MITRE’s latest project is a public library of detailed plans that replicate the tactics and techniques used by known attack groups. The first plan, released this week, describes the behavior of the cybercrime group FIN6.
Adversary emulation plans are valuable evaluation and training tools for security teams. A collection of scripts, tools, and commands, an emulation plan can be used to replicate a particular adversary’s specific actions on a network. Security teams can simulate real-world attacks by running through the plan in order to assess how well their defenses hold up. This way, defenders can address any gaps identified in their security procedures before they become a problem.
MITRE Engenuity’s Center for Threat-Informed Defense curated threat actor information, tools, and techniques scattered across multiple sources into a single accessible resource, said Richard Struse, the Center’s director. The adversary emulation plans are assembled by combing through all the existing material so that security teams don’t have to spend time and effort tracking down the different pieces themselves. Each plan is available in human-readable form for security teams to work through by hand, as well as in machine-readable form for use with automated tools.
“Our goal is to empower network defenders to detect and remediate against attackers,” said Struse. The plans have “practical information network defenders will find useful.”
The first plan in the Center for Threat-Informed Defense’s Adversary Emulation Library mimics FIN6, a financially motivated cybercrime group possibly of Russian origin. FIN6 has been linked to attacks against point-of-sale systems in the retail and hospitality sectors since at least 2015. The group is known to have used FrameworkPOS and GratefulPOS malware and to have deployed Ryuk and LockerGoga ransomware, and it has also been linked to various Magecart campaigns.
The FIN6 emulation plan covers 16 MITRE ATT&CK techniques and provides a step-by-step guide to which commands to execute, and in which order, so that defenders can simulate the group’s activities. The plan also includes techniques the group does not use frequently; for example, FIN6 has in the past used Trickbot infections to gain access to some targeted networks, and has moved laterally through a network after brute-forcing remote desktop protocol connections.
Many of the techniques included in the plans are “very tricky to detect” because they blend into normal network activity, wrote Dana Baril, Ivan Macalintal, and Kate Farris of the Microsoft Threat Protection Research Team. Microsoft, along with Fujitsu and AttackIQ, worked with MITRE on the FIN6 plan.
The plans were put together by MITRE and the industry partners that are part of MITRE Engenuity’s Center. The goal is to release new plans every few months, and Struse said the next one would likely be added to the library before the end of the year. There are also plans to convert the emulation plans used in the ATT&CK Evaluations, for the Chinese state-sponsored group APT3 in 2017 and the Russian state-sponsored group APT29 earlier this year, for inclusion in the library.
Tactics, Not Groups
A network defender running through the scripts will see which commands succeed on the network and which ones fail. A failure means the defenses in place blocked the attacker at that step. A success means the attacker could carry out that step, which may lead to lateral movement or persistence, and the defender sees exactly where the network is vulnerable. For a step that succeeds, the follow-up question is whether it also produced a log entry or an alert: a step that completes silently is the gap to close first.
The plans focus on attacker behavior, not on specific indicators of compromise such as malware hashes and IP addresses. That is intentional, since those things can change quickly, and other sources (such as information-sharing groups like the industry-specific ISACs) are better suited to provide that type of information on a timely basis, Struse said. Attacker behavior tends to stay the same across operations: a group often relies on a specific malware family, or uses a particular administrator tool for lateral movement, from one intrusion to the next.
If the CISO comes around asking, “What would happen if we are hit by this [FIN6]?” security teams would be able to answer by looking at the results of what happened on their network after running an emulation plan, Struse said.
The plans are also aligned with MITRE’s ATT&CK framework of adversary behaviors, which provides a common vocabulary for describing attacks. It is also a way to go beyond the adversary group: a defender can look up which other groups are known to use a technique the network turned out to be susceptible to. Even without a plan emulating a specific group, defenders can do a lot to prepare their network, because techniques overlap across groups.
While the plans are being released under group names, the eventual hope is that teams will treat the library as a “buffet of techniques and implementations,” Struse said. Defenders would then shift from implementing the plans vertically, by adversary group, to thinking horizontally, across a range of behaviors.
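The run-and-report loop described above, and the pivot from group to technique, as an added example that is not part of the article or of the Center’s tooling: a small Python runner executes a plan’s steps in order, records which ones the environment blocked, and reads each surviving step by its ATT&CK technique so the gap can be compared against other groups. The plan layout, the step names and commands, and the technique-to-group table are assumptions constructed for this example; they are not the FIN6 plan, the Center’s machine-readable schema, or ATT&CK’s real group mappings.

```python
"""Run an emulation plan step by step and read the results per ATT&CK technique.

Added example, not the article's or the Center's code. The plan layout below,
the step names and commands, and the technique-to-group table are all
constructed for illustration; they are not the FIN6 plan, the Center's YAML
schema, or ATT&CK's real group mappings.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample plan (assumption). Each step carries the ATT&CK technique
# it exercises rather than an indicator such as a hash or IP, mirroring the
# library's behavior-first focus. Commands are harmless stand-ins.
SAMPLE_PLAN: List[Dict[str, str]] = [
    {"id": "1.A", "technique": "T1033", "name": "Identify current user",
     "command": "id"},
    {"id": "1.B", "technique": "T1018", "name": "List neighbors from ARP cache",
     "command": "cat /proc/net/arp"},
    {"id": "2.A", "technique": "T1105", "name": "Stage a binary under /tmp",
     "command": "cp /bin/ls /tmp/.stage && rm -f /tmp/.stage"},
    {"id": "2.B", "technique": "T1003.008", "name": "Read local password hashes",
     "command": "cat /etc/shadow"},
]

# Constructed technique -> groups table (assumption). In practice this lookup
# is answered from ATT&CK's own group/technique relationships.
TECHNIQUE_GROUPS: Dict[str, Set[str]] = {
    "T1033": {"FIN6", "GROUP-A", "GROUP-B"},
    "T1018": {"FIN6", "GROUP-C"},
    "T1105": {"FIN6", "GROUP-A", "GROUP-C", "GROUP-D"},
    "T1003.008": {"GROUP-B"},
}


@dataclass
class StepResult:
    step_id: str
    technique: str
    name: str
    succeeded: bool  # True: the attacker action completed, i.e. a gap


def run_shell(command: str, timeout: float = 30.0) -> bool:
    """Default executor: run one step under /bin/sh; exit status 0 = success."""
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, timeout=timeout)
    return proc.returncode == 0


def run_plan(plan: List[Dict[str, str]],
             execute: Callable[[str], bool] = run_shell,
             stop_on_block: bool = False) -> List[StepResult]:
    """Execute steps in plan order, recording whether each one completed.

    Later steps usually assume earlier ones worked (a staged tool must exist
    before it can be run), so stop_on_block=True avoids reporting failures
    that are really missing preconditions rather than defenses.
    """
    results: List[StepResult] = []
    for step in plan:
        ok = execute(step["command"])
        results.append(StepResult(step["id"], step["technique"], step["name"], ok))
        if stop_on_block and not ok:
            break
    return results


def gaps(results: List[StepResult]) -> List[str]:
    """IDs of the steps the environment did not stop."""
    return [r.step_id for r in results if r.succeeded]


def gap_report(results: List[StepResult],
               technique_groups: Dict[str, Set[str]],
               emulated_group: str = "FIN6") -> Dict[str, List[str]]:
    """Pivot each gap from the emulated group to its technique.

    Returns technique -> other groups known to use it, so a gap found while
    emulating one group reads as exposure to every group sharing the behavior.
    """
    report: Dict[str, List[str]] = {}
    for r in results:
        if r.succeeded:
            others = technique_groups.get(r.technique, set()) - {emulated_group}
            report[r.technique] = sorted(others)
    return report


if __name__ == "__main__":
    outcome = run_plan(SAMPLE_PLAN)
    for r in outcome:
        state = "SUCCEEDED" if r.succeeded else "BLOCKED"
        print(f"{r.step_id} {r.technique:<10} {state:<9} {r.name}")
    for technique, groups in gap_report(outcome, TECHNIQUE_GROUPS).items():
        print(f"gap in {technique}: also used by {', '.join(groups) or 'no other listed group'}")
```

Run as an unprivileged user, the last step is the one most likely to be blocked, and the report then lists only the techniques that completed. The executor is injectable so the same runner can be pointed at a remote agent or a dry-run stub; the default runs locally under /bin/sh.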
“If you can close those gaps, it doesn’t matter who [which group] you are defending against,” Struse said.