• Who We Are
        • Learn more about MITRE Engenuity’s journey as a hub for transformative innovation.

        • How We Engage
        • We forge innovative partnerships to generate whole-of-nation solutions to complex technological problems.

        • Contact Us
        • Connect with a member of the MITRE Engenuity team and ensure your inquiry gets to the right people.

        • Cybersecurity
        • We are relentlessly advancing the art of threat-informed defense, anchored by a belief that we can improve our defenses with a systemic application of a deep understanding of adversary tradecraft and technology.

        • ATT&CK Evaluations
        • We offer objective analysis of cyber products and features – see our latest results.

        • Center for Threat-Informed Defense
        • Read more about the cutting-edge research and development being done with input from our participant organizations, featuring some of the top security operations centers.

        • Developing tomorrow's cyber workforce today.
        • News & Insights
        • We are leading the leading edge of innovation. Explore the latest news, insights, R&D, and special projects from our advanced tech experts and partners.

        • Subscribe to Our Newsletters
        • Our tech foundation is addressing the complex problems that face our nation today. Find out how you can join our efforts as we spur innovation for public good.


MITRE Engenuity Center for Threat-Informed Defense Releases FIN6 Adversary Emulation Plan

Plan Empowers Defenders to Emulate Cybercrime Group Targeting Retail, Hospitality

McLean, VA, and Bedford, MA, September 15, 2020 MITRE Engenuity’s Center for Threat-Informed Defense has launched a public library of adversary emulation plans that enable defenders to replicate many of the tactics and techniques used by known cyber adversaries. The first entry features a curated selection of malicious behaviors used by the cybercrime group known as FIN6.

Security analysts believe that FIN6 is a financially motivated cybercrime group that has compromised high-volume point-of-sale systems in the hospitality and retail sectors since at least 2015. The group has focused on U.S. and European e-commerce sites and multinational organizations, though it has targeted companies based in other countries as well. FireEye estimates that the group has stolen $400 million via credit card data.

The FIN6 adversary emulation plan includes a detailed intelligence summary and a step-by-step guide for emulating the group. It gives red team operators a series of scripts and commands that can be easily extracted and used in a repeatable fashion to emulate adversary behavior.

“While the FIN6 plan is the initial entry in the library, the Center and its research participants will be adding additional adversary emulation plans on a regular basis. This library makes it much easier for defenders around the world to assess their own environments against the threat posed by specific adversaries and use the results to rapidly improve their organizations’ cybersecurity posture,” said Richard Struse, Center director. “Creating publicly available resources that empower organizations to make evidence-based decisions and investments is at the heart of the Center’s purpose.”

“Microsoft believes the key to getting ahead of attackers is to think as they do, and the only way to do that is by learning their techniques. This new library of attacker techniques will enable defenders to more quickly, efficiently, and accurately emulate attacks from a dangerous actor targeting financial services companies, FIN6,” said Dana Baril, senior security research lead at Microsoft Security. “Microsoft is honored to take part in contributing to and sponsoring this library that will help improve overall defense capabilities to detect and block these techniques at first sight.”

“This is an historic first, and as a founding research partner of the Center for Threat-Informed Defense, I am immensely proud that AttackIQ is working with MITRE and the Center team to make this emulation plan publicly available,” said Carl Wright, chief commercial officer at AttackIQ. “Too many organizations lack the resources to study adversaries and build these emulation plans. We are working in the public interest to help every organization become more resilient to cyberattacks.”

“We were excited to collaborate with other industry leaders through the Center to develop the FIN6 adversary emulation plan,” said Manabu Muramatsu, senior director of cybersecurity, Infrastructure Service Division in the Defense Systems Unit at Fujitsu Limited. “We plan to leverage the plan to help our customers better protect themselves.”

The adversary emulation library is available in the Center’s GitHub organization [https://github.com/center-for-threat-informed-defense/adversary_emulation_library] and is released under the Apache 2 license. The emulation plan is available for security teams to use themselves, as well as in machine-readable form for use with automated tools.

About MITRE Engenuity Center for Threat-Informed Defense
The Center is a nonprofit, privately funded research and development organization currently comprised of 23 organizations from around the globe with highly sophisticated security teams. Together with Research Participants, the Center builds on MITRE ATT&CK, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all. https://mitre-engenuity.org/center-for-threat-informed-defense/

Media contact:

Jeremy Singer