ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV023
  • Created: 19th June 2024
  • Updated: 19th June 2024
  • Contributor: The ITM Team

Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

Sections

ID Name Description
ME021Unrevoked Access

The subject has left the organization but still has access to services or data that is reserved for employees.

MT015Recklessness

The subject does not have a threatening motive. However, the subject under takes actions without due care and attention to the outcome, which causes an infringement.

PR024Increase Privileges

A subject uses a mechanism to increase or add privileges assigned to a user account under their control. This enables them to access systems, services, or data that is not possible with their standard permissions.

AF019Decrease Privileges

A subject uses a mechanism to decrease or remove the privileges assigned to a user account under their control. This may represent an anti-forensics technique where the subject attempts to obscure previously held privileges that could associate them with activity relating to an infringement.

ME024Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

 

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

 

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

ME025Placement

A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.

 

Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.

 

Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity.

ME021.001User Account Credentials

User credentials that were available to the subject during employment are not revoked and can still be used.

ME021.002Web Service Credentials

Web credentials that were available to the subject during employment are not revoked and can still be used.

ME021.003Physical Access Credentials

Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.

ME021.004API Keys

API keys that were available to the subject during employment are not revoked and can still be used.

ME021.005SSH Keys

SSH keys that were available to the subject during employment are not revoked and can still be used.

AF018.002Environment Tripwires

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

 

This tripwire API is embedded within various parts of the environment:

  • Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
  • Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
  • Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

 

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

  • Known Security Tools: Scanning for network traffic signatures from common security tools (like Nessus or nmap) or patterns associated with incident response teams.
  • Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
  • System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

 

The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.

 

Upon detecting activity, the API tripwire can take immediate evasive actions:

  • Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
  • Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
  • Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
  • Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.
PR020.002Modification of Sensitivity Labels

The subject modifies or downgrades the sensitivity label of a file in an attempt to bypass DLP or other security controls.

PR020.003Misclassification of Sensitivity Labels

The subject intentionally misclassifies the sensitivity label of a file in an attempt to bypass DLP or other security controls.

IF011.003Providing Unauthorized Access to a Collaboration Platform

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

ME021.006Multi-Factor Authentication

MFA tokens or hardware devices (such as physical security keys) issued to the subject during employment are not deactivated and can still be utilized.

IF022.002PII Leakage (Personally Identifiable Information)

PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.

 

Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.

 

The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.

 

Examples of Infringement:

  • An employee downloads and shares a list of customer contact details without authorization.
  • PII is inadvertently exposed in error logs or email footers shared externally.
  • HR data containing employee National Insurance or Social Security numbers is copied to a personal cloud storage account.
IF022.003PHI Leakage (Protected Health Information)

PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.

 

HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.

 

In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.

 

This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.

 

Examples of Infringement:

  • A healthcare worker intentionally accesses a patient's medical records without authorization for personal reasons, such as to obtain information on a celebrity or acquaintance.
  • An employee negligently sends patient health data to the wrong recipient via email, exposing sensitive health information.
  • An insider bypasses security controls to access and exfiltrate medical records for malicious use, such as identity theft or selling PHI on the dark web.
IF023.002Sanction Violations

Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.

 

Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.

 

Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.

 

Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes.

IF023.003Anti-Trust or Anti-Competition

Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, violating laws designed to protect free market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.

 

Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.

 

Examples of Anti-Trust or Anti-Competition Violations:

 

  • A subject shares sensitive pricing or bidding information between competing companies, enabling coordinated pricing or market manipulation.
  • An insider with knowledge of a merger or acquisition shares details with competitors, leading to coordinated actions that suppress competition.
  • An employee uses confidential market data to form agreements with competitors on market control, stifling competition and violating anti-trust laws.

 

Regulatory Framework:

 

Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act.

ME024.001Access to Customer Data

A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration.

Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls.

 

In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse.

ME024.002Access to Privileged Groups and Non-User Accounts

A subject with access to privileged groups (e.g., Domain Admins, Enterprise Admins, or Security Groups) or non-user accounts (such as service accounts, application identities, or shared mailboxes) gains elevated control over systems, applications, and sensitive organizational data. Access to these groups or accounts often provides the subject with knowledge of security configurations, user roles, and potentially unmonitored or sensitive activities that occur within the system.

