Analyzing Advanced Persistent Threats Using the MITRE ATT&CK Framework: A Case Study of APT10
Advanced Persistent Threats (APTs) are complex and sophisticated cyber-attacks, often carried out by nation-state actors or well-funded criminal organizations. APTs typically involve a series of stages, each of which is designed to achieve a specific objective within the overall attack. In this paper, we will use the MITRE ATT&CK framework to describe an APT and its various stages.
Stage 1: Reconnaissance
The first stage of an APT involves the gathering of information about the target organization. This can include information such as employee names, email addresses, job titles, and social media profiles. The attackers will also attempt to identify the organization’s network topology, security controls, and any vulnerabilities that may be present.
This stage typically involves a range of techniques, including social engineering, open-source intelligence gathering, and network scanning. Some common techniques used in this stage include:
- Spearphishing: Sending targeted emails to employees with malicious attachments or links to phishing websites.
- Port Scanning: Scanning the target network for open ports and services.
- Network Mapping: Creating a map of the target organization’s network infrastructure.
Stage 2: Initial Access
Once the attackers have gathered enough information about the target organization, they will attempt to gain access to the network. This can be achieved through a variety of techniques, including exploiting vulnerabilities in software or hardware, leveraging weak passwords, or compromising third-party software.
Some common techniques used in this stage include:
- Exploiting Vulnerabilities: Exploiting known vulnerabilities in software or hardware to gain access to the network.
- Password Attacks: Using techniques such as brute force or password spraying to gain access to user accounts.
- Supply Chain Attacks: Compromising a third-party software vendor or supplier to gain access to the target network.
Stage 3: Command and Control
Once the attackers have gained access to the target network, they will establish a command and control (C2) channel. This allows the attackers to communicate with the compromised systems, issue commands, and receive information about the target environment.
Some common techniques used in this stage include:
- Remote Access Trojans (RATs): Installing a RAT on the compromised system to establish a persistent backdoor.
- Domain Generation Algorithms (DGAs): Using DGAs to generate unique domains that can be used to communicate with the compromised systems.
- Covert Channels: Using covert channels such as DNS or HTTP to communicate with the compromised systems.
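As an added example (not code from the original page), the script below applies one simple detection heuristic for the DGA and DNS covert-channel techniques listed above to constructed DNS resolver log lines: it scores the Shannon entropy of each queried registrable label and counts NXDOMAIN responses per source host, since a DGA client typically churns through many non-existent names before reaching a live one. The log format, thresholds and sample names are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log lines: "<src_ip> <query_name> <rcode>".
# Sample input for this example only, not a real capture.
DNS_LOG = """\
10.0.0.5 www.microsoft.com NOERROR
10.0.0.5 update.adobe.com NOERROR
10.0.0.9 kq3xv9zlp2hwt.info NXDOMAIN
10.0.0.9 zp8wmd1yq4r6c.net NXDOMAIN
10.0.0.9 v7gh2lkx0bnq5.org NXDOMAIN
10.0.0.9 m4tz9pqw1lx8y.com NOERROR
10.0.0.5 mail.google.com NOERROR
"""

def entropy(label: str) -> float:
    """Shannon entropy in bits per character of a domain label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(qname: str) -> str:
    # The generated part of a DGA name is the registrable label, so drop the TLD.
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_hosts(log_text: str, entropy_threshold=3.3, min_suspicious=3):
    """Return {src_ip: (high_entropy_queries, nxdomain_responses)} for hosts
    that look like they are attempting DGA-based C2 rendezvous."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        src, qname, rcode = line.split()
        label = second_level_label(qname)
        if len(label) >= 10 and entropy(label) >= entropy_threshold:
            stats[src][0] += 1
        if rcode == "NXDOMAIN":
            stats[src][1] += 1
    # Long legitimate names can also score high on entropy, so require
    # NXDOMAIN churn as a second signal before flagging a host.
    return {src: tuple(v) for src, v in stats.items()
            if v[0] >= min_suspicious and v[1] > 0}
```

In production the same per-host counters would be kept over a sliding window and combined with an allowlist of known high-entropy CDN and cloud names to keep the false-positive rate down.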
Stage 4: Lateral Movement
Once the attackers have established a C2 channel, they will begin to move laterally through the target network. This involves compromising additional systems and escalating privileges to gain access to sensitive data or systems.
Some common techniques used in this stage include:
- Pass-the-Hash: Using stolen password hashes, rather than the plaintext passwords, to authenticate to additional systems.
- Exploiting Misconfigured Services: Exploiting misconfigured services or applications to gain access to additional systems.
- Brute Force Attacks: Using brute force attacks to gain access to additional systems.
Stage 5: Data Exfiltration
The final stage of an APT involves exfiltrating sensitive data from the target organization. This can involve stealing intellectual property, customer data, or financial information.
Some common techniques used in this stage include:
- Steganography: Hiding data within legitimate files to avoid detection.
- Encryption: Encrypting stolen data to avoid detection.
- Exfiltration through C2 Channels: Using the established C2 channels to exfiltrate stolen data from the target network.
Here is an example of an APT attack described using the MITRE ATT&CK framework:
Stage 1: Reconnaissance
In 2017, the Chinese hacking group known as APT10 (also called Stone Panda) was found to be conducting reconnaissance on several US-based companies in the aerospace, telecommunications, and technology sectors. The attackers used spearphishing emails to deliver malicious attachments to employees, which, when opened, would install a backdoor onto the victim’s computer. APT10 also used open-source intelligence gathering techniques to gather information about the target companies and their networks.
Stage 2: Initial Access
Once the backdoor was installed on the victim’s computer, APT10 used the stolen credentials to move laterally through the target network. They also used a technique called “pass the ticket” to bypass the target company’s authentication mechanisms.
Stage 3: Command and Control
APT10 established a C2 channel using a RAT called RedLeaves, which allowed them to issue commands to the compromised systems and steal data.
Stage 4: Lateral Movement
APT10 used several techniques to move laterally through the target network, including “pass the hash,” exploiting vulnerabilities in software, and stealing credentials. They also used tools such as Mimikatz to harvest credentials from the target network.
Stage 5: Data Exfiltration
APT10 exfiltrated stolen data using multiple techniques, including custom malware and legitimate file-sharing services such as Dropbox.
In this example, we can see how APT10 used the different stages of an APT attack to successfully compromise multiple US-based companies. By using the MITRE ATT&CK framework to analyze the attack, organizations can gain a better understanding of the tactics and techniques used by APT actors and develop more effective defenses against them.
Conclusion
APTs are complex and sophisticated cyber-attacks that involve multiple stages, each designed to achieve a specific objective within the overall attack. The MITRE ATT&CK framework provides a structured way to analyze and categorize the tactics and techniques used at each stage, allowing organizations to understand how attackers operate and to develop a threat-informed, more comprehensive defense strategy.
By identifying the different stages of an APT attack and the associated tactics and techniques used by attackers, organizations can improve their detection and response capabilities. For example, by monitoring network traffic and analyzing logs, organizations can detect and respond to suspicious activity associated with the initial access, command and control, lateral movement, and data exfiltration stages of an APT attack.
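An added example (not code from the original page) of the log-driven detection this paragraph describes: constructed events from a mail gateway, the Windows Security log and a web proxy are matched against three small rules that tag them with ATT&CK tactic and technique IDs (T1566.001 Spearphishing Attachment, T1550.002 Pass the Hash, T1567.002 Exfiltration to Cloud Storage) and assembled into a per-host timeline that shows which stages of the intrusion have been observed. The event schema, the pass-the-hash heuristic, the upload-size threshold and the cloud-storage domain list are assumptions.

```python
from collections import defaultdict

# Constructed, normalised events from three log sources (mail gateway,
# Windows Security log, web proxy); sample input only, not a real capture.
EVENTS = [
    {"ts": 1, "src": "mailgw", "host": "WS01", "sender_external": True,
     "attachment": "invoice.docm", "macro": True},
    {"ts": 2, "src": "winsec", "host": "FS01", "event_id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "key_length": 0, "user": "svc_backup", "src_ip": "10.0.0.12"},
    {"ts": 4, "src": "proxy", "host": "WS01", "method": "POST",
     "dest": "content.dropboxapi.com", "bytes_out": 48_000_000},
]
CLOUD_STORAGE = (".dropbox.com", ".dropboxapi.com")  # assumed suffix watch-list
EXFIL_BYTES = 10_000_000                              # assumed single-upload threshold

# Each rule returns an (ATT&CK tactic, technique id) tag, or None if it does not match.
def r_spearphish(e):
    if e["src"] == "mailgw" and e["sender_external"] and e["macro"]:
        return ("initial-access", "T1566.001")   # Phishing: Spearphishing Attachment

def r_pass_the_hash(e):
    # NTLM network logon (type 3) with KeyLength 0 is a common PtH heuristic;
    # legacy NTLM clients can trigger it too, so hits still need triage.
    if (e["src"] == "winsec" and e["event_id"] == 4624 and e["logon_type"] == 3
            and e["auth_pkg"] == "NTLM" and e["key_length"] == 0
            and e["user"].upper() != "ANONYMOUS LOGON"):
        return ("lateral-movement", "T1550.002")  # Use Alternate Auth Material: Pass the Hash

def r_cloud_exfil(e):
    if (e["src"] == "proxy" and e["method"] == "POST"
            and e["dest"].endswith(CLOUD_STORAGE) and e["bytes_out"] >= EXFIL_BYTES):
        return ("exfiltration", "T1567.002")      # Exfiltration to Cloud Storage

RULES = (r_spearphish, r_pass_the_hash, r_cloud_exfil)

def map_events(events):
    """Tag events with ATT&CK tactic/technique: {host: [(ts, tactic, tid), ...]}."""
    chains = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            tag = rule(e)
            if tag:
                chains[e["host"]].append((e["ts"], *tag))
    return dict(chains)

def stages_observed(events):
    """Distinct ATT&CK tactics across all hosts, in chronological first-seen order."""
    seen = []
    for _, tactic, _ in sorted(t for c in map_events(events).values() for t in c):
        if tactic not in seen:
            seen.append(tactic)
    return seen
```

Seeing initial-access, lateral-movement and exfiltration tags within one short window is the kind of multi-stage correlation that turns three low-confidence alerts into an incident worth escalating.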
In conclusion, the MITRE ATT&CK framework provides a valuable tool for organizations to better understand and defend against APT attacks. By leveraging the framework to analyze the tactics and techniques used by attackers, organizations can develop a more comprehensive defense strategy and better protect their critical assets and information from cyber threats.