Is the time right for a unified lexicon of known tactics, techniques and procedures (TTP) used by insiders who opt to break trust with their employers? MITRE thinks so and has positioned itself to serve as the locus for insider threat knowledge.
In mid-February, MITRE Engenuity’s Center for Threat Informed Defense, supported by a phalanx of multi-sector powerhouses including Citigroup Technology, Microsoft, Crowdstrike, Verizon, and JP Morgan Chase, published their Design Principles and Methodology for the Insider Threat TTP Knowledge Base.
Malicious insiders “a unique threat”
Contemporaneously with the TTP knowledge base effort, a MITRE Engenuity blog post by Jon Baker, director of research and development at the Center for Threat-Informed Defense, posited something every CISO is aware of: “Malicious insiders represent a unique threat to organizations.” Baker’s post acknowledged that the focus is on the cyber threat and on activities which were “observable by a SOC in the IT environment.” CISOs will be well served to take note of Baker’s admonishment not to “focus on the TTPs of the last major insider threat case to hit the news.”
14 techniques of malicious insiders
The knowledge base highlighted 14 separate tactic areas, covering 54 identified techniques, with respect to the behavior of the malevolent insider, including:
- Resource development
- Initial access
- Privilege escalation
- Defense evasion
- Credential access
- Lateral movement
- Command and control
It is often posited how the trusted insider who stays within their swim lane may never percolate onto the radar of the insider threat management program. The MITRE effort is designed to put a fork into that position and demonstrate that even those who stay in their swim lane can be detected when they take actions in support of their having broken trust.
Common malicious insider tactics
The design principles of the program astutely included an assessment of the skill level required for each TTP and distinguished techniques documented in case files as having actually occurred (“did”) from hypothetical ones (“would” or “could”). Their findings noted these inferences:
- “Insider threats routinely use unsophisticated TTPs to access and exfiltrate data.”
- “Insider threats routinely leverage existing privileged access to facilitate data theft or other malicious actions.”
- “Insiders routinely ‘stage’ data they intend to steal prior to exfiltration.”
- “External/removable media remains a common exfiltration channel.”
- “Email remains a common exfiltration channel.”
- “Cloud storage represents both a collection target for insiders and a common exfiltration channel.”
They then took those inferences and assigned a weight of “frequency of use,” tagging each technique as “Frequent”, “Moderate” or “Infrequent”, to help practitioners sort the likelihood of a technique being used and to ensure those which occurred with greater frequency were covered. The accompanying GitHub documents are designed to assist teams in categorizing their own experiences.
Entities with limited resources should focus their attention on the “probable” and save the “possible” for when the queue permits. Focusing on what is possible, though improbable, according to Baker, while creative, “causes insider threat programs and SOCs to lose focus.” Appropriately, he goes on to quote Frederick the Great: “He who defends everything defends nothing.” So CISOs should prioritize the TTPs with the biggest bang for the buck.
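The inferences above describe a recurring sequence (an insider stages data, then moves it out over removable media, email or cloud storage) that a SOC can look for in endpoint telemetry. As an added illustration that is not part of the MITRE knowledge base or this article, the following Python correlates constructed sample events per user, flags a staging activity followed by an exfiltration channel within a time window, and attaches a frequency tag; the event format, the staging-folder hints and the tag values are assumptions, not the knowledge base’s actual data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint events: (ISO timestamp, user, action, detail).
EVENTS = [
    ("2024-03-01T09:02:00", "alice", "file_copy", "C:/Users/alice/Desktop/staging/q4_roadmap.docx"),
    ("2024-03-01T09:03:10", "alice", "file_copy", "C:/Users/alice/Desktop/staging/customer_list.xlsx"),
    ("2024-03-01T09:40:00", "alice", "usb_write", "E:/staging.zip"),
    ("2024-03-01T10:15:00", "bob", "email_attach", "weekly_report.pdf"),
    ("2024-03-02T14:00:00", "carol", "cloud_upload", "personal-drive/archive.zip"),
    ("2024-03-02T13:30:00", "carol", "file_copy", "/home/carol/tmp/export/db_dump.sql"),
]

# The three exfiltration channels the inferences call "common", with assumed
# frequency tags in the knowledge base's vocabulary (placeholders, not real KB values).
EXFIL_CHANNELS = {"usb_write": "Frequent", "email_attach": "Frequent", "cloud_upload": "Frequent"}
# Assumed path fragments that suggest data is being gathered before exfiltration.
STAGING_HINTS = ("staging", "export", "tmp")
WINDOW = timedelta(hours=2)


def find_stage_then_exfil(events, window=WINDOW):
    """Return one finding per exfiltration event preceded by staging within `window`."""
    by_user = defaultdict(list)
    for ts, user, action, detail in sorted(events, key=lambda e: e[0]):
        by_user[user].append((datetime.fromisoformat(ts), action, detail))

    findings = []
    for user, evs in by_user.items():
        # Staging candidates: file copies into a location matching a staging hint.
        staged = [(t, d) for t, a, d in evs
                  if a == "file_copy" and any(h in d.lower() for h in STAGING_HINTS)]
        for t, action, detail in evs:
            if action not in EXFIL_CHANNELS:
                continue
            prior = [d for st, d in staged if t - window <= st <= t]
            if prior:  # staging happened shortly before the outbound transfer
                findings.append({"user": user, "channel": action,
                                 "frequency": EXFIL_CHANNELS[action],
                                 "staged_files": len(prior), "exfil_detail": detail})
    return findings


if __name__ == "__main__":
    for f in find_stage_then_exfil(EVENTS):
        print(f)
```

Bob’s single email attachment with no preceding staging is deliberately not flagged, which is the point of correlating the two steps rather than alerting on every use of a common channel.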
Focus on the most likely insider threat scenarios
While nation-state suborning of an employee is a very real possibility, the greater likelihood is that the realized malicious insider action will be in support of the individual and their career. This may range from individuals harvesting information to launch their own venture, to selling the commodity at hand (the IP and trade secrets of their employer), or to taking the information/data as a condition of their next employment gig.
The purpose of creating the TTP knowledge base and community is to ensure that “The insider may no longer operate under the cover of legitimate use; we will detect the insider threat prior to its costly and embarrassing impact on our organizations.” This will be accomplished by industry sharing of processes and procedures, webinars, and conferences where use cases are shared and “defenders can learn from each other.”
Putting structure around the cyber activity quotient of the insider threat makes sense, and CISOs should at a minimum review the MITRE TTPs for applicability, with an eye toward determining how one might adopt the philosophy and avail themselves of the community of entities all rowing in the same direction to thwart the malevolent insider.