In a historic first, industry leaders have collaborated to produce an attack emulation plan built specifically to help the public defend itself against a major cybercrime group. As part of MITRE’s Center for Threat Informed Defense, AttackIQ is committed to educating the public about cybersecurity.
Carl Wright, Chief Commercial Officer; Jose Barajas, Technical Director, AttackIQ; and Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy
Today the MITRE Corporation’s Center for Threat-Informed Defense released a groundbreaking, detailed plan for security teams to emulate the cybercrime group FIN6.
It is a historic first. Today’s announcement marks the first time that industry leaders have collaborated to produce an attack emulation plan built specifically to help the public. The MITRE team worked with global companies including AttackIQ to apply research from the cybersecurity community to emulate FIN6, a group that has proven to be an adaptive and dangerous threat. The goal of this project, the first of many the Center has planned, is to give security teams a detailed emulation plan that they can use to evaluate their cyberdefense capabilities from a threat-informed perspective. You can find the full plan here.
This plan emerges from a powerful body of work that the MITRE Corporation has produced around cyberthreat intelligence and threat-informed defense, beginning with the ATT&CK framework. MITRE is a federally funded non-profit research and development organization working in the public interest. In 2015, it built the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to help defenders all over the world focus on the threats that matter most. Since it was first released in 2015, ATT&CK has helped expose the tactics, techniques, and procedures of many of the world’s most dangerous cyberadversaries. ATT&CK provides a collaborative means for sharing threat information, a baseline analytic foundation for security teams to defend themselves.
Today’s FIN6 emulation plans furthers that transformative process. Historically, most organizations lacked the resources and personnel to study adversaries and build emulation plans; only Fortune 1000 companies or government agencies had the resources to do so. As a founding research partner of the Center for Threat-Informed Defense, we are immensely proud that AttackIQ is working with MITRE and the Center team to make this emulation plan publicly available. It is a part of our mission to work in the public interest and help every organization become more resilient to cyberattacks.
This blog post describes FIN6’s operations, the research process that went into building the emulation plan, and outlines how users can incorporate the emulation plan into their security operations.
What is FIN6 and how does it operate?
Based in Russia but unaffiliated with the Russian government, FIN6 is a cybercrime group that has traditionally stolen payment card data and sold it for profit on underground marketplaces. “FIN” stands for financial, and the group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2015. Beginning in 2018, FIN6 expanded its monetization schemes to include ransomware attacks, such as Ryuk and LockerGoga (S0372). More about FIN6’s tactics can be found within the emulation plan itself.
Project Research Process
The project was built around open-source cyberthreat intelligence that the research team collected. To reflect the adversary’s behavior, AttackIQ built a cyberrange for the project team to ensure that the emulation plan performs effectively in a production environment — as close to the real world as possible. Throughout the project development process, participants offered observations and intelligence on threat group tradecraft, including lower-level procedures commonly used by the adversary.
The development process occurred through four phases. The team:
- Researched, decomposed, and documented adversary behaviors from available cyberthreat intelligence; this intelligence served as the foundation of the emulation;
- Developed and tested adversary behaviors so that human operators can atomically execute the threat actor’s behavior;
- Researched the order of the threat actor’s operations, and engineered the data into a red team operational plan, building a flowchart of relevant behaviors;
- Published a comprehensive end-to-end emulation plan that red teams and developers of automated adversary emulation tools can use to secure their data.
What did the cyberrange achieve?
To mirror a real-world production environment, AttackIQ built a virtual environment with security controls and leading commercial security products embedded within it. Corporations regularly use cloud-based, virtual cyberranges to explore how new security policies might work in practice; a real-world corporate production environment allows researchers to validate the emulation plan and run security control testing. The participants used the cyberrange to execute the emulation and ensure that it behaved properly, making changes where required. The FIN6 range mirrors the approach that AttackIQ takes for all of its emulation plans. Anything that emerges from AttackIQ goes through a content lab first.
How is AttackIQ leveraging the FIN6 research for the public and our customers?
In conjunction with the announcement of this emulation plan, AttackIQ Academy has developed a detailed course, Introduction to FIN6 Emulation Plans, to study FIN6, learn about how to gather and consume threat intelligence, construct and operate an emulation plan, and use the Center for Threat-Informed Defense’s Adversary Emulation Library to improve cyberdefense effectiveness. This course is available to the public as an on-demand lecture starting today and will help anyone interested in learning how to build an emulation plan. Click here to register for the course on demand and to sign up for other AttackIQ Academy courses.
FIN6 Emulation Planning is taught by Jose Barajas, a malware researcher with over a decade of experience and AttackIQ’s lead participant in the FIN6 research and development process. Jose has spent his career studying the adversary and building cyberdefense capabilities to secure global enterprises.
For our customers, AttackIQ has already built the FIN6 emulation into the Security Optimization Platform, which can deploy adversary emulations and test security controls against FIN6’s tactics, techniques, and procedures, including ransomware attacks. If you are interested in learning more about the platform, you can sign up for a demo here.
Think Bad, Do Good Podcast
Episode 4: FIN6 and the Center for Threat-Informed Defense
Join Jose Barajas and Jonathan Reiber for Episode 4 of “Think Bad, Do Good” as they explore the FIN6 emulation plan and the work at the Center for Threat-Informed Defense that led to its development. What is the broad utility of this emulation plan, and how can cybersecurity teams best take advantage of all that it has to offer? How can emulation plans help organizations improve their cybersecurity by taking on a threat-informed defense approach more broadly? Tune in to learn more from our experts.
Download the Podcast Transcript about the CTID and the emulation plan here.