How do security analysts detect advanced persistent threats such as Cozy Bear, Dark Halo, and NOBELIUM? We will learn how to apply the MITRE ATT&CK framework in 6 basic steps to map the sophisticated techniques of nation-state hackers.
Once you have this information, you will not look at your systems the same way again. We are going to dive into some of the most sophisticated techniques ever used against heavily defended systems.
You might have heard about the SolarWinds breach that created a huge wave of attention around the world. This attack affected over 17,000 systems globally, with an estimated number of exposed endpoints close to an incredible 60,000,000 (and likely more than this). And all of the names above refer to the same group.
APT29 is, according to several sources, the threat group attributed to Russia's Foreign Intelligence Service (SVR). Who are they? How do they operate? Let's look together.
Even if you are not a computer expert, you will understand the scope and complexity of the work hackers do to achieve their goals. It is frightening and fascinating at the same time.
The term APT (read: Advanced Persistent Threat) comes from a US Air Force colonel, who started to use it in the meaning we know today.
And although APT is a term imported from the military rather than coined by security practitioners, it really fits its purpose.
We will look closer at APT29 in particular in subsequent chapters.
Image source – wikipedia.org
As mentioned before, an APT poses a very serious danger to the pillars of a state's existence and to all the infrastructure around the state.
The list of the most critical infrastructure sectors varies from one country to another, but it usually includes the financial, energy, transportation, healthcare, and communication sectors.
There are many information flows between them as well as logical and physical dependencies.
For instance, targeting the energy sector and causing outages and widespread blackouts would affect the other industries. It is hard to imagine anything working today without electricity for even a few minutes. What if one group causes an outage of a few days?
It is crucially important to understand how APTs act, for several reasons:
Now, let us look at practical things. If you have not heard about MITRE before, you can read about it on the official website.
What we are going to inspect and practice is the MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge). This chapter focuses on how the framework helps to resolve the challenges mentioned in the previous chapter.
I am going to walk through the MITRE toolset with examples and explain its use cases.
[Six screenshots of the ATT&CK walkthrough steps; image source – attack.mitre.org]
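As an added example (not the article's own code and not a MITRE tool), the script below does programmatically, against the ATT&CK STIX 2.0 bundle, what the walkthrough above does by hand in the web interface: find a group by name or alias, collect the techniques linked to it by "uses" relationships, group them by tactic (the matrix columns), and emit an ATT&CK Navigator layer that highlights them. The embedded bundle is a constructed miniature: the object shapes follow the real enterprise-attack data, but the STIX ids are placeholders and the technique subset is illustrative only; the Navigator layer-format version is an assumption. Point it at the real enterprise-attack.json from MITRE's attack-stix-data repository for complete results.

```python
"""Map an ATT&CK group to its techniques and tactics from an ATT&CK STIX 2.0
bundle, then emit an ATT&CK Navigator layer. Standard library only."""
import json
from collections import defaultdict

# Constructed miniature of the enterprise-attack bundle: object shapes
# (intrusion-set, attack-pattern, relationship; external_references with
# source_name "mitre-attack"; kill_chain_phases) follow the real data, but the
# STIX ids are placeholders and the technique subset is illustrative only.
_PH = "{}--00000000-0000-4000-8000-0000000000{:02d}"
SAMPLE_BUNDLE = {
    "type": "bundle", "id": _PH.format("bundle", 0),
    "objects": [
        {"type": "intrusion-set", "id": _PH.format("intrusion-set", 1), "name": "APT29",
         "aliases": ["APT29", "Cozy Bear", "NOBELIUM", "Dark Halo"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
        {"type": "attack-pattern", "id": _PH.format("attack-pattern", 2),
         "name": "Compromise Software Supply Chain", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1195.002"}]},
        {"type": "attack-pattern", "id": _PH.format("attack-pattern", 3),
         "name": "Valid Accounts", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in
                               ("defense-evasion", "persistence", "privilege-escalation", "initial-access")],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "id": _PH.format("attack-pattern", 4),
         "name": "Spearphishing Attachment", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "relationship", "id": _PH.format("relationship", 5), "relationship_type": "uses",
         "source_ref": _PH.format("intrusion-set", 1), "target_ref": _PH.format("attack-pattern", 2)},
        {"type": "relationship", "id": _PH.format("relationship", 6), "relationship_type": "uses",
         "source_ref": _PH.format("intrusion-set", 1), "target_ref": _PH.format("attack-pattern", 3)},
        # The real bundle keeps revoked objects; a revoked "uses" edge must be ignored.
        {"type": "relationship", "id": _PH.format("relationship", 7), "relationship_type": "uses",
         "source_ref": _PH.format("intrusion-set", 1), "target_ref": _PH.format("attack-pattern", 4),
         "revoked": True},
    ],
}


def _attack_id(obj):
    # ATT&CK id (G0016, T1078, ...) lives in external_references, not in the STIX id.
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def find_group(bundle, name):
    """Find a non-revoked intrusion-set by name or alias (case-insensitive)."""
    wanted = name.lower()
    for obj in bundle["objects"]:
        if obj.get("type") == "intrusion-set" and not obj.get("revoked"):
            if wanted in (n.lower() for n in [obj["name"], *obj.get("aliases", [])]):
                return obj
    return None


def techniques_for_group(bundle, group_name):
    """Techniques the group 'uses', keyed by ATT&CK id, skipping revoked/deprecated data."""
    group = find_group(bundle, group_name)
    if group is None:
        raise KeyError(f"no intrusion-set named or aliased {group_name!r}")
    patterns = {o["id"]: o for o in bundle["objects"] if o.get("type") == "attack-pattern"}
    found = {}
    for rel in bundle["objects"]:
        if (rel.get("type") != "relationship" or rel.get("relationship_type") != "uses"
                or rel.get("source_ref") != group["id"] or rel.get("revoked")):
            continue
        ap = patterns.get(rel.get("target_ref"))
        if ap is None or ap.get("revoked") or ap.get("x_mitre_deprecated"):
            continue
        tactics = sorted(p["phase_name"] for p in ap.get("kill_chain_phases", [])
                         if p.get("kill_chain_name") == "mitre-attack")
        found[_attack_id(ap)] = {"name": ap["name"], "tactics": tactics}
    return dict(sorted(found.items()))


def techniques_by_tactic(techniques):
    """Invert the mapping: tactic -> sorted technique ids (the matrix columns view)."""
    columns = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            columns[tactic].append(tid)
    return {t: sorted(ids) for t, ids in sorted(columns.items())}


def navigator_layer(group_id, techniques, domain="enterprise-attack"):
    """Build an ATT&CK Navigator layer dict; the layer-format version is an assumption."""
    return {"name": f"{group_id} techniques", "versions": {"layer": "4.5"}, "domain": domain,
            "techniques": [{"techniqueID": tid, "score": 1, "comment": info["name"]}
                           for tid, info in techniques.items()]}


if __name__ == "__main__":
    techs = techniques_for_group(SAMPLE_BUNDLE, "Cozy Bear")  # alias lookup, as in the UI search
    for tactic, ids in techniques_by_tactic(techs).items():
        print(f"{tactic:22} {', '.join(ids)}")
    print(json.dumps(navigator_layer("G0016", techs), indent=2))
```

Replace SAMPLE_BUNDLE with `json.load(open("enterprise-attack.json"))` to run it against the real data; the revoked and deprecated checks matter there, because the real bundle keeps superseded techniques and relationships rather than deleting them. Load the resulting layer in Navigator and overlay it on a layer of your own detection coverage to see which of the group's techniques you are not yet watching.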
At this point, we are working with a specific threat group only. The full functionality of MITRE ATT&CK cannot be described in the scope of one article, so we will leave other case studies for future publications.
However, you might want to learn it on your own. That is a good decision, given the professionally written instructions and online seminars available.
Unfortunately, such things as a "magic button" or an "all-in-one solution" for protection against different APTs do not exist yet. But suppose you have enough expertise and resources. In that case, it is possible to implement security controls that reduce the risks associated with that threat.
You are likely to reduce the present risks if you follow a few general principles:
1. Think about security architecture first, not compensatory controls.
2. Don't overestimate the role of technology. The human factor still accounts for 99.5% of success (or failure).
3. Apply technology smartly.
Even though an APT is a very sophisticated threat to any critical infrastructure facility's information systems and essential services (read: to human well-being), there are still methods that can help detect and react to an APT attack in time.
We have just learned one framework for the purpose of catching malicious actors before they strike somebody's business and our calm lives. Of course, there are other commercially available methodologies and services from companies that deal with such activities as their daily business.
I would be happy to continue this series of articles and shed more light on the hidden life of state-sponsored actors and their techniques and tactics. I also touched on many adjacent corners connected to the military and politics. I see sense in going deeper there too.
If you would like me to put my hands on any specific topic, please let me know in the comments below.
Stay tuned and watch around!