
Insider Threat Matrix™
  • ID: DT114
  • Created: 28th April 2025
  • Updated: 28th April 2025
  • Contributor: The ITM Team

Baseline System Performance Profiling

Establish and monitor baseline system performance metrics for all critical endpoints, servers, and cloud workloads to detect deviations that may indicate unauthorized activities, such as crypto mining, data staging, or malware execution. Deviations from expected resource usage profiles can serve as an early indicator of operational misuse, compromise, or unauthorized software deployment.


Detection Methods

  • Collect and baseline key performance metrics (e.g., CPU utilization, GPU load, memory consumption, disk I/O, and network throughput) for each system class based on normal operational workloads.
  • Continuously monitor and analyze live system telemetry against established baselines using security information and event management (SIEM), endpoint detection and response (EDR), or cloud-native monitoring tools.
  • Set threshold alerts for resource utilization that significantly exceeds normal variance ranges over sustained periods without corresponding change tickets, scheduled tasks, or workload justifications.
  • Correlate performance anomalies with process monitoring to identify unauthorized or unexpected processes consuming system resources.
  • Integrate anomalous performance detections into insider threat investigation workflows, focusing on unexplained deviations, especially on systems not expected to experience significant workload fluctuations (e.g., office endpoints, file servers, idle cloud instances).


Indicators

  • Sustained CPU or GPU utilization significantly above baseline norms, particularly during non-peak operational hours.
  • Persistent high memory usage, disk I/O, or network traffic inconsistent with documented business activities.
  • Systems exhibiting performance profiles typical of known unauthorized activities (e.g., high sustained CPU with low disk I/O suggestive of mining workloads).
  • Lack of approved change requests or business justification corresponding with the onset of anomalous resource usage.
  • Anomalies clustered around users, departments, or system groups known for prior boundary-testing or policy violations.
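The Detection Methods and Indicators above describe one pipeline: baseline each system class, compare live telemetry against it, alert only on sustained deviation, check for a covering change ticket, and label the resource profile. The following is an added example of that pipeline written for this page; it is not ITM code, and the hosts, system classes, thresholds (k = 3 standard deviations, 30-minute minimum run) and change tickets are constructed assumptions.

```python
"""Baseline system performance profiling: a sustained-deviation detector.

Added example, not code from the ITM page: builds a per-system-class baseline
from a training window, flags runs of live samples above mean + k*stdev lasting
at least `min_duration`, checks for a covering change ticket, and labels the
profile. Hosts, metrics and tickets are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

METRICS = ("cpu", "disk_io_mbps", "net_out_mbps")

@dataclass(frozen=True)
class Sample:
    host: str
    system_class: str        # e.g. "office-endpoint", "file-server"
    ts: datetime
    cpu: float               # percent
    disk_io_mbps: float
    net_out_mbps: float

@dataclass(frozen=True)
class Alert:
    host: str
    metric: str
    start: datetime
    end: datetime
    peak: float
    baseline_mean: float
    profile: str
    change_ticket: bool      # True if an approved change window covers the run

def build_baseline(samples):
    """Per-class {metric: (mean, stdev)} from known-good samples."""
    by_class = {}
    for s in samples:
        by_class.setdefault(s.system_class, []).append(s)
    baseline = {}
    for cls, rows in by_class.items():
        baseline[cls] = {}
        for m in METRICS:
            vals = [getattr(r, m) for r in rows]
            # Floor the stdev so a perfectly flat baseline does not alert on noise.
            baseline[cls][m] = (mean(vals), max(pstdev(vals), 1.0))
    return baseline

def _elevated(value, stats, k):
    mu, sd = stats
    return value > mu + k * sd

def classify_profile(s, base, k):
    """Label which resources are elevated, mirroring the Indicators list."""
    cpu_hi = _elevated(s.cpu, base["cpu"], k)
    disk_hi = _elevated(s.disk_io_mbps, base["disk_io_mbps"], k)
    net_hi = _elevated(s.net_out_mbps, base["net_out_mbps"], k)
    if cpu_hi and not disk_hi:
        return "mining-like (sustained CPU, low disk I/O)"
    if disk_hi and net_hi:
        return "staging-like (high disk I/O with high network out)"
    return "generic deviation"

def detect(live, baseline, tickets, k=3.0, min_duration=timedelta(minutes=30)):
    """Alerts for sustained per-host deviations; tickets = {host: [(start, end)]}."""
    by_host = {}
    for s in sorted(live, key=lambda s: s.ts):
        by_host.setdefault(s.host, []).append(s)
    alerts = []
    for host, rows in by_host.items():
        base = baseline[rows[0].system_class]
        for m in METRICS:
            run = []
            for s in rows + [None]:                      # None flushes the final run
                if s is not None and _elevated(getattr(s, m), base[m], k):
                    run.append(s)
                    continue
                if run and run[-1].ts - run[0].ts >= min_duration:
                    start, end = run[0].ts, run[-1].ts
                    covered = any(a <= start and end <= b for a, b in tickets.get(host, []))
                    peak = max(run, key=lambda r: getattr(r, m))
                    alerts.append(Alert(host, m, start, end, getattr(peak, m), base[m][0],
                                        classify_profile(peak, base, k), covered))
                run = []
    return alerts

# Constructed sample data: 5-minute samples starting at 09:00.
T0 = datetime(2025, 4, 28, 9, 0)
def _mk(host, cls, i, cpu, disk, net):
    return Sample(host, cls, T0 + timedelta(minutes=5 * i), cpu, disk, net)
TRAINING = [_mk("ws-01", "office-endpoint", i, 12 + i % 3, 2.0, 0.5) for i in range(24)]
# ws-02 pegs CPU for 40 min with flat disk I/O and no ticket;
# ws-03 bursts disk and network for 40 min inside an approved backup window.
LIVE = ([_mk("ws-02", "office-endpoint", i, 12, 2.0, 0.5) for i in range(4)]
        + [_mk("ws-02", "office-endpoint", i, 92, 2.5, 0.8) for i in range(4, 13)]
        + [_mk("ws-03", "office-endpoint", i, 14, 60.0, 40.0) for i in range(9)])
TICKETS = {"ws-03": [(T0, T0 + timedelta(hours=2))]}

def run_example():
    """Alerts from the constructed data; only ws-02's CPU run lacks a ticket."""
    return detect(LIVE, build_baseline(TRAINING), TICKETS)

if __name__ == "__main__":
    for a in run_example():
        print(a.host, a.metric, a.start.time(), a.end.time(), a.peak, a.change_ticket, a.profile)
```

The ticket check is deliberately strict (the whole run must fall inside an approved window); ws-03's disk and network bursts are still reported so an analyst can see them, but carry change_ticket=True and should be auto-closed, whereas ws-02's CPU-only run with no ticket is the case the Indicators list calls mining-like.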

Sections

IF013: Disruption of Business Operations

The subject causes interruptions, degradation, or instability in organizational systems, processes, or data flows that impair day‑to‑day operations and affect availability, integrity, or service continuity. This category encompasses non‑exfiltrative and non‑theft forms of disruption, distinct from data exfiltration or malware aimed at permanent destruction.


Disruptive actions may include misuse of administrative tools, intentional misconfiguration, suppression of services, logic interference, dependency tampering, or selective disabling of critical functions. The objective is operational impact (slowing, blocking, or misrouting workflows) rather than data removal or theft.

IF009.006: Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.


Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., the Stratum mining protocol, carried over plain TCP or wrapped in TLS).
  • Frequently disables or tampers with endpoint controls and power management (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, sleep or power-saving modes) to maintain uninterrupted mining sessions.
  • Constitutes not only a misuse of resources but also an unauthorized outbound communication channel that bypasses standard network controls.


Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.
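The Characteristics list and the scenario above give two network- and schedule-side signals that complement performance baselining: Stratum traffic to a pool (readable when the connection is plaintext, otherwise visible only as a long-lived outbound TCP session to a non-standard port) and an inverted day/night CPU profile from business-hours throttling. The following is an added example written for this page, not ITM code and not taken from any miner it names; the "mining.*" method names are classic Stratum v1, the "login" message shape with "agent" and "algo" fields is the JSON-RPC 2.0 variant xmrig uses, and the allowlisted ports, 6-hour persistence threshold, 1.25 off-peak ratio, hostnames, pool ports and payloads are constructed assumptions.

```python
"""Network and scheduling indicators of unauthorized crypto mining.

Added example, not ITM code. Two checks drawn from the Characteristics and
Example Scenario: (1) recognise Stratum-style JSON-RPC in a captured outbound
payload (classic "mining.*" methods, or the "login" variant with agent/algo
fields that xmrig sends) and flag long-lived outbound TCP to non-standard
ports even when TLS hides the payload; (2) flag hosts whose CPU is higher
off-peak than in business hours, the throttling pattern from the scenario.
All payloads, connections and CPU samples below are constructed.
"""
import json
from dataclasses import dataclass

BUSINESS_HOURS = range(9, 17)           # 09:00-16:59 local time (assumed)
STANDARD_PORTS = {22, 25, 53, 80, 443}  # assumed allowlist for long-lived outbound TCP

def classify_payload(payload: bytes):
    """Return a reason string if the first line looks like a Stratum message, else None."""
    try:
        # Stratum is newline-delimited JSON; only the first message is needed.
        msg = json.loads(payload.split(b"\n", 1)[0].decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method, params = msg["method"], msg.get("params")
    if method.startswith("mining."):                      # classic Stratum v1
        return f"stratum method {method}"
    # xmrig-style variant: "login" carries the wallet, agent string and algorithm list.
    if method == "login" and msg.get("jsonrpc") == "2.0" and isinstance(params, dict):
        agent = str(params.get("agent", "")).lower()
        if "xmrig" in agent or "miner" in agent or "algo" in params:
            return f"stratum login (agent={params.get('agent')})"
    return None

@dataclass(frozen=True)
class Conn:
    host: str
    dst_port: int
    duration_s: int
    tls: bool
    first_payload: bytes      # empty when TLS hides the application data

def flag_connection(conn, persistent_s=6 * 3600):
    """Reasons this outbound connection matches the mining characteristics (may be empty)."""
    reasons = []
    if not conn.tls:
        r = classify_payload(conn.first_payload)
        if r:
            reasons.append(r)
    if conn.dst_port not in STANDARD_PORTS and conn.duration_s >= persistent_s:
        reasons.append(f"persistent outbound TCP to non-standard port {conn.dst_port} "
                       f"({conn.duration_s // 3600}h)")
    return reasons

def inverted_diurnal(samples, ratio=1.25):
    """True if mean off-peak CPU >= ratio * mean business-hours CPU.

    samples: [(hour_of_day, cpu_pct)]. A miner throttled by day and unthrottled
    at night produces this shape; a normal office endpoint does the opposite.
    """
    biz = [c for h, c in samples if h in BUSINESS_HOURS]
    off = [c for h, c in samples if h not in BUSINESS_HOURS]
    if not biz or not off:
        return False
    return sum(off) / len(off) >= ratio * (sum(biz) / len(biz))

# Constructed sample data (wallet and pool details are placeholders).
XMRIG_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"<wallet>",'
               b'"pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}\n')
BTC_SUBSCRIBE = b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CONNS = [
    Conn("rd-srv-07", 14444, 72 * 3600, False, XMRIG_LOGIN),  # scenario: plaintext Stratum, odd port
    Conn("rd-srv-08", 3333, 10 * 3600, True, b""),             # TLS pool session, payload hidden
    Conn("ws-11", 443, 120, True, b""),                       # ordinary HTTPS session
    Conn("ws-12", 8080, 30, False, HTTP_GET),                 # short plain HTTP request
]
# Hourly CPU: rd-srv-07 throttled to 60% in business hours, 95% otherwise; ws-11 busy by day only.
CPU_SAMPLES = {
    "rd-srv-07": [(h, 60.0 if h in BUSINESS_HOURS else 95.0) for h in range(24)],
    "ws-11": [(h, 35.0 if h in BUSINESS_HOURS else 5.0) for h in range(24)],
}

def run_example():
    """{host: [reasons]} for hosts showing at least one mining indicator."""
    findings = {}
    for c in CONNS:
        reasons = flag_connection(c)
        if inverted_diurnal(CPU_SAMPLES.get(c.host, [])):
            reasons.append("CPU higher off-peak than in business hours (throttling pattern)")
        if reasons:
            findings[c.host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in run_example().items():
        print(host, "->", "; ".join(reasons))
```

On the constructed data rd-srv-07 trips all three checks, while rd-srv-08 (TLS to port 3333) is caught only by the persistence heuristic; that second case is why the payload check alone is not enough and why connection duration and destination port belong in the same rule.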

IF013.002: Operational Disruption Impacting Customers

The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust.


Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access.


Examples include:


  • Intentionally disabling authentication or API endpoints
  • Modifying DNS, firewall, or routing rules to block legitimate traffic
  • Tampering with load balancers or HA/failover logic
  • Altering service configurations to break dependency chains (e.g. pointing production systems to empty dev databases)
  • Injecting false metrics or signals into monitoring or orchestration tools to trigger auto-scaling failures or mis-alerts
  • Enabling excessive logging or computation to induce service latency or memory exhaustion
  • Locking critical service accounts, API keys, or secrets in vault systems


These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly.