- ID: IF013
- Created: 20th June 2024
- Updated: 02nd October 2025
- Contributor: The ITM Team
Disruption of Business Operations
The subject causes interruptions, degradation, or instability in organizational systems, processes, or data flows that impair day‑to‑day operations and affect availability, integrity, or service continuity. This category encompasses non‑exfiltrative and non‑theft forms of disruption, distinct from data exfiltration or malware aimed at permanent destruction.
Disruptive actions may include misuse of administrative tools, intentional misconfiguration, suppression of services, logic interference, dependency tampering, or selective disabling of critical functions. The objective is operational impact (slowing, blocking, or misrouting workflows) rather than data removal or theft.
Subsections
ID | Name | Description |
---|---|---|
IF013.001 | File or Data Deletion | A subject deletes organizational files or data (manually or through tooling) outside authorized workflows, resulting in the loss, concealment, or unavailability of operational assets. This infringement encompasses both targeted deletion (e.g. selected records, logs, or documents) and bulk removal (e.g. recursive deletion of directories or volumes).
Unlike Destructive Malware Deployment, which uses self-propagating or malicious code to irreversibly damage systems, this behavior reflects direct user-driven actions or scripts that remove or purge data without employing destructive payloads. Deletions may be conducted via built-in utilities, custom scripts, scheduled tasks, or misuse of administrative tools such as backup managers or version control systems.
This activity frequently occurs to:
It may also involve secondary actions such as emptying recycle bins, purging shadow copies, disabling version histories, or wiping removable media to obscure the scope of deletion. |
IF013.002 | Operational Disruption Impacting Customers | The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust.
Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access.
Examples include:
These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly. |
Prevention
ID | Name | Description |
---|---|---|
PV023 | Access Reviews | Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active. |
PV069 | Identity Credential Challenge and Verification | Randomized, routine verification of physical identity credentials is a necessary preventive control in environments where access is gated by visual or badge-based authentication. Unverified presence within secured areas increases organizational tolerance for impersonation, tailgating, and badge misuse—especially where behavioral drift has eroded expectations of enforcement.
Identity challenge programs mitigate this drift by reinforcing that possession of an ID badge is not proof of authorization. When implemented effectively, they also surface expired, misused, or cloned credentials before they enable preparatory actions such as unauthorized access, lateral movement, or physical data collection.
Human-led or Automated challenge mechanisms
Credential Verification Points (CVPs): Assign roving or fixed-position security personnel equipped with access control readers capable of validating badge status and presenting the registered photo of the assigned individual. Personnel should challenge any subject whose badge fails to scan or whose appearance does not match the system photo.
Automated Robotic Challenge Systems: Deploy robotic guard platforms with integrated badge readers, cameras, and two-way audio connected to a live remote security agent. These systems can autonomously perform credential challenges without requiring direct physical confrontation. They are especially valuable in high-risk or high-traffic areas where human intervention may be inconsistent or prone to social engineering.
Implementation considerations
Separation of Challenge and Enforcement: Where feasible, separate the individual performing the challenge from the individual initiating an enforcement action. This reduces risks associated with escalation—such as confrontation with hostile subjects—or familiarity bias from onsite personnel.
Policy Integration: Embed the challenge expectation within the Acceptable Use Policy and physical security policy. Clarify that possession of a badge does not exempt any individual from verification.
Audit and Alerting: Log all challenge events (successful, failed, bypassed) to a centralized system. Include metadata such as badge ID, photo match result, time, location, and outcome. Flag repeat failures or unverified entries for investigative review. |
PV049 | Managerial Approval | The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate. |
PV040 | Network Access Control (NAC) | Network Access Control (NAC) manages and regulates devices accessing an organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks. NAC performs the following functions:
NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers. |
PV011 | Physical Access Controls | Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge. |
PV048 | Privileged Access Management (PAM) | Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.
Key Prevention Measures:
Benefits:
|
PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
PV070 | Service Desk Caller Verification Process | This prevention mandates a standardized, enforceable identity verification process for all service desk interactions involving password resets, account unlocks, or access changes. It requires the use of multi-factor verification (MFV), out-of-band confirmation (OOB), and structured workflow enforcement to ensure caller legitimacy. The process reduces susceptibility to impersonation, prevents policy bypass under pressure, and ensures auditability for investigative review.
Prevention Measures
All verification must use at least two distinct factors:
For high-risk accounts, apply out-of-band confirmation:
Verification steps must be enforced within the IT Service Management (ITSM) platform:
Escalation protocols must be followed when:
Logs must include:
Service desk staff must undergo regular training and social engineering simulations:
|
PV062 | Static Code Analysis via CI/CD Pipelines | Static code analysis integrated into CI/CD pipelines provides a critical prevention mechanism against anti-forensic behaviors embedded in code, scripts, and infrastructure definitions. By enforcing automated review of logic patterns prior to deployment, organizations can detect concealed execution paths, scheduling abuse, and evasive constructs before they reach production.
This control is especially vital in mitigating deferred execution techniques, where the subject inserts code that activates long after submission—typically to evade scrutiny or delay attribution. Static analysis enables defenders to identify high-risk patterns at rest, before runtime, reducing reliance on reactive detection and shortening investigative timelines.
Detection of Time-Based Execution Logic:
Abnormal Delay Functions and Sleep Calls:
Embedded Scheduler References in Scripts:
Identification of Obfuscation and Dynamic Constructs:
CI/CD Blocking and Exception Escalation:
Pre-Deployment Artifact Scanning:
Cross-Team Code Review and Signature Expansion:
Attestation of Safe Logic by Departing Engineers: |
PV057 | Structured Request Channels for Operational Needs | Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.
Implementation Approaches
Operational Principles
|
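The PV062 entry above describes the patterns a pipeline check should look for (long sleeps, clock-gated branches, scheduler references, dynamic or encoded execution). The following is an added example, not code from the ITM project, of a small static checker for Python sources that a CI stage could run before deployment. The rule names, the one-hour sleep threshold, the list of scheduler utilities and the two constructed source samples are assumptions chosen for illustration.

```python
import ast
import re

# Assumption: a literal sleep longer than this (seconds) has no place in deployed code.
MAX_SLEEP_SECONDS = 3600

# Assumption: scheduler and persistence utilities that application code should not invoke.
SCHEDULER_PATTERNS = re.compile(
    r"\b(crontab|schtasks|launchctl|systemd-run|Register-ScheduledTask)\b", re.IGNORECASE
)

# Dynamic constructs that commonly hide the real payload of deferred logic.
DYNAMIC_EXEC_NAMES = {"exec", "eval", "compile", "__import__"}
CLOCK_READS = {"now", "today", "utcnow"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target, e.g. 'time.sleep' or 'base64.b64decode'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> list:
    """Return findings as (line, rule, detail) tuples, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # Rule: abnormally long literal sleep (deferred execution).
            if name in ("time.sleep", "sleep") and node.args:
                arg = node.args[0]
                if (isinstance(arg, ast.Constant) and isinstance(arg.value, (int, float))
                        and arg.value > MAX_SLEEP_SECONDS):
                    findings.append((node.lineno, "long-sleep", f"sleep({arg.value})"))
            # Rule: dynamic execution, or decoding of an encoded blob feeding it.
            if name in DYNAMIC_EXEC_NAMES or name.endswith("b64decode"):
                findings.append((node.lineno, "dynamic-exec", name))
        elif isinstance(node, ast.Compare):
            # Rule: a branch gated on the current clock (time-bomb logic).
            for operand in (node.left, *node.comparators):
                if isinstance(operand, ast.Call) and _call_name(operand).split(".")[-1] in CLOCK_READS:
                    findings.append((node.lineno, "date-gate", _call_name(operand)))
                    break
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Rule: embedded scheduler references inside string literals.
            match = SCHEDULER_PATTERNS.search(node.value)
            if match:
                findings.append((node.lineno, "scheduler-ref", match.group(1)))
    return sorted(findings)


def gate_commit(src: str) -> bool:
    """True when the source may proceed; False blocks the pipeline stage for review."""
    return not scan_source(src)


# Constructed samples: one that should be blocked, one that should pass.
SUSPICIOUS = '''
import base64, subprocess, time
from datetime import datetime

def cleanup():
    if datetime.now() > datetime(2025, 12, 1):
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
    time.sleep(86400)
    subprocess.run("schtasks /create /tn upd /tr cleanup.exe", shell=True)
'''

BENIGN = "import time\n\ndef poll():\n    time.sleep(2)\n"

if __name__ == "__main__":
    for line, rule, detail in scan_source(SUSPICIOUS):
        print(f"line {line}: {rule} ({detail})")
    print("benign passes:", gate_commit(BENIGN), "| suspicious passes:", gate_commit(SUSPICIOUS))
```

A real pipeline would run this over every changed file, fail the stage on any finding, and route the exception to a reviewer outside the submitting team, which is the escalation path the entry describes.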
Detection
ID | Name | Description |
---|---|---|
DT046 | Agent Capable of Endpoint Detection and Response | An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.
EDR typically operates in an agent/server model: agents automatically send logs to a server, which correlates them against a rule set. That rule set is used to surface potential security-related events for analysis.
An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate). |
DT045 | Agent Capable of User Activity Monitoring | An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).
Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.
Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms. |
DT047 | Agent Capable of User Behaviour Analytics | An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Behaviour Analytics agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.
A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.
Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms. |
DT052 | Audit Logging | Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns. |
DT143 | Automated Visual and Thermal Baseline Scanning of Server Environments | In high-sensitivity physical environments such as data centers, battery banks, and server rooms, environmental consistency is a critical security signal. Unexplained physical changes—such as added devices, modified cable routing, or thermal anomalies—may indicate preparatory activity by a subject intending to exfiltrate data, introduce malicious hardware, or compromise critical infrastructure.
Automated visual and thermal baseline scanning provides a scalable method to detect such changes by comparing real-time camera feeds to historical baselines. This technique extends the concept of "known good state" into the physical realm, enabling early identification of unauthorized modifications before they result in policy violations or technical compromise.
Methods of implementation
Autonomous Environmental Scanning Systems: Deploy robotic or fixed-position platforms capable of capturing high-resolution visual and thermal imagery at defined intervals. These systems should be configured to scan static components (e.g., server racks, power units, fire suppression systems, cable bundles, and access panels) from consistent angles and distances.
Baseline Comparison Algorithms: Implement software that compares each new scan to a stored baseline image set. Visual deviation detection should include object placement, cable routing, connected device presence (e.g., USB or external drives), and enclosure status (open vs. closed). Thermal deviation detection should identify abnormal heat signatures on batteries, processors, fans, or power supplies—indicative of tampering, overload, or early-stage failure.
Alert Routing and Escalation: Flag deviations beyond a defined threshold for human validation. Route alerts to a live remote operator who can verify anomalies and determine whether an onsite response is required. Escalation should trigger access reviews, subject correlation (e.g., badge scans or door logs), and containment measures if sabotage or preparatory behavior is suspected.
Targeted Focus Zones
Prioritize static components that are unlikely to change under normal operational procedures. These include:
Anomaly Logging and Cross-Referencing: Record each scan result, deviation instance, and operator decision for later forensic analysis. Integrate with physical access systems to correlate anomalies with subject presence. |
DT114 | Baseline System Performance Profiling | Establish and monitor baseline system performance metrics for all critical endpoints, servers, and cloud workloads to detect deviations that may indicate unauthorized activities, such as crypto mining, data staging, or malware execution. Deviations from expected resource usage profiles can serve as an early indicator of operational misuse, compromise, or unauthorized software deployment.
Detection Methods
Indicators
|
DT033 | Closed-Circuit Television | CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file. |
DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
DT137 | Discrepancies Between Physical Access Logs and System Authentication | In tightly controlled environments where system access is expected to be physically co-located (e.g., secure enclaves, badge-restricted zones, no-VPN networks), login events occurring without corresponding physical entry records indicate potential misuse of credentials or anti-forensic access. Subjects may provide or leak credentials to others, or operate under shared or impersonated accounts. This discrepancy can also signal badge cloning, tailgating, or failure to enforce physical-to-logical access binding.
Detection Methods
Compare physical access logs (e.g., Lenel, Genetec, CCure badge systems) with:
Construct correlation logic:
Filter for:
Alert on:
Example Scenario
In a secure IT operations center, access to administrative consoles is restricted to physically present engineers. On a holiday, an engineer’s domain account logs into the configuration server — but badge access records show they never entered the facility that day. Investigation reveals the password was shared with a colleague under informal backup practices, violating policy and creating audit ambiguity. |
DT146 | File Integrity Monitoring | File Integrity Monitoring (FIM) is a technical prevention mechanism designed to detect unauthorized modification, deletion, or creation of files and configurations on monitored systems. The most basic implementation method is cryptographic hash comparison, where a known-good baseline (typically SHA256 or SHA1) is calculated and stored for monitored files. At regular intervals (or in real time) current file states are re-hashed and compared to the baseline. Any discrepancy in hash value, size, permissions, or timestamp is flagged as an integrity violation. While hash comparison is foundational, mature File Integrity Monitoring (FIM) solutions incorporate additional telemetry and instrumentation to increase forensic depth, reduce false positives, and support attribution:
To be effective in insider threat contexts, File Integrity Monitoring should be explicitly tuned to monitor (at minimum):
In ransomware or destruction scenarios, File Integrity Monitoring can detect the early stages of detonation by identifying rapid, high-volume file modifications and hash changes, particularly in mapped drives, document repositories, and shared storage. This can serve as a trigger for containment actions and/or investigation before full encryption completes, especially when correlated with process telemetry and known ransomware behaviors (e.g. deletion of shadow copies, entropy spikes).
When tuned and deployed appropriately, File Integrity Monitoring provides a high-fidelity signal of tampering, staging, or covert access attempts, even when other telemetry (e.g. signature-based detection or anomaly modeling) fails to trigger. This makes it particularly valuable in environments where subjects have elevated access, control over telemetry agents, or knowledge of investigative blind spots. |
DT050 | Impossible Travel | Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations. |
DT102 | User and Entity Behavior Analytics (UEBA) | Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior. |
DT101 | User Behavior Analytics (UBA) | Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events. |
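Two of the detections above are correlations over authentication events: DT137 (a login to a restricted host with no matching badge entry that day) and DT050 (two logins whose geographic separation cannot be covered in the time between them). The following is an added example, not code from the ITM project, that implements both over a constructed badge log and a constructed authentication log. The log line format, the site coordinates, the set of restricted hosts and the 1000 km/h speed threshold are assumptions made for the example.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed badge-reader log (UTC): who badged into which site, and when.
BADGE_LOG = [
    "2025-07-04T07:55:00Z badge_in user=asmith site=HQ",
    "2025-07-04T08:10:00Z badge_in user=bjones site=HQ",
]

# Constructed authentication log (UTC): user, target host, geolocated source.
AUTH_LOG = [
    "2025-07-04T08:02:00Z login user=asmith host=cfg-srv-01 geo=London",
    "2025-07-04T08:20:00Z login user=bjones host=cfg-srv-01 geo=London",
    "2025-07-04T09:30:00Z login user=bjones host=vpn-gw geo=Singapore",
    "2025-07-04T14:05:00Z login user=cdoe host=cfg-srv-01 geo=London",
]

# Assumed coordinates (lat, lon) for the geo labels above, and an assumed speed ceiling.
GEO = {"London": (51.5074, -0.1278), "Singapore": (1.3521, 103.8198)}
MAX_SPEED_KMH = 1000


def parse(line: str) -> dict:
    """Parse '<timestamp> <action> key=value ...' into a dict with an aware datetime."""
    ts, action, *pairs = line.split()
    rec = dict(item.split("=", 1) for item in pairs)
    rec["action"] = action
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def logins_without_presence(auth_lines, badge_lines, restricted_hosts):
    """DT137: logins to restricted hosts with no earlier badge entry by that user that day."""
    first_entry = {}
    for r in map(parse, badge_lines):
        key = (r["user"], r["ts"].date())
        first_entry[key] = min(first_entry.get(key, r["ts"]), r["ts"])
    hits = []
    for r in map(parse, auth_lines):
        if r["host"] not in restricted_hosts:
            continue
        entered = first_entry.get((r["user"], r["ts"].date()))
        if entered is None or entered > r["ts"]:
            hits.append((r["user"], r["host"], r["ts"].strftime("%H:%M")))
    return hits


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(auth_lines, max_kmh=MAX_SPEED_KMH):
    """DT050: consecutive logins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for r in sorted(map(parse, auth_lines), key=lambda r: r["ts"]):
        by_user.setdefault(r["user"], []).append(r)
    hits = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(GEO[prev["geo"]], GEO[cur["geo"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Same place is never a hit; zero elapsed time with a move is always one.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                hits.append((user, prev["geo"], cur["geo"], round(km), round(hours, 2)))
    return hits


if __name__ == "__main__":
    print("no physical presence:", logins_without_presence(AUTH_LOG, BADGE_LOG, {"cfg-srv-01"}))
    print("impossible travel:", impossible_travel(AUTH_LOG))
```

The badge check deliberately requires the entry to precede the login rather than merely exist on the same day, which catches the case where a subject badges in only after someone else has already used their account. Tune the speed ceiling to the organization's travel profile; a lower ceiling raises sensitivity at the cost of false positives from VPN egress changes.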
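The DT146 entry above describes hash-comparison File Integrity Monitoring and its use for spotting rapid, high-volume modification. The following is an added example, not code from the ITM project, of a minimal monitor that baselines SHA-256, size, permission bits and mtime for every file under a directory, reports created, deleted and modified files on the next scan, and raises a burst flag when an assumed fraction of the baselined files changed within one interval. The demo directory, its files and the 50% burst threshold are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: more than half of the baselined files changing in one interval is a burst.
BURST_FRACTION = 0.5
TRACKED = ("sha256", "size", "mode", "mtime")


def fingerprint(path: Path) -> dict:
    """Attributes compared against the baseline for one file."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": st.st_mode & 0o777,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative path) under root to its fingerprint."""
    return {str(p.relative_to(root)): fingerprint(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans; 'modified' maps a path to the list of attributes that changed."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    burst = bool(baseline) and len(modified) / len(baseline) >= BURST_FRACTION
    return {"created": created, "deleted": deleted, "modified": modified, "burst": burst}


def demo() -> dict:
    """Baseline five constructed files, simulate one interval of tampering, return the report."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        for name in ("a.txt", "b.txt", "c.txt", "d.txt", "e.txt"):
            (root / name).write_text(f"original {name}\n")
            os.chmod(root / name, 0o644)
        baseline = build_baseline(root)
        # Simulated interval: bulk overwrite of three files (ransomware-like),
        # a permission change on one, one deletion and one new file.
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / name).write_text("ENCRYPTED" * 8)
        os.chmod(root / "d.txt", 0o600)
        (root / "e.txt").unlink()
        (root / "f.txt").write_text("dropped during the interval\n")
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    for key in ("created", "deleted", "modified", "burst"):
        print(f"{key}: {report[key]}")
```

The burst flag is the containment trigger the entry refers to: on a document share it would fire long before a full-volume encryption completes, and correlating it with the process that wrote the files gives the attribution that a plain hash mismatch cannot.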