Fight Fraud Framework

MITRE aims to unify fraud detection with new open framework


The organization behind ATT&CK has released a companion framework specifically for financial fraud, introducing two new attack phases that the original framework never covered.

Anyone familiar with ATT&CK knows how central MITRE's framework has become to modern threat analysis. What it never mapped, though, was the typical progression of financial fraud: specifically, what happens after an attacker gains access and the focus shifts to making money. That is the gap the new Fight Fraud Framework (F3) is designed to fill.


F3 is built from real-world fraud incidents and maps out how attackers operate, from initial preparation through initial access to the actual extraction of funds. It is intended as a shared working foundation for both cybersecurity teams and traditional fraud investigators, two groups that have historically struggled to speak the same language.

The key insight: fraud does not end with the breach

ATT&CK primarily describes how attackers break into systems, establish a foothold and move through them. In fraud, that is only half the story, because what happens after the foothold is what actually determines the loss. F3 therefore introduces two phases that ATT&CK does not address.

The first is called Positioning: once the attacker has gained access, they begin preparing the actual fraud. This means collecting data, manipulating account balances and setting up the infrastructure needed for the next step. The second phase, Monetization, describes how compromised accounts or data are ultimately converted into cash. Wire transfers, crypto transactions, fraudulent purchases: all of it falls under this category.


Open, free and on GitHub

MITRE is releasing F3 as an open knowledge base: free of charge, globally accessible and hosted in a public GitHub repository. The repo also explains how outside contributors can get involved. A dedicated website provides a visual overview of the described tactics along with documentation on the framework’s design principles and methodology.

How quickly F3 gets adopted in practice remains to be seen. ATT&CK took years to become the go-to reference it is today. F3 at least starts from a solid foundation of observed attack data rather than theory.

Lars Becker
Deputy Editor-in-Chief
IT Verlag GmbH
