A Review of Tactics, Techniques, and Procedures (TTPs) of MITRE Framework for Business Email Compromise (BEC) Attacks

The MITRE ATT&CK® framework is a globally recognized repository of adversarial Tactics, Techniques, and Procedures (TTPs) based on real-world cyber threats. It provides a model for analyzing attack behaviors and enhancing incident attribution. Business Email Compromise (BEC) frauds, a growing cyber threat, exploit email communications for financial gain. However, the MITRE framework is not widely used for BEC, as no custom matrix has been developed specifically for these attacks. This study maps the TTPs used by BEC Threat Actors (TA) within the MITRE ATT&CK framework.

The methodology included a review of academic literature, Cyber Threat Intelligence (CTI) reports, and real-world incident response data from INCIDE Digital Data S.L. A total of 10 tactics, 34 techniques, and 46 sub-techniques were identified, with 5 new sub-techniques proposed to address gaps, particularly in mailbox manipulation and defense evasion. Additionally, Privilege Escalation, Lateral Movement, and Credential Access tactics were merged due to overlapping techniques, while the Execution tactic was excluded as it is not central to BEC attacks. To demonstrate the utility of the framework, we characterized two real-world TAs: Cosmic Lynx, a sophisticated actor targeting multinational organizations, and Chiffon Herring, a smaller-scale attacker employing simpler methods.

These case studies highlight the framework’s adaptability for analyzing diverse TA profiles and its potential to support improved incident attribution, detection, and prevention strategies.
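The mailbox manipulation and defense evasion gaps the study singles out are the ones defenders most often see as inbox-rule changes. As an added illustration (not code from the paper or from INCIDE), the following detector scans simplified Microsoft 365 audit records for two existing ATT&CK sub-techniques that BEC actors rely on: external auto-forwarding (T1114.003) and rules that hide finance-themed mail (T1564.008). The tenant domain, the keyword list and the log records are constructed assumptions; real unified audit log entries carry parameters as a list of name/value pairs rather than a flat object.

```python
"""Flag BEC-style inbox-rule changes in (simplified) Microsoft 365 audit records."""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domain
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "iban"}  # assumed watch list
HIDING_FOLDERS = {"RSS Feeds", "Archive", "Junk Email"}  # folders users rarely open

# Constructed sample records, one JSON object per line (not real audit data).
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"cfo@example.com","Parameters":{"Name":"Backup","ForwardTo":"ext@mail-host.net","DeleteMessage":false}}
{"Operation":"New-InboxRule","UserId":"ap@example.com","Parameters":{"Name":".","SubjectContainsWords":"invoice;payment","MoveToFolder":"RSS Feeds","MarkAsRead":true}}
{"Operation":"Set-InboxRule","UserId":"hr@example.com","Parameters":{"Name":"Team","SubjectContainsWords":"lunch","MoveToFolder":"Social"}}
""".strip()


def _domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_rule(record):
    """Return the ATT&CK sub-technique IDs a rule change matches (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = record.get("Parameters", {})
    hits = []
    # External forwarding/redirect: lets the actor monitor the victim's mail.
    targets = [a for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
               for a in str(p.get(k, "")).split(";") if a]
    if any(_domain(a) not in INTERNAL_DOMAINS for a in targets):
        hits.append("T1114.003")
    # Hiding rule: finance keywords combined with delete / mark-as-read / obscure folder.
    words = {w.strip().lower() for w in str(p.get("SubjectContainsWords", "")).split(";") if w}
    hides = bool(p.get("DeleteMessage") or p.get("MarkAsRead")
                 or p.get("MoveToFolder") in HIDING_FOLDERS)
    if words & FINANCE_WORDS and hides:
        hits.append("T1564.008")
    return hits


def scan(log_text):
    """Map each mailbox owner to the technique IDs triggered by their rule changes."""
    findings = {}
    for line in log_text.splitlines():
        rec = json.loads(line)
        ids = classify_rule(rec)
        if ids:
            findings.setdefault(rec["UserId"], []).extend(ids)
    return findings


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Feeding real audit exports requires flattening the parameter list first; the heuristics themselves are meant as a starting point for the study's proposed mailbox-manipulation sub-techniques, not a complete ruleset.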
