remote service hijacking, and more, that let adversaries access and control remote
systems.
Collection: It consists of seventeen techniques that are implemented to collect data of interest
from targeted sources such as browsers, video, audio, email, and drives. The common
Command and Control: This tactic implements sixteen techniques, such as application layer
protocol, data encoding, dynamic resolution, and more, that allow attackers to communicate with
systems under their control while mimicking normal traffic through the victim network.
Exfiltration: It implements nine techniques, including encryption and compression, to steal and
remove data from the network through packaging that helps protect it from detection.
Impact: It consists of thirteen techniques, such as account access removal, data destruction, data
manipulation, defacement, and more, that enable the attackers to interrupt, disrupt, and manipulate
the operating systems of the victim network to cover up the attack.
There are multiple mitigation practices based on the MITRE ATT&CK framework that
higher education research institutions can benefit from to secure their networks. Cyberpedia
(2023) noted the most common mitigation practices based on TTPs and the MITRE ATT&CK
framework. One is setting up an account use policy. Account use policies cover policies
on login attempts, login times, and lockouts. Second is antivirus or antimalware. These detect
configurations. System integrity is the other best practice. Always verifying the loading
mechanisms and operating system through secure methods keeps the network protected.
Credential access protection is another mitigation tactic. Access protection such as blocking forms of
credential dumping can prevent intruders from accessing credential information.
traffic is the other security tactic. Utilizing network appliances, undergoing configuration
software, and using protocol-based filtering on the endpoint help to protect the network. Finally,
successful operating system configurations, strong passwords, and encryption are the other mitigation
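The account use policy described above (limits on login attempts, permitted login times, and lockouts) can be checked mechanically against authentication logs. The following Python is an added example, not code from the page, from Cyberpedia, or from MITRE; the event format, the policy thresholds, and the sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample authentication events (not from the page): timestamp, user, outcome.
EVENTS = [
    ("2024-03-04 09:02:11", "alice", "success"),
    ("2024-03-04 02:15:40", "bob", "success"),    # outside permitted login hours
    ("2024-03-04 10:00:01", "carol", "failure"),
    ("2024-03-04 10:00:05", "carol", "failure"),
    ("2024-03-04 10:00:09", "carol", "failure"),
    ("2024-03-04 10:00:12", "carol", "failure"),
    ("2024-03-04 10:00:15", "carol", "failure"),  # fifth failure in the window: lockout
    ("2024-03-04 10:00:20", "carol", "success"),  # should have been refused while locked
    ("2024-03-04 11:30:00", "carol", "success"),  # lockout has expired by now
]

# Assumed policy thresholds (example values chosen here, not prescribed by the page).
POLICY = {
    "max_failures": 5,          # failures inside the window that trigger a lockout
    "window_seconds": 300,
    "lockout_seconds": 900,
    "login_start": time(7, 0),  # permitted login hours, inclusive
    "login_end": time(20, 0),
}

def evaluate(events, policy):
    """Return (timestamp, user, finding) tuples for every policy violation."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in the window
    locked_until = {}                     # user -> datetime when the lockout expires
    for ts_str, user, outcome in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if not policy["login_start"] <= ts.time() <= policy["login_end"]:
            findings.append((ts_str, user, "login outside permitted hours"))
        if user in locked_until and ts < locked_until[user]:
            findings.append((ts_str, user, "attempt while account locked out"))
            continue
        if outcome != "failure":
            recent_failures[user].clear()  # a successful login resets the counter
            continue
        window = recent_failures[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > policy["window_seconds"]:
            window.popleft()               # drop failures older than the window
        if len(window) >= policy["max_failures"]:
            locked_until[user] = ts + timedelta(seconds=policy["lockout_seconds"])
            window.clear()
            findings.append((ts_str, user, "lockout triggered"))
    return findings
```

Running `evaluate(EVENTS, POLICY)` flags bob's off-hours login, carol's lockout, and carol's login that was accepted while she should still have been locked out.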
Conclusion
If we are lucky, we learn from our own mistakes, but we are the luckiest when we learn from
others' mistakes. The MITRE ATT&CK framework offers that luckiest chance to organizations that
diligently implement its matrix. It provides an organization with a full picture of preparation based on
the details and experiences of other organizations that went through the pain of cyber threats.
The MITRE ATT&CK framework is an attacker brain reader that gives the benefit of heading up to
References
Rosencrance (2023). TechTarget. https://www.techtarget.com/searchsecurity/persistent-threat-APT
Cyberpedia (2023). Palo Alto Networks. https://www.paloaltonetworks.com/cyberpedia/mitre-attack-framework#
CrowdStrike (2022). https://www.crowdstrike.com/mitre-attack/