ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT104
  • Created: 22nd September 2024
  • Updated: 22nd September 2024
  • Contributor: The ITM Team

Leaver Watchlist

In relevant security tooling (such as a SIEM or EDR), a watchlist (also known as a reference set) should be used to monitor for any activity generated by accounts belonging to employees who have left the organization, as this is unexpected. This can help to ensure that the security team readily detects any unrevoked access or account usage.

 

This process must be in partnership with the Human Resources team, which should inform the security team when an individual leaves the organization (during an Employee Off-Boarding Process, see PV024), including their full and user account names. Ideally, this process should be automated to prevent any gaps in monitoring between the information being sent and the security team adding the name(s) to the watchlist. All format variations should be considered as individual entries in the watchlist to ensure accounts using different naming conventions will generate alerts, such as john.smith, john smith, john.smith@company.com, and jsmith.

 

False positives could occur if there is a legitimate reason for interaction with the account(s), such as actions conducted by IT staff.

Sections

ID Name Description
MT003Leaver

A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies.

IF015Theft

A subject steals an item or items belonging to an organization, such as a corporate laptop or corporate mobile phone.

IF015.001Theft of a Corporate Laptop

A subject steals a corporate laptop belonging to an organization.

PR027.002Impersonation via Collaboration and Communication Tools

The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.

 

Impersonation in this context can be achieved through:

  • Lookalike email addresses (e.g., spoofed domains or typo squatting).
  • Cloned display names in collaboration tools.
  • Shared calendar invites or chats initiated under false authority.
  • Use of compromised or unused accounts from real employees, contractors, or vendors.

 

The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.

 

Example Scenarios:

  • A subject registers a secondary internal email alias (john.smyth@corp-secure.com) closely resembling a senior executive and uses it to request financial data from junior employees.
  • A subject joins a sensitive Slack channel using a display name that mimics another department member and quietly monitors ongoing discussions related to mergers and acquisitions activity.
  • A compromised service account is used by an insider to initiate SharePoint document shares with external parties, appearing as a legitimate internal action.
  • The subject impersonates an IT support contact via Teams or email to socially engineer MFA tokens or password resets.