Detections
- Home
- - Detections
- -DT050
- ID: DT050
- Created: 05th June 2024
- Updated: 05th June 2024
- Platform: Windows
- Contributor: The ITM Team
Impossible Travel
Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.
Sections
ID | Name | Description |
---|---|---|
IF011 | Providing Access to a Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
PR027 | Impersonation | The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.
Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls. |
IF025 | Account Sharing | The subject violates organizational policy by allowing or enabling the use of their credentials by another individual or by using credentials that do not align with their identity and/or they are not authorized to use.
Account sharing undermines accountability, auditability, and access control mechanisms, and is frequently linked to the obfuscation of intent, collusion, or circumvention of oversight. It is often rationalized as a convenience, but may also support broad policy evasion, unauthorized task delegation, or illicit collaboration. |
AF024 | Account Misuse | The subject deliberately misuses account constructs to obscure identity, frustrate attribution, or undermine investigative visibility. This includes the use of shared, secondary, abandoned, or illicitly obtained accounts in ways that violate access integrity and complicate forensic analysis.
Unlike traditional infringement behaviors, account misuse in the anti-forensics context is not about the action itself—but about how identity is obfuscated or displaced to conceal that action. These behaviors sever the link between subject and activity, impeding both real-time detection and retrospective investigation.
Investigators encountering unexplainable log artifacts, attribution conflicts, or unexpected session collisions should assess whether account misuse is being used as a deliberate concealment tactic. Particular attention should be paid in environments lacking centralized identity governance or with known privilege sprawl.
Account misuse as an anti-forensics strategy often coexists with more overt infringements—enabling data exfiltration, sabotage, or policy evasion while preserving plausible deniability. As such, its detection is crucial to understanding subject intent, tracing activity with confidence, and restoring the chain of custody in incident response. |
IF011.001 | Intentionally Weakening Network Security Controls For a Third Party | The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls. |
PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
ME003.002 | VPN Applications | A subject has access to a VPN application. |
IF023.002 | Sanction Violations | Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.
Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.
Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.
Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes. |
PR027.002 | Impersonation via Collaboration and Communication Tools | The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.
Impersonation in this context can be achieved through:
The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.
Example Scenarios:
|
MT017.001 | Nation-State Alignment | The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.
Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.
Example Scenarios:
|
AF024.001 | Account Obfuscation | The subject leverages multiple accounts under their control—each legitimate on its own—to distribute, disguise, or segment activity in a manner that defeats identity-based attribution. This technique, referred to as account obfuscation, is designed to frustrate forensic correlation between subject behavior and account usage.
Unlike role-sanctioned multi-account use (e.g., one account for user access, another for administrative tasks), account obfuscation involves the deliberate operational separation of actions across identities to conceal intent, evade controls, or introduce ambiguity. This may involve:
This behavior is often facilitated by weak identity governance, fragmented access models, or unmanaged role transitions. It is especially difficult to detect in environments where access provisioning is ad hoc, audit scopes are limited, or account correlation is not enforced at the SIEM or UAM level.
From an investigative standpoint, account obfuscation serves as a deliberate anti-forensics tactic—enabling subjects to operate with plausible deniability and complicating timeline reconstruction. Investigators should review cross-account behavior patterns, concurrent session overlaps, and role-permission inconsistencies when this technique is suspected. |
AF024.002 | Unauthorized Credential Use | The subject employs valid credentials that were obtained outside of sanctioned provisioning channels to conceal their identity or perform actions under a false or misleading identity. This behavior, categorized as unauthorized credential use, is distinct from traditional account compromise—it reflects insider-enabled misuse, not external intrusion.
Credentials may be acquired through casual observation (e.g., shoulder surfing or unlocked workstations), social engineering, prior access (e.g., retained credentials from a former role), or covert means such as password capture tools. In some cases, credentials may be voluntarily shared by a collaborator or acquired opportunistically from unmonitored or abandoned accounts.
This tactic allows the subject to dissociate their actions from their known identity, delay detection, and in some cases, redirect suspicion to another individual. When used within privileged or high-sensitivity environments, unauthorized credential use can enable significant harm while bypassing conventional identity-based controls and alerting mechanisms.
Unlike service account sharing or account obfuscation (which involve legitimate, active credentials assigned to the subject), this behavior revolves around unauthorized access to credentials not formally linked to the subject. Investigators should prioritize this sub-section when audit trails show activity under an identity that does not correspond to role expectations, known behavioral patterns, or device history.
Key forensic indicators include:
Unauthorized credential use is a high-risk concealment technique and often coincides with malicious or high-impact infringements. |