 

Shared mailboxes, in particular, are valuable targets. These mailboxes are often used for group communication across departments or functions, containing sensitive or confidential information, such as internal discussions on financials, strategic plans, or employee data. A subject with access to shared mailboxes can gather intelligence from ongoing conversations, identify targets for further exploitation, or exfiltrate sensitive data without raising immediate suspicion. These mailboxes may also bypass some security filters, as their contents are typically considered routine and may not be closely monitored.

 

Access to privileged accounts and shared mailboxes also allows subjects to escalate privileges, alter system configurations, access secure data repositories, or manipulate security settings, making it easier to both conduct malicious activities and cover their tracks. Moreover, service and application accounts often have broader access rights across systems or environments than typical user accounts and are frequently excluded from standard monitoring protocols, offering potential pathways for undetected exfiltration or malicious action.

 

This elevated access gives subjects insight into critical system operations and internal communications, such as unencrypted data flows or internal vulnerabilities. This knowledge not only heightens their potential for malicious conduct but can also make them a target for external threat actors seeking to exploit this elevated access.

ME024.003Access to Critical Environments (Production and Pre-Production)

Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.

 

Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.

 

In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.

 

Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.

 

Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security.

ME024.004Access to Physical Hardware

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

 

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

 

With this type of access, a subject can:

  • Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
  • Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
  • Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
  • Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
  • Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
  • Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

 

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

 

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

ME024.005Access to Physical Spaces

Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.

 

Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.

 

This type of access can be leveraged to:

  • Obtain unattended or discarded sensitive information, such as printouts, notes, or credentials left on desks.
  • Observe operational activity or decision-making, gaining insight into projects, personnel, or internal dynamics.
  • Access unlocked devices or improperly secured terminals, allowing direct system interaction or credential harvesting.
  • Bypass digital controls via physical means, such as tailgating into secure spaces or using misappropriated access cards.
  • Covertly install or remove equipment, such as data exfiltration tools, recording devices, or physical implants.
  • Eavesdrop on confidential conversations, either directly or through concealed recording equipment, enabling the collection of sensitive verbal disclosures, strategic discussions, or authentication procedures.

 

Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.

 

Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.

 

The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.

ME025.001Proximity to Strategic Business Functions

A subject’s placement within critical business units or specialized teams can grant them access to highly sensitive operational data, strategic initiatives, and proprietary information. Roles within departments such as executive leadership, corporate strategy, legal, finance, R&D, supply chain management, and security operations position the subject to interact with confidential communications, forward-looking business plans, and strategic decision-making processes.

 

Subjects in close proximity to organizational leadership—including C-suite executives, senior directors, or key decision-makers—are uniquely positioned to access sensitive insights, manipulate decision-making, or gather intelligence on high-stakes initiatives. These individuals may be exposed to:

 

  • Privileged communications such as internal memos, executive briefings, and strategic planning documents that are typically restricted.
  • Pre-decisional data, including merger and acquisition strategies, product development pipelines, and market positioning strategies.
  • Strategic operational plans outlining organizational direction, key resource allocation, and long-term goals.

 

Having direct or indirect access to leaders facilitates eavesdropping on confidential conversations and provides early awareness of business initiatives. This proximity allows the subject to assess organizational vulnerabilities or identify high-value targets for insider exploitation. Furthermore, the subject may be positioned to:

 

  • Influence decision-making through the selective manipulation of information presented to decision-makers. This could include distorting risk profiles or promoting particular courses of action that align with their objectives.
  • Shape the outcome of high-value transactions such as mergers, acquisitions, and partnerships by influencing the information executives receive or the strategies they adopt.
  • Alter project and resource prioritization by subtly steering leadership towards certain initiatives, products, or investments.
  • Impact compliance and risk management practices, potentially distorting organizational responses to regulatory requirements or operational risks.

 

Subjects in such positions hold considerable power to shape business outcomes—both through direct influence over strategic initiatives and by gaining early insights into organizational direction, which can be exploited for personal gain, external manipulation, or other malicious intents.

 

Additionally, such individuals may become targets for recruitment by external entities seeking to exploit their access to confidential business data or influence over strategic decisions. Their proximity to leadership and critical business functions makes them an ideal conduit for conducting insider threats on behalf of external adversaries.