Center Releases FIN6 Adversary Emulation Plan

Jon Baker
MITRE-Engenuity
Sep 15, 2020

Written by Jon Baker and Forrest Carver.

We are excited to announce the publication of the Center for Threat-Informed Defense’s (Center) FIN6 adversary emulation plan. On September 10, 2020 we announced the establishment of a public library of adversary emulation plans designed to enable red teams and cyber defenders to systematically test their defenses based on real-world adversary Tactics, Techniques, and Procedures (TTPs). Today, both the library and our first emulation plan are live and ready for use.

As we discussed in last week’s blog, we have brought together the combined knowledge and expertise of our Center Participants to create these intelligence-driven resources. Our structured library of adversary emulation plans is now available in the Center’s GitHub organization under an Apache 2 license to maximize the use and adaptation of the plans by the community. Ultimately, this library aims to enable any team or organization to easily assess their own environments using emulation plans, and then use the results to prioritize improvements to their organization’s cybersecurity posture.

In addition to announcing the release of the Center’s adversary emulation library and the FIN6 plan, this blog provides an overview of the FIN6 plan. The plan itself is now available on GitHub.

Intelligence Summary

Each adversary emulation plan includes a curated summary of available cyber threat intelligence, composed of an intelligence overview of the actor (describing who they target, how, and why, where possible) as well as the scope of their activity (i.e., the breadth of techniques and malware used). The FIN6 Intelligence Summary draws on 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries.

FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume point-of-sale (POS) systems in the hospitality and retail sectors since at least 2015. FIN6 has also targeted e-commerce sites and multinational organizations. Most of the group’s targets have been located in the United States and Europe, but they include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia, and China¹.

The Intelligence Summary further describes the typical FIN6 operation, along with the group’s publicly attributed TTPs and most frequently used software, mapped to MITRE ATT&CK®. Finally, the Intelligence Summary provides ATT&CK Navigator layers that separately illustrate FIN6’s interactive TTPs (Figure 1, below) and the TTPs associated with each of their software platforms.

[1] https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24

Figure 1: FIN6 interactive TTPs

Operations Flow

The operations flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.). The FIN6 Operations Flow chains techniques together into a logical flow of the major steps that commonly occur across FIN6 operations. In the case of FIN6, we describe their operations in two major Phases:

  • Phase 1: This phase consists of the initial access and placement objectives, ensuring that FIN6 is postured for follow-on actions in Phase 2. Specifically, Phase 1 includes Initial Access, Discovery, Privilege Escalation, and Exfiltration of Phase 1 data.
  • Phase 2: This phase consists of the specific objectives of a given operation. Based on publicly available reporting, we found that FIN6 operations over time have typically focused on three areas: Point of Sale (POS) systems, web-facing e-commerce systems, and deploying ransomware to enterprise environments. We provide three corresponding scenarios within Phase 2, one for each of these major areas of focus.

Figure 2: FIN6 Operations Flow

Emulation Plan

Each entry in the Center’s library includes a detailed adversary emulation plan based on the Intelligence Summary and the Operations Flow. The Emulation Plan is a human-readable, step-by-step / command-by-command implementation of the adversary’s TTPs, organized into the phases defined in the Operations Flow. The Emulation Plan includes an overview of each phase, an administrative section describing prerequisites (toolsets required, supporting infrastructure, etc.), and the Emulation Plan itself.

The FIN6 Emulation Plan is organized into two phases. Phase 1 describes the techniques reported to have been used by FIN6 to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. At that point, it walks the practitioner through discovery, privilege escalation, collection, and exfiltration TTPs reported to have been used by FIN6.

Phase 2, the operational effects phase, describes lateral movement, persistence, collection, and exfiltration in three distinct scenarios, as defined in the Operations Flow. These scenarios can be executed end-to-end, or individual behaviors can be tested. Organizations can also choose to further customize the scenarios and/or behaviors within each emulation plan to better fit their specific environment or priorities, or to incorporate additional intelligence.

Each Emulation Plan includes a YAML representation, providing a machine-readable version of the overall plan that mirrors the human-readable plan. The FIN6 YAML file includes all steps, commands, and syntax for both Phase 1 and Phase 2.
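As an added example (not the Center’s code, and not its actual YAML schema), the following Python checks a machine-readable plan of the kind described above for the fields each step needs and folds the techniques exercised in a phase into an ATT&CK Navigator layer like the ones in the Intelligence Summary, so a defender can see per-phase coverage at a glance. The plan structure, step names and technique IDs are constructed for illustration and are not FIN6’s TTPs; the Navigator layer-format version numbers are assumed.

```python
import re

# Added example, not the Center's code or plan schema. Plan shape, step names and
# technique IDs are constructed for illustration and are not FIN6's actual TTPs.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Shaped like what yaml.safe_load() returns for a plan file; commands omitted,
# two entries deliberately defective so validate_plan() has something to catch.
SAMPLE_PLAN = {
    "name": "Constructed plan",
    "phases": [
        {"name": "Phase 1", "steps": [
            {"name": "1.1 Enumerate accounts", "technique": "T1087.002", "command": "<omitted>"},
            {"name": "1.2 Stage data", "technique": "T1074", "command": ""},  # empty command
        ]},
        {"name": "Phase 2", "steps": [
            {"name": "2.1 Exfiltrate", "technique": "T1048", "command": "<omitted>"},
            {"name": "2.2 Exfiltrate again", "technique": "T1048", "command": "<omitted>"},
            {"name": "2.3 Bad entry", "technique": "1048", "command": "<omitted>"},  # malformed ID
        ]},
    ],
}

def validate_plan(plan):
    """Every step needs a well-formed ATT&CK technique ID and a non-empty command."""
    problems = []
    for phase in plan["phases"]:
        for step in phase["steps"]:
            if not TECHNIQUE_ID.match(step.get("technique", "")):
                problems.append(f"{step['name']}: malformed technique ID")
            if not step.get("command", "").strip():
                problems.append(f"{step['name']}: missing command")
    return problems

def build_navigator_layer(plan, phase_name=None):
    """Navigator layer (format 4.x assumed): score = steps using the technique."""
    usage = {}
    for phase in plan["phases"]:
        if phase_name and phase["name"] != phase_name:
            continue
        for step in phase["steps"]:
            tid = step.get("technique", "")
            if TECHNIQUE_ID.match(tid):   # skip entries validate_plan() would flag
                usage.setdefault(tid, []).append(step["name"])
    return {
        "name": f"{plan['name']} - {phase_name or 'all phases'}",
        "versions": {"attack": "8", "navigator": "4.1", "layer": "4.1"},  # assumed
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": len(s), "enabled": True,
                        "comment": "; ".join(s)} for t, s in sorted(usage.items())],
    }
```

Serializing the returned dictionary with `json.dumps` gives a file that can be opened in the Navigator; running `validate_plan` first keeps defective steps from silently dropping out of the layer.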

Feedback and What’s Next?

This FIN6 Plan is the first of what is planned to be a library of many adversary emulation plans, all focused on adversaries prioritized by Center Participants. We welcome your feedback on the FIN6 plan as issues on the library’s git repository.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Currently composed of 23 Participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0006

Jon Baker
MITRE-Engenuity

Director and co-Founder, Center for Threat-Informed Defense