ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT052
  • Created: 08th June 2024
  • Updated: 25th July 2024
  • Contributor: The ITM Team

Audit Logging

Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.

Sections

ID Name Description
PR005IT Ticketing System Exploration

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

ME007Privileged Access

A subject has privileged access to devices, systems or services that hold sensitive information.

IF022Data Loss

Data loss refers to the unauthorized, unintentional, or malicious disclosure, exposure, alteration, or destruction of sensitive organizational data caused by the actions of an insider. It encompasses incidents in which critical information—such as intellectual property, regulated personal data, or operationally sensitive content—is compromised due to insider behavior. This behavior may arise from deliberate exfiltration, negligent data handling, policy circumvention, or misuse of access privileges. Data loss can occur through manual actions (e.g., unauthorized file transfers or improper document handling) or through technical vectors (e.g., insecure APIs, misconfigured cloud services, or shadow IT systems).

ME021.003Physical Access Credentials

Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.

ME021.004API Keys

API keys that were available to the subject during employment are not revoked and can still be used.

ME021.005SSH Keys

SSH keys that were available to the subject during employment are not revoked and can still be used.

IF014.004Modification of Access Controls

The subject makes unauthorized changes to access controls resulting in harm. Examples include resetting/changing passwords, locking accounts, or deleting accounts.

IF011.003Providing Unauthorized Access to a Collaboration Platform

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

IF011.001Intentionally Weakening Network Security Controls For a Third Party

The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.

AF018.002Environment Tripwires

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

 

This tripwire API is embedded within various parts of the environment:

  • Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
  • Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
  • Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

 

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

  • Known Security Tools: Scanning for network traffic signatures from common security tools (like Nessus or nmap) or patterns associated with incident response teams.
  • Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
  • System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

 

The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.

 

Upon detecting activity, the API tripwire can take immediate evasive actions:

  • Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
  • Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
  • Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
  • Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.
IF013.001File or Data Deletion

A subject deletes files or data that cause disruption of business operations.

ME021.006Multi-Factor Authentication

MFA tokens or hardware devices (such as physical security keys) issued to the subject during employment are not deactivated and can still be utilized.

IF022.001Intellectual Property Theft

A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.

 

Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm.

ME024.002Access to Privileged Groups and Non-User Accounts

A subject with access to privileged groups (e.g., Domain Admins, Enterprise Admins, or Security Groups) or non-user accounts (such as service accounts, application identities, or shared mailboxes) gains elevated control over systems, applications, and sensitive organizational data. Access to these groups or accounts often provides the subject with knowledge of security configurations, user roles, and potentially unmonitored or sensitive activities that occur within the system.

 

Shared mailboxes, in particular, are valuable targets. These mailboxes are often used for group communication across departments or functions, containing sensitive or confidential information, such as internal discussions on financials, strategic plans, or employee data. A subject with access to shared mailboxes can gather intelligence from ongoing conversations, identify targets for further exploitation, or exfiltrate sensitive data without raising immediate suspicion. These mailboxes may also bypass some security filters, as their contents are typically considered routine and may not be closely monitored.

 

Access to privileged accounts and shared mailboxes also allows subjects to escalate privileges, alter system configurations, access secure data repositories, or manipulate security settings, making it easier to both conduct malicious activities and cover their tracks. Moreover, service and application accounts often have broader access rights across systems or environments than typical user accounts and are frequently excluded from standard monitoring protocols, offering potential pathways for undetected exfiltration or malicious action.

 

This elevated access gives subjects insight into critical system operations and internal communications, such as unencrypted data flows or internal vulnerabilities. This knowledge not only heightens their potential for malicious conduct but can also make them a target for external threat actors seeking to exploit this elevated access.