
MITRE F3: Frameworks Don't Investigate Cases

Fraud Investigations, Secure Environments, Secure Fraud Operations

Part 3 of 3 in our MITRE F3 series: It’s time to execute.

MITRE F3 does a great job of giving fraud and cyber teams a shared language for what they’re seeing. But it doesn’t tell you where to open the suspicious link, how to validate the spoofed portal safely, where to put the evidence once you’ve collected it, or how to safely accelerate your work with emerging tech and AI. This is where investigations get messy, ad-hoc, and fragmented.

The case: A text message that leads somewhere

Consumers reported $470 million in text-message fraud losses in 2024. Most start the same way: a message about a delivery issue, a fake fraud alert, an unpaid toll. The initial message is almost always harmless. The sequence of malicious steps behind it is where things get complicated.

Reconnaissance & Resource Development

Your fraud team gets an alert. A customer reports receiving a text that looked like it came from your payment processor. They didn’t click, but your team wants to validate what’s happening. One analyst needs to examine the SMS infrastructure, trace where the message came from, and determine if there’s a compromised supplier or spoofed sender. They can’t do this on their normal endpoint, because browsing attacker-controlled infrastructure from it exposes your network. They can’t do it from a shared machine; they’ll contaminate the evidence. They can’t open it on their personal device, because compliance won’t allow it.

So they open it in an isolated environment. They spin up a clean workspace with OSINT tools, message tracing software, whatever their investigation requires. They validate the sender, trace the infrastructure, and collect evidence without risking anyone.

Initial Access & Positioning

Your SIEM flags a spike in login failures from a residential IP. Someone clicked the link. Your cyber team now has context: this isn’t an isolated phishing event; it’s the beginning of a fraud sequence. Now your fraud team documents what they found: the message appears to route through a legitimate service that’s been compromised. They share this finding with your cyber team in the same investigation workspace. No email. No message that gets lost. Both teams read from the same incident timeline using the same vocabulary. Your cyber team hunts for similar patterns in your logs… but now they’re hunting for the specific indicators your fraud team identified, going faster than ever with secured access to AI agents.
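The hunt described above, as an added example that is not part of the original post: a small Python script parses constructed authentication log lines (documentation-range IPs, not real ones), flags any source that bursts past a failure threshold inside a sliding window, notes whether that burst was followed by a successful login from the same source, and tags any event whose source matches an indicator the fraud team recorded in the shared workspace. The log format, the indicator list and the F3 tactic labels are all assumptions made for the example.

```python
"""Login-failure spike hunt over constructed auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth login_failed user=alice src=203.0.113.45
2024-05-01T10:00:03Z auth login_failed user=alice src=203.0.113.45
2024-05-01T10:00:05Z auth login_failed user=bob src=203.0.113.45
2024-05-01T10:00:09Z auth login_failed user=carol src=203.0.113.45
2024-05-01T10:00:12Z auth login_failed user=dave src=203.0.113.45
2024-05-01T10:00:20Z auth login_ok user=alice src=203.0.113.45
2024-05-01T10:01:00Z auth login_failed user=erin src=198.51.100.7
2024-05-01T10:09:00Z auth login_failed user=erin src=198.51.100.7
2024-05-01T10:15:00Z auth login_ok user=frank src=192.0.2.10
"""

# Hypothetical indicators the fraud team documented in the shared investigation
# record, each tagged with the F3 tactic it was observed under (constructed).
FRAUD_TEAM_INDICATORS = {"192.0.2.10": "Initial Access"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed line format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failure_spikes(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: peak_failures} for sources with >= threshold failures in any window."""
    recent = defaultdict(deque)
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["src"]] = max(peaks.get(ev["src"], 0), len(q))
    return peaks


def match_indicators(events, indicators=FRAUD_TEAM_INDICATORS):
    """Tag every event whose source is in the fraud team's indicator list."""
    return [(ev["ts"].isoformat(), ev["src"], ev["user"], indicators[ev["src"]])
            for ev in events if ev["src"] in indicators]


def hunt(text=SAMPLE_LOG, threshold=5):
    """Combine the spike check with the indicator match into one set of findings."""
    events = parse_log(text)
    findings = []
    for src, peak in failure_spikes(events, threshold=threshold).items():
        first_fail = min(e["ts"] for e in events if e["src"] == src and e["event"] == "login_failed")
        # A burst of failures followed by a success from the same source deserves a closer look.
        later_ok = any(e["event"] == "login_ok" and e["src"] == src and e["ts"] > first_fail
                       for e in events)
        findings.append({"src": src, "peak_failures": peak,
                         "followed_by_success": later_ok, "f3_tactic": "Initial Access"})
    return {"spikes": findings, "indicator_hits": match_indicators(events)}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

Both checks share one parsed event list, so the cyber team's spike detection and the fraud team's indicators are evaluated against the same data; the threshold and window are parameters so they can be tuned to the real log volume.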

Execution & Monetization

Three customer accounts show signs of manipulation. Account permissions were briefly elevated. Two wire transfers were initiated but never completed. One transferred successfully before being frozen. All of this happens in the same protected investigation environment. A junior analyst reviews account modifications without touching customer-facing systems. A senior investigator validates wire transfer mechanics without risking production databases. Your compliance team reviews the evidence chain without exposure. Multiple people working the same case, same environment, same incident record.

Evidence & Handoff

Your team exports the investigation package: timeline, evidence snapshots, account modification logs, wire transfer records, infrastructure analysis. Complete chain of custody. Audit trail showing who accessed what, when, and from where. You hand this off to law enforcement, your legal team, and your customer relations team with full confidence. This takes one day instead of one week. One environment instead of five different systems. Evidence instead of partial reconstructions.

Making it operational

F3 gives your teams a shared vocabulary for the sequence. When your fraud and cyber teams work together in a space designed for sensitive investigation – where they can open suspicious infrastructure, validate account changes, trace attack chains, and coordinate findings – the framework becomes operational instead of theoretical.

Without that space, every step becomes a problem. Opening the suspicious link on a corporate machine potentially compromises it. Sharing findings over email creates audit liabilities. Jumping between systems loses your evidence chain. Handing off partial documentation weakens your legal case. Having any interaction with AI models potentially exposes or compromises your case.

To operationalize F3, create a dedicated investigation workspace: not your production environment, not a shared endpoint. A protected space where your team can open hostile content, run specialized tools, and maintain full audit trails. Your cyber team, fraud team, and compliance team should all have access to the same investigation record, using F3 tactics as your touchpoint words: Reconnaissance, Initial Access, Positioning, Execution, Monetization.

Fraud investigators are increasingly using AI to accelerate analysis. An investigator might ask an AI agent to generate a system profile, view the same suspicious site across three different virtual environments to compare how it renders, then run a diff to spot inconsistencies that signal fraud. They might use AI to answer questions about their fraud kill chain, such as which tactic matches a given account behavior, without exposing corporate infrastructure to the AI model or leaking investigation details to a third-party service.

This matters even more when investigations require collaboration across sector partners. Multiple fraud teams from different organizations can work together in a shared investigation environment on threats affecting the entire sector. They can analyze attack patterns, compare indicators, build collective defenses, without exposing their individual networks, or using insecure channels. This stands in contrast to approaches that leave teams isolated or require sensitive coordination through email and screen sharing.

Capture evidence in the investigation workspace before you hand anything off externally. For screenshots, logs, and system states, your workspace becomes your evidence repository with a complete chain of custody. When you’re ready to escalate to legal, law enforcement, or leadership, export the complete investigation package: timeline, evidence, audit trail, F3 annotations. This turns weeks into days. It turns fragmented findings into coordinated responses. It turns individual observations into a case.

Frequently Asked Questions

When do you open an investigation environment vs. using your standard tools?

When the work involves opening unknown infrastructure, validating suspicious content, tracing attack chains, or handling evidence that needs chain of custody. Essentially: anytime the investigation could expose your corporate network or contaminate evidence if done on standard endpoints.

How do you prevent investigators from getting infected or exposed?

Full isolation. The investigation workspace is completely separated from your corporate network. Malware stays contained. Adversary infrastructure can’t pivot into your systems. Your investigators operate in a protected sandbox designed for exactly this kind of risky work.

This protection extends to AI-powered adversary tooling that targets investigators. When working in isolated environments, investigators don’t present the same signature or fingerprint that makes them identifiable targets. Details like browser fingerprints, device characteristics, and network signatures change over time within the environment, making it harder for offensive AI models to track or target the investigator behind the analysis.

Can multiple people work the same case in the same environment?

Yes! Your fraud analyst, your cyber investigator, your compliance officer – they all access the same investigation workspace. They see the same evidence. They work from the same incident timeline. This eliminates the “lost in translation” problem of fragmented workflows.

How do you document findings for legal and law enforcement?

The investigation environment maintains a complete audit log. Every action, every document review, every export is recorded. When you’re ready to hand findings to law enforcement or your legal team, you export the investigation package with full chain of custody intact.
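The evidence package and audit trail described here, and in the "Evidence & Handoff" and "Capture evidence" passages above, as an added example that is not the product's own export format: a Python module keeps a manifest of SHA-256 hashes for each collected artifact, records every action in a hash-chained audit log (each entry commits to the previous entry's hash), and verifies an exported package by recomputing both. The case id, actor names, artifact contents and F3 annotations are constructed placeholders.

```python
"""Hash-chained investigation package with chain-of-custody verification (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic JSON so the same entry always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class InvestigationCase:
    """In-memory case: artifacts, a hash manifest, and a hash-chained audit log."""

    def __init__(self, case_id, clock=None):
        self.case_id = case_id
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.artifacts = {}   # name -> raw bytes kept in the workspace
        self.manifest = []    # name, sha256, f3_tactic, collected_by
        self.audit = []       # chained entries: each carries prev_hash and its own entry_hash
        self._log("case_opened", actor="system")

    def _log(self, action, actor, **details):
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "ts": self._clock(), "actor": actor,
                 "action": action, "details": details, "prev_hash": prev}
        entry["entry_hash"] = _sha256(_canonical(entry))
        self.audit.append(entry)

    def add_artifact(self, name, data, actor, f3_tactic):
        digest = _sha256(data)
        self.artifacts[name] = data
        self.manifest.append({"name": name, "sha256": digest,
                              "f3_tactic": f3_tactic, "collected_by": actor})
        self._log("artifact_added", actor, name=name, sha256=digest)
        return digest

    def record_review(self, name, actor):
        self._log("artifact_reviewed", actor, name=name)

    def export_package(self, actor):
        """Return an independent copy of the manifest and audit chain for handoff."""
        self._log("package_exported", actor, artifact_count=len(self.manifest))
        return json.loads(json.dumps({"case_id": self.case_id,
                                      "artifacts": self.manifest, "audit": self.audit}))


def verify_package(package, artifacts):
    """Recompute artifact hashes and walk the audit chain; empty list means intact."""
    problems = []
    for item in package["artifacts"]:
        data = artifacts.get(item["name"])
        if data is None:
            problems.append(f"missing artifact {item['name']}")
        elif _sha256(data) != item["sha256"]:
            problems.append(f"hash mismatch for {item['name']}")
    prev = "0" * 64
    for entry in package["audit"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _sha256(_canonical(body)) != entry["entry_hash"]:
            problems.append(f"audit chain broken at seq {entry['seq']}")
            break
        prev = entry["entry_hash"]
    return problems


def build_sample_case():
    # Fixed clock so the constructed case is reproducible.
    case = InvestigationCase("CASE-PLACEHOLDER-0001", clock=lambda: "2024-05-01T12:00:00+00:00")
    case.add_artifact("sms_screenshot.png", b"constructed png bytes", "fraud_analyst", "Reconnaissance")
    case.add_artifact("wire_transfer_log.csv", b"id,amount\n1,5000\n", "senior_investigator", "Monetization")
    case.record_review("wire_transfer_log.csv", "compliance_officer")
    return case


def verification_scenarios():
    """Intact package, an edited audit entry, and an altered artifact side by side."""
    case = build_sample_case()
    pkg = case.export_package(actor="case_lead")
    edited_audit = json.loads(json.dumps(pkg))
    edited_audit["audit"][2]["actor"] = "someone_else"   # rewrite history after the fact
    altered = dict(case.artifacts)
    altered["wire_transfer_log.csv"] = b"id,amount\n1,50\n"  # evidence changed after collection
    return {"intact": verify_package(pkg, case.artifacts),
            "edited_audit": verify_package(edited_audit, case.artifacts),
            "altered_artifact": verify_package(pkg, altered),
            "actions": [e["action"] for e in pkg["audit"]]}


if __name__ == "__main__":
    for name, outcome in verification_scenarios().items():
        print(name, outcome)
```

Each audit entry commits to the hash of the one before it, so editing any entry breaks the chain from that point on, and each artifact's hash is fixed at collection time, so a file changed after the fact fails verification; the receiving party (legal, law enforcement) can run the same check without access to the original workspace.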

What tools do you run inside the investigation environment?

Whatever your team needs. OSINT tools, message tracing software, network analysis, malware analysis, forensic tools, specialized fraud detection software. The environment is purpose-built to support your investigation workflow without imposing tool restrictions.

What about AI tools? How can you use them without creating exposure?

Fraud investigators often need AI to accelerate their work. But using third-party AI services with sensitive investigation data creates exposure: you’re sending case details to external models, and you don’t control where that data goes.

In an isolated environment, you can run AI models locally or use AI agents without leaking investigation details outside your workspace. You can ask AI to analyze fraud sequences, generate system profiles, or compare suspicious sites across multiple environments, all without exposing your case to third-party vendors. This prevents shadow use of AI and keeps data contained. The environment also supports access to cloud resources, container infrastructure, and potentially AI appliances as they become available. This can give your team the power of AI, without the exposure risk.

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers’ work, online.

Contact us to see how we can work together.