Inside Out: Let’s build a community-sourced insider threat knowledge base

Suneel Sundar, MITRE Engenuity
Sep 21, 2023

Written by Cassidy Olsen, Shelley Folk, and Suneel Sundar.

Trusted insiders are both one of the greatest assets and one of the greatest threats to any organization. They can wreak havoc without raising suspicion, causing immeasurable damage to both the business and its reputation. Security operations centers (SOCs) and the networks they protect are often focused on defending against outside attacks and sometimes treat protection against insider threats as an additional duty. Networks are generally designed to give employees easy access to organizational resources to increase efficiency. However, this can be a dangerous game, and one that insiders can easily exploit.

Because of these threats and the need for real data, the Center for Threat-Informed Defense created the Insider Threat Knowledge Base. The Insider Threat Knowledge Base documents the tactics, techniques, and procedures (TTPs) that insiders use to conduct harmful activities. We share that information with the public, giving insider threat programs evidence-driven research to improve their detection and mitigation programs. The knowledge base collects and shares TTPs used by insider threats across organizations and across sectors.

We developed and published version 1 (v1) of the knowledge base in collaboration with our participants. v1 identified 54 individual TTPs by combing through real case data supplied by our participants and the community. You can view our previous work on our project page. With you, we can go much further.

Insider threats exploit our unwillingness to share

We can do this with your input and your data! We have created an authenticated portal where you, the boots-on-the-ground investigator or the Insider Threat Program Manager, can submit real cases without attribution. We are looking to you, the insider threat community, to get the word out about the project, help us gather more data, and uncover insider activity. Please request access to our Insider TTP Submission Portal on our project page.

By trusting employees to do the right thing and not abuse their privileges, organizations leave themselves open to harm unless they have proper safeguards and monitoring in place. Some insiders abuse that trust with intent. These malicious insiders are often the most difficult to identify: they blend in with other employees and use their legitimate accesses to skirt network protections. Others violate the rules out of complacency, expedience, or simple ignorance. These threats have been known about for a long time, but the knowledge is often siloed or limited to those with direct experience. Real-world data from these cases, gathered into community-wide knowledge, has been hard to come by, because insider threat programs are rarely willing to share sensitive case information.

Insider threats exploit the security community's unwillingness to share. If I am only aware of the insider TTPs that I have seen on my own network, then I will not defend against the techniques that you have seen but I have not. We designed the Insider Threat Knowledge Base to give insider threat practitioners the ability to share much-needed information without giving data on the individuals involved or exposing sensitive information about the company.

Advance community knowledge

Oftentimes, insiders are discovered only after they have harmed their companies. If organizations can identify potential indicators of an insider threat before an incident, they can orchestrate their defenses to prevent harm. Version 2 of the Insider Threat Knowledge Base will answer the following three questions with your help and the help of our research sponsors: CrowdStrike, Inc., HCA Information Technology & Services, Inc., JPMorgan Chase Bank, N.A., Lloyds Banking Group plc, Microsoft Corporation, Next DLP, and Verizon Business.

What are the techniques insiders use?

We will gain insight into new insider TTPs by analyzing insider threat case data provided by organizations. These are cases of real insiders: not what insiders could have done, but what they have actually done.

How can we detect, prevent, and otherwise mitigate them?

The TTPs provide the baseline for the mitigation mappings we will propose to help you protect your organization effectively. We will identify current mitigations mapped to MITRE ATT&CK® and apply them to the techniques used by insiders.

What are observable, objective indicators of an insider threat?

Along with the additional TTPs and mitigations, we want to understand more about the distinguishing features of insiders, which we are calling observable human indicators (OHIs):

  • How long have they been with the company?
  • What accesses do they have?
  • Are they currently undergoing, or have they ever had a security investigation opened against them?

These indicators are not thoughts, feelings, or sentiment, things that can change from day to day or force an investigator to guess. They are observable and measurable regardless of the insider's intent, regardless of their indifference to rules and policies, and regardless of their foreknowledge of the harm they cause. They are unambiguous indicators that will inform how we assess insiders.

Insider threats, intentional or not, harm organizations and the people within them. We want you to share the insider TTPs you have observed and, likewise, to defend against the TTPs seen and contributed by your peers. We all win when defenders detect and mitigate insider threat activity on IT systems and limit the damage. Join us and turn the inside out!

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center's mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, the outputs of its research and development are available publicly and for the benefit of all.

© 2023 MITRE Engenuity. Approved for Public Release. Document number CT0082