- ID: DT045
- Created: 02nd June 2024
- Updated: 19th July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Agent Capable of User Activity Monitoring
An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).
Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.
Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.
Sections
ID | Name | Description |
---|---|---|
ME006 | Web Access | A subject can access the web with an organization device. |
ME007 | Privileged Access | A subject has privileged access to devices, systems or services that hold sensitive information. |
ME009 | FTP Servers | A subject is able to access external FTP servers. |
ME010 | SSH Servers | A subject is able to access external SSH servers. |
PR019 | Private / Incognito Browsing | Private browsing, also known as 'incognito mode' among other terms, is a feature in modern web browsers that prevents the storage of browsing history, cookies, and site data on a subject's device. When private browsing is enabled, it ensures any browsing activity conducted during the browser session is not saved to the browser history or cache.
A subject can use private browsing to conceal their actions in a web browser, such as navigating to unauthorized websites, downloading illicit materials, uploading corporate data or conducting covert communications, thus leaving minimal traces of their browsing activities on a device and frustrating forensic recovery efforts. |
PR020 | Data Obfuscation | Data obfuscation is the act of deliberately obscuring or disguising data to avoid detection and/or hinder forensic analysis. A subject may obscure data in preparation to exfiltrate the data. |
PR021 | Network Scanning | A subject conducts a scan of a network to identify additional systems, or services running on those systems. |
IF017 | Excessive Personal Use | A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security. |
IF018 | Sharing on AI Chatbot Platforms | A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information. |
AF016 | Uninstalling Software | The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as registry keys or files necessary for the software to run, preventing them from being used by investigators to track activity. |
PR023 | Suspicious Web Browsing | A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event. |
AF017 | Use of a Virtual Machine | The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities. |
IF020 | Unauthorized VPN Client | The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented. |
IF019 | Non-Corporate Device | The subject performs work-related tasks on an unauthorized, non-organization-owned device, likely violating organizational policy. Without the organization’s security controls in place, this device could be used to bypass established safeguards. Moreover, using a personal device increases the risk of sensitive data being retained or exposed, particularly after the subject is offboarded, as the organization has no visibility or control over information stored outside its managed systems. |
MT001 | Joiner | A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies. |
MT002 | Mover | A subject moves within the organisation to a different team with the intent to gain access to sensitive data, to circumvent controls, or to otherwise contravene internal policies. |
MT003 | Leaver | A subject leaves the organisation while holding access to sensitive data, with the intent to access and exfiltrate that data or otherwise contravene internal policies. |
PR024 | Increase Privileges | A subject uses a mechanism to increase or add privileges assigned to a user account under their control. This enables them to access systems, services, or data that is not possible with their standard permissions. |
AF019 | Decrease Privileges | A subject uses a mechanism to decrease or remove the privileges assigned to a user account under their control. This may represent an anti-forensics technique where the subject attempts to obscure previously held privileges that could associate them with activity relating to an infringement. |
PR025 | File Download | The subject downloads one or more files to a system to access the file or prepare for exfiltration. |
MT019 | Rogue Nationalism | A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland.
While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization. |
MT018 | Curiosity | A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization. |
MT020 | Ideology | A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.
Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.
Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves. |
IF001 | Exfiltration via Web Service | A subject uses an existing, legitimate external Web service to exfiltrate data. |
IF022 | Data Loss | Data loss refers to the unauthorized, unintentional, or malicious disclosure, exposure, alteration, or destruction of sensitive organizational data caused by the actions of an insider. It encompasses incidents in which critical information—such as intellectual property, regulated personal data, or operationally sensitive content—is compromised due to insider behavior. This behavior may arise from deliberate exfiltration, negligent data handling, policy circumvention, or misuse of access privileges. Data loss can occur through manual actions (e.g., unauthorized file transfers or improper document handling) or through technical vectors (e.g., insecure APIs, misconfigured cloud services, or shadow IT systems). |
MT021 | Conflicts of Interest | A subject may be motivated by personal, financial, or professional interests that directly conflict with their duties and obligations to the organization. This inherent conflict of interest can lead the subject to engage in actions that compromise the organization’s values, objectives, or legal standing.
For instance, a subject who serves as a senior procurement officer at a company may have a financial stake in a vendor company that is bidding for a contract. Despite knowing that the vendor's offer is subpar or overpriced, the subject might influence the decision-making process to favor that vendor, as it directly benefits their personal financial interests. This conflict of interest could lead to awarding the contract in a way that harms the organization, such as incurring higher costs, receiving lower-quality goods or services, or violating anti-corruption regulations.
