ITM is an open framework - Submit your contributions now.

Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Internal Whistleblowing

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

Restrict Windows System Time Modification

Windows Time Service Synchronization

Exchange Restrict Outbound Emails via Recipient Domain

Regulation Awareness Training

Implement MIP Sensitivity Labels

Privileged Access Management (PAM)

Managerial Approval

Social Media Screening

Employment Reference Checks

Criminal Background Checks

Government-Issued ID Verification

Human Resources Collaboration for Early Threat Detection

Enforce Multi-Factor Authentication (MFA)

Azure Conditional Access Policies

Structured Request Channels for Operational Needs

Consistent Enforcement of Minor Violations

Insider-Focused Threat Intelligence

Disable Proxy Configuration on Windows Systems

Disable Snipping Tool, Group Policy

Static Code Analysis via CI/CD Pipelines

Local DNS Sinkhole, Windows

Local DNS Sinkhole, Linux

Non-Disclosure Agreement

Security Vetting and Clearance

Psychological Risk Assessment Program

Microsoft Litigation Hold

Identity Credential Challenge and Verification

Service Desk Caller Verification Process

ID: PV049
Created: 23rd April 2025
Updated: 23rd April 2025
Platforms: Windows, Linux, MacOS,
Contributor: The ITM Team

Managerial Approval

The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate.

Sections

ID	Name	Description
PR010	Software or Access Request	A subject may make a request for software (such as an RDP, SSH or FTP client) or access (such as USB mass storage device access) to be installed or enabled on a target system, to facilitate the infringement.
IF013	Disruption of Business Operations	The subject causes interruptions, degradation, or instability in organizational systems, processes, or data flows that impair day‑to‑day operations and affect availability, integrity, or service continuity. This category encompasses non‑exfiltrative and non‑theft forms of disruption, distinct from data exfiltration or malware aimed at permanent destruction. Disruptive actions may include misuse of administrative tools, intentional misconfiguration, suppression of services, logic interference, dependency tampering, or selective disabling of critical functions. The objective is operational impact; slowing, blocking, or misrouting workflows, rather than data removal or theft.
PR027.002	Impersonation via Collaboration and Communication Tools	The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy. Impersonation in this context can be achieved through: Lookalike email addresses (e.g., spoofed domains or typo squatting). Cloned display names in collaboration tools. Shared calendar invites or chats initiated under false authority. Use of compromised or unused accounts from real employees, contractors, or vendors. The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds. Example Scenarios: A subject registers a secondary internal email alias (`john.smyth@corp-secure.com`) closely resembling a senior executive and uses it to request financial data from junior employees. A subject joins a sensitive Slack channel using a display name that mimics another department member and quietly monitors ongoing discussions related to mergers and acquisitions activity. A compromised service account is used by an insider to initiate SharePoint document shares with external parties, appearing as a legitimate internal action. The subject impersonates an IT support contact via Teams or email to socially engineer MFA tokens or password resets.
AF022.001	Use of a Virtual Machine	The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.
ME001.002	Purchase and Use of Unmanaged Corporate Hardware	The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment. Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls. This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.
PR027.005	Service Desk Impersonation for Credential Manipulation	The subject deliberately impersonates a member of the organization—typically a colleague, manager, or IT representative—or otherwise misrepresents themselves in order to manipulate service desk staff into resetting a password, unlocking an account, or granting access to a system. These requests are framed to appear legitimate and urgent, often exploiting common support workflows or pressure tactics (e.g., deadline stress, executive impersonation). This behavior is especially dangerous because it abuses internal trust pathways and bypasses traditional authentication, detection, or technical controls. It can occur via phone, email, chat, or in-person interaction and is frequently used in preparation for unauthorized data access, surveillance, or exfiltration.
IF013.002	Operational Disruption Impacting Customers	The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust. Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access. Examples include: Intentionally disabling authentication or API endpoints Modifying DNS, firewall, or routing rules to block legitimate traffic Tampering with load balancers or HA/failover logic Altering service configurations to break dependency chains (e.g. pointing production systems to empty dev databases) Injecting false flags into monitoring or orchestration tools to trigger auto-scaling failures or mis-alerts Enabling excessive logging or computation to induce service latency or memory exhaustion Locking critical service accounts, API keys, or secrets in vault systems These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly.