Industry-wide partnership on threat-informed defense improves security for all

MITRE Engenuity’s Center for Threat-Informed Defense has published a library of detailed plans for emulating the threat actor FIN6 (which Microsoft tracks as TAAL), a collection of threat intelligence, MITRE ATT&CK data, supporting scripts, and utilities designed to enable red teams to emulate the adversary and evaluate defensive capabilities in their environments.

Microsoft, a founding member of MITRE Engenuity’s Center for Threat-Informed Defense, is proud to be part of this industry-wide collaborative project. The Center for Threat-Informed Defense aims to bring together security researchers from across the globe to advance state-of-the-art approaches in cybersecurity.

Through projects like publishing the FIN6 adversary emulation plan, the center supports applied research and advanced development to improve cyber defense at scale. And because the center builds on MITRE ATT&CK, the emulation plan aligns with a framework that security researchers and analysts are already familiar with and use in security operations.

FIN6: Evolving e-crime group

FIN6 is a sophisticated e-crime group, suspected to be of Russian origins, that has been operating since 2015. The financially motivated group is known to target point-of-sale or (POS) systems in the retail and hospitality industries using the FrameworkPOS and GratefulPOS malware strains. Recently, the group has expanded their activities to “Magecart” campaigns, in which they insert malicious scripts into online shopping websites to steal credit card data and other sensitive info.

The group has also been observed utilizing existing Trickbot infections to gain access to target networks, move laterally through RDP brute force, and deploy Ryuk and LockerGoga ransomware payloads in specific locations. In addition, FIN6 has been seen leveraging the malware framework called “Anchor”, which has also been tied to Trickbot activity since 2018, lending credence to the alleged operational link between the two groups.

These campaigns point to the group continuously evolving and broadening its objectives, attack tooling, and partnerships with other e-crime groups to further its financially motivated goals.

Critical, practical emulation plan

The FIN6 emulation plan published by the Center for Threat-Informed Defense assembles threat actor information, individual tactics, technique, and procedures (TTPs), and emulation plans. It collects threat intelligence that today exist in multiple places into a single resource, saving red teams time and effort in scouring, reading, and digesting information, while also delivering essential emulation information.

Red teams looking to emulate the adversary, no matter their skill level, will find the plan beneficial. In addition to providing an overview of the threat actor, it lists required, publicly available tooling that will help ensure that prerequisites are met for a successful operation.

The emulation plans are organized in phases, which are useful for structuring red team operations to emulate FIN6’s goals and procedures. Tactics, techniques, and procedures (TTPs) implemented in CALDERA and Atomic Red Team style provide signals for all relevant MITRE ATT&CK techniques. This assembly of information takes red teams from minimal knowledge to working emulation in short order.

More advanced teams will likewise find this plan valuable. Even when teams are not limited to publicly available tools and command-line emulation, the TTP emulation plan can save time and be used as basis for implementing more complex and nuanced emulation, or for absorbing these capabilities into custom tooling.

Ultimately, research like the FIN6 emulation plan provides critical, realistic emulation signals to blue teams faster. Because emulation plans that are usable off-the-shelf lowers the bar to receiving threat emulation signals, by and large, it helps improve defense capabilities.

Microsoft Threat Protection coverage

The FIN6 emulation plan covers a total of 16 MITRE ATT&CK techniques, many of which are very tricky to detect because they blend into normal network activity, but all 16 are visible to Microsoft Threat Protection. Microsoft Threat Protection, which delivers coordinated cross-domain defense by consolidating threat data across endpoint, email and data, identities, and apps, has demonstrated its industry-leading detection capabilities in the latest MITRE ATT&CK evaluation.

For seven of the techniques utilized by FIN6, Microsoft Threat Protection automatically raises real-time alerts, notifying security operations teams about the presence of the threat actor and its activities in a network. The rest of the FIN6 techniques are recorded by Microsoft Threat Protection as telemetry, which are presented as details within process trees in alerts.

In addition, even with the evasive nature of these techniques, Microsoft Threat Protection stops processes related to three of the techniques on endpoints. It does this through next-generation protection capabilities, as well as the new endpoint and detection response (EDR) in block mode. EDR in block mode transforms EDR detections into blocking and containment of malicious behaviors and artifacts.

All related alerts and signals, as well as other important information like affected entities and remediation status, are consolidated into a single incident view. This correlation of threat data allows security operations teams to determine the full scope of the threat on their environments, prioritize alerts based on severity level, and swiftly remediate affected assets.

As part of Microsoft’s own learning from the emulation plan and the partnership with the Center for Threat-Informed Defense, our researchers are looking into further improving coverage by looking into transforming telemetry into specific detections that raise alerts, where applicable.

Industry collaborations yields stronger protection for the ecosystem

Microsoft Threat Protection’s 100% coverage of the MITRE ATT&CK techniques covered by the FIN6 emulation plan demonstrates Microsoft’s broad visibility into threats, especially sophisticated and persistent ones like FIN6 attacks. By partnering with the MITRE Engenuity’s Center for Threat-Informed Defense, we can share our insights and experiences to other members of the Center and to the industry in general, while also learning from other experts.

Microsoft has always been a champion of industry-wide partnerships, because these result in better security for the whole ecosystem. To this end, we will continue to work with MITRE Engenuity for projects like this. We will also continue partnering with MITRE Corporation to build transparent and collaborative testing that benefits all.

Dana Baril, Ivan Macalintal, Kate Farris

Microsoft Threat Protection Research Team