Introduction: MITRE ATT&CK® is a globally-accessible framework of real-world adversary tactics and techniques. It helps security teams understand how attackers operate. Mapping ATT&CK techniques to specific sectors highlights how and why certain industries are targeted. Adversaries adapt their methods to each industry’s assets, users, and technology. For example, finance firms see rampant credential theft and scripting attacks, while healthcare is hit hard by phishing that leads to ransomware. Sector-specific mapping focuses defenses on the most likely attacks. This guide lists the top 5 ATT&CK techniques per industry, grouped by tactic, with official MITRE links and references to documented threat trends.
🏦 Finance
- Execution:
  - T1059.003 – Windows Command Shell (Execution). Used to run OS commands and scripts on Windows servers. Financial attackers leverage command shells to pivot and deploy tools once inside banking networks.
  - T1059.001 – PowerShell (Execution). Powerful scripting on Windows. Many financial breaches start with phishing or malware that drop PowerShell payloads to automate theft or lateral movement.
- Discovery:
  - T1087.002 – Domain Account Discovery (Discovery). Harvests domain user info. Finance threat actors use account discovery to enumerate who has privileged access, often looking for admin or SWIFT system accounts to compromise.
  - T1046 – Network Service Discovery (Discovery). Scans networks for live hosts and services. Widely used in banking environments to map high-value servers (e.g. core banking, payment servers) that attackers later target.
- Defense Evasion:
  - T1207 – Rogue Domain Controller (Defense Evasion). Stands up a fake DC to steal credentials. Financial attackers sometimes set up malicious domain controllers to intercept logons and harvest account hashes from ATMs or banking networks.
- Supporting Context: Finance organizations are uniquely attractive to cybercrime. Recent data shows the top finance-sector techniques include Windows Command Shell (29.2% of incidents), Domain Account Discovery (19.6%), PowerShell (17.3%), Rogue Domain Controllers (17.3%), and Network Discovery (16.8%). These are all present above. Attackers exploit finance’s complex infrastructure (ATMs, ledger systems, SWIFT connections) using scripting and discovery to move stealthily and steal funds or data.
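The finance list above is mostly command-line and discovery behaviour, which is visible in process-creation telemetry. The following is an added example, not code from this guide or from MITRE: it runs simple detection rules for T1059.003, T1059.001, T1087.002 and T1046 over a handful of constructed process-creation events (4688/Sysmon-style fields, hostnames and command lines are all made up), and then orders hosts for triage by the finance-sector prevalence figures the guide quotes. The rule thresholds and the "Office parent" heuristic are assumptions to tune against your own baseline; T1207 (rogue DC) is not covered because it is seen in directory-service replication events rather than process creation.

```python
"""Added example: tag process-creation events with the finance-sector
ATT&CK techniques from the guide and rank hosts for triage.
All sample events below are constructed for this example."""
import re
from collections import defaultdict

# Office/mail clients that should not normally spawn a command shell (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Scanner binaries whose appearance on a bank workstation or server merits review.
SCANNER_IMAGES = {"nmap.exe", "masscan.exe", "advanced_ip_scanner.exe"}

ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
HIDDEN_PS = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b")
DOMAIN_ENUM = re.compile(
    r"(?i)\bnet1?\s+(?:user|group)\b[^\n]*?/domain|\bdsquery\s+user\b|\bget-aduser\b")
PS_SCAN = re.compile(r"(?i)test-netconnection")


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (technique id, description, predicate over one event) in evaluation order.
RULES = [
    ("T1059.003", "cmd.exe spawned by an Office/mail client",
     lambda e: _basename(e["image"]) == "cmd.exe"
     and _basename(e["parent"]) in OFFICE_PARENTS),
    ("T1059.001", "PowerShell with encoded-command or hidden-window flags",
     lambda e: _basename(e["image"]) in {"powershell.exe", "pwsh.exe"}
     and bool(ENCODED_PS.search(e["cmdline"]) or HIDDEN_PS.search(e["cmdline"]))),
    ("T1087.002", "domain account enumeration via net/dsquery/Get-ADUser",
     lambda e: bool(DOMAIN_ENUM.search(e["cmdline"]))),
    ("T1046", "network scanner binary or PowerShell port probe",
     lambda e: _basename(e["image"]) in SCANNER_IMAGES
     or bool(PS_SCAN.search(e["cmdline"]))),
]


def classify(event):
    """Return the technique ids whose rule fires for a single event."""
    return [tid for tid, _desc, pred in RULES if pred(event)]


# Finance-sector prevalence (percent of incidents) as quoted in the guide.
FINANCE_PREVALENCE = {"T1059.003": 29.2, "T1087.002": 19.6, "T1059.001": 17.3,
                      "T1207": 17.3, "T1046": 16.8}


def rank_hosts(events):
    """Score each host by the sector prevalence of the techniques seen on it,
    so analysts start with hosts showing the patterns most common in finance
    intrusions. Returns [(host, score, sorted technique ids)], best first."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].update(classify(e))
    ranked = [(host, round(sum(FINANCE_PREVALENCE.get(t, 0) for t in techs), 1),
               sorted(techs)) for host, techs in seen.items() if techs]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample telemetry (hosts, users and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "wks-teller-07", "user": "CORP\\jdoe", "parent": "outlook.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "net user /domain"'},
    {"host": "wks-teller-07", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAKAAkAHgAKQA="},  # truncated, constructed
    {"host": "srv-swift-gw", "user": "CORP\\svc_backup", "parent": "services.exe",
     "image": "C:\\Tools\\nmap.exe", "cmdline": "nmap.exe -p 445,3389 10.20.0.0/24"},
    {"host": "wks-hr-02", "user": "CORP\\asmith", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},  # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify(ev) or "-")
    for host, score, techs in rank_hosts(SAMPLE_EVENTS):
        print(f"{host}: score={score} techniques={techs}")
```

The ranking is deliberately crude: it only tells you which host to look at first, given what the guide says is most common in this sector, and a benign host that never trips a rule never appears in the list.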
🏥 Healthcare & Social Assistance
- Initial Access:
  - T1566.002 – Phishing: Spearphishing Link (Initial Access). Malicious email links. In healthcare, spearphishing is by far the #1 entry vector, exploiting staff’s heavy email use. Industry reports show >50% of healthcare breaches started with phishing links.
  - T1566.001 – Phishing: Spearphishing Attachment (Initial Access). Malicious email attachments. Healthcare workers often open malicious documents, which launches malware. This was the second-most common vector (~27%) in recent health-sector attacks.
  - T1566 – Phishing (generic) (Initial Access). Phishing in general. Campaigns targeting hospitals and clinics rely on phishing as the umbrella technique.
- Initial Access (exploit):
  - T1190 – Exploit Public-Facing Application (Initial Access). Exploiting internet-facing servers (e.g. patient portals, remote access). Attackers exploit unpatched VPNs or web apps used by healthcare providers. Healthcare saw ~25% of breaches via this route.
- Initial Access (other):
  - T1133 – External Remote Services (Initial Access). Compromised VPN/RDP accounts, Citrix, etc. Many health orgs open remote access for telemedicine; attackers abuse weak remote credentials to enter networks.
- Why It Matters: The HSA (Healthcare & Social Assistance) sector is dominated by phishing-based intrusions. High email volume, rotating/temporary staff, and undertrained personnel make phishing effective. Ransomware gangs like Ryuk and Conti famously hit hospitals via spearphish. Public-facing medical systems (telehealth portals, EHR interfaces) and exposed VPNs provide exploitable gaps. Protecting healthcare means hardening email defenses and patching public apps, since these techniques (T1566.x, T1190, T1133) account for the majority of incidents.
🛒 Retail & E-commerce
- Initial Access:
  - T1566.002 – Phishing: Spearphishing Link (Initial Access). Email links remain a top tactic. Retail employees (often seasonal or part-time) are frequently phished. Recent retail incident analysis shows spearphishing links (~17%) as the #1 initial access vector.
  - T1534 – Internal Spearphishing (Lateral Movement). Phishing from within. After initial compromise, attackers often use a legitimate internal email account to phish other retail staff, increasing trust and success. This technique was the 2nd most common (11.5%) in retail breaches.
  - T1566.001 – Phishing: Spearphishing Attachment (Initial Access). Malicious attachments. Often ZIPs or docs with macros, used heavily by retail-targeting groups (like FIN7). Saw ~10% usage in retail incidents.
- Initial Access (exploit):
  - T1190 – Exploit Public-Facing Application (Initial Access). Hitting e-commerce platforms. Retailers’ web stores and payment portals are high-value targets. About 6.4% of recent retail compromises involved exploiting internet-facing apps.
- Initial Access (other):
  - T1133 – External Remote Services (Initial Access). VPNs or cloud admin portals. Used by attackers to directly log in after obtaining credentials (for example, via phishing). Accounts for ~5% of retail cases.
- Why It Matters: Retailers handle massive customer data and payments. Attackers target them for credit card theft and extortion. Spearphishing (links, attachments, internal) dominates initial access. The retail workforce’s large, transient nature and frequent third-party/vendor links make phishing and credential compromise very successful. Vulnerable e-commerce servers and supplier portals also attract exploit-based attacks. This sector has seen a 111% surge in ransomware, emphasizing the need to defend against these T1566 and T1190 techniques.
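Both the healthcare and the retail sections come down to the same three phishing variants: spearphishing links (T1566.002), spearphishing attachments (T1566.001) and, once an account is compromised, internal spearphishing (T1534). The following is an added example, not code from this guide or from MITRE, of the kind of mail-gateway triage that "hardening email defenses" implies: it parses constructed MIME messages, flags anchors whose visible text names one host while the href goes to another host or to a bare IP, flags macro-enabled or archive attachments, and tags a message that carries those indicators but comes from the organisation's own domain as an internal-spearphishing candidate. The org domain, the risky-extension list and every sample message are assumptions constructed for the example.

```python
"""Added example: tag inbound mail with the phishing techniques the guide
lists for healthcare and retail. All messages below are constructed."""
import email
import ipaddress
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-clinic.org"  # hypothetical defender's own domain
# Extensions that commonly carry macros, scripts or wrapped payloads (assumption).
RISKY_EXT = {".docm", ".xlsm", ".pptm", ".zip", ".iso", ".js", ".vbs",
             ".lnk", ".hta", ".scr"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    p = urlparse(s if "://" in s else "http://" + s)
    return (p.hostname or "").lower()


def _is_ip(h):
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def suspicious_link(href, text):
    """True when the href points at a bare IP, or the visible text looks like
    a URL whose host differs from the real destination (T1566.002 pattern)."""
    h = _host(href)
    if not h:
        return False
    if _is_ip(h):
        return True
    t = _host(text) if ("." in text and " " not in text) else ""
    return bool(t) and t != h and not h.endswith("." + t)


def triage(raw):
    """Parse one raw RFC 5322 message and return sender, technique tags
    and the indicators behind them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    sender_domain = sender.rsplit("@", 1)[-1].rstrip(">")
    findings, techniques = [], []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        c = LinkCollector()
        c.feed(body.get_content())
        for href, text in c.links:
            if suspicious_link(href, text):
                findings.append(f"link text '{text}' -> {href}")
    if findings:
        techniques.append("T1566.002")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXT:
            findings.append(f"attachment {name}")
            if "T1566.001" not in techniques:
                techniques.append("T1566.001")
    # Phishing indicators arriving from our own domain: internal spearphishing
    # from a compromised account (T1534) until proven otherwise.
    if techniques and sender_domain == ORG_DOMAIN:
        techniques.append("T1534")
    return {"from": sender, "techniques": techniques, "findings": findings}


def _build(sender, subject, html, attachment=None):
    """Construct a sample message (plain + HTML, optional attachment)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, f"staff@{ORG_DOMAIN}", subject
    m.set_content("Please view this message in HTML.")
    m.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


SAMPLES = {  # constructed messages; 203.0.113.0/24 is documentation address space
    "external_link": _build(
        "billing@example-clinic-portal.com", "Account locked",
        '<p>Visit <a href="http://203.0.113.7/login">https://portal.example-clinic.org</a></p>'),
    "internal_compromised": _build(
        "nurse.lee@example-clinic.org", "Updated schedule",
        '<p><a href="https://example-clinic.org.benefits-update.net/x">https://hr.example-clinic.org/benefits</a></p>',
        ("Schedule.docm", b"constructed placeholder bytes")),
    "benign": _build(
        "it@example-clinic.org", "Policy update",
        '<p><a href="https://intranet.example-clinic.org/policy">Click here</a></p>',
        ("policy.pdf", b"constructed placeholder bytes")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The link rule only compares hosts the visible text actually names, so a "Click here" anchor is not flagged by itself; that keeps the rule quiet on routine mail while still catching the display-text/destination mismatch that spearphishing links rely on.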
🏭 Manufacturing & Industrial Control Systems (ICS)
- Initial Access:
  - T1566.002 – Phishing: Spearphishing Link (Initial Access). Similar to other industries, spearphishing links are heavily used. In manufacturing breach data, ~30% of incidents involved phishing links. Adversaries lure factory or OT engineers with malicious URLs.
  - T1534 – Internal Spearphishing (Lateral Movement). Once inside the network, attackers phish other internal employees using a compromised email. This happened in ~23% of manufacturing cases, exploiting trust in internal communications.
  - T1566.001 – Phishing: Spearphishing Attachment (Initial Access). Malicious attachments (often Office macros). Used in ~17% of manufacturing incidents. Engineering staff may open technical PDFs or spreadsheets that hide malware.
- Execution:
  - T1204.002 – User Execution: Malicious File (Execution). Users opening malware-laden files. Attackers rely on workers manually executing dropped files. This accounts for ~12% of cases and ties into phishing delivery (click to run).
- Initial Access (generic):