MITRE Introduces a Dedicated Framework for Cyber Fraud
The non-profit MITRE Corporation released a new resource on Thursday aimed at helping organizations better understand and combat fraud: the MITRE Fight Fraud Framework (MITRE F3). The framework functions as a curated knowledge base built around a behavior-based model that maps out the tactics, techniques, and procedures (TTPs) used by fraudsters, drawing directly from real-world incidents.
According to MITRE, the incidents captured within F3 "involve the intentional use of deceptive or illegal practices to fraudulently obtain money, assets, or information from individuals or institutions, and include actions carried out over cyber channels." The framework is designed to provide a common structure and shared taxonomy for describing cyber fraud incidents, with the goal of enabling stronger collaboration in fraud detection, prevention, and response efforts.
Designed for Global, Open Access
The analyst-developed knowledge base was built to be structured, transparent, and operationally relevant. Importantly, it is globally accessible and free to use — lowering the barrier for organizations of all sizes to adopt it. MITRE has also published a dedicated website for the framework, a visual representation of its tactics, documentation on its design principles and methodology, and guidance on practical applications. A GitHub repository has been made available as well, offering additional resources and instructions for interested parties who wish to contribute to the project.
Two New Fraud-Specific Tactics Expand on ATT&CK
One of the most notable aspects of MITRE F3 is its relationship to — and divergence from — the well-established ATT&CK framework. While ATT&CK covers a broad spectrum of adversarial behavior, F3 introduces two fraud-specific tactics that are not captured within ATT&CK:
- Positioning: This tactic covers post-compromise activities in which threat actors collect and manipulate data while preparing for follow-up execution steps.
- Monetization: This tactic describes the activities fraudsters perform to convert compromised assets into usable financial value.
MITRE considers these additions critical: "These additions capture the uniqueness of fraud where success depends on moving and extracting value, not just gaining access. By capturing those stages, F3 allows defenders to trace fraud activity from initial compromise through financial impact," MITRE noted.
Revisions to Existing ATT&CK Tactic Definitions
Beyond introducing new tactics, MITRE F3 also redefines several tactics that already exist within the ATT&CK framework to better fit the fraud context. These redefined tactics include:
- Reconnaissance
- Resource Development
- Initial Access
- Defense Evasion
- Execution
These modifications reflect the distinct nature of fraud operations compared to traditional intrusion-focused threat activity tracked in ATT&CK.
A Shared Language for Cyber and Fraud Defenders
A core ambition behind MITRE F3 is bridging the historically separate worlds of cybersecurity and fraud investigation. Organizations dealing with financial fraud often operate in silos from their cybersecurity counterparts, and the lack of shared terminology has long complicated joint responses.
MITRE frames this directly: "This structure creates a shared language that allows cyber and fraud defenders to enumerate the material events in a fraud incident, connect cyber activity to financial outcomes, and align detection, prevention, and response strategies."
By providing that common lexicon, F3 positions itself as a tool capable of connecting technical indicators of compromise to downstream financial harm — a linkage that has been difficult to formalize until now.
Context Within MITRE's Expanding Framework Portfolio
The release of F3 continues MITRE's broader effort to produce specialized frameworks addressing distinct threat domains. Recent initiatives from the organization include the release of a security framework for embedded systems, the publication of the 2025 list of the Top 25 Most Dangerous Software Vulnerabilities, the ATT&CK v18 update with enhancements to detections, mobile, and ICS coverage, and the unveiling of the AADAPT Framework aimed at tackling cryptocurrency-related threats.
The Fight Fraud Framework represents a natural extension of this work — applying the proven structure of behavior-based adversary modeling to one of the most financially damaging categories of cybercrime organizations face today.
Source: SecurityWeek