Project Summary

Published : Sep 15, 2020

FIN6 is a cyber-crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. This project developed an adversary emulation plan for FIN6 and added it to the Adversary Emulation Library.

The Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.


Understanding defenses from the perspective of the adversary is critical, but often teams lack the resources (expertise and funding) to conduct the adversary emulation exercises.


Establish a library of standardized intelligence-driven adversary emulation plans that can be easily leveraged by cyber defenders.


Enables cyber defenders to see their defenses from the perspective of the adversary.

funding Research Participants

Share This Project

Stay Informed

Stay informed about new releases of R&D projects and other exciting updates from the Center for Threat-Informed Defense.