ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV016
  • Created: 01st June 2024
  • Updated: 19th July 2024
  • Contributor: The ITM Team

Enforce a Data Classification Policy

A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file.

Sections

ID Name Description
IF002Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

IF003Exfiltration via Media Capture

A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media.

IF004Exfiltration via Other Network Medium

A subject exfiltrates files through a network. A network can be an Internet Protocol (IP) network or other technology enabling the communication of data between two or more digital devices.

ME014Printing

A subject has the ability to print documents and other files.

MT008Lack of Awareness

A subject is unaware that they are prohibited from accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies.

IF018Sharing on AI Chatbot Platforms

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

ME023Sensitivity Label Leakage

Sensitivity label leakage refers to the exposure or misuse of classification metadata—such as Microsoft Purview Information Protection (MIP) sensitivity labels—through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider.

 

This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content.

 

Examples of Use:

  • An insider accesses file properties on a shared drive to identify documents labeled Highly Confidential with the intention of exfiltrating them later.
  • Sensitivity labels are exposed in outbound email headers or logs, revealing the internal classification of attached files.
  • Files copied to an unmanaged device retain their label metadata, inadvertently disclosing sensitivity levels if examined later.
IF001.004Exfiltration via Webhook

A subject may use an existing, legitimate external Web service to exfiltrate data

IF001.001Exfiltration via Cloud Storage

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://www.dropbox[.]com
  • hxxps://drive.google[.]com
  • hxxps://onedrive.live[.]com
  • hxxps://mega[.]nz
  • hxxps://www.icloud[.]com/iclouddrive
  • hxxps://www.pcloud[.]com
IF001.002Exfiltration via Code Repository

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://github[.]com
  • hxxps://gitlab[.]com
  • hxxps://bitbucket[.]org
  • hxxps://sourceforge[.]net
  • hxxps://aws.amazon[.]com/codecommit
IF001.003Exfiltration via Text Storage Sites

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://pastebin[.]com
  • hxxps://hastebin[.]com
  • hxxps://privatebin[.]net
  • hxxps://controlc[.]com
  • hxxps://rentry[.]co
  • hxxps://dpaste[.]org
IF002.001Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

IF002.002Exfiltration via Physical Access to System Drive

A subject exfiltrates data by retrieving the physical drive used by a system.

IF002.003Exfiltration via New Internal Drive

A subject exfiltrates data by connecting an additional drive to a system using the Serial Advanced Technology Attachment (SATA) interface on a motherboard, and copying files to the new storage device.

IF002.004Exfiltration via Floppy Disk

A subject exfiltrates data using a floppy disk drive.

IF003.001Exfiltration via Photography

A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information.

IF003.002Exfiltration via Video Capture

A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information.

IF003.003Exfiltration via Audio Capture

A subject uses an external device, such as a mobile phone or camera, to take record audio containing sensitive information, such as conversations.

IF004.001Exfiltration via Bluetooth

A subject exfiltrates files using BlueTooth as the transportation medium.

IF004.002Exfiltration via AirDrop

A subject exfiltrates files using AirDrop as the transportation medium.

IF005.001Exfiltration via Installed Messaging Application

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

IF005.002Exfiltration via Web-Based Messaging Application

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

IF002.005Exfiltration via Physical Documents

A subject tansports physical documents outside of the control of the organization.

ME014.001External Printing

A subject has the ability to print documents and other files with a printer outside of the organisation’s control.

IF004.003Exfiltration via Personal NAS Device

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.

IF002.006Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

IF001.005Exfiltration via Note-Taking Web Services

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

  • hxxps://www.evernote[.]com
  • hxxps://keep.google[.]com
  • hxxps://www.notion[.]so
  • hxxps://www.onenote[.]com
  • hxxps://notebook.zoho[.]com
IF004.004Exfiltration via Screen Sharing Software

A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer.

IF018.001Exfiltration via AI Chatbot Platform History

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

IF018.002Reckless Sharing on AI Chatbot Platforms

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.

IF002.010Exfiltration via Bring Your Own Device (BYOD)

A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.

IF022.002PII Leakage (Personally Identifiable Information)

PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.

 

Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.

 

The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.

 

Examples of Infringement:

  • An employee downloads and shares a list of customer contact details without authorization.
  • PII is inadvertently exposed in error logs or email footers shared externally.
  • HR data containing employee National Insurance or Social Security numbers is copied to a personal cloud storage account.
IF022.003PHI Leakage (Protected Health Information)

PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.

 

HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.

 

In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.

 

This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.

 

Examples of Infringement:

  • A healthcare worker intentionally accesses a patient's medical records without authorization for personal reasons, such as to obtain information on a celebrity or acquaintance.
  • An employee negligently sends patient health data to the wrong recipient via email, exposing sensitive health information.
  • An insider bypasses security controls to access and exfiltrate medical records for malicious use, such as identity theft or selling PHI on the dark web.
IF023.002Sanction Violations

Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.

 

Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.

 

Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.

 

Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes.

IF023.003Anti-Trust or Anti-Competition

Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, violating laws designed to protect free market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.

 

Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.

 

Examples of Anti-Trust or Anti-Competition Violations:

 

  • A subject shares sensitive pricing or bidding information between competing companies, enabling coordinated pricing or market manipulation.
  • An insider with knowledge of a merger or acquisition shares details with competitors, leading to coordinated actions that suppress competition.
  • An employee uses confidential market data to form agreements with competitors on market control, stifling competition and violating anti-trust laws.

 

Regulatory Framework:

 

Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act.