Insider Threat Matrix™

  • ID: PR006.003
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Contributor: The ITM Team

Security Enumeration via File System

A subject attempts to identify security software on a target system by looking through the file system to identify relevant directories or files.

Prevention

ID: PV002
Name: Restrict Access to Administrative Privileges
Description: The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete the duties of their role.

Detection

ID: DT009
Name: Cyber Deception, File Canary
Description: By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activity before data exfiltration occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert when an access is detected.
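The following is an added example, not code from the ITM project, showing how file-canary access can be detected on a Linux host. It assumes the decoy files are watched with Linux audit rules of the form `auditctl -w <path> -p rwa -k canary`, so that every read of a canary produces a SYSCALL record and a PATH record sharing one audit serial. The canary paths, the allowlisted backup binary and the audit log lines are all constructed for the example; the parser joins the two record types by serial, drops accesses by allowlisted programs, and raises an alert for any other access to a known canary.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy files (assumption): one looks like sensitive finance data,
# one looks like the configuration of a security agent, which is the kind of
# file a subject enumerating security software would go looking for.
CANARY_PATHS = {
    "/srv/finance/q3_salaries_canary.xlsx",
    "/etc/edr-agent/config.yaml",
}

# Programs that legitimately touch canaries (e.g. a backup agent). Hypothetical
# path; keep this list as short as possible, since it is a blind spot.
ALLOWLIST_EXE = {"/usr/sbin/backupd"}

# auditd records are "key=value" pairs; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch.millis>:<serial>) ties records of one event together.
_MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


@dataclass
class Alert:
    serial: str
    timestamp: float
    auid: str   # login uid: survives sudo/su, so it names the human behind the access
    comm: str
    exe: str
    path: str


def parse_record(line):
    """Return (serial, timestamp, fields) for one auditd record, or None."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return m.group(2), float(m.group(1)), fields


def detect_canary_access(lines):
    """Group audit records by serial and alert on non-allowlisted canary reads."""
    events = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, ts, f = parsed
        ev = events[serial]
        ev["ts"] = ts
        if f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "PATH" and "name" in f:
            ev["paths"].append(f["name"])

    alerts = []
    for serial, ev in events.items():          # dict keeps log order
        sc = ev["syscall"]
        if sc is None or sc.get("key") != "canary":
            continue
        if sc.get("exe") in ALLOWLIST_EXE:
            continue
        for path in ev["paths"]:
            if path in CANARY_PATHS:       # a watched directory listing is not a canary hit
                alerts.append(Alert(serial, ev["ts"], sc.get("auid", "?"),
                                    sc.get("comm", "?"), sc.get("exe", "?"), path))
    return alerts


# Constructed sample audit log: three events, only the second should alert.
SAMPLE_AUDIT_LINES = [
    # 4710: backup agent reads the canary (expected, allowlisted)
    'type=SYSCALL msg=audit(1718355600.101:4710): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="backupd" exe="/usr/sbin/backupd" key="canary"',
    'type=PATH msg=audit(1718355600.101:4710): item=0 name="/srv/finance/q3_salaries_canary.xlsx" inode=131074 dev=08:01 mode=0100640 ouid=0 ogid=1002 nametype=NORMAL',
    # 4711: an interactive user opens the same canary (alert)
    'type=SYSCALL msg=audit(1718355660.455:4711): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2301 pid=2399 auid=1001 uid=1001 gid=1001 tty=pts0 comm="cat" exe="/usr/bin/cat" key="canary"',
    'type=PATH msg=audit(1718355660.455:4711): item=0 name="/srv/finance/q3_salaries_canary.xlsx" inode=131074 dev=08:01 mode=0100640 ouid=0 ogid=1002 nametype=NORMAL',
    # 4712: same user lists the watched parent directory (no canary file touched)
    'type=SYSCALL msg=audit(1718355661.002:4712): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2301 pid=2401 auid=1001 uid=1001 gid=1001 tty=pts0 comm="ls" exe="/usr/bin/ls" key="canary"',
    'type=PATH msg=audit(1718355661.002:4712): item=0 name="/srv/finance" inode=131072 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL',
    "type=EOE msg=audit(1718355661.002:4712): ",
]

if __name__ == "__main__":
    for a in detect_canary_access(SAMPLE_AUDIT_LINES):
        print(f"ALERT serial={a.serial} auid={a.auid} comm={a.comm} exe={a.exe} path={a.path}")
```

Keying on `auid` rather than `uid` matters for insider cases: it records the account that logged in even after `sudo`, so the alert names the person, not `root`. In a real deployment the alert would go to the SIEM or ticketing system instead of `print`, and the canary paths and allowlist would be loaded from configuration rather than hard-coded.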