
Insider Threat Matrix™

  • ID: PR004.001
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Contributor: The ITM Team

Network File Exploration

A subject may search for, or otherwise explore, files on a Network Attached Storage (NAS) device to identify sensitive information.

Prevention

  • ID: PV008
  • Name: Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have permissions configured to restrict unauthorized access to directories or specific files.

Detection

  • ID: DT009
  • Name: Cyber Deception, File Canary

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.
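
An added example, not part of the ITM page: the file canary check described above, applied to file-access audit records from a network share. The share paths, account names and record format are constructed assumptions, not values from the framework.

```python
import ntpath

# Constructed decoy files planted on network shares (assumed paths).
CANARY_PATHS = [
    r"\\nas01\finance\2024_payroll_master.xlsx",
    r"\\nas01\hr\executive_compensation.docx",
]
# Accounts expected to read every file, e.g. backup jobs (assumed name).
ALLOWLISTED_SUBJECTS = {"svc_backup"}

# Constructed file-access audit records: (timestamp, subject, path, action).
SAMPLE_EVENTS = [
    ("2024-06-14T09:02:11Z", "svc_backup", r"\\nas01\finance\2024_payroll_master.xlsx", "read"),
    ("2024-06-14T10:15:40Z", "jdoe", r"\\NAS01\Finance\2024_Payroll_Master.xlsx", "read"),
    ("2024-06-14T10:15:58Z", "jdoe", "//nas01/finance/reports/../2024_payroll_master.xlsx", "copy"),
    ("2024-06-14T10:17:03Z", "jdoe", r"\\nas01\finance\q2_forecast.xlsx", "read"),
    ("2024-06-14T11:40:19Z", "ASmith", r"\\nas01\hr\executive_compensation.docx", "read"),
]


def normalize(path):
    """Fold case, slash style and '..' segments so equivalent share paths compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def detect_canary_access(events, canaries=CANARY_PATHS, allowlist=ALLOWLISTED_SUBJECTS):
    """Return one alert per (subject, canary), ordered by first access time."""
    watched = {normalize(p) for p in canaries}
    alerts = {}
    for timestamp, subject, path, action in events:
        canary = normalize(path)
        who = subject.lower()
        if canary not in watched or who in allowlist:
            continue
        alert = alerts.setdefault((who, canary), {
            "subject": who, "canary": canary,
            "first_seen": timestamp, "hits": 0, "actions": set(),
        })
        alert["first_seen"] = min(alert["first_seen"], timestamp)
        alert["hits"] += 1
        alert["actions"].add(action)
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_canary_access(SAMPLE_EVENTS):
        print(f'{a["first_seen"]} ALERT {a["subject"]} touched {a["canary"]} '
              f'x{a["hits"]} ({", ".join(sorted(a["actions"]))})')
```

Allowlisted accounts are only suppressed from alerting here; keeping their raw access events means misuse of a service account can still be investigated.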