Welcome to another SCYTHE #ThreatThursday! This week we’re taking a slightly different approach by taking a deeper dive into the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense (“Center”) and the importance of machine-readable Cyber Threat Intelligence at the adversary behavior and TTP level as well as sharing adversary emulation plans and YAML-to-JSON conversion.
It’s exciting for our friends at MITRE to lead the creation of MITRE’s Adversary Emulation Library and for the industry focus on development of these plans. The Center’s library is run by the new, commercially funded MITRE Engenuity group, created with the express goal of creating a public library of TTP’s for use in the systematic testing of defenses. We share in their goal to bring TTP focused defense to the community as we’ve been doing with the SCYTHE Threat Thursday’s and our Community Threats GitHub. The ability to repeatedly and easily emulate a threat’s behaviors is critical to a strong cyber defense. To that point, SCYTHE makes our Threat templates as simple and straightforward as possible to allow for Red, Blue, and Purple teams to work through these exercises.
Cyber Threat Intelligence
Instead of repeating that which has been very well documented regarding the FIN6 intelligence summary, we will just provide the excellent introductory summary from the document:
FIN6 is thought to be a financially motivated cybercrime group. As such, they appear to take a pragmatic approach toward targeting and exploitation. Their strategic objective over time and across a diverse target set remains the same, monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (PoS) transactions.
Adversary Emulation Plan
The FIN6 Emulation Plan provided by the Center is actually separated into “Phases”:
- Privilege Escalation
- Credential Access
- Execution - Point of Sale (POS)
- Persistence - Point of Sale (POS)
- Exfiltration - Point of Sale (POS)
- Execution - Ransomware
- Lateral Movement - Ransomware
- Execution - Ransomware (... again)
These Phases end up being about 26 explicit commands, not counting any required setup or prerequisite for a given tool. We were very pleased to see that the Threat Emulation plan itself used many of the syntax choices used by Red Canary’s excellent Atomic Red Team. Atomic Red Team is not only something that we here at SCYTHE are intimately familiar with, but it brings with it the ability to perform prerequisite setup and checks.
For this week’s Threat Thursday, we focused exclusively on the “Phase 1” steps of FIN6 emulation plan, which actually wound up being only about 10 actions (again, not counting setup of prerequisites).
Command and Control
T1071 - Application Layer Protocol
T1105 - Ingress Tool Transfer
T1219 - Remote Access Software
T1573 - Encrypted Channel
T1059 - Command and Scripting Interpreter
T1140 - Deobfuscate/Decode Files or Information
MITRE YAML to SCYTHE JSON
The Emulation Plan commands did need some adjustment and there were actions which did not work as expected. Additionally, each of the YAML commands were only associated with a single MITRE ATT&CK technique ID, and although this helps with some clarity, it leaves an accuracy hole as many of the commands being executed actually exist in a few matrix cells simultaneously.
The creation of the MITRE Adversary Emulation Library is a great step, not only for the intelligence and threat behaviors it will provide, but because it validates the work we have seen across the industry and have been generating in our Adversary Emulation Library. Threat templates that are machine readable, easily repeated, customizable, and detail explicit threat actor behaviors are critical for the validation of defenses and defenders; and are open to be utilized by Red and Blue Teams alike as Bryson with Daniel Riedel, New Context, detailed at ATT&CKCon in their lightning talk, STIX in the Mud. FIN6 is a fantastic initial threat from the Center, as it sets the foundation for their syntax while also being a solid general threat for the community to analyze. We will continue to work on the plan provided by MITRE to create the second phase of FIN6 for machine readable emulation and share it in an upcoming #ThreatThursday.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.