ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT118
  • Created: 29th April 2025
  • Updated: 29th April 2025
  • Platform: Oracle Cloud Infrastructure (OCI)
  • Contributor: The ITM Team

OCI Unauthorized System or Service Modification

Monitor Oracle Cloud Infrastructure (OCI) Audit Logs to detect unauthorized system or service creation. Unauthorized provisioning in OCI can indicate insider threat activity aimed at illicit compute use, data staging, or security control bypass.

 

Where to Configure/Access

 

Detection Methods

Analyze Audit Events such as:

  • LaunchInstance (Compute instance creation)
  • CreateBucket (Object Storage creation)
  • CreateVolume (Block Volume creation)
  • CreateVcn (Virtual Network creation)

 

Configure Object Storage log exports and integrate with SIEM tools (e.g., Splunk, QRadar) for real-time detection.

 

Indicators

  • Compute or storage resources created in unauthorized compartments.
  • VCNs created without associated security lists or network ACLs.
  • Instances launched using high-compute shapes without approved business justification.

Sections

ID Name Description
ME028Delegated Access via Managed Service Providers

An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.

 

The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where customer organization's policies, incident response authority, or legal recourse do not apply.

 

This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment.

 

The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.

 

This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability.

IF009.006Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

 

Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

 

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.