- ID: DT144
- Created: 08th September 2025
- Updated: 08th September 2025
- Contributor: The ITM Team
Asset Register Correlation
Leverage the corporate asset register to correlate device ownership, user assignment, and provisioning status. This enables investigators to quickly determine:
- Which subject(s) are assigned to a given device
- Which devices are officially assigned to a given subject
- Whether a device exists in inventory without an assigned owner (unprovisioned)
- Whether a subject is using a device not present in the official register
By maintaining this cross-referenced view, investigators can detect orphaned assets, unauthorized re-use, and unmanaged endpoints that bypass provisioning controls. The asset register becomes both a baseline for enforcement and a forensic source of truth during insider threat investigations.
What an Asset Register Is
An asset register is a centralized, authoritative database that records all corporate hardware assets—most critically laptops, desktops, and other endpoints. Each record includes:
- Unique asset identifier (serial number, asset tag, or hardware UUID)
- Current assigned subject (mapped to Human Resources Information System (HRIS) identity)
- Device state (active, decommissioned, loaner, in repair, unassigned)
- Provisioning details (date issued, baseline configuration, security tooling enrollment)
- Custodial history (who previously held the device and when it was reassigned)
The asset register provides a single point of truth that investigators and defenders can use to validate whether a device is legitimately in use and under control.
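The correlation described above can be sketched as a join between the register, HRIS termination dates, and endpoint logon telemetry. This is an added example, not code from the ITM page; the field names, finding labels, and sample records are constructed assumptions rather than any product's schema.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a real product schema.
REGISTER = {  # asset_id -> register record
    "LT-1001": {"assigned_to": "E100", "state": "active"},
    "LT-1002": {"assigned_to": None, "state": "unassigned"},
    "LT-1003": {"assigned_to": "E200", "state": "active"},
    "LT-1004": {"assigned_to": "E300", "state": "decommissioned"},
}
HRIS = {"E100": None, "E200": date(2025, 8, 29), "E300": None}  # subject -> termination date
LOGONS = [  # (date, subject_id, asset_id) from endpoint or VPN telemetry
    (date(2025, 9, 1), "E100", "LT-1001"),
    (date(2025, 9, 1), "E100", "LT-1002"),
    (date(2025, 9, 2), "E200", "LT-1003"),
    (date(2025, 9, 3), "E300", "LT-9999"),
    (date(2025, 9, 3), "E300", "LT-1004"),
]
NOT_IN_SERVICE = {"decommissioned", "in repair"}

def correlate(logons, register, hris):
    """Return sorted (asset_id, subject_id, finding) tuples for anomalous device use."""
    findings = set()
    for day, subject, asset in logons:
        rec = register.get(asset)
        if subject not in hris:
            findings.add((asset, subject, "subject_not_in_hris"))
        elif hris[subject] is not None and day > hris[subject]:
            findings.add((asset, subject, "access_past_termination"))
        if rec is None:  # device seen in telemetry but absent from the register
            findings.add((asset, subject, "device_not_in_register"))
            continue
        if rec["assigned_to"] is None:
            findings.add((asset, subject, "unassigned_device_in_use"))
        elif rec["assigned_to"] != subject:
            findings.add((asset, subject, "assigned_to_other_subject"))
        if rec["state"] in NOT_IN_SERVICE:
            findings.add((asset, subject, "device_state_" + rec["state"]))
    return sorted(findings)

def devices_for(subject, register):
    """Devices officially assigned to a subject."""
    return sorted(a for a, r in register.items() if r["assigned_to"] == subject)

if __name__ == "__main__":
    for finding in correlate(LOGONS, REGISTER, HRIS):
        print(finding)
```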
Implementation Approaches
- Dedicated Asset Management Systems: Deploy enterprise-grade IT asset management platforms (e.g., ServiceNow, Lansweeper, Jamf, SCCM) with integrations to HRIS and Identity and Access Management (IAM).
- MDM/EDR Integration: Ensure that mobile device management (MDM) and endpoint detection and response (EDR) solutions feed device enrollment status into the asset register.
- HRIS Linkage: Automate assignment by linking HR onboarding/offboarding events directly to device provisioning and revocation workflows.
- Physical Asset Tagging: Label each device with a unique asset tag or barcode tied to the register to prevent informal reallocation.
- Audit and Recertification: Conduct periodic reconciliation (monthly or quarterly) to ensure the register reflects reality — identifying missing devices, duplicates, or ghost entries.
Sections
ID | Name | Description |
---|---|---|
ME001 | Unauthorized Access to Unassigned Hardware | The subject accesses or uses a corporate hardware asset, typically a laptop or other endpoint device, that is not assigned to them by role, provisioning, or inventory records. This behavior often emerges in environments with weak asset lifecycle controls, during periods of staff transition, or when hardware is reissued informally without updating allocation systems.<br><br>Subjects may obtain unassigned hardware through dormant inventory, “loaner” pools, peer handoffs, or by reactivating previously deprovisioned devices. Use of unassigned hardware circumvents standard monitoring, ownership attribution, and access governance. It may be leveraged to evade visibility, perform preparatory actions, or compartmentalize risky activity away from their primary, monitored device.<br><br>Investigators should view such access as a strong early indicator of potential infringement(s), particularly when associated with stale or unmanaged hardware, elevated privilege configuration, or the absence of endpoint telemetry. |
ME001.001 | Access to Asset Past Termination | The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.<br><br>This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows. |
ME001.002 | Purchase and Use of Unmanaged Corporate Hardware | The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.<br><br>Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.<br><br>This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data. |