The presence of a conflict of interest can create a situation where the subject makes decisions that intentionally or unintentionally harm the organization, such as promoting anti-competitive actions, distorting market outcomes, or violating regulatory frameworks. While the subject’s actions may be hidden behind professional duties, the conflict itself acts as the driving force behind unethical or illegal behavior. These infringements can have far-reaching consequences, including legal ramifications, financial penalties, and damage to the organization’s reputation. |
ME024 | Access | A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.
Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.
Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities. |
ME025 | Placement | A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.
Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.
Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web-applications with the ability to transmit data and/or files. |
PR016.001 | Local Data Staging | A subject stages collected data in a central location or directory local to the current system prior to exfiltration. |
ME006.006 | Code Repositories | A subject can access websites used to access or manage code repositories. |
IF016.007 | Excessive Overtime | A subject that self-reports hours worked, and/or is eligible to claim overtime, or an individual responsible for reporting such working time, may falsify time records or make false representations to a working time system to cause payment or time in lieu for unperformed work. |
IF004.003 | Exfiltration via Personal NAS Device | A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data. |
PR020.001 | Renaming Files or Changing File Extensions | A subject may rename a file to obscure the content of the file or change the file extension to hide the file type. This can aid in avoiding suspicion and bypassing certain security filters and endpoint monitoring tools. For example, renaming a sensitive document from FinancialReport.docx to Recipes.txt before copying it to a USB mass storage device. |
IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard drive. |
IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |
IF002.007 | Exfiltration via Target Disk Mode | When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer. |
AF004.001 | Clear Chrome Artifacts | A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.003 | Clear Firefox Artifacts | A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.002 | Clear Edge Artifacts | A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
IF008.003 | Terrorist Content | A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism). |
IF008.004 | Extremist Content | A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups. |
IF001.005 | Exfiltration via Note-Taking Web Services | A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized): |
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |
IF004.004 | Exfiltration via Screen Sharing Software | A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as TeamViewer. |
IF004.005 | Exfiltration via Protocol Tunneling | A subject exfiltrates data from an organization by encapsulating or hiding it within an otherwise legitimate protocol. This technique allows the subject to covertly transfer data, evading detection by standard security monitoring tools. Commonly used protocols, such as DNS and ICMP, are often leveraged to secretly transmit data to an external destination.
Prerequisites:
Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:
2. The subject splits the hex dump into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):
3. The subject uses dig to send the data in DNS TXT queries. Looping through the split files and sending each chunk as the subdomain of example.com in a TXT record query:
On the DNS server they control, the subject captures the incoming DNS TXT record queries and decodes the reassembled hex data from the subdomain of each query.
DNS Tunneling (Windows)
Prerequisites:
Steps:
2. The subject splits the hex data into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters):
3. The subject sends the data in DNS TXT queries. Looping through the hex data chunks and sending each chunk as the subdomain of example.com in a TXT record query:
The subject will capture the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of each query.
ICMP Tunneling (Linux)
Prerequisites:
Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt:
2. The subject splits the hex dump into manageable chunks. ICMP packets have a payload size limit, so it’s common to use small chunks. The following command will split the hex data into 32-byte chunks:
3. The subject uses ping to send the data in ICMP echo request packets. Loop through the split files and send each chunk as part of the ICMP payload:
The subject will capture the incoming ICMP packets on the destination server, extract the data from the packets and decode the reassembled hex data. |
IF002.009 | Exfiltration via Disk Media | A subject exfiltrates data using writeable disk media. |
IF011.001 | Intentionally Weakening Network Security Controls For a Third Party | The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls. |
IF018.001 | Exfiltration via AI Chatbot Platform History | A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system. |
IF018.002 | Reckless Sharing on AI Chatbot Platforms | A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potentially inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information. |
AF018.003 | Canary Tokens | A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:
The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.
The subject strategically places these files in various locations within the environment:
Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected:
Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:
By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity. |
MT012.002 | Extortion | A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization. |
MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization. |
MT005.001 | Speculative Corporate Espionage | A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization. |
PR020.002 | Modification of Sensitivity Labels | The subject modifies or downgrades the sensitivity label of a file in an attempt to bypass DLP or other security controls. |
PR020.003 | Misclassification of Sensitivity Labels | The subject intentionally misclassifies the sensitivity label of a file in an attempt to bypass DLP or other security controls. |
IF010.002 | Exfiltration via Personal Email | A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the message at a later date to retrieve information on a different system. |
AF008.001 | Image Steganography | A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.
