
MITRE’s New Fraud-Cyber Framework Uses Real Attack Data

Summary

– Financial fraud losses in the U.S. grew dramatically to $16.6 billion in 2024, revealing a structural problem where fraud and cybersecurity teams operate separately.
– The MITRE Fight Fraud Framework (F3) is a new behavior-based model designed to give both teams a common structure for describing and disrupting fraud campaigns.
– F3 organizes fraudster behavior into tactics and techniques, with two unique tactics—Positioning and Monetization—reflecting the financial goals that distinguish fraud from other cyberattacks.
– Unlike rule-based detection systems, F3 maps the full lifecycle of how fraud occurs to help organizations understand complete campaigns rather than isolated events.
– The framework is built on principles tied to observable adversary behavior and is designed as a living document to be updated as new fraud schemes emerge.

Financial fraud losses in the United States soared to $16.6 billion in 2024, a staggering increase from $4.2 billion just four years earlier. This dramatic rise underscores a critical operational gap: the teams tasked with combating these threats, fraud investigators and cybersecurity analysts, have traditionally worked in silos. They use different tools, speak different languages, and operate with separate mental models of how an attack progresses. This disconnect creates vulnerabilities that adversaries exploit. To bridge this divide, MITRE has introduced the MITRE Fight Fraud Framework (F3), a behavior-based model built from real-world attack data to provide a unified language for describing, detecting, and disrupting fraud campaigns.

Unlike traditional rule-based systems that scan transactions against static conditions, F3 operates at a strategic level. It organizes fraudster behavior into a sequence of tactics and techniques observed in actual incidents. The framework covers the entire attack lifecycle, from Reconnaissance and Resource Development through Initial Access and Defense Evasion, culminating in Positioning, Execution, and Monetization. Two of these tactics, Positioning and Monetization, are unique to the fraud domain and do not appear in MITRE’s established ATT&CK framework for cyberattacks. Positioning covers an adversary’s actions within a compromised environment to prepare for execution, while Monetization covers converting stolen assets into usable value, the financial end goal that defines fraud.

Where a technique aligns with an existing ATT&CK entry, F3 adopts it with definitions modified for fraud-specific outcomes. For techniques unique to fraud, the framework assigns new F1XXX-series designations, ensuring compatibility with the broader ATT&CK schema. This design allows for a shared understanding across security disciplines. As the MITRE CTID Research Team explained, F3 answers a fundamental question: “What is the adversary trying to achieve at this stage, and how do they typically do it?” By codifying fraud actors’ tactics, it enables organizations to understand complete campaigns rather than reacting to isolated suspicious events.

The framework is not a replacement for transaction-scoring systems. Rules, heuristics, or machine learning models are still required to make enforcement decisions. However, F3 directly informs and improves those systems by grounding detection logic in observed fraud behaviors and attack sequences. It provides fraud analysts with a consistent method for describing incidents, gives cyber teams a structure for detecting adversary techniques, and offers security leaders a basis for risk assessment tied to real-world fraud patterns.

For organizations beginning to adopt F3, MITRE outlines a practical path forward. The first step is to integrate fraud and cybersecurity teams through shared workflows and joint analysis. Next, institutions should document incidents and trends using the F3 framework to standardize how fraud scenarios are recorded. Finally, they must map documented F3 techniques to their available data sources to better identify and monitor adversary behaviors.
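The second and third steps above, recording incidents as ordered F3 technique sequences and mapping those techniques to available telemetry, can be sketched in a few lines. The following is an added illustration, not MITRE's code or a published F3 artifact: the tactic order is the one the article lists, the ID format follows the stated T#### / F1XXX convention, the T-series IDs are ATT&CK's own for Phishing for Information, Phishing and Valid Accounts, and every F1XXX entry, technique name, data-source name and incident record is a constructed placeholder.

```python
"""Added illustration (not MITRE's code): record fraud incidents as ordered F3-style
technique sequences and find which documented techniques the organisation's data
sources cannot observe. F1XXX IDs, names, data sources and incidents are placeholders."""
import re
from collections import Counter
from dataclasses import dataclass

# Tactic sequence as the article lists it, earliest to latest.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access",
    "Defense Evasion", "Positioning", "Execution", "Monetization",
]

# ATT&CK-aligned entries keep a T#### ID; fraud-unique entries get an F1XXX ID.
# Sub-techniques carry a .### suffix, as in ATT&CK.
ID_PATTERN = re.compile(r"^(T\d{4}|F1\d{3})(\.\d{3})?$")


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str
    data_sources: frozenset  # telemetry in which the technique's effects are observable


@dataclass(frozen=True)
class Incident:
    ref: str
    steps: tuple  # technique IDs in the order they were observed


# Constructed catalog. T1598/T1566/T1078 are ATT&CK's own IDs for Phishing for
# Information, Phishing and Valid Accounts; F1001-F1003 are invented placeholders
# standing in for fraud-unique F3 techniques, not F3's real entries.
CATALOG = {t.tid: t for t in [
    Technique("T1598", "Phishing for Information", "Reconnaissance",
              frozenset({"email gateway"})),
    Technique("T1566", "Phishing", "Initial Access",
              frozenset({"email gateway", "web proxy"})),
    Technique("T1078", "Valid Accounts", "Initial Access",
              frozenset({"authentication logs"})),
    Technique("F1001", "Mule account preparation (placeholder)", "Positioning",
              frozenset({"online banking session log", "onboarding records"})),
    Technique("F1002", "Payee detail change (placeholder)", "Execution",
              frozenset({"online banking session log"})),
    Technique("F1003", "Rapid outbound transfer (placeholder)", "Monetization",
              frozenset({"core banking transaction log"})),
]}

# Constructed incident records, as the "document incidents" step would produce.
INCIDENTS = [
    Incident("INC-1", ("T1566", "T1078", "F1001", "F1002", "F1003")),
    Incident("INC-2", ("T1598", "T1566", "F1001", "F1003")),
    Incident("INC-3", ("T1078", "F1002", "F1003")),
]


def validate_incident(incident, catalog=CATALOG):
    """Return a list of problems: malformed or unknown IDs, and steps recorded out of
    lifecycle order. An order regression is flagged for analyst review rather than
    rejected outright, since a campaign can revisit an earlier tactic, but a
    mis-ordered record is more often a documentation error."""
    problems = []
    furthest = -1
    for tid in incident.steps:
        if not ID_PATTERN.match(tid):
            problems.append(f"{incident.ref}: malformed technique ID {tid!r}")
            continue
        tech = catalog.get(tid)
        if tech is None:
            problems.append(f"{incident.ref}: unknown technique {tid}")
            continue
        rank = TACTIC_ORDER.index(tech.tactic)
        if rank < furthest:
            problems.append(f"{incident.ref}: {tid} ({tech.tactic}) recorded after a later-stage tactic")
        furthest = max(furthest, rank)
    return problems


def technique_frequency(incidents):
    """Count how often each technique ID appears across the documented incidents."""
    return Counter(tid for inc in incidents for tid in inc.steps)


def coverage_gaps(incidents, available_sources, catalog=CATALOG):
    """Techniques seen in incidents that none of the available data sources can observe,
    as (tid, name, occurrences), most frequent first. These are the detection gaps the
    mapping step is meant to surface."""
    freq = technique_frequency(incidents)
    gaps = [(tid, catalog[tid].name, n) for tid, n in freq.items()
            if tid in catalog and not (catalog[tid].data_sources & available_sources)]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


if __name__ == "__main__":
    have = frozenset({"email gateway", "authentication logs", "core banking transaction log"})
    for inc in INCIDENTS:
        for p in validate_incident(inc):
            print("WARN", p)
    for tid, name, n in coverage_gaps(INCIDENTS, have):
        print(f"GAP {tid} {name}: seen {n} time(s), no covering data source")
```

With only email, authentication and core-banking transaction telemetry available, the two placeholder Positioning and Execution techniques come back as gaps even though they appear in most of the constructed incidents; adding the online banking session log closes both. The point of the exercise is that the gap list is driven by what was actually observed in documented campaigns, not by a generic control checklist.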

Four core principles guided the framework’s construction to ensure its utility. First, the effects of a technique must be observable during an incident. Second, every incident must involve at least one digital or technological method, such as phishing or malware. Third, techniques describe the adversary’s distinct, observable actions, not the tools they use. Finally, behaviors that manifest in multiple forms are captured as sub-techniques to maintain a consistent level of abstraction. These principles ensure F3 remains actionable for cyber threat intelligence, detection engineering, and security control design.

Designed as a living framework, F3 will evolve continuously as new fraud schemes emerge. MITRE plans to augment it with data sources for detection and recommended mitigations. The organization encourages community involvement, allowing security professionals to review the framework, suggest edits, prioritize future content, and contribute new techniques through the official F3 website.

(Source: Help Net Security)
