
Cyber security in higher education research institutes



There is no regret in being fully prepared. As the CISO has noted, higher education research institutes are among the targets of cyber threats, so it is important to develop a brief analysis of the foreign and local cyber threats they face. It is necessary to know the threat groups that target higher education research institutes, the tactics they use to attack, and the mitigation practices against those attacks, using frameworks like MITRE ATT&CK.

MITRE ATT&CK framework

According to Cyberpedia (2023), the MITRE ATT&CK framework was created in 2013 by the non-profit organization MITRE. It is a globally accessible, free knowledge base that gives organizations a comprehensive guide to security incidents and controls, built around the attacker's perspective, threat modeling, and mitigation.

CrowdStrike (2022) explains the importance of MITRE ATT&CK and how organizations use it. The framework is an extensive catalogue of adversary tactics and techniques, developed so that defenders, threat hunters, and security teams within an organization can identify and classify attacks and assess cyber risk. It allows cybersecurity professionals to access, view, identify, and respond to the myriad security risks with the appropriate management approach. The idea behind the framework is to understand the diverse ways cyber actors attack organizations and to prepare fully for those attacks.

In the past, such detailed information and guidance could only be obtained either from incident response professionals with vast experience or from a diligent in-house cybersecurity workforce. MITRE ATT&CK is distinct from earlier models in the way it drills down into the many observed adversary behaviors: the details of attack techniques and procedures seen in real incidents, a standardized vocabulary for attack methods, and the corresponding mitigation practices (CrowdStrike, 2022).



The MITRE ATT&CK framework serves as a reference matrix for the structure of attacks and the mitigation procedures at each stage of an attack. The Enterprise matrix covers Windows, macOS, Linux, cloud, and PRE (pre-compromise) platforms, and a separate Mobile matrix covers Android and iOS; across these it supports detection, regulation, threat intelligence, security engineering, and risk management (Cyberpedia, 2023).

Threat groups that attack higher education institutions.

The threat groups that attack higher education research institutes are chiefly advanced persistent threat (APT) groups. Rosencrance (2023) defines an APT as a prolonged, stealthy attack in which intruders gain unauthorized access to a network and remain undetected there for an extended period. APT attackers generally intend to steal data rather than damage the target network.

According to MITRE ATT&CK (2019), the first major threat group that may target higher education research institutions is APT29, which MITRE associates with Russia's Foreign Intelligence Service (SVR) and which is also tracked under the names Iron Hemlock, Noble Baron, Iron Ritual, Dark Halo, Stellar Particle, Nobelium, Cozy Bear, and CozyDuke. The group has been active since at least 2008 and frequently targets NATO member countries, Europe, think tanks, and research institutes.

Goel (2020) explained how this threat group attacks organizations such as higher education research institutes. APT29 is distinctive in that it builds its own custom tools and malware for its spear-phishing campaigns. Once inside a target, the group persistently collects and digs for sensitive files and sends them back to its operators. To achieve its goals it employs custom compilers, execution methods such as WMI and PowerShell, and a choice of operational tempo, smash-and-grab or slow-and-deliberate, depending on the victim's security measures and the perceived intelligence value of the data.

APT29 is also the group behind the attacks on COVID-19 vaccine research, which attempted to steal data from pharmaceutical and research institutes while medical experts worked to develop the vaccine (Goel, 2020).
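The APT29 tradecraft described above, custom payloads delivered by spear phishing and executed through PowerShell and WMI, maps directly onto ATT&CK techniques, and that mapping is what makes the framework useful for detection engineering. The following Python script is an added example, not code from this paper or from any of the cited vendors: it runs a few of this example's own heuristics over constructed process-creation events shaped like Sysmon Event ID 1 records (parent image, image, command line) and tags each event with the public ATT&CK technique IDs it matches. The event data, the field names, and the rule markers are assumptions made for illustration; a real deployment would feed it actual endpoint telemetry.

```python
"""Tag process-creation events with MITRE ATT&CK technique IDs.

Added example: the events below are constructed sample data shaped like Sysmon Event ID 1
(parent image, image, command line), not a real capture, and the matching rules are this
example's own heuristics. Technique IDs are the public ATT&CK identifiers.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and its abbreviations, longest alternative first so "-e" cannot shadow "-enc".
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
WMI_MARKERS = ("process call create", "win32_process", "invoke-wmimethod", "invoke-cimmethod")
LSASS_DUMP_TOOLS = ("procdump", "comsvcs.dll", "minidump")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent or undecodable."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Return the sorted ATT&CK technique IDs matched by one event (empty list if nothing matched)."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    command_line = event.get("command_line", "")
    # Inspect the decoded payload as well, so encoding the command does not hide the markers.
    decoded = decode_encoded_command(command_line) or ""
    haystack = (command_line + " " + decoded).lower()
    hits = set()
    if image in POWERSHELL:
        hits.add("T1059.001")  # Command and Scripting Interpreter: PowerShell
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.add("T1204.002")  # User Execution: Malicious File (Office document spawning a script host)
    if image == "wmic.exe" or any(marker in haystack for marker in WMI_MARKERS):
        hits.add("T1047")      # Windows Management Instrumentation
    if "lsass" in haystack and any(tool in haystack for tool in LSASS_DUMP_TOOLS):
        hits.add("T1003.001")  # OS Credential Dumping: LSASS Memory
    return sorted(hits)


def scan(events: list) -> list:
    """Return (event index, technique IDs) for every event that matched at least one rule."""
    results = []
    for index, event in enumerate(events):
        techniques = classify(event)
        if techniques:
            results.append((index, techniques))
    return results


# Constructed payload: the encoded form an attacker's tooling would hand to powershell.exe.
_ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'calc.exe'".encode("utf-16-le")
).decode("ascii")

# Constructed sample events (not a real capture).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED_PAYLOAD},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic process call create "cmd.exe /c whoami"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\lsass.dmp full"},
]

if __name__ == "__main__":
    for index, techniques in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["command_line"][:60], techniques)
```

The Office-to-PowerShell parent/child rule is the part that corresponds to a spear-phishing attachment being opened; the decoder matters because an encoded command line otherwise carries none of the WMI markers the rule looks for.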

According to Bugcrowd (n.d.), the other group that attacks higher education institutions is APT19, also tracked as Codoso, Codoso Team, C0d0so0, and Sunshop. Besides higher education, APT19 targets the finance, defense, energy, high-tech, pharmaceutical, and manufacturing sectors. This group, based in mainland China, is known for specific techniques: watering hole attacks, in which legitimate websites that the targets are known to visit are compromised to reach the targeted network; droppers disguised as legitimate installers for Microsoft ActiveX controls, Adobe Reader, and Juniper VPN; malicious Microsoft Excel documents with embedded macros; and Rich Text Format (RTF) attachments in phishing emails.

Tactics, Techniques, and Procedures (TTPs) used by APT attackers.

As MITRE ATT&CK (2022) indicates, the framework is organized into matrices: Enterprise, Mobile, and ICS (the earlier PRE-ATT&CK matrix was folded into the Enterprise matrix in 2020 as the Reconnaissance and Resource Development tactics). We will discuss the main tactics, techniques, and procedures (TTPs) of the Enterprise ATT&CK matrix, since it relates to corporate networks such as higher education research institution networks. Cyberpedia (2023) states that tactics represent why the attacker performs an action, techniques describe how the attacker achieves a tactic, and procedures are the specific details of how the attackers carry out a technique to achieve their goal (the tactic). MITRE ATT&CK (2019) describes the fourteen Enterprise tactics, together with representative techniques and procedures used against corporate networks such as higher education research institutes, as follows:

Reconnaissance: It has ten techniques, such as active scanning, gathering victim identity information, phishing for information, and searching open technical databases, that are used to gather information about the victim's infrastructure, passively or actively, in order to plan later phases of the adversary life cycle.

Resource Development: It consists of seven techniques, such as acquiring infrastructure, establishing accounts, and developing or obtaining capabilities, that involve creating, purchasing, or stealing resources used to attack the targeted entity.

Initial Access: It consists of nine techniques, such as drive-by compromise, exploiting public-facing applications, hardware additions, and valid accounts (including default accounts), used to gain the first foothold in the targeted network and establish continued access.

Execution: It incorporates thirteen techniques that involve running malicious code on local or remote systems to serve the broader goals of stealing data or exploring the network. Techniques include command and scripting interpreters (PowerShell, AppleScript), container administration commands, dynamic data exchange, and more.

Persistence: It involves nineteen techniques, such as account manipulation, boot or logon autostart execution, and compromising client software binaries, that help attackers keep their access across credential changes, restarts, and other defensive actions by adding startup code or hijacking legitimate code.

Privilege Escalation: It consists of thirteen techniques for obtaining higher-level permissions, including abuse of elevation control mechanisms, access token manipulation, boot or logon initialization scripts, and more.

Defense Evasion: It is the largest tactic, with more than forty techniques, including disabling or uninstalling security software, obfuscating or encrypting files, and deploying containers, that help attackers remain undetected.

Credential Access: It has seventeen techniques, such as adversary-in-the-middle, brute-force password cracking, and stealing web session cookies, that let attackers steal account names and passwords, which they can then use to create accounts, gain full access to systems, and pursue further tactics while remaining undetected.

Discovery: It includes some thirty techniques that give attackers knowledge of the internal network before they decide how to act, such as account discovery, debugger evasion, domain trust discovery, and others.

Lateral Movement: This involves nine techniques, such as internal spear phishing, lateral tool transfer, remote service session hijacking, and more, that let adversaries access and control remote systems.

Collection: It consists of seventeen techniques used to collect data of interest from targeted sources such as browsers, video, audio, email, and drives. Common techniques are input capture (keylogging) and screen capture.

Command and Control: This tactic comprises sixteen techniques, such as application layer protocols, data encoding, dynamic resolution, and more, that allow attackers to communicate with systems under their control by mimicking normal traffic through the victim network.

Exfiltration: It comprises nine techniques for removing the collected data from the network, typically over the command-and-control channel or an alternate channel; the data is often compressed and encrypted beforehand so that the transfer evades detection.

Impact: It consists of thirteen techniques, such as account access removal, data destruction, data manipulation, defacement, and more, that enable attackers to interrupt, disrupt, or manipulate the victim's systems and data, sometimes as cover for a confidentiality breach.
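MITRE distributes the Enterprise matrix described above as a STIX 2.1 JSON bundle (enterprise-attack.json in the mitre-attack/attack-stix-data repository), in which each technique is an attack-pattern object whose kill_chain_phases list the tactics it belongs to. The following Python example is added here and is not code from this paper or from MITRE; it builds a tiny constructed bundle in that layout and shows how to derive the per-tactic technique lists, and why the counts quoted above should be read carefully: a technique such as Valid Accounts or Deploy Container appears under several tactics, sub-techniques are flagged separately, and revoked objects must be skipped. The sample objects are an abbreviated, hand-made subset, not the real dataset.

```python
"""Derive per-tactic technique lists from an ATT&CK-style STIX bundle.

Added example. SAMPLE_BUNDLE is a constructed, abbreviated bundle that follows the field layout
of MITRE's enterprise-attack.json (attack-pattern objects, mitre-attack external references,
kill_chain_phases, x_mitre_is_subtechnique, revoked); the real file has hundreds of objects.
"""
from collections import defaultdict


def attack_pattern(tid, name, phases, subtechnique=False, revoked=False):
    """Build one attack-pattern object in the ATT&CK STIX shape (sample data only)."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--sample-{tid.lower()}",
        "name": name,
        "revoked": revoked,
        "x_mitre_is_subtechnique": subtechnique,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--sample",
    "objects": [
        attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
        attack_pattern("T1059.001", "PowerShell", ["execution"], subtechnique=True),
        attack_pattern("T1047", "Windows Management Instrumentation", ["execution"]),
        attack_pattern("T1610", "Deploy Container", ["execution", "defense-evasion"]),
        attack_pattern("T1078", "Valid Accounts",
                       ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
        attack_pattern("T1566", "Phishing", ["initial-access"]),
        attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
        # Revoked entries stay in the dataset for history; T1086 was folded into T1059.001.
        attack_pattern("T1086", "PowerShell", ["execution"], revoked=True),
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--sample", "name": "Execution",
         "x_mitre_shortname": "execution"},
    ],
}


def technique_id(obj):
    """Return the ATT&CK ID (e.g. T1078) from the object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def active_techniques(bundle, include_subtechniques=False):
    """Yield attack-pattern objects that are neither revoked nor deprecated."""
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj.get("x_mitre_is_subtechnique") and not include_subtechniques:
            continue
        yield obj


def techniques_by_tactic(bundle, include_subtechniques=False):
    """Map each tactic short name to the sorted technique IDs that list it in kill_chain_phases."""
    matrix = defaultdict(set)
    for obj in active_techniques(bundle, include_subtechniques):
        tid = technique_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]].add(tid)
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}


def count_techniques(bundle):
    """Return (unique top-level techniques, sum of per-tactic counts); the second double-counts."""
    matrix = techniques_by_tactic(bundle)
    unique = {tid for ids in matrix.values() for tid in ids}
    return len(unique), sum(len(ids) for ids in matrix.values())


if __name__ == "__main__":
    for tactic, ids in sorted(techniques_by_tactic(SAMPLE_BUNDLE).items()):
        print(f"{tactic:22} {', '.join(ids)}")
    print("unique vs summed:", count_techniques(SAMPLE_BUNDLE))
```

To run it on the real matrix, replace SAMPLE_BUNDLE with json.load() of the downloaded enterprise-attack.json; the field names are the same, which is why the per-tactic figures published for a given ATT&CK version add up to more than the number of distinct techniques.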

Mitigation Controls based on TTPs and MITRE ATT&CK



There are multiple mitigation practices based on the MITRE ATT&CK framework that higher education research institutions can use to secure their networks. Cyberpedia (2023) lists the most common mitigations based on TTPs and the MITRE ATT&CK framework. The first is an account use policy: policies on login attempts, login times, and lockouts. The second is antivirus or antimalware, which detects malicious activity or software using signatures or heuristics. The third is auditing, which finds security weaknesses by assessing software, permissions, systems, and configurations. Boot and system integrity is another best practice: always verifying the operating system and its loading mechanisms through secure boot methods keeps the network protected. Credential access protection is a further mitigation; blocking forms of credential dumping prevents intruders from obtaining credential material. Network intrusion prevention also contributes to a secure network. Filtering network traffic is another control: using network appliances, configuring software appropriately, and applying protocol-based filtering on the endpoint all help protect the network. Finally, secure operating system configuration, strong passwords, and encryption are the other mitigation practices based on TTPs and the MITRE ATT&CK framework.
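The account use policy listed first above (limits on login attempts, login times, and lockouts) is simple to state but has edge cases that matter in practice: failures must age out of an observation window, a lock must expire on its own, a correct password must not unlock a locked account early, and attempts outside permitted hours should never reach the credential check at all. The following Python class is an added example, not code from this paper or from MITRE or Cyberpedia; the thresholds, the permitted-hours rule, and the login sequence in run_demo are constructed assumptions chosen to exercise those edge cases.

```python
"""Threshold lockout with a sliding window and permitted login hours (account use policy).

Added example with constructed inputs; the policy values are illustrative, not a recommendation
taken from the paper or the cited sources. Timestamps are POSIX seconds.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def utc_ts(year, month, day, hour, minute=0, second=0):
    """POSIX timestamp for a UTC wall-clock time (helper for the constructed scenario)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc).timestamp()


class AccountUsePolicy:
    """Lock an account after `threshold` failures within `window` seconds, for `lockout` seconds.

    Outcomes returned by attempt():
      "ok"            credentials valid, failure history cleared
      "fail"          credentials invalid, still below the threshold
      "locked"        this failure reached the threshold and locked the account
      "rejected"      account is locked; credentials were NOT evaluated
      "outside_hours" attempt outside allowed_hours; credentials were NOT evaluated
    """

    def __init__(self, threshold=5, window=900, lockout=900, allowed_hours=(0, 24)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.allowed_hours = allowed_hours          # [start, end) hours in UTC
        self._failures = defaultdict(deque)         # account -> timestamps of recent failures
        self._locked_until = {}                     # account -> time the lock expires

    def _in_allowed_hours(self, ts):
        start, end = self.allowed_hours
        return start <= datetime.fromtimestamp(ts, tz=timezone.utc).hour < end

    def is_locked(self, account, ts):
        """True while a lock is in force; an expired lock is cleared along with the failure history."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if ts >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account, ts, credentials_valid):
        if not self._in_allowed_hours(ts):
            return "outside_hours"
        if self.is_locked(account, ts):
            return "rejected"                       # even a correct password does not unlock early
        if credentials_valid:
            self._failures[account].clear()
            return "ok"
        failures = self._failures[account]
        failures.append(ts)
        while failures and ts - failures[0] >= self.window:
            failures.popleft()                      # failures older than the window no longer count
        if len(failures) >= self.threshold:
            self._locked_until[account] = ts + self.lockout
            return "locked"
        return "fail"


def run_demo():
    """Constructed login sequence exercising the window, the lock expiry, and the hours rule."""
    policy = AccountUsePolicy(threshold=3, window=600, lockout=300, allowed_hours=(6, 22))
    t0 = utc_ts(2023, 11, 15, 9)                    # 09:00 UTC, inside allowed hours
    return [
        policy.attempt("alice", t0, False),         # fail
        policy.attempt("alice", t0 + 10, False),    # fail
        policy.attempt("alice", t0 + 20, False),    # locked: third failure inside the window
        policy.attempt("alice", t0 + 30, True),     # rejected: correct password while locked
        policy.attempt("alice", t0 + 320, True),    # ok: lock expired at t0 + 20 + 300
        policy.attempt("bob", t0, False),           # fail
        policy.attempt("bob", t0 + 100, False),     # fail
        policy.attempt("bob", t0 + 700, False),     # fail: earlier failures aged out of the window
        policy.attempt("carol", utc_ts(2023, 11, 15, 3), True),  # outside_hours: 03:00 UTC
    ]


if __name__ == "__main__":
    print(run_demo())
```

One caveat a practitioner would add: a very low threshold lets an attacker who knows account names lock users out deliberately, so the lockout should be paired with monitoring for password spraying across many accounts rather than relied on alone.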

Conclusion

If we are lucky, we learn from our own mistakes, but we are luckiest when we learn from others' mistakes. The MITRE ATT&CK framework offers that luckier chance to organizations that diligently implement its matrix. It gives an organization a complete picture of how to prepare, based on the details and experiences of other organizations that went through the pain of cyber attacks. The MITRE ATT&CK framework is, in effect, a window into the attacker's mind that gives defenders a head start on heading off cyber threats before they occur.

References

Rosencrance, L. (2023). APT. TechTarget. https://www.techtarget.com/searchsecurity/persistent-threat-APT

Bugcrowd. (n.d.). APT. Bugcrowd. https://www.bugcrowd.com/apt/

Cortex. (2023). MITRE ATT&CK Framework. Cyberpedia. https://www.paloaltonetworks.com/cyberpedia/mitre-attack-framework#

CrowdStrike. (2022, October 7). MITRE ATT&CK. CrowdStrike. https://www.crowdstrike.com/mitre-attack/

Goel, S. (2020, July 30). APT29. Exabeam. https://www.exabeam.com/apt29/

MITRE. (2019). Enterprise. MITRE. Retrieved from https://attack.mitre.org/enterprise/
