ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR026.002
  • Created: 07th May 2025
  • Updated: 07th May 2025
  • Platforms: MacOS, Windows, Linux,
  • Contributor: Ryan Bellows

Remote Desktop Web Access

The subject initiates or configures access to a system using Remote Desktop or Remote Assistance via a web browser interface, often through third-party tools or services (e.g., LogMeIn, AnyDesk, Chrome Remote Desktop, Microsoft RD Web Access). This behavior may indicate preparatory actions to facilitate unauthorized remote access, either for a co-conspirator, a secondary device, or future remote exfiltration. Unlike traditional RDP clients, browser-based remote access methods may bypass endpoint controls and often operate over HTTPS, making detection more difficult with traditional monitoring.

 

This method may be used when traditional RDP clients are blocked or monitored, or when the subject intends to evade installed software policies and gain access through externally hosted portals. While some web-based tools require agents to be installed on the target machine, others permit remote viewing or interaction without full installation, particularly when configured in advance.

Prevention

ID Name Description
PV015Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV021DNS Filtering

Domain Name System (DNS) filtering allows the blocking of domain resolution for specific domains or automatically categorized classes of domains (depending on the functionality of the software or appliance being used). DNS filtering prevents users from accessing blocked domains, regardless of the IP address the domains resolve to.

 

Examples of automatically categorized classes of domains are ‘gambling’ or ‘social networking’ domains. Automatic categorizations of domains are typically conducted by the software or appliance being used, whereas specific domains can be blocked manually. Most DNS filtering software or appliances will provide the ability to use Regular Expressions (RegEx) to (for example) also filter all subdomains on a specified domain.

DNS filtering can be applied on an individual host, such as with the hosts file, or for multiple hosts via a DNS server or firewall.

PV003Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV029Enterprise-Managed Web Browsers

An enterprise-managed browser is a web browser controlled by an organization to enforce security policies, manage employee access, and ensure compliance. It allows IT administrators to monitor and restrict browsing activities, apply security updates, and integrate with other enterprise tools for a secure browsing environment.

PV032Next-Generation Firewalls

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.

 

A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT046Agent Capable of Endpoint Detection and Response

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

 

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

 

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

DT045Agent Capable of User Activity Monitoring

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

 

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

 

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

 

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

DT047Agent Capable of User Behaviour Analytics

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

 

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

 

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

 

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

DT122DNS and HTTPS Traffic to Web-Based Remote Access Platforms

Monitor DNS queries and outbound HTTP/S traffic to known domains associated with browser-based remote access services. These platforms—such as LogMeIn, AnyDesk, Chrome Remote Desktop, and Microsoft RD Web Access—allow subjects to initiate or maintain remote sessions outside of approved IT infrastructure. Their use may indicate preparation for unauthorized remote access, data exfiltration, or external collaboration.

 

Detection Methods:

  • Collect and analyze DNS logs and web proxy traffic across all egress points.
  • Maintain and regularly update a threat intelligence list of domains and subdomains linked to web-based remote desktop platforms.
     

Example domains and subdomains include:

  • logmein.com
  • remotedesktop.google.com
  • anydesk.com
  • rdweb.wvd.microsoft.com
  • teamviewer.com
  • parsec.app
  • splashtop.com

 

Configure alerting for:

  • First-time access to any listed domain by a user or endpoint.
  • Repeated access over time, suggesting potential session establishment.
  • Access outside approved VPN channels or corporate IP ranges.
  • DNS tunneling or large data transfers over HTTPS to these platforms.

 

Integrate results with identity sources to correlate web access with role-based access expectations.

DT051DNS Logging

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.

DT096DNS Monitoring

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.