Least Significant Bit (LSB) Steganography
How it works:
Example:
Advantages:
Disadvantages:
Masking and Filtering Steganography
How it works:
Advantages:
Disadvantages:
Transform Domain Steganography
Types of Transform Domain Methods:
How it works:
Advantages:
Disadvantages:
b. Discrete Wavelet Transform (DWT) Steganography
How it works:
Advantages:
Disadvantages:
c. Fourier Transform-Based Steganography
Advantages:
Disadvantages:
Palette-Based and Color Modification Techniques
a. Palette-Based Steganography (GIF, PNG)
Advantages:
Disadvantages:
b. Alpha Channel Manipulation
Advantages:
Disadvantages:
Edge-Based and Texture-Based Steganography
a. Edge Detection Steganography
Advantages:
Disadvantages:
b. Patchwork Algorithm
Advantages:
Disadvantages:
Spread Spectrum and Noise-Based Techniques
a. Spread Spectrum Steganography
Advantages:
Disadvantages:
b. Statistical Steganography
Advantages:
Disadvantages:
Adaptive and AI-Based Steganography
Disadvantages:
Comparison Table of Image Steganography Methods |
IF004.006 | Exfiltration via Python Listening Service | A subject may employ a Python-based listening service to exfiltrate organizational data, typically as part of a self-initiated or premeditated breach. Python’s accessibility and versatility make it a powerful tool for creating custom scripts capable of transmitting sensitive data to external or unauthorized internal systems.
In this infringement method, the subject configures a Python script—often hosted externally or on a covert internal system—to listen for incoming connections. A complementary script, running within the organization’s network (such as on a corporate laptop), transmits sensitive files or data streams to the listening service using common protocols such as HTTP or TCP, or via more covert channels including DNS tunneling, ICMP, or steganographic methods. Publicly available tools such as PyExfil can facilitate these operations, offering modular capabilities for exfiltrating data across multiple vectors.
Examples of Use:
Detection Considerations:
| |||||||||||||||||||||||||||||||||||
PR018.007 | Downgrading Microsoft Information Protection (MIP) labels | A subject may intentionally downgrade the Microsoft Information Protection (MIP) label applied to a file in order to obscure the sensitivity of its contents and bypass security controls. MIP labels are designed to classify and protect files based on their sensitivity—ranging from “Public” to “Highly Confidential”—and are often used to enforce Data Loss Prevention (DLP), access restrictions, encryption, and monitoring policies.
By reducing a file's label classification, the subject may make the file appear innocuous, thus reducing the likelihood of triggering alerts or blocks by email filters, endpoint monitoring tools, or other security mechanisms.
This technique can enable the unauthorized exfiltration or misuse of sensitive data while evading established security measures. It may indicate premeditated policy evasion and can significantly weaken the organization’s data protection posture.
Examples of Use:
Detection Considerations:
| |||||||||||||||||||||||||||||||||||
IF022.001 | Intellectual Property Theft | A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.
Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm. | |||||||||||||||||||||||||||||||||||
IF022.002 | PII Leakage (Personally Identifiable Information) | PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.
Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.
The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.
Examples of Infringement:
IF022.003 | PHI Leakage (Protected Health Information) | PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.
HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.
In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.
This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.
Examples of Infringement:
IF023.001 | Export Violations | Export violations occur when a subject engages in the unauthorized transfer of controlled goods, software, technology, or technical data to foreign persons or destinations, in breach of applicable export control laws and regulations. These laws are designed to protect national security, economic interests, and international agreements by restricting the dissemination of sensitive materials and know-how.
Such violations often involve the failure to obtain the necessary export licenses, misclassification of export-controlled items, or the improper handling of technical data subject to regulatory oversight. The relevant legal frameworks may include the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and similar export control regimes in other jurisdictions.
Insiders may contribute to export violations by sending restricted files abroad, sharing controlled technical specifications with foreign nationals (even within the same organization), or circumventing export controls through the use of unauthorized communication channels or cloud services. These actions are considered violations regardless of the recipient’s sanction status and may occur entirely within legal jurisdictions if export-controlled information is shared with unauthorized individuals.
Export violations are distinct from sanction violations in that they pertain specifically to the nature of the goods, data, or services exported, and the mechanism of transfer, rather than the status of the recipient. Failure to comply with export control laws can result in civil and criminal penalties, loss of export privileges, and reputational damage to the organization.
IF023.002 | Sanction Violations | Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.
Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.
Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.
Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes.
IF023.003 | Anti-Trust or Anti-Competition | Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, in breach of laws designed to protect free-market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of a dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.
Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.
Examples of Anti-Trust or Anti-Competition Violations:
Regulatory Framework:
Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act.
ME024.003 | Access to Critical Environments (Production and Pre-Production) | Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.
Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.
In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.
Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.
Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security.
ME024.005 | Access to Physical Spaces | Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.
Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.
This type of access can be leveraged to:
Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.
Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.
The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.
ME025.002 | Leadership and Influence Over Direct Reports | A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:
In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.
Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain.