Detections
- Home
- - Detections
- -DT052
- ID: DT052
- Created: 08th June 2024
- Updated: 25th July 2024
- Contributor: The ITM Team
Audit Logging
Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.
Sections
ID | Name | Description |
---|---|---|
PR005 | IT Ticketing System Exploration | A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information. |
ME007 | Privileged Access | A subject has privileged access to devices, systems or services that hold sensitive information. |
IF022 | Data Loss | Data loss refers to the unauthorized, unintentional, or malicious disclosure, exposure, alteration, or destruction of sensitive organizational data caused by the actions of an insider. It encompasses incidents in which critical information—such as intellectual property, regulated personal data, or operationally sensitive content—is compromised due to insider behavior. This behavior may arise from deliberate exfiltration, negligent data handling, policy circumvention, or misuse of access privileges. Data loss can occur through manual actions (e.g., unauthorized file transfers or improper document handling) or through technical vectors (e.g., insecure APIs, misconfigured cloud services, or shadow IT systems). |
ME021.003 | Physical Access Credentials | Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used. |
ME021.004 | API Keys | API keys that were available to the subject during employment are not revoked and can still be used. |
ME021.005 | SSH Keys | SSH keys that were available to the subject during employment are not revoked and can still be used. |
IF014.004 | Modification of Access Controls | The subject makes unauthorized changes to access controls resulting in harm. Examples include resetting/changing passwords, locking accounts, or deleting accounts. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account. |
IF011.001 | Intentionally Weakening Network Security Controls For a Third Party | The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls. |
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|
IF013.001 | File or Data Deletion | A subject deletes files or data that cause disruption of business operations. |
ME021.006 | Multi-Factor Authentication | MFA tokens or hardware devices (such as physical security keys) issued to the subject during employment are not deactivated and can still be utilized. |
IF022.001 | Intellectual Property Theft | A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.
Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm. |
ME024.002 | Access to Privileged Groups and Non-User Accounts | A subject with access to privileged groups (e.g., Domain Admins, Enterprise Admins, or Security Groups) or non-user accounts (such as service accounts, application identities, or shared mailboxes) gains elevated control over systems, applications, and sensitive organizational data. Access to these groups or accounts often provides the subject with knowledge of security configurations, user roles, and potentially unmonitored or sensitive activities that occur within the system.
Shared mailboxes, in particular, are valuable targets. These mailboxes are often used for group communication across departments or functions, containing sensitive or confidential information, such as internal discussions on financials, strategic plans, or employee data. A subject with access to shared mailboxes can gather intelligence from ongoing conversations, identify targets for further exploitation, or exfiltrate sensitive data without raising immediate suspicion. These mailboxes may also bypass some security filters, as their contents are typically considered routine and may not be closely monitored.
Access to privileged accounts and shared mailboxes also allows subjects to escalate privileges, alter system configurations, access secure data repositories, or manipulate security settings, making it easier to both conduct malicious activities and cover their tracks. Moreover, service and application accounts often have broader access rights across systems or environments than typical user accounts and are frequently excluded from standard monitoring protocols, offering potential pathways for undetected exfiltration or malicious action.
This elevated access gives subjects insight into critical system operations and internal communications, such as unencrypted data flows or internal vulnerabilities. This knowledge not only heightens their potential for malicious conduct but can also make them a target for external threat actors seeking to exploit this elevated access. |