ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT039
  • Created: 01st June 2024
  • Updated: 01st June 2024
  • Contributor: The ITM Team

Web Proxy Logs

Depending on the solution used, web proxies can provide a wealth of information about web-based activity. This can include the IP address of the system making the web request, the URL requested, the response code, and timestamps.

An organization must perform SSL/TLS interception to receive the most complete information about these connections.

Sections

ID Name Description
IF007Unlawfully Accessing Copyrighted Material

A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites.

IF005Exfiltration via Messaging Applications

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

IF008Inappropriate Web Browsing

A subject accesses web content that is deemed inappropriate by the organization.

PR005IT Ticketing System Exploration

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

ME006Web Access

A subject can access the web with an organization device.

PR019Private / Incognito Browsing

Private browsing, also known as 'incognito mode' among other terms, is a feature in modern web browsers that prevents the storage of browsing history, cookies, and site data on a subject's device. When private browsing is enabled, it ensures any browsing activity conducted during the browser session is not saved to the browser history or cache.

 

A subject can use private browsing to conceal their actions in a web browser, such as navigating to unauthorized websites, downloading illicit materials, uploading corporate data or conducting covert communications, thus leaving minimal traces of their browsing activities on a device and frustrating forensic recovery efforts.

IF018Sharing on AI Chatbot Platforms

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

PR023Suspicious Web Browsing

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

IF001.001Exfiltration via Cloud Storage

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data.

IF001.002Exfiltration via Code Repository

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data.

IF001.003Exfiltration via Text Storage Sites

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data.

IF001.004Exfiltration via Webhook

A subject may use an existing, legitimate external Web service to exfiltrate data

AF004.003Clear Firefox Artifacts

A subject clears Mozzila Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.002Clear Edge Artifacts

A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.001Clear Chrome Artifacts

A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

IF008.001Lawful Pornography

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

IF008.002Unlawful Pornography

A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law.

IF008.003Terrorist Content

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

IF008.004Extremist Content

A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

IF008.005Gambling

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.006Inappropriate Usage of Social Media

A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image.

IF008.007Gaming

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

IF008.008Other Inappropriate Content

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

IF005.002Exfiltration via Web-Based Messaging Application

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

IF007.002Streaming Copyrighted Material

A subject accesses a website that allows for the unauthorized streaming of copyrighted material.

IF007.003Distributing Copyrighted Material

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material.

IF007.001Downloading Copyrighted Material

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material.

ME006.001Webmail

A subject can access personal webmail services in a browser.

ME006.002Cloud Storage

A subject can access personal cloud storage in a browser.

ME006.003Inappropriate Websites

A subject can access websites containing inappropriate content.

ME006.004Note-Taking Websites

A subject can access external note-taking websites (Such as Evernote).

ME006.005Messenger Services

A subject can access external messenger web-applications with the ability to transmit data and/or files.

ME006.006Code Repositories

A subject can access websites used to access or manage code repositories.

IF001.005Exfiltration via Note-Taking Web Services

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device.

ME006.007Text Storage Websites

A subject can access external text storage websites, such as Pastebin.

IF018.001Exfiltration via AI Chatbot Platform History

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

IF018.002Reckless Sharing on AI Chatbot Platforms

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.