Mapping To FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0085
Associated Groups:  FIN4
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1056 - Input Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted.
T1059 - Command and Scripting Interpreter There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0034 - System Activity Monitoring A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.
T1071 - Application Layer Protocol There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
T1078 - Valid Accounts There is an opportunity to introduce user accounts that are used to make a system look more realistic. DTE0010 - Decoy Account A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
T1078 - Valid Accounts There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1078 - Valid Accounts There is an opportunity to prepare user accounts so they look used and authentic. DTE0008 - Burn-In A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.
T1090 - Proxy There is an opportunity to block an adversary that is seeking to use a proxied connection. DTE0026 - Network Manipulation A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists.
T1114 - Email Collection There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
T1204 - User Execution There is an opportunity to study the adversary and collect first-hand observations about them and their tools. DTE0018 - Detonate Malware A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
T1565 - Data Manipulation In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. DTE0011 - Decoy Content A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices.
T1566 - Phishing A phishing email can be detected and blocked from arriving at the intended recipient. DTE0019 - Email Manipulation A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.
T1566 - Phishing A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. DTE0023 - Migrate Attack Vector A defender can move suspicious emails to a decoy system prior to opening and examining the email.
T1566 - Phishing Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
T1566 - Phishing There is an opportunity to discover who or what is being targeting by an adversary. DTE0015 - Decoy Persona A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.