Launching a community-driven insider threat knowledge base

Jon Baker, MITRE-Engenuity
Feb 17, 2022

Written by Adam Hlavek, Shelley Folk, Suneel Sundar, and Jon Baker.

Malicious insiders represent a unique threat to organizations. Modern enterprise networks are frequently designed to defend against external threats while implicitly trusting their internal user base. That trust, while essential, affords opportunities for abuse from those within the organization. Employees can do grave financial, operational, and reputational damage through malicious actions such as stealing sensitive data or deliberately sabotaging key systems. Thus, the detection and mitigation of the “insider threat” has become one of the standing challenges within cybersecurity. To make that detection precise, security operations centers (SOCs) and insider threat analysts need to know which technical mechanisms insiders actually use, and which controls mitigate them.

To advance our collective understanding of insider threats, the Center for Threat-Informed Defense created the Insider Threat TTP Knowledge Base. This collection of tactics, techniques, and procedures (TTPs) used by known insiders in IT environments was developed with support from participants including Citigroup Technology, Inc., CrowdStrike, Inc., HCA — Information Technology & Services, Inc., JPMorgan Chase Bank, N.A., Microsoft Corporation, and Verizon Business Services. With this lexicon of known insider threat TTPs as a foundation, defenders can detect and mitigate insider actions on IT systems, and emulate those actions to test their own defenses.

Publishing the Knowledge Base is our first step towards establishing a community-wide collaboration to advance our collective understanding of insider threats. Our initial publication is based on analysis of insider threat case data contributed by our participants, and it identifies 54 ATT&CK techniques that insiders have used. Because this release is only the first step in establishing a common lexicon for defenders, we also created a supporting methodology and process that allows us to work systematically with the cybersecurity community to develop and expand the Insider Threat TTP KB.

Our findings — data collection & exfiltration dominate

We partnered with Center participants to collect and analyze insider threat case data, leveraging the structure and content of MITRE ATT&CK® for Enterprise to systematically identify those tactics and techniques in ATT&CK that were observed in the case data. To date, the case data shows that data collection and exfiltration are prevalent: insiders typically staged the data first and then exfiltrated it through their chosen channel. Many of them also removed large document dumps multiple times before they were caught or left the company.

There may be several reasons why we saw so many cases of data exfiltration, beginning with the fact that these actions are relatively easy to detect, so they are over-represented among cases that were actually caught. These techniques also require little skill, so they are available to a wider range of people. It is similarly possible that the specific teams within the organizations submitting the case data only had access to certain types of cases. While these findings are not in themselves surprising, they do provide early validation of our approach.

ATT&CK Navigator view of validated insider TTPs.

Our scope — a SOC perspective

If you have seen one insider threat program, well then, you’ve seen one insider threat program… This play on the “if you have seen one, you’ve seen them all” idiom is certainly true of our observations of insider threat programs. Organizations take different approaches to tackling insider threats, which leads to significant differences in who has access to what data (SOC, HR, physical security, etc.) and how insider threat cases are handled. Given the Center’s focus on cyber threats, we found a common ground and opportunity among our participants: SOC teams had a role in insider threat programs and had access to a subset of insider case data.

Based on this common ground, we saw an opportunity to illuminate the set of insider threat TTPs that are observable by a SOC in the IT environment. While this scope is only a slice of the larger insider threat problem area, advancing our collective understanding of these TTPs will better prepare defenders and advance insider threat programs.

Our scope — what insiders did, not what is possible

At its foundation, threat-informed defense is about focusing our defenses on real-world adversary behaviors. Network defenders often focus on the TTPs of the last major insider threat case to hit the news, anticipating that every insider threat will act like a Manning, Snowden, or Hanssen. When so much attention is paid to the one-in-a-million indicators associated with these notorious cases, more “mundane” but equally damaging actions are overlooked. Hunting the one-in-a-million cases puts defenders in the mindset of thinking about what is possible instead of what is probable. It causes defenders to “be creative” when designing sensors or searching for indicators because defenders must speculate on techniques that an insider could hypothetically execute. This creativity causes insider threat programs and SOCs to lose focus.

We labeled these possible TTPs as “could”, as in an insider threat could use these TTPs to harm an organization. Frederick the Great is quoted as saying “he who defends everything defends nothing.” “Could” is the superset of actual, hypothetical, and fantastical insider actions. We aim to enable organizations to shift their insider threat mitigations from “could” to actionable detections and response.

We reduced the set of TTPs that an insider could use down to a much more reasonable set that an insider would use. These TTPs, which have a realistic chance of being used by an insider threat, provided the baseline for analyzing insider case data. Each case was then mapped, or coded, to the TTPs in the “would” list derived from ATT&CK. This approach simplified the task of reviewing and coding cases by reducing the volume of candidate TTPs an analyst has to consider.

The Insider Threat TTP KB is limited to those TTPs that “did” occur, that is, TTPs validated against case data from our participants.

Focusing our defenses on real-world insider threat behaviors — the “did”
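The following added example (not the Center’s tooling or data) shows the could/would/did reduction above as it would look when coding cases: a short “would” list of real ATT&CK for Enterprise technique IDs, a handful of constructed case records, a per-case count that yields the “did” set, and the ATT&CK Navigator layer that produces a view like the one shown earlier. The technique selection, the case records, and the Navigator version strings are this example’s own assumptions; the 54 techniques in the Knowledge Base are not reproduced here.

```python
"""Code constructed insider cases against an ATT&CK "would" list; derive the "did" set.

Added example, not part of the Insider Threat TTP Knowledge Base or its tooling.
"""
import json
from collections import Counter, defaultdict

# Constructed "would" list: a small slice of ATT&CK for Enterprise techniques an
# insider with legitimate access plausibly uses. The IDs are real ATT&CK IDs; the
# selection and tactic labels are the example's own, not the Knowledge Base's.
WOULD = {
    "T1005": ("Data from Local System", "collection"),
    "T1039": ("Data from Network Shared Drive", "collection"),
    "T1074.001": ("Local Data Staging", "collection"),
    "T1560.001": ("Archive via Utility", "collection"),
    "T1052.001": ("Exfiltration over USB", "exfiltration"),
    "T1567.002": ("Exfiltration to Cloud Storage", "exfiltration"),
    "T1048.003": ("Exfiltration Over Unencrypted Non-C2 Protocol", "exfiltration"),
    "T1485": ("Data Destruction", "impact"),
}

# Constructed case records, as an analyst would produce when coding closed cases.
CASES = [
    {"case": "C-01", "techniques": ["T1039", "T1074.001", "T1560.001", "T1052.001"]},
    {"case": "C-02", "techniques": ["T1005", "T1567.002", "T1567.002"]},  # repeated in one case
    {"case": "C-03", "techniques": ["T1039", "T1074.001", "T1567.002"]},
    {"case": "C-04", "techniques": ["T1005", "T1048.003"]},
    {"case": "C-05", "techniques": ["T1485"]},
    {"case": "C-06", "techniques": ["T1074.001", "T1052.001", "T1190"]},  # T1190 is off-list
]


def code_cases(cases, would):
    """Return (cases-per-technique counts, rejected codings).

    A technique is counted once per case, so a score means "number of cases in
    which it was observed". A coding outside the would list is not silently
    dropped: it is returned so the analyst can fix the coding or argue the
    technique onto the list.
    """
    counts = Counter()
    rejected = []
    for case in cases:
        for tid in set(case["techniques"]):
            if tid in would:
                counts[tid] += 1
            else:
                rejected.append((case["case"], tid))
    return counts, rejected


def did_list(counts):
    """The "did" set: would-list techniques validated by at least one case."""
    return sorted(tid for tid, n in counts.items() if n > 0)


def by_tactic(counts, would):
    """Roll case counts up to the tactic labels carried in the would list."""
    totals = defaultdict(int)
    for tid, n in counts.items():
        totals[would[tid][1]] += n
    return dict(totals)


def navigator_layer(counts, name="Insider cases (constructed)"):
    """Build an ATT&CK Navigator layer dict; the version strings are assumed."""
    return {
        "name": name,
        "versions": {"attack": "10", "navigator": "4.5.5", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": "Score = number of cases in which the technique was observed",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} case(s)", "enabled": True}
            for tid, n in sorted(counts.items())
        ],
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(counts.values(), default=1),
        },
    }


if __name__ == "__main__":
    counts, rejected = code_cases(CASES, WOULD)
    print("did:", did_list(counts))
    print("by tactic:", by_tactic(counts, WOULD))
    print("rejected codings:", rejected)
    json.dump(navigator_layer(counts), open("insider_layer.json", "w"), indent=2)
```

Run as a script, it writes `insider_layer.json`, which can be loaded into ATT&CK Navigator through its “Open Existing Layer” option to reproduce a heat map of the “did” set. The rejected coding (C-06, T1190) is the important design point: an off-list technique is surfaced for review rather than quietly becoming part of the “did” set, which keeps the published set traceable to the methodology.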

Creating a community focal point

This draft Knowledge Base is an evidence-based examination of detected, documented insider threat actions on IT systems across organizations and industries. From this data set, which is small in relation to the case data present across the security community, we deduced some patterns of insider actions. In the near-term, we need your help to validate or refute that analysis. Submit your insider cases, coded to the Knowledge Base, in accordance with the Design Principles & Methodology.

To gain community support, we will share our process and results through one-on-one conversations with your insider threat team, in webinars with curious cyber defenders, and at conferences of serious security practitioners. We seek to learn your insider threat use cases and your data sources, enabling us to raise the level of difficulty for any insider. Together we will create a forum where not only is the insider threat brought out, but where defenders can learn from each other. The insider may no longer operate under the cover of legitimate use; we will detect the insider threat prior to its costly and embarrassing impact on our organizations.

Future research — a foundation for detection and mitigation

Establishing these defined and documented TTPs gives us the foundation to expand from an understanding of insider threats to the detection and mitigation of insider threats. As the Knowledge Base matures, the Center will pursue further research into detection; identifying a threat is one step, albeit a critical one, towards stopping it. Our future research will map the insider threat TTPs recorded in the Knowledge Base to mitigations, providing critical resources for defenders and illuminating gaps in our defenses.

Join us

We are actively seeking feedback on this initial release and will continue to evolve it with your support. Your support is critical to establishing an open knowledge base of insider threat TTPs that will empower defenders to detect and mitigate insider threats.

  • Share your use cases with us — How will your organization use this knowledge base? And for those early adopters, what benefits or challenges have you seen?
  • Expand the knowledge base — Contact us to learn more about contributing to the knowledge base.

You can contact us at ctid@mitre-engenuity.org or file issues on our GitHub repository.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0041.

Jon Baker is Director and co-Founder of the Center for Threat-Informed Defense, MITRE-Engenuity.