ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT048
  • Created: 02nd June 2024
  • Updated: 19th July 2024
  • Contributor: The ITM Team

Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

Sections

ID Name Description
IF010Exfiltration via Email

A subject uses electronic mail to exfiltrate data.

ME007Privileged Access

A subject has privileged access to devices, systems or services that hold sensitive information.

ME009FTP Servers

A subject is able to access external FTP servers.

ME010SSH Servers

A subject is able to access external SSH servers.

IF010.001Exfiltration via Corporate Email

A subject exfiltrates information using their corporate-issued mailbox, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

IF010.002Exfiltration via Personal Email

A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

PR015.003Email Forwarding Rule

The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another.

IF002.005Exfiltration via Physical Documents

A subject tansports physical documents outside of the control of the organization.

ME005.002SD Cards

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

ME006.001Webmail

A subject can access personal webmail services in a browser.

ME006.002Cloud Storage

A subject can access personal cloud storage in a browser.

IF002.007Exfiltration via Target Disk Mode

When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer.

IF018.001Exfiltration via AI Chatbot Platform History

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

IF018.002Reckless Sharing on AI Chatbot Platforms

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.