FIN6 Emulation Plan

September 15, 2020

Project Summary

FIN6 is a cyber-crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. This project developed an adversary emulation plan for FIN6 and added it to the Adversary Emulation Library.

The Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.

Problem

Understanding defenses from the perspective of the adversary is critical, but often teams lack the resources (expertise and funding) to conduct the adversary emulation exercises.

Solution

Establish a library of standardized intelligence-driven adversary emulation plans that can be easily leveraged by cyber defenders.

Impact

Enables cyber defenders to see their defenses from the perspective of the adversary.

Project Resources:

Project Announcement GitHub

---

Funding Research Participants

---