
Insider Threat Matrix™

  • ID: DT018
  • Created: 30th May 2024
  • Updated: 25th July 2024
  • Platforms: Windows, Linux, macOS
  • Contributor: The ITM Team

Edge Browser History

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and it can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within the browser.
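As an added example (not part of the ITM page), here is how an analyst would triage a copied Edge history database in Python: the WebKit timestamp conversion, the ‘urls’ table matched against the cloud storage, code repository, paste-site and note-taking hosts listed in the IF001 sub-sections, and the ‘downloads’ table. It assumes the column names url, title, visit_count, last_visit_time, target_path, tab_url, start_time and total_bytes (the subset of the Chromium schema relied on here) and uses a constructed in-memory database in place of a real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Edge (Chromium) stores times as microseconds since 1601-01-01 UTC, not Unix seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

# Hosts taken from this page's IF001 sub-section examples, keyed to their IDs.
WATCHLIST = {
    "www.dropbox.com": "IF001.001", "drive.google.com": "IF001.001",
    "onedrive.live.com": "IF001.001", "mega.nz": "IF001.001",
    "github.com": "IF001.002", "gitlab.com": "IF001.002",
    "pastebin.com": "IF001.003", "rentry.co": "IF001.003",
    "www.evernote.com": "IF001.005", "keep.google.com": "IF001.005",
}

def open_history(path: str) -> sqlite3.Connection:
    """Open a copied database read-only; the live file is locked while Edge runs."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def flag_visits(conn: sqlite3.Connection):
    """Rows of the 'urls' table whose host is on the watchlist, oldest first."""
    hits = []
    for url, title, count, last in conn.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls"):
        section = WATCHLIST.get((urlparse(url).hostname or "").lower())
        if section:
            hits.append((webkit_to_utc(last).isoformat(), section, url, count))
    return sorted(hits)

def list_downloads(conn: sqlite3.Connection):
    """Rows of the 'downloads' table with the start time converted to UTC."""
    return [(webkit_to_utc(start).isoformat(), path, tab_url, size)
            for path, tab_url, start, size in conn.execute(
                "SELECT target_path, tab_url, start_time, total_bytes "
                "FROM downloads ORDER BY start_time")]

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a history file (assumed schema subset)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                tab_url TEXT, start_time INTEGER, total_bytes INTEGER);
    """)
    t0 = 13360000000000000  # constructed timestamp: 2024-05-12 15:06:40 UTC
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://intranet.example.internal/wiki", "Wiki", 40, t0),
        (2, "https://www.dropbox.com/home", "Dropbox", 3, t0 + 60 * 10**6),
        (3, "https://pastebin.com/", "Pastebin", 1, t0 + 120 * 10**6),
    ])
    conn.execute("INSERT INTO downloads VALUES (?, ?, ?, ?, ?)",
                 (1, r"C:\Users\jdoe\Downloads\q3-forecast.xlsx",
                  "https://intranet.example.internal/finance", t0 + 30 * 10**6, 48213))
    return conn
```

On a real case, pass the connection returned by open_history (pointed at a copy taken from the profile directory) to flag_visits and list_downloads instead of demo_db.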

Sections

ID Name Description
IF001  Exfiltration via Web Service

A subject uses an existing, legitimate external Web service to exfiltrate data.

IF007  Unlawfully Accessing Copyrighted Material

A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites.

IF008  Inappropriate Web Browsing

A subject accesses web content that is deemed inappropriate by the organization.

IF009  Installing Unapproved Software

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

IF010  Exfiltration via Email

A subject uses electronic mail to exfiltrate data.

PR005  IT Ticketing System Exploration

A subject may search for, or otherwise explore, an IT Ticketing System to identify sensitive information, or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

ME006  Web Access

A subject can access the web with an organization device.

IF016  Misappropriation of Funds

A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices.

IF018  Sharing on AI Chatbot Platforms

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

PR023  Suspicious Web Browsing

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

PR025  File Download

The subject downloads one or more files to a system to access the file or prepare for exfiltration.

IF017  Excessive Personal Use

A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security.

MT020  Ideology

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

IF001.001  Exfiltration via Cloud Storage

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://www.dropbox[.]com
  • hxxps://drive.google[.]com
  • hxxps://onedrive.live[.]com
  • hxxps://mega[.]nz
  • hxxps://www.icloud[.]com/iclouddrive
  • hxxps://www.pcloud[.]com

IF001.002  Exfiltration via Code Repository

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://github[.]com
  • hxxps://gitlab[.]com
  • hxxps://bitbucket[.]org
  • hxxps://sourceforge[.]net
  • hxxps://aws.amazon[.]com/codecommit

IF001.003  Exfiltration via Text Storage Sites

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://pastebin[.]com
  • hxxps://hastebin[.]com
  • hxxps://privatebin[.]net
  • hxxps://controlc[.]com
  • hxxps://rentry[.]co
  • hxxps://dpaste[.]org

IF001.004  Exfiltration via Webhook

A subject may use an existing, legitimate external Web service to exfiltrate data.

IF007.001  Downloading Copyrighted Material

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material.

IF007.003  Distributing Copyrighted Material

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material.

IF008.001  Lawful Pornography

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

IF008.002  Unlawful Pornography

A subject accesses unlawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment and, potentially, the law.

IF008.003  Terrorist Content

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

IF008.004  Extremist Content

A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

IF008.005  Gambling

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.006  Inappropriate Usage of Social Media

A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image.

IF008.007  Gaming

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.008  Other Inappropriate Content

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

IF005.002  Exfiltration via Web-Based Messaging Application

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

IF007.002  Streaming Copyrighted Material

A subject accesses a website that allows for the unauthorized streaming of copyrighted material.

ME006.001  Webmail

A subject can access personal webmail services in a browser.

ME006.002  Cloud Storage

A subject can access personal cloud storage in a browser.

ME006.003  Inappropriate Websites

A subject can access websites containing inappropriate content.

ME006.004  Note-Taking Websites

A subject can access external note-taking websites (such as Evernote).

ME006.005  Messenger Services

A subject can access external messenger web-applications with the ability to transmit data and/or files.

ME006.006  Code Repositories

A subject can access websites used to access or manage code repositories.

IF016.001  Misuse of a Corporate Card

A subject may misuse a corporate credit card for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

IF016.004  Insider Trading

A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company.

IF016.002  Unauthorized Bank Transfers

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.

IF009.003  Unintentionally Introducing Malware

A subject unintentionally introduces and attempts to execute malware on a system. This can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering.

IF009.002  Inappropriate Software

A subject installs software that is not considered appropriate by the organization.

IF009.001  Unwanted Software

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

IF004.003  Exfiltration via Personal NAS Device

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.

PR003.004  Installing Browser Extensions

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

IF001.005  Exfiltration via Note-Taking Web Services

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

  • hxxps://www.evernote[.]com
  • hxxps://keep.google[.]com
  • hxxps://www.notion[.]so
  • hxxps://www.onenote[.]com
  • hxxps://notebook.zoho[.]com

ME006.007  Text Storage Websites

A subject can access external text storage websites, such as Pastebin.

PR004.002  Collaboration Platform Exploration

A subject may search for, or otherwise explore, files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc.) to identify sensitive or valuable information.

IF011.003  Providing Unauthorized Access to a Collaboration Platform

The subject provides an unauthorized party with access to a collaboration platform, such as Slack, Teams, or Confluence, that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account or a guest account.

IF018.001  Exfiltration via AI Chatbot Platform History

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

IF018.002  Reckless Sharing on AI Chatbot Platforms

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.

AF008.001  Image Steganography

A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.

Image steganography methods can be categorised based on how data is embedded within an image. These methods vary in capacity (amount of data stored), detectability (resistance to steganalysis), and robustness (resistance to compression or modification). Below are the primary techniques used:

Least Significant Bit (LSB) Steganography

  • One of the most common and simple methods.
  • Modifies the least significant bits (LSBs) of pixel values to encode secret data.
  • Minimal visual impact since changes occur in the lowest bit planes.

How it works:

  • Each pixel in an image consists of three color channels (Red, Green, and Blue).
  • The LSB of each channel is replaced with bits from the hidden message.

Example:

  • Original pixel: (10101100, 11011010, 11101101)
  • After encoding: (10101101, 11011010, 11101100)
  • Only minor changes, making detection difficult.

Advantages:

  • High capacity when applied to all three channels.
  • Simple and easy to implement.

Disadvantages:

  • Highly susceptible to detection and compression (JPEG compression removes LSB changes).
  • Easily detected by statistical analysis methods.
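As an added example (not part of the ITM page), the analyst's side of the LSB method described above: extracting the channel LSBs from the page's own pixel triple, and the pairs-of-values chi-square statistic that the "statistical analysis" disadvantage refers to, run on a constructed grayscale sample. The cover's even-biased histogram, the 0.67 bias, the 300 threshold and the demo functions are all assumptions made for this illustration.

```python
import random
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), 8 bits per channel

def extract_lsb_bits(pixels: Iterable[Pixel]) -> List[int]:
    """Read the least significant bit of every channel in R, G, B order.
    This is the analyst's view: it recovers whatever a full-capacity LSB
    embedding wrote, without needing the embedding tool."""
    return [channel & 1 for px in pixels for channel in px]

def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits MSB-first into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)

def pov_chi_square(values: List[int]) -> float:
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann) over an
    8-bit histogram. LSB replacement with random-looking data pushes n(2k)
    and n(2k+1) toward equality, so a statistic far below the 127 degrees
    of freedom (the mean under equality) is the signature of embedding."""
    hist = [0] * 256
    for v in values:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat

def synthetic_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed grayscale sample: even values roughly twice as common as
    odd ones, standing in for the jagged histogram of a real photograph
    (an assumption made for the demo, not a property of any real image)."""
    rng = random.Random(seed)
    return [v | int(rng.random() > 0.67) for v in
            (rng.randrange(0, 256, 2) for _ in range(n))]

def lsb_replace(values: List[int], bits: List[int]) -> List[int]:
    """Full-capacity LSB replacement, used here only to build the stego
    sample that the statistic is tested against."""
    return [(v & ~1) | b for v, b in zip(values, bits)]

def demo_samples(n: int = 20000):
    """Cover plus a stego copy carrying a balanced, position-based bit stream."""
    cover = synthetic_cover(n)
    return cover, lsb_replace(cover, [i % 2 for i in range(n)])

def lsb_verdict(values: List[int]) -> str:
    """Crude threshold on the statistic; real tools compute the p-value."""
    return "lsb-embedding-likely" if pov_chi_square(values) < 300 else "no-evidence"
```
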

Masking and Filtering Steganography

  • Works similarly to watermarking by altering the luminance or contrast of an image.
  • Best suited for lossless formats like BMP and PNG, not JPEG.

How it works:

  • Hidden data is embedded in textured or edge-rich areas to avoid easy detection.
  • Modifies pixel intensity slightly, making it harder to detect through simple LSB analysis.

Advantages:

  • More robust than LSB against lossy compression and scaling.
  • Works well for grayscale and color images.

Disadvantages:

  • Lower capacity than LSB.
  • More complex to implement.
Transform Domain Steganography

  • Instead of modifying pixel values directly, this technique embeds data in frequency components after applying a mathematical transformation.

Types of Transform Domain Methods:

a. Discrete Cosine Transform (DCT) Steganography

  • Used in JPEG images, where data is embedded in DCT coefficients instead of pixels.
  • Common algorithm: F5 steganography (JSteg is an older, less secure method).

How it works:

  • The image is converted to frequency domain using DCT.
  • The hidden data is embedded in the mid-frequency DCT coefficients to avoid detection.
  • The image is recompressed using JPEG encoding.

Advantages:

  • Resistant to LSB steganalysis.
  • Works with JPEG, making it more practical.

Disadvantages:

  • Lower data capacity than LSB.
  • Can be detected by statistical steganalysis.

b. Discrete Wavelet Transform (DWT) Steganography

  • Uses wavelet transformation to embed data in high or low-frequency components.

How it works:

  • The image is broken into multiple frequency bands using DWT.
  • Data is embedded in high-frequency coefficients, ensuring robustness.
  • Common in medical image steganography for secure data transmission.

Advantages:

  • More robust against compression and noise than DCT.
  • Can embed more data than traditional DCT methods.

Disadvantages:

  • Requires more complex computation.
  • Can be detected by advanced steganalysis tools.

c. Fourier Transform-Based Steganography

  • Uses Fast Fourier Transform (FFT) to embed secret data in the frequency spectrum.
  • More resistant to image processing operations like scaling and rotation.

Advantages:

  • High robustness.
  • Harder to detect using common LSB-based analysis.

Disadvantages:

  • Requires complex processing.
  • Limited in data capacity.

Palette-Based and Color Modification Techniques

a. Palette-Based Steganography (GIF, PNG)

  • Modifies indexed color tables instead of pixels.
  • Works by shifting palette entries in GIF or PNG images.

Advantages:

  • No direct pixel modifications, making it hard to detect visually.

Disadvantages:

  • Can be detected by comparing original and modified color palettes.
  • Limited to certain file formats.

b. Alpha Channel Manipulation

  • Uses transparency layers in images (e.g., PNG with alpha channels) to store hidden data.

Advantages:

  • Harder to detect in images with multiple layers.

Disadvantages:

  • Only works in formats supporting alpha transparency (PNG, TIFF).

Edge-Based and Texture-Based Steganography

a. Edge Detection Steganography

  • Embeds data only in edge regions of an image, avoiding smooth areas.
  • Uses Canny edge detection or similar algorithms.

Advantages:

  • Harder to detect using basic LSB analysis.
  • Can withstand minor modifications.

Disadvantages:

  • Requires pre-processing.
  • Lower capacity than LSB.

b. Patchwork Algorithm

  • Uses redundant patterns to embed data, making detection harder.
  • Works well for texture-rich images.

Advantages:

  • High resistance to compression and cropping.

Disadvantages:

  • Complex encoding and decoding process.

Spread Spectrum and Noise-Based Techniques

a. Spread Spectrum Steganography

  • Mimics radio communication techniques, distributing data across the entire image.
  • Uses pseudo-random noise patterns to hide data.

Advantages:

  • Harder to detect due to randomness.

Disadvantages:

  • Lower data capacity.

b. Statistical Steganography

  • Alters color distributions or histogram properties to encode data.
  • Ensures changes remain within natural variations.

Advantages:

  • Very stealthy and hard to detect.

Disadvantages:

  • Limited data capacity.

Adaptive and AI-Based Steganography

  • Uses machine learning to optimize embedding locations.
  • Adaptive algorithms select least noticeable areas dynamically.


Advantages:

  • Extremely stealthy and resistant to detection.

Disadvantages:

  • Requires computational power.

Comparison Table of Image Steganography Methods

Method           Capacity  Robustness  Detectability  Complexity
LSB              High      Low         High           Low
DCT              Medium    High        Medium         Medium
DWT              Medium    High        Medium         High
FFT              Low       Very High   Low            Very High
Edge-Based       Low       Medium      Low            Medium
Spread Spectrum  Low       Very High   Low            High