On 6th September the US Department of Justice (DOJ) unsealed an indictment against a North Korean regime-backed programmer who is a suspect in many significant network intrusions. We map details of these intrusions to the MITRE ATT&CK™ framework.
MITRE ATT&CK and the North Korean Regime-Backed Programmer

Each MITRE ATT&CK stage below lists the tactics, techniques and procedures (TTPs) observed and the corresponding mitigation advice.

0. Reconnaissance
Tactics, Techniques and Procedures: People Information Gathering; Organizational Information Gathering; Organizational Weakness Identification; People Weakness Identification
Mitigation Advice:
• Inform employees that their social media profiles may be of interest to adversaries. Provide advice on how to lock down profiles if requested.
• Ensure that network services are patched and running supported versions of software.
• Credentials, especially for admin accounts, should use strong passwords, and two-factor authentication (2FA) should be enabled wherever possible.

1. Initial Access
Tactics, Techniques and Procedures: Spearphishing Attachment; Spearphishing Link; Spearphishing via Service; Drive-by Compromise
Mitigation Advice:
• Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments.
• Office 365 users should consider Microsoft's Advanced Threat Protection (ATP), a cloud-based email filtering service.
• 2FA is essential for email accounts, especially with a security key where possible.
• Application whitelisting can be used to limit which binaries are executed in an environment.
• Browser sandboxing solutions can be used to ensure that malware only executes in a low-privilege environment without any further access to an organization's assets.
• Hardening browsers and operating systems to prevent script execution and reduce the number of plugins and/or extensions can further serve to mitigate this risk.
• In certain circumstances, SSL inspection can be used to gain visibility into encrypted communications. If SSL inspection is deployed, traffic that cannot be inspected should not be able to egress the network unless explicitly whitelisted.
• Educating users about the dangers of URL shorteners, alongside general security awareness training, may help with mitigating this common technique.
• Provide avenues for users to report attempted phishing attacks.
• Provide additional training for employees who regularly deal with the public and have a business requirement to open attachments.

2. Execution
Tactics, Techniques and Procedures: User Execution
Mitigation Advice:
• Some email filtering technologies provide the capability to block password-protected zip files. Where there is no business requirement to allow such attachments, they should be blocked.

5. Defense Evasion
Tactics, Techniques and Procedures: Deobfuscate/Decode Files or Information; Exploitation for Defense Evasion; Masquerading
Mitigation Advice:
• Advanced EDR (Endpoint Detection and Response) systems should be deployed to detect in-memory patching attacks being used by malware to manipulate existing code. In general, code should not be attempting to interfere with other processes, and this behavior can be considered suspicious.
• Application whitelisting can be used to restrict which code can execute inside an environment. This can be used to detect the attempted installation of malware by an adversary and prevent the execution of this malware.

8. Lateral Movement
Tactics, Techniques and Procedures: Windows Admin Shares
Mitigation Advice:
• Apply the principle of least privilege and restrict admin account access.
• Once an attacker has admin privileges, detection can be used to uncover malicious behavior.
• Windows event logs register the creation, updating and removal of scheduled tasks.
• Application whitelisting can be used to restrict the execution of certain file types in an environment.

9. Collection
Tactics, Techniques and Procedures: Automated Collection; Data from Local System
Mitigation Advice:
• Security reviews of the log files of critical systems, such as payment systems, are important to detect malicious activity.
• Anomalous behavior, such as log deletion, should warrant closer inspection.

11. Command and Control
Tactics, Techniques and Procedures: Commonly Used Port; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Multi-hop Proxy; Remote File Copy
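The Execution row above recommends blocking password-protected zip attachments where there is no business need for them. The Python below is an added example, not code from the original article or from any of the products it names; it shows how a filter can take that decision from the archive headers alone. The ZIP format records encryption in bit 0 of each entry's general-purpose flag field, so the central directory can be inspected without extracting anything. The sample archives are constructed inline (the standard library cannot write encrypted ZIPs, so the sample sets the flag on a plain archive to imitate one), and the function names are the example's own.

```python
"""Flag e-mail attachments that are password-protected (encrypted) ZIP files.

Added example: the archives below are constructed in memory, not real mail.
"""
import io
import struct
import zipfile

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag field


def has_encrypted_entries(data: bytes) -> bool:
    """Return True if any entry in the ZIP carries the encryption flag.

    Only the central directory is read, so nothing is ever extracted.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'not-a-zip', 'block' or 'allow' for one attachment.

    The decision looks at the bytes rather than the extension, because a
    renamed archive is still a ZIP to the recipient's unzip tool.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-a-zip"
    try:
        encrypted = has_encrypted_entries(data)
    except zipfile.BadZipFile:
        return "block"  # malformed archive: fail closed
    return "block" if encrypted else "allow"


# --- constructed sample inputs (not real attachments) ---------------------

def _make_zip(entries: dict) -> bytes:
    """Build a plain (unencrypted, stored) ZIP from a name -> text mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag bit in every local and central header.

    This only mimics a password-protected archive for the test: the payload
    stays unencrypted, but the flag the filter keys on is set exactly as a
    real encrypted ZIP would set it.
    """
    buf = bytearray(data)
    # local file header: flags at offset 6; central directory entry: offset 8
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            off = pos + flag_off
            flags = struct.unpack_from("<H", buf, off)[0] | ZIP_ENCRYPTED_FLAG
            struct.pack_into("<H", buf, off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


PLAIN_SAMPLE = _make_zip({"report.txt": "quarterly numbers"})
ENCRYPTED_SAMPLE = _mark_encrypted(_make_zip({"invoice.exe": "MZ..."}))

if __name__ == "__main__":
    for name, blob in (("report.zip", PLAIN_SAMPLE),
                       ("invoice.zip", ENCRYPTED_SAMPLE),
                       ("notes.txt", b"plain text body")):
        print(f"{name}: {classify_attachment(name, blob)}")
```

Archives encrypted with WinZip-style AES also set this flag (alongside compression method 99), so the same check covers them; nested archives and other container formats would need their own handling, and a malformed archive is blocked rather than passed through.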
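The Lateral Movement row notes that Windows event logs record the creation, updating and removal of scheduled tasks, and the Collection row says that anomalous behavior such as log deletion warrants closer inspection. The Python below is an added example (not from the article) that triages a handful of constructed Security-log records covering both points: scheduled-task lifecycle events (4698 created, 4699 deleted, 4702 updated), admin-share access (5140 to ADMIN$, C$ or IPC$, the Windows Admin Shares technique in the same row) and audit-log clearing (1102). The event IDs and the Task Scheduler XML namespace are the standard Windows ones; the record layout, host and account names, trusted directories and the ten-minute window are assumptions made for the example.

```python
"""Triage constructed Windows Security-log records for scheduled-task
lifecycle, admin-share access and audit-log clearing (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TASK_EVENTS = {4698: "created", 4699: "deleted", 4702: "updated"}
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")
# Directories a legitimate task binary is normally run from (assumption)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def task_command(task_xml: str) -> str:
    """Return the <Command> of the Exec action in a TaskContent XML blob."""
    node = ET.fromstring(task_xml).find(f".//{TASK_NS}Command")
    return (node.text or "").strip() if node is not None else ""


def command_in_trusted_dir(command: str) -> bool:
    return command.strip('"').lower().startswith(TRUSTED_DIRS)


def _alert(ev, severity, reasons):
    return {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "task": ev.get("task", ""), "severity": severity,
            "reason": "; ".join(reasons)}


def triage(events, window=timedelta(minutes=10)):
    """Return one alert per task-lifecycle or log-clearing event.

    Severity is raised when the task binary lives outside trusted directories,
    when a task is created and deleted again within `window`, or when the same
    account accessed an admin share on that host within `window` beforehand.
    """
    share_hits = []  # (ts, host, user) for admin-share access events
    created = {}     # (host, user, task) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1102:  # audit log cleared: always worth a look
            alerts.append(_alert(ev, "high", ["audit log cleared"]))
            continue
        if ev["id"] == 5140:  # network share accessed
            if ev["share"].rsplit("\\", 1)[-1] in ADMIN_SHARES:
                share_hits.append((ts, ev["host"], ev["user"]))
            continue
        if ev["id"] not in TASK_EVENTS:
            continue
        severity, reasons = "low", [f"task {TASK_EVENTS[ev['id']]}"]
        if ev["id"] in (4698, 4702):
            cmd = task_command(ev["content"])
            if cmd and not command_in_trusted_dir(cmd):
                severity, reasons = "medium", reasons + [f"runs {cmd}"]
        key = (ev["host"], ev["user"], ev["task"])
        if ev["id"] == 4698:
            created[key] = ts
        elif ev["id"] == 4699 and key in created and ts - created[key] <= window:
            severity, reasons = "high", reasons + ["created and deleted within window"]
        if any(h == ev["host"] and u == ev["user"] and timedelta(0) <= ts - t <= window
               for t, h, u in share_hits):
            severity, reasons = "high", reasons + ["admin share access by same account just before"]
        alerts.append(_alert(ev, severity, reasons))
    return alerts


# --- constructed sample records (not real log data) -----------------------

def _task_xml(command: str) -> str:
    """Minimal Task Scheduler XML as seen in the TaskContent field."""
    return (f'<Task xmlns="{TASK_NS[1:-1]}"><Actions><Exec>'
            f"<Command>{command}</Command></Exec></Actions></Task>")


SAMPLE_EVENTS = [
    {"ts": "2018-09-06T10:00:05", "id": 5140, "host": "FS01", "user": "jdoe",
     "share": "\\\\*\\ADMIN$", "ip": "10.0.0.7"},
    {"ts": "2018-09-06T10:00:40", "id": 4698, "host": "FS01", "user": "jdoe",
     "task": "\\Microsoft\\Windows\\Updater",
     "content": _task_xml("C:\\Users\\Public\\svc.exe")},
    {"ts": "2018-09-06T10:03:00", "id": 4699, "host": "FS01", "user": "jdoe",
     "task": "\\Microsoft\\Windows\\Updater"},
    {"ts": "2018-09-06T10:05:00", "id": 1102, "host": "FS01", "user": "jdoe"},
    {"ts": "2018-09-06T23:00:00", "id": 4698, "host": "WS22", "user": "backup-svc",
     "task": "\\Backup\\Nightly",
     "content": _task_xml("C:\\Program Files\\Backup\\run.exe")},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['severity']:6} {a['host']} {a['user']} {a['task']} :: {a['reason']}")
```

Run against the constructed records, the FS01 task created from a user-writable path right after an ADMIN$ access and removed again two minutes later, followed by the audit log being cleared, comes out as three high-severity alerts, while the nightly backup task on WS22 stays at low severity. The window and trusted-directory list are the knobs a team would tune against its own baseline of legitimate task activity.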