FIN6 Adversary Emulation Plan

Published

Problem

Understanding defenses from the perspective of the adversary is critical, but often teams lack the resources (expertise and funding) to conduct the adversary emulation exercises.

Solution

Establish a library of standardized intellingence driven adversary emulation plans that can be easily leveraged by cyber defenders.

Impact

Enables cyber defenders to see thier defenses from the perspective of the adversary.

Funding Research Participants

Project Summary

FIN6 is a cyber-crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. This project developed an adversary emulation plan for FIN6 and added it to the Adversary Emulation Library.

The Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.

Watch the FIN6 Walkthrough