
Insider Threat Matrix™

  • ID: AF018.002
  • Created: 17th September 2024
  • Updated: 18th September 2024
  • Contributor: The ITM Team

Environment Tripwires

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

This tripwire API is embedded within various parts of the environment:

  • Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
  • Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
  • Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

  • Known Security Tools: Scanning for network traffic signatures from common security tools (such as Nessus or Nmap) or patterns associated with incident response teams.
  • Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
  • System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

The API can use whitelists (allow lists) of expected IP addresses or user accounts, triggering an alert whenever access comes from anything outside the list.

Upon detecting activity, the API tripwire can take immediate evasive actions:

  • Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
  • Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
  • Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
  • Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.

Prevention

ID Name Description
PV023 Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

PV002 Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT052 Audit Logging

Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.

DT064 AWS CloudTrail, Resource Deletion

CloudTrail logs by themselves, or in conjunction with CloudWatch, can be used to identify resource deletion events. These logs contain the account that performed the action (within the userIdentity field), a timestamp (within the eventTime field), and more detailed information depending on what resource was deleted. Some eventName examples include: DeleteBucket (S3 bucket deletion), DeleteDBInstance (RDS instance deletion), and TerminateInstances (EC2 instance termination).

DT066 Azure Activity Log, Resource Deletion

Azure Activity Log can be used to identify resource deletion events by using the search bar to filter by operations related to deletion, such as Delete or Delete Resource. These logs contain the account that performed the action (within the Caller field), a timestamp and more detailed information depending on what resource was deleted (within the Resource, Status, and Properties fields).

DT102 Cloud User and Entity Behavior Analytics (UEBA)

Deploy UEBA solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and endpoints accessing cloud resources. Cloud UEBA systems track normal behavior patterns and detect anomalies that could indicate potential security risks. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

DT101 Cloud User Behavior Analytics (UBA)

Implement UBA tools tailored for cloud environments to continuously monitor and analyze user activities, detecting anomalies that may signal security risks. Typically offered as services by cloud providers or third-party platforms, Cloud UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. These tools can also provide real-time alerts when users engage in behavior that deviates from established norms, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider threats and unauthorized activities within cloud environments.

DT097 Deep Packet Inspection

Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) appliances and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata.

DT065 GCP Cloud Audit Logs, Resource Deletion

GCP Cloud Audit Logs can be used to identify resource deletion events. These logs contain the account that performed the action (within the Principal field), a timestamp, and more detailed information depending on what resource was deleted. Some query examples include: resource.type="gcs_bucket" AND protoPayload.methodName="storage.buckets.delete" for bucket deletion, and resource.type="gce_instance" AND protoPayload.methodName="v1.compute.instances.delete" for compute instance deletion.
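Added example (not ITM's own code): the DT064 and DT065 deletion queries applied in Python to constructed CloudTrail records and GCP Cloud Audit Log entries, extended to the CloudTrail actions that a tripwire's "Clean Up Evidence" step would have to generate. The event names DeleteBucket, DeleteDBInstance and TerminateInstances, and the two GCP resource.type/methodName filters, come from the page; treating StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors as logging tampering, the generic Delete* prefix match, and every sample record, identity and IP address are this example's own assumptions.

```python
from dataclasses import dataclass

# Event names from DT064 (CloudTrail) and DT065 (GCP Cloud Audit Logs).
AWS_DELETION = {"DeleteBucket", "DeleteDBInstance", "TerminateInstances"}
GCP_DELETION = {
    ("gcs_bucket", "storage.buckets.delete"),
    ("gce_instance", "v1.compute.instances.delete"),
}
# Assumption: these CloudTrail actions are classed as logging tampering because
# each one stops, removes or narrows trail logging (the "Clean Up Evidence" step).
AWS_LOG_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


@dataclass(frozen=True)
class Finding:
    provider: str    # "aws" or "gcp"
    category: str    # "resource_deletion" or "logging_tamper"
    actor: str       # CloudTrail userIdentity.arn / GCP principalEmail
    time: str        # CloudTrail eventTime / GCP timestamp (UTC, ISO 8601)
    action: str      # CloudTrail eventName / GCP protoPayload.methodName
    source_ip: str


def classify_cloudtrail(rec: dict):
    """Return a Finding for a CloudTrail record of interest, else None."""
    name = rec.get("eventName", "")
    if name in AWS_LOG_TAMPER:
        # Checked first so DeleteTrail is classed as tampering, not a generic Delete*.
        category = "logging_tamper"
    elif name in AWS_DELETION or name.startswith("Delete"):
        # The DT064 names plus the wider Delete* family (assumption: generalisation).
        category = "resource_deletion"
    else:
        return None
    ident = rec.get("userIdentity", {})
    return Finding("aws", category, ident.get("arn", ident.get("type", "unknown")),
                   rec.get("eventTime", ""), name, rec.get("sourceIPAddress", ""))


def classify_gcp(entry: dict):
    """Return a Finding for a GCP audit LogEntry matching the DT065 filters, else None."""
    payload = entry.get("protoPayload", {})
    key = (entry.get("resource", {}).get("type", ""), payload.get("methodName", ""))
    if key not in GCP_DELETION:
        return None
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    ip = payload.get("requestMetadata", {}).get("callerIp", "")
    return Finding("gcp", "resource_deletion", actor, entry.get("timestamp", ""), key[1], ip)


def triage(cloudtrail_records, gcp_entries):
    """Classify both streams; ISO 8601 UTC timestamps sort correctly as strings."""
    findings = [f for r in cloudtrail_records if (f := classify_cloudtrail(r)) is not None]
    findings += [f for e in gcp_entries if (f := classify_gcp(e)) is not None]
    return sorted(findings, key=lambda f: f.time)


def actors_deleting_and_tampering(findings):
    """Actors seen both deleting resources and tampering with logging, which is
    the combination the technique's cleanup step produces."""
    seen = {}
    for f in findings:
        seen.setdefault(f.actor, set()).add(f.category)
    return sorted(a for a, cats in seen.items()
                  if {"resource_deletion", "logging_tamper"} <= cats)


# Constructed sample records (not real logs); shapes follow the CloudTrail record
# format and the GCP Cloud Audit Log LogEntry format. IPs are RFC 5737 test ranges.
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-09-17T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2024-09-17T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2024-09-17T10:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}},
    {"eventTime": "2024-09-17T10:07:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
]
SAMPLE_GCP = [
    {"timestamp": "2024-09-17T10:09:13Z", "resource": {"type": "gcs_bucket"},
     "protoPayload": {"methodName": "storage.buckets.delete",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"}}},
    {"timestamp": "2024-09-17T10:11:00Z", "resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "v1.compute.instances.get",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.7"}}},
]

if __name__ == "__main__":
    results = triage(SAMPLE_CLOUDTRAIL, SAMPLE_GCP)
    for f in results:
        print(f"{f.time} {f.provider:3} {f.category:17} {f.action:24} {f.actor} {f.source_ip}")
    print("review first:", actors_deleting_and_tampering(results))
```

In practice the records come from a CloudTrail S3 delivery or a Logs Explorer export rather than inline literals. The short list returned by actors_deleting_and_tampering is the one to review first: the cleanup stage is the only point where this technique has to act in the same audit stream the defender reads, so an identity that both deletes resources and stops or narrows a trail within minutes is the pattern to look for, and the sourceIPAddress on those records is what to compare against the tripwire's own allow list of "expected" addresses.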

DT062 Microsoft 365 Admin Center Sign-in Activity

From the Microsoft 365 Admin Center homepage (https://admin.microsoft.com/#/homepage), after a specific user account has been selected under ‘Users’ > ‘Active Users’, it is possible to view limited sign-in activity under ‘Last sign-in’ > ‘View last 30 days’.

This displays the Date, Status, and Failure reason (if appropriate).

DT063 Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

DT098 NetFlow Analysis

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.