Plan Empowers Defenders to Emulate Cybercrime Group Targeting Retail, Hospitality

McLean, VA, and Bedford, MA, September 15, 2020 — MITRE Engenuity’s Center for Threat-Informed Defense has launched a public library of adversary emulation plans that enable defenders to replicate many of the tactics and techniques used by known cyber adversaries. The first entry features a curated selection of malicious behaviors used by the cybercrime group known as FIN6.

Security analysts believe that FIN6 is a financially motivated cybercrime group that has compromised high-volume point-of-sale systems in the hospitality and retail sectors since at least 2015. The group has focused on U.S. and European e-commerce sites and multinational organizations, though it has targeted companies based in other countries as well. FireEye estimates that the group has stolen $400 million via credit card data.

The FIN6 adversary emulation plan includes a detailed intelligence summary and a step-by-step guide for emulating the group. It gives red team operators a series of scripts and commands that can be easily extracted and used in a repeatable fashion to emulate adversary behavior.

While the FIN6 plan is the initial entry in the library, the Center and its research participants will be adding additional adversary emulation plans on a regular basis. “This library makes it much easier for defenders around the world to assess their own environments against the threat posed by specific adversaries and use the results to rapidly improve their organizations’ cybersecurity posture,” said Richard Struse, Center director. “Creating publicly available resources that empower organizations to make evidence-based decisions and investments is at the heart of the Center’s purpose.”

“Microsoft believes the key to getting ahead of attackers is to think as they do, and the only way to do that is by learning their techniques. This new library of attacker techniques will enable defenders to more quickly, efficiently, and accurately emulate attacks from a dangerous actor targeting financial services companies, FIN6,” said Dana Baril, senior security research lead at Microsoft Security. “Microsoft is honored to take part in contributing to and sponsoring this library that will help improve overall defense capabilities to detect and block these techniques at first sight.”

“This is an historic first, and as a founding research partner of the Center for Threat-Informed Defense, I am immensely proud that AttackIQ is working with MITRE and the Center team to make this emulation plan publicly available,” said Carl Wright, chief commercial officer at AttackIQ. “Too many organizations lack the resources to study adversaries and build these emulation plans. We are working in the public interest to help every organization become more resilient to cyberattacks.”

“We were excited to collaborate with other industry leaders through the Center to develop the FIN6 adversary emulation plan,” said Manabu Muramatsu, senior director of cybersecurity, Infrastructure Service Division in the Defense Systems Unit at Fujitsu Limited. “We plan to leverage the plan to help our customers better protect themselves.”

The adversary emulation library is available in the Center’s GitHub organization [] and is released under the Apache 2 license. The emulation plan is available for security teams to use themselves, as well as in machine-readable form for use with automated tools.

About MITRE Engenuity Center for Threat-Informed Defense
The Center is a nonprofit, privately funded research and development organization currently comprised of 23 organizations from around the globe with highly sophisticated security teams. Together with Research Participants, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.