Insider Threat Matrix™

  • ID: PV001
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Contributor: The ITM Team

No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Sections

ID / Name / Description

AF015 File Deletion

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

ME006 Web Access

A subject can access the web with an organization device.

ME011 Screenshots

A subject can take screenshots on a device.

ME012 Clipboard

A subject can use the clipboard on a device (copy & paste).

AF001 Clear Command History

A subject clears command history to prevent executed commands from being reviewed and disclosing information about the subject’s activities.

AF011 Physical Destruction of Storage Media

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

AF014 System Shutdown

A subject may shut down a system to clear volatile memory (RAM), preventing memory acquisition and analysis.

PR012 Physical Disk Removal

A subject removes the physical disk of a target system to access the target file system with an external device/system.

PR023 Suspicious Web Browsing

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

AF001.002 Clear Bash History

A subject clears bash terminal command history to prevent executed commands from being reviewed and disclosing information about the subject’s activities.

The Command Prompt on Windows only stores command history within the current session; once Command Prompt is closed, the history is lost.

On Linux-based operating systems, different terminal software may store command history in various locations, the most common being /home/%username%/.bash_history. Running the command history -c clears the history for the current session, preventing it from being written to .bash_history when the session ends.

On macOS the Terminal utility writes command history to /Users/%username%/.zsh_history or /Users/%username%/.bash_history, depending on the operating system version.

AF001.001 Clear PowerShell History

A subject clears PowerShell command history to prevent executed commands from being reviewed and disclosing information about the subject’s activities.

PowerShell stores command history in the context of a user account. This file is located at C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline.

A subject can delete their own PSReadline file without any special permissions.

A subject may attempt to use the Clear-History cmdlet; however, this only clears commands from the current session and does not affect the PSReadline history file.

PR016.001 Local Data Staging

A subject stages collected data in a central location or directory local to the current system prior to exfiltration.

PR020.001 Renaming Files or Changing File Extensions

A subject may rename a file to obscure its content or change the file extension to hide the file type. This can aid in avoiding suspicion and bypassing certain security filters and endpoint monitoring tools. For example, renaming a sensitive document from FinancialReport.docx to Recipes.txt before copying it to a USB mass storage device.

AF004.001 Clear Chrome Artifacts

A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.003 Clear Firefox Artifacts

A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.002 Clear Edge Artifacts

A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.