Detections
- Home
- - Detections
- -DT103
- ID: DT103
- Created: 22nd September 2024
- Updated: 22nd September 2024
- Contributor: The ITM Team
Photographic Identification Comparison
During the recruitment or onboarding process, the individual’s appearance in in-person or online interviews should be compared with their government-issued photographic identification, which must match the details provided by the applicant before the interview. This helps detect potential fraudulent discrepancies and reduces the risk of one person attending the interview while another carries out the work for the organization.
Sections
ID | Name | Description |
---|---|---|
MT001 | Joiner | A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies. |
MT017 | Espionage | A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state. |
PR027 | Impersonation | The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.
Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls. |
PR027.001 | Deepfake or Synthetic Identity Use in Hiring | The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.
Common methods include:
This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.
Example Scenarios:
|
PR027.003 | Physical Impersonation Through Dress, Uniforms, or Appearance | The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.
Common methods include:
Example Scenarios:
|
PR027.004 | Cloning or Forging ID Cards for Physical Access | The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.
Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.
Example Scenarios:
|