ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: ME008
  • Created: 25th May 2024
  • Updated: 01st August 2025
  • Contributor: The ITM Team

Network Attached Storage

A subject can write to a Network Attached Storage (NAS) device outside the organization’s control. In remote or hybrid settings, the subject’s ability to access NAS devices on their personal LAN — from a corporate-managed endpoint — introduces a persistent and often unmonitored risk vector.

 

These consumer-grade platforms (e.g., Synology, QNAP, WD My Cloud) fall outside the scope of organizational governance, yet remain fully accessible when the subject is working from home. If reachable, they provide a standing means to stage, duplicate, or transfer sensitive enterprise data.

 

This capability is particularly dangerous when VPN configurations permit split tunneling, unintentionally allowing local subnet access alongside corporate resources. Even in the absence of deliberate misuse, the continued accessibility of these unmanaged file-sharing services expands the subject’s technical means and circumvention potential.

Prevention

ID Name Description
PV058Consistent Enforcement of Minor Violations

Establish and maintain processes where all policy violations, including those perceived as minor or low-impact, are addressed consistently, proportionately, and promptly. By reinforcing that even small infractions matter, organizations deter boundary testing behaviors and reduce the risk of escalation into more serious incidents.

 

Implementation Approaches

  • Develop clear disciplinary guidelines that outline expected consequences for different categories of violations, ensuring minor infractions are not overlooked.
  • Empower first-line supervisors and managers with authority and tools to address minor violations at the earliest opportunity through corrective conversations, formal warnings, or minor sanctions as appropriate.
  • Track policy violations centrally, including minor incidents, to identify repeat offenders or emerging behavioral patterns across time.
  • Communicate the rationale for enforcement to the workforce, framing minor violation enforcement as a measure to protect operational integrity rather than bureaucratic punishment.
  • Conduct periodic reviews of enforcement actions to ensure consistency across departments, teams, and levels of seniority, minimizing perceptions of favoritism or uneven discipline.

 

Operational Principles

  • Proportionality: Responses to minor violations should be appropriate to the severity but still reinforce the boundary.
  • Visibility: Enforcement actions should be visible enough to deter others, without unnecessarily shaming or alienating individuals.
  • Predictability: Personnel should understand that violations will predictably result in consequences, eliminating ambiguity or assumptions of tolerance.
  • Escalation Readiness: Organizations should be prepared to escalate interventions for individuals who demonstrate patterns of repeated minor violations.
PV020Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

PV001No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Detection

ID Name Description
DT045Agent Capable of User Activity Monitoring

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

 

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

 

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

 

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

DT047Agent Capable of User Behaviour Analytics

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

 

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

 

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

 

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

DT048Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.