Insider Threat Knowledge Base 2.0: More Techniques, New Mitigations, and the Human Touch

Mike Cunningham, MITRE-Engenuity
Mar 6, 2024

Written by Mike Cunningham and Suneel Sundar.

The cybersecurity landscape is perpetually evolving, and with it, the nature of insider threats. In response to this challenging environment, we created an expansion of the Insider Threat TTP Knowledge Base. This platform represents a significant update to our earlier work, adding new techniques, identifying mitigations, and creating a new data source to help identify insiders called Observable Human Indicators (OHIs).

For those new to this initiative, our methodology is detailed in our earlier blog post, which provides a foundational understanding of our approach.

A Pioneering Collaboration

The Insider Threat TTP KB is not just another database; it’s the first of its kind to offer an evidence-based, cross-sector, multi-organizational, and publicly-available compendium of insider threat tactics, techniques, and procedures (TTPs). This endeavor was conducted in partnership with our Center research participants CrowdStrike, HCA Healthcare, JPMorgan Chase Bank, N.A., Lloyds Banking Group, Microsoft Corporation, Next DLP, and Verizon Business.

Additionally, the expansion and refinement of our data repository was made possible by new cases and insights from our dedicated data contributors. Their contributions truly form the backbone of this project, and we extend our deepest gratitude for their support.

Progress and Discoveries

Let’s recap our journey! In our initial round, we validated 31 MITRE ATT&CK® techniques and 20 sub-techniques that were seen at least once in the cases we studied. These initial techniques laid the foundation for our knowledge base (KB).

The InT TTP KB now contains 47 ATT&CK techniques and 29 sub-techniques. Of these, 16 techniques and 9 sub-techniques were added to the KB during this release, representing more than 50% growth in techniques seen being used by insiders. It is rewarding to observe that community-sourcing case studies has proven valuable. On the other hand, we see that insiders are using more of the ATT&CK matrix, which makes our work as defenders more difficult.

Insider Threat TTPs in the Knowledge Base

The Evolving Sophistication of Insiders

While analyzing the data, a few interesting patterns emerged. First, we saw a bump in sophistication from the most common techniques year over year. Insiders are now using techniques that an average user would not be executing on a regular basis. For instance, our first release featured techniques like Valid Accounts, Data from Information Repositories, and Exfiltration over Physical Medium, which are all behaviors that would be expected from a regular user under normal circumstances. With our latest release, we saw unexpected behaviors like Data Manipulation, Account Manipulation, and Impair Defenses. As such, they might provide defenders a better opportunity to detect insiders.

Fraud and Exfiltration

The next pattern identified was that there were two types of behavior that stood out in our case data: fraud and exfiltration.

Fraud: Insiders carrying out fraud would first research their victims, typically through Data from Information Repositories. Once the insider had enough information about their target victim, they would then find ways to Manipulate Accounts, which allowed them to process illegitimate refunds and payments. In most fraud cases, the insider received immediate distribution of funds, and in all cases we examined, the amount was less than $250, making it more difficult to detect their misdeeds.

Exfiltration: Exfiltration is an obvious goal, and it can sometimes be hard to detect because moving data out of the organization is part of regular business operations. However, if we chain together the behaviors that were seen in the case data, defenders have more detection points at which to catch insiders. Data exfiltration follows a distinct path involving Access to Data Repositories, Staging, Archiving, and eventually, Physical Removal of Data via Devices like USB drives.
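The two behavior chains above (fraud and exfiltration) are useful precisely because the individual steps look like ordinary work; it is the ordered sequence per user within a time window that stands out. The following is an added example of such a chain correlator, not code from the Insider Threat TTP KB or from the authors. The event field names, the sample log lines, the time windows, and the "at least two refunds" rule are constructed assumptions; the $250 refund ceiling is taken from the case-data observation above.

```python
"""Behaviour-chain correlation for the fraud and exfiltration patterns.

Added example (not part of the Insider Threat TTP KB). Event schema, sample
events, window lengths and the minimum-refund count are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event_type, detail).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "repo_access", "customer_db"),
    ("2024-03-01T09:40:00", "alice", "account_modify", "refund_limit_raised"),
    ("2024-03-01T10:05:00", "alice", "refund", "240.00"),
    ("2024-03-01T13:10:00", "alice", "refund", "199.50"),
    ("2024-03-02T08:30:00", "alice", "refund", "225.00"),
    ("2024-03-01T11:00:00", "bob", "repo_access", "engineering_wiki"),
    ("2024-03-01T11:30:00", "bob", "file_stage", "C:/Users/bob/tmp/export"),
    ("2024-03-01T11:45:00", "bob", "archive_create", "export.zip"),
    ("2024-03-01T12:00:00", "bob", "usb_write", "export.zip"),
    ("2024-03-01T14:00:00", "carol", "repo_access", "hr_portal"),
    ("2024-03-01T14:30:00", "carol", "archive_create", "report.zip"),
    # carol never stages or writes to USB: chain stays incomplete.
    ("2024-03-03T09:00:00", "dave", "refund", "1200.00"),
    # dave issues one large refund with no prior research/manipulation steps.
]

# Ordered technique chains described in the case data.
EXFIL_CHAIN = ["repo_access", "file_stage", "archive_create", "usb_write"]
FRAUD_CHAIN = ["repo_access", "account_modify", "refund"]
FRAUD_MAX_AMOUNT = 250.0   # from the page: every observed fraud refund was < $250
FRAUD_MIN_REFUNDS = 2      # assumption: one small refund alone is not suspicious


def parse(events):
    """Group raw events by user and sort each user's events chronologically."""
    by_user = defaultdict(list)
    for ts, user, etype, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), etype, detail))
    for user in by_user:
        by_user[user].sort()
    return by_user


def chain_matches(user_events, chain, window):
    """True if the event types in `chain` occur in order, all within `window`
    of the chain's first step. Other events may be interleaved."""
    idx, start = 0, None
    for ts, etype, _ in user_events:
        if start is not None and ts - start > window:
            idx, start = 0, None      # window expired: look for a fresh start
        if etype == chain[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(chain):
                return True
    return False


def detect_exfiltration(by_user, window=timedelta(hours=24)):
    """Users who completed repository access -> staging -> archive -> USB."""
    return sorted(u for u, ev in by_user.items()
                  if chain_matches(ev, EXFIL_CHAIN, window))


def detect_fraud(by_user, window=timedelta(days=7)):
    """Users who researched, manipulated an account, then issued repeated
    sub-threshold refunds. Returns (user, refund_count, total_amount)."""
    flagged = []
    for user, ev in sorted(by_user.items()):
        if not chain_matches(ev, FRAUD_CHAIN, window):
            continue
        small = [float(d) for _, t, d in ev
                 if t == "refund" and float(d) < FRAUD_MAX_AMOUNT]
        if len(small) >= FRAUD_MIN_REFUNDS:
            flagged.append((user, len(small), round(sum(small), 2)))
    return flagged


if __name__ == "__main__":
    grouped = parse(SAMPLE_EVENTS)
    print("exfiltration chain complete:", detect_exfiltration(grouped))
    print("fraud chain with small refunds:", detect_fraud(grouped))
```

Note that carol is not flagged even though she accessed a repository and built an archive, and dave is not flagged for a single large refund: each chain only fires when the whole sequence appears in order for the same user, which is what keeps a correlator like this from paging on routine work.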

Introducing ATT&CK Mitigations and Observable Human Indicators

We added two significant enhancements to our KB: mitigations and observable human indicators.

Mitigations: Using knowledge from ATT&CK and insider threat experts, we identified mitigations for each of the techniques we reviewed. Defenders, you can take action to protect against insider threats! The most identified mitigations are foundational security practices — user account management, privileged account management, multi-factor authentication, auditing, and disabling or removal of features or programs. These demonstrate that basic cyber hygiene is still essential and effective when designing a security program.

OHIs: We’ve also introduced Observable Human Indicators (OHIs), which are discernible and quantifiable attributes of individuals within an organization — such as job title, access level, and tenure. OHIs provide a factual basis for assessing potential insider threat risk that complements the techniques insiders deploy against IT systems.

Observable Human Indicators as viewed in our submission portal

Contribute to the Community

The Insider Threat TTP KB is a living resource, and its growth is contingent on the collective input of the cybersecurity community. Please visit our website, contribute data, and join our efforts in shaping a more secure digital future. Learn how to contribute here.

Your expertise and participation are essential to the security of organizations worldwide. Together, we can build a formidable defense against the ever-evolving threat that insiders pose.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

©2024 MITRE Engenuity. Approved for Public Release. Document number CT0102.

Mike Cunningham
MITRE-Engenuity

R&D Program Manager in the Center for Threat-Informed Defense at MITRE Engenuity