Preventions
- Home
- - Preventions
- -PV057
- ID: PV057
- Created: 28th April 2025
- Updated: 28th April 2025
- Contributor: The ITM Team
Structured Request Channels for Operational Needs
Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.
Implementation Approaches
- Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
- Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
- Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
- Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
- Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.
Operational Principles
- Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
- Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
- Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
- Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.
Sections
ID | Name | Description |
---|---|---|
AF023 | Browser or System Proxy Configuration | A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.
By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries. While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.
Technical MethodBoth browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:
Once defined, the behavior is as follows:
Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.
This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts. |
MT015.001 | Opportunism | The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.
Characteristics
Example ScenarioSenior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain. |
IF001.006 | Exfiltration via Generative AI Platform | The subject transfers sensitive, proprietary, or classified information into an external generative AI platform through text input, file upload, API integration, or embedded application features. This results in uncontrolled data exposure to third-party environments outside organizational governance, potentially violating confidentiality, regulatory, or contractual obligations.
Characteristics
Example ScenarioA subject copies sensitive internal financial projections into a public generative AI chatbot to "optimize" executive presentation materials. The AI provider, per its terms of use, retains inputs for service improvement and model fine-tuning. Sensitive data—now stored outside corporate control—becomes vulnerable to exposure through potential data breaches, subpoena, insider misuse at the service provider, or future unintended model outputs. |
AF022.002 | Use of Windows Subsystem for Linux (WSL) | The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.
WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.
Example Scenarios:
|