
Insider Threat Matrix™

  • ID: DT103
  • Created: 22nd September 2024
  • Updated: 22nd September 2024
  • Contributor: The ITM Team

Photographic Identification Comparison

During the recruitment or onboarding process, the individual's appearance in in-person or online interviews should be compared with their government-issued photographic identification, which must match the details provided by the applicant before the interview. This helps detect fraudulent discrepancies and reduces the risk that one person attends the interview while another carries out the work for the organization.

Sections

MT001 Joiner

A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies.

MT017 Espionage

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

PR027 Impersonation

The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.

Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls.

PR027.001 Deepfake or Synthetic Identity Use in Hiring

The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.

Common methods include:

  • Using AI-generated (GAN-based) profile photos that cannot be reverse-image searched.
  • Employing real-time deepfake tools during video interviews to alter facial appearance or impersonate another individual.
  • Substituting a more technically skilled individual to complete a remote hiring assessment or interview under a fabricated identity.
  • Presenting credentials or documentation (e.g., CVs, diplomas, certifications) created using forgery tools or generative AI.

This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.

Example Scenarios:

  • A subject uses a synthetic LinkedIn profile with AI-generated imagery and falsified work history to apply for a remote DevOps role. During the live video interview, they use a deepfake overlay to match their fabricated profile photo.
  • A technically skilled individual conducts a coding interview using a deepfake of another person, allowing a less qualified "puppet" to be hired under false credentials. The qualified subject later assists or directs actions remotely.
  • A malicious actor obtains employment under an assumed identity to infiltrate a target organization on behalf of a third party, using synthetic documents and deepfake liveness checks to pass onboarding.

PR027.003 Physical Impersonation Through Dress, Uniforms, or Appearance

The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.

Common methods include:

  • Wearing uniforms or branded clothing associated with the target organization or a trusted third party.
  • Mimicking attire patterns of specific departments (e.g., IT, facilities, catering).
  • Carrying props such as tools, ID lanyards, or delivery equipment to reinforce the impersonated role.

Example Scenarios:

  • A subject dresses in a facilities maintenance uniform to gain access to server rooms under the pretense of conducting HVAC repairs, with no scheduled work order.
  • An insider recruits an accomplice who dresses as a delivery driver to stage equipment drops and tailgate into a secure loading dock.
  • During an internal staff shift, the subject wears a borrowed lanyard and IT polo shirt to move through restricted floors without being challenged.
  • A former contractor retains high-visibility branded clothing and uses it months later to re-enter a secure building undetected.

PR027.004 Cloning or Forging ID Cards for Physical Access

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

Example Scenarios:

  • A subject uses a Flipper Zero device to clone the 125kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
  • A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
  • The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
  • A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.