MITRE is a leading light in the current cyber threat intelligence (CTI) scene, being the pioneer of the MITRE ATT&CK framework and its associated data sources. For those unfamiliar with MITRE ATT&CK, the website is the first port of call; as a very brief summary, MITRE ATT&CK maps an adversary’s tactics, techniques and procedures (TTPs) to defensive controls.
Within MITRE ATT&CK, TTPs are broken down into 222 techniques (plus even more sub-techniques) that allow an analyst to model a threat actor’s unique modus operandi. MITRE ATT&CK currently models 133 groups; however, these models are not exhaustive profiles of the groups concerned.
Take, for example, the profile of APT37, a less well-known North Korean state-sponsored cyber-espionage group. Active since 2012, its latest documented activity involved targeting journalists in South Korea with novel malware.
Viewing the TTPs for APT37 in MITRE’s Navigator gives the profile below (TTPs associated with APT37 are highlighted in red).
Fig 1: APT37, based on MITRE’s intelligence alone.
Whilst the data in Fig 1 may be accurate, it is also almost certainly incomplete: is it truly plausible that APT37, with its ten years of activity, pulled off its endeavours using just 15 techniques? Given that even a minor state-sponsored cyber-espionage group such as APT37 would rapidly expand its abilities to include more TTPs, there logically must be more we can add to Figure 1 to model this threat better.
Finding open-source reports on APT37 is easy, but rapidly extracting the TTPs from them is hard. Elemendar’s READ. tool specialises in this and can be configured to extract only MITRE ATT&CK techniques (“T-Codes” in MITRE terminology). Taking five separate open-source documents on APT37 and passing them through READ. generates the graph shown below.
Fig 2: APT37 TTPs extracted by READ.
To summarise Figure 2: across the 5 reports, 27 unique techniques were extracted by READ. Whilst some of the TTPs extracted by READ. were shared with the MITRE matrix of APT37 shown earlier in Figure 1, many of the TTPs are new and add to the profile of APT37.
Shown below are the TTPs extracted by READ. integrated into MITRE’s APT37 Navigator layer. TTPs extracted by READ. are shown in blue, those from MITRE ATT&CK in red, and those present in both sources in purple.
Fig 3: A MITRE layer showing the combined techniques list of APT37 from MITRE and READ.
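The merge behind Figure 3 can be reproduced in a few lines: given one set of technique IDs from MITRE’s group profile and one set extracted from reports, colour each technique by which source(s) it came from and emit an ATT&CK Navigator layer. This is an added example, not Elemendar’s or MITRE’s code; the technique sets are constructed for illustration and the layer-file fields (`techniqueID`, `color`, `comment`, `enabled`, `legendItems`) are assumed from the Navigator layer format rather than taken from the post.

```python
import json

# Constructed sample sets for the two sources. The IDs are real ATT&CK
# technique identifiers, but which source "owns" each one here is made up
# for illustration and is not a claim about APT37's actual profile.
MITRE_TECHNIQUES = {"T1566.001", "T1204.002", "T1059.005", "T1027"}
READ_TECHNIQUES = {"T1566.001", "T1204.002", "T1071.001", "T1105", "T1547.001"}

# Colour scheme used in the post: MITRE-only red, READ.-only blue, shared purple.
COLOURS = {"mitre": "#ff0000", "read": "#0000ff", "shared": "#800080"}
LABELS = {"mitre": "MITRE ATT&CK only",
          "read": "READ. extraction only",
          "shared": "Both sources"}


def classify(mitre, read):
    """Map each technique ID to the source(s) it came from."""
    origin = {}
    for tid in mitre | read:
        if tid in mitre and tid in read:
            origin[tid] = "shared"
        elif tid in mitre:
            origin[tid] = "mitre"
        else:
            origin[tid] = "read"
    return origin


def build_layer(mitre, read, name="APT37 combined"):
    """Build a Navigator layer dict (assumed field names) with one coloured
    entry per technique and a legend for the three categories."""
    origin = classify(mitre, read)
    techniques = [{"techniqueID": tid, "color": COLOURS[src],
                   "comment": LABELS[src], "enabled": True}
                  for tid, src in sorted(origin.items())]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Group profile merged with techniques extracted from reports",
        "techniques": techniques,
        "legendItems": [{"label": LABELS[k], "color": COLOURS[k]}
                        for k in ("mitre", "read", "shared")],
    }


def summarise(mitre, read):
    """Count techniques per category, e.g. how many the extraction added."""
    origin = classify(mitre, read)
    return {k: sum(1 for v in origin.values() if v == k)
            for k in ("mitre", "read", "shared")}


if __name__ == "__main__":
    print(json.dumps(build_layer(MITRE_TECHNIQUES, READ_TECHNIQUES), indent=2))
    print(summarise(MITRE_TECHNIQUES, READ_TECHNIQUES))
```

Save the printed JSON to a file and load it through the Navigator’s “Open Existing Layer” option to see the three-colour overlay.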
What this blog has shown is how easy it is to use Elemendar’s READ. to enhance the data around any threat actor presented within MITRE ATT&CK. However, don’t take our word for it: try both READ. and the MITRE ATT&CK Navigator for yourself.
Reach out for a demonstration with one of our CTI experts via this contact form.
List of reports utilised for Fig 2:
- https://www.mandiant.com/resources/apt37-overlooked-north-korean-actor, 2018
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/, 2021
- https://threatpost.com/scarcruft-apt-desktop-mobile-attacks/176620/, 2021
- https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/, 2021
- https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf, 2018