MITRE releases emulation plan for FIN6 hacking group, more to follow

New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.
Written by Catalin Cimpanu, Contributor

MITRE and cyber-security industry partners have launched a new project that promises to offer free emulation plans that mimic today's biggest hacking groups in order to help train security teams to defend their networks.

Named the Adversary Emulation Library, the project is the work of MITRE Engenuity's Center for Threat-Informed Defense.

The project, hosted on GitHub, aims to provide free-to-download emulation plans.

Emulation plans are a collection of step-by-step guides, scripts, and commands that describe and perform malicious operations commonly observed in the playbook of a specific adversary.

The goal of an emulation plan is to test network defenses and see if automated security systems or human operators detect attacks before, during, and after they've taken place — and then update security procedures to account for any lapses.

First emulation plan — FIN6

The first entry in MITRE's Adversary Emulation Library is an emulation plan for FIN6, one of today's biggest financially motivated cybercrime groups.

FIN6 has been active since 2015 and is primarily known for targeting companies operating high-traffic POS (Point-of-Sale) payment terminals, where it compromises internal networks to install POS malware that steals payment card information.

The FIN6 plan is the first of many that MITRE intends to make freely available in the coming months.

The plans are being put together by MITRE and multiple industry partners that are part of MITRE Engenuity, a non-profit currently made up of 23 organizations from around the globe with highly sophisticated security teams.

Microsoft, Fujitsu, and AttackIQ are MITRE Engenuity members and worked with MITRE on the FIN6 plan released today.

Before establishing the MITRE Engenuity non-profit to work on these plans and make them available for free, the MITRE Corporation had already released two other emulation plans: the first for APT3 (a Chinese state-sponsored hacking group) in 2017, and a second for APT29 (a Russian state-sponsored hacking group) earlier this year, in 2020.

The positive feedback from these two releases inspired MITRE leadership to work on codifying a structure for emulation plans together with industry partners, according to a blog post published earlier this week by Jon Baker, Department Manager at The MITRE Corporation.

A little-known fact about FIN6 is that the group also sometimes dabbles in deploying ransomware on some of the networks it hacks, along with Magecart-like skimmers. These small details are included in MITRE's FIN6 emulation plan, which speaks to the quality and accuracy of the documents released today.

Until MITRE Engenuity releases additional plans, security teams looking to quench their curiosity can also take a look at the adversary emulation plans released by Scythe over the summer.


[Image: General structure of the FIN6 emulation plan]