ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV057
  • Created: 28th April 2025
  • Updated: 28th April 2025
  • Contributor: The ITM Team

Structured Request Channels for Operational Needs

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.

 

Implementation Approaches

  • Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
  • Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
  • Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
  • Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
  • Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.

 

Operational Principles

  • Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
  • Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
  • Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
  • Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.

 

Sections

ID Name Description
AF023Browser or System Proxy Configuration

A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.

 

By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries.

While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.

 

Technical Method

Both browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:

  • Declaring a proxy server IP address or hostname (e.g., 198.51.100.7)
  • Assigning a port (e.g., 8080, 3128)
  • Specifying bypass rules for local or internal traffic (e.g., localhost, *.corp)

 

Once defined, the behavior is as follows:

 

  • Outbound Traffic Routing: All HTTP and HTTPS traffic is redirected through the proxy server, often using tunneling methods (e.g., HTTP CONNECT).
  • DNS Resolution Shift: The proxy, not the local device, resolves domain names—bypassing internal DNS logging and threat intelligence correlation.
  • Destination Obfuscation: To enterprise firewalls, CASBs, and Secure Web Gateways, the endpoint appears to connect only to the proxy—not to actual external services.
  • Encrypted Traffic Concealment: If the proxy does not participate in the organization’s SSL inspection chain, encrypted traffic remains opaque and unlogged.
  • System-Level Impact: When configured at the OS level, the proxy may affect all applications—not just browsers—expanding the anti-forensic footprint to tools such as command-line utilities, development environments, or exfiltration scripts.

 

Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.

 

This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts.

MT015.001Opportunism

The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.

 

Characteristics

  • Motivated by immediate self-interest rather than deep-seated grievance or ideology.
  • May rationalize actions as minor, justified, or harmless ("no one will notice," "this helps everyone," "it's not a big deal").
  • Often triggered by environmental factors such as poor oversight, operational stress, or unmet personal needs.
  • May escalate over time if not detected and corrected early.
  • Subjects often do not view themselves as "threat actors" and may retain a positive view of their organization.
  •  

Example Scenario

Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain.

IF001.006Exfiltration via Generative AI Platform

The subject transfers sensitive, proprietary, or classified information into an external generative AI platform through text input, file upload, API integration, or embedded application features. This results in uncontrolled data exposure to third-party environments outside organizational governance, potentially violating confidentiality, regulatory, or contractual obligations.

 

Characteristics

  • Involves manual or automated transfer of sensitive data through:
  • Web-based AI interfaces (e.g., ChatGPT, Claude, Gemini).
  • Upload of files (e.g., PDFs, DOCX, CSVs) for summarization, parsing, or analysis.
  • API calls to generative AI services from scripts or third-party SaaS integrations.
  • Embedded AI features inside productivity suites (e.g., Copilot in Microsoft 365, Gemini in Google Workspace).
  • Subjects may act with or without malicious intent—motivated by efficiency, convenience, curiosity, or deliberate exfiltration.
  • Data transmitted may be stored, cached, logged, or used for model retraining, depending on provider-specific terms of service and API configurations.
  • Exfiltration through generative AI channels often evades traditional DLP (Data Loss Prevention) patterns due to novel data formats, variable input methods, and encrypted traffic.

 

Example Scenario

A subject copies sensitive internal financial projections into a public generative AI chatbot to "optimize" executive presentation materials. The AI provider, per its terms of use, retains inputs for service improvement and model fine-tuning. Sensitive data—now stored outside corporate control—becomes vulnerable to exposure through potential data breaches, subpoena, insider misuse at the service provider, or future unintended model outputs.

AF022.002Use of Windows Subsystem for Linux (WSL)

The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.

 

WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.

 

Example Scenarios:

 

  • The subject downloads and processes sensitive files inside the WSL environment using native Linux tools (e.g., scp, gpg, rsync), preventing access and modification timestamps from appearing in Windows Explorer or standard audit logs.
  • A subject extracts and stages exfiltration material in /mnt/c within WSL, using symbolic links and Linux file permissions to obscure its presence from Windows search and indexing services.
  • WSL is used to execute recon and credential-harvesting scripts (e.g., nmap, hydra, ssh enumeration tools), with no execution trace in Windows Event Logs.
  • Upon completion of activity, the subject deletes the WSL distribution, leaving minimal residue on the host system—especially if no antivirus or EDR coverage extends into the WSL layer.