The Evolution of Beacon Attack Frameworks

In the early days of Fin6's foray into extortion operations Mandiant had seen three distinct individuals sort of working through a single victim network and in this case each of them was using a different attack framework. And so that just kind of goes to highlight that to some degree there is a sense of sort of personal preference or familiarity that has driven some of the diversity we've seen as well. It's also important to note that in a lot of cases we do see these actors using these frameworks in tandem as I previously suggested right. So you know their decision can be driven by practicalities and change over time as even if they're using cobalt strike potentially they get access to a new cracked copy