Identifying and Mitigating Threats
The MITRE ATT&CK® framework maps data sources and mitigations, where applicable, to each technique in the ATT&CK for Enterprise knowledge base. These mappings have been validated against external actors; the Center research team behind the Insider Threat Knowledge Base is now validating them for their applicability to insider threats as well. The Center team is working under the assumption that many or most of the listed mitigations and data sources will serve both efforts, but that there will likely be some differences, or additional data sources and mitigations, specific to insider threat.
Mitigations
Mitigations have been identified through their mappings to ATT&CK® TTPs and through validation by Center participants. Currently, every insider threat TTP in the Knowledge Base is also a TTP in ATT&CK, so the team has reviewed all corresponding mitigations defined in ATT&CK. All ATT&CK for Enterprise mitigations are relevant to insider threats. Through discussion with project participants, further mitigations may be identified in the future. The table below details the tactic, technique, and mitigation mappings specific to insider threat.
| Technique ID | Mitigation IDs |
|---|---|
| | M1056 |
| | M1056 |
| | M1056 |
| | M1027, M1018, M1026, M1013, M1017, M1015, M1036 |
| | M1032, M1026, M1017 |
| | M1038, M1040 |
| | M1030, M1028, M1032, M1026 |
| | M1032, M1026 |
| | M1018, M1026, M1040 |
| | M1030, M1042, M1035, M1032 |
| | M1027, M1018, M1026, M1013, M1017, M1015, M1036 |
| | M1027, M1015, M1026, M1032, M1036, M1017, M1018 |
| | M1032, M1026, M1017 |
| | M1038, M1028, M1052, M1026, M1018, M1047, M1022 |
| | M1054, M1018, M1038, M1022, M1024, M1047 |
| | M1038, M1024, M1018, M1022 |
| | M1041, M1029, M1022 |
| | M1022, M1029, M1041 |
| | M1017, M1045, M1040, M1022, M1049, M1038 |
| | M1047, M1040, M1017, M1049 |
| | M1027, M1018, M1026, M1013, M1017, M1015, M1036 |
| | M1032, M1026, M1017 |
| | M1026, M1027 |
| | M1051, M1054, M1027 |
| | M1042, M1031, M1030 |
| | M1028 |
| | M1042, M1016, M1050, M1030, M1019, M1048, M1026, M1051 |
| | M1018, M1042, M1032 |
| | M1047, M1035, M1030, M1028, M1042, M1018, M1032, M1026 |
| | M1042, M1032, M1018 |
| | M1047 |
| | M1047 |
| | M1029, M1041 |
| | M1017, M1018, M1047 |
| | M1017, M1047, M1018, M1032 |
| | M1047, M1018, M1017 |
| | M1057 |
| | M1032, M1041, M1047 |
| | M1041 |
| | M1038, M1037, M1031 |
| | M1030, M1057, M1037, M1031, M1022, M1018 |
| | M1037, M1031, M1030 |
| | M1042, M1028 |
| | M1042, M1028 |
| | M1057, M1034, M1042 |
| | M1042, M1034, M1057 |
| | M1021, M1057 |
| | M1021 |
| | M1053 |
| | M1056 |
| | M1056 |
| | M1056 |
| | M1056 |
| | M1032, M1018, M1030 |
| | M1030, M1018, M1032, M1026, M1028 |
| | M1032 |
| | M1041, M1029, M1022 |
| | M1027 |
| | M1041, M1051, M1017, M1015, M1027, M1028, M1037, M1022, M1035, M1047, M1026 |
| | M1047, M1017 |
| | M1042, M1031, M1030 |
| | M1041, M1029, M1030, M1022 |
| | M1022, M1029, M1041 |
| | M1053 |
| | M1053 |
| | M1017, M1018 |
Data Sources
The data sources that provide information useful for identifying insider threats have been detailed. Identifying the data sources most commonly needed to detect insider threat will enhance the community's ability to mitigate insider threats. The data sources were identified first through mappings from ATT&CK, as with the mitigations, with follow-on confirmation from project participants. The table below details the tactic, technique, and data source mappings specific to insider threat.
| Technique ID | Datasource IDs |
|---|---|
| | DS0029 |
| | DS0029 |
| | DS0029, DS0021 |
| | DS0028, DS0002 |
| | DS0002, DS0028 |
| | DS0009, DS0011 |
| | DS0009, DS0017, DS0002 |
| | DS0002, DS0009, DS0017 |
| | DS0011, DS0005, DS0022, DS0024, DS0017, DS0025, DS0009 |
| | DS0009, DS0017, DS0005 |
| | DS0029, DS0028, DS0015 |
| | DS0028, DS0002 |
| | DS0002, DS0028 |
| | DS0002, DS0028 |
| | DS0009, DS0002, DS0017, DS0022, DS0024 |
| | DS0022, DS0025, DS0018, DS0017, DS0012, DS0009, DS0024, DS0019, DS0002, DS0013, DS0027 |
| | DS0013, DS0009, DS0019, DS0024, DS0017, DS0027 |
| | DS0003, DS0022, DS0018, DS0002, DS0009, DS0015, DS0017, DS0024, DS0029 |
| | DS0017, DS0022, DS0009 |
| | DS0017, DS0022 |
| | DS0022, DS0009, DS0019, DS0007, DS0003, DS0017 |
| | DS0005, DS0012, DS0022, DS0011, DS0017, DS0009, DS0024 |
| | DS0028, DS0002 |
| | DS0002, DS0028 |
| | DS0022, DS0017, DS0009, DS0025 |
| | DS0009, DS0022, DS0017 |
| | DS0029, DS0017, DS0025 |
| | DS0009, DS0017 |
| | DS0029, DS0015 |
| | DS0011, DS0029, DS0017, DS0033, DS0005, DS0028, DS0009 |
| | DS0029, DS0028, DS0009 |
| | DS0028, DS0009, DS0029 |
| | DS0017, DS0012, DS0009, DS0022 |
| | DS0009, DS0017, DS0022 |
| | DS0017, DS0022, DS0012 |
| | DS0028, DS0015 |
| | DS0015, DS0028 |
| | DS0028, DS0015 |
| | DS0009, DS0012, DS0017, DS0022 |
| | DS0022, DS0024, DS0017 |
| | DS0022, DS0024, DS0017 |
| | DS0028, DS0015, DS0029, DS0022, DS0017 |
| | DS0022, DS0017 |
| | DS0009, DS0029 |
| | DS0010, DS0029, DS0017, DS0015, DS0022 |
| | DS0029, DS0017, DS0022 |
| | DS0029, DS0022, DS0017 |
| | DS0029, DS0017, DS0022 |
| | DS0022, DS0016, DS0009, DS0017 |
| | DS0009, DS0016, DS0022, DS0017 |
| | DS0029, DS0017, DS0022, DS0015 |
| | DS0029, DS0022, DS0017 |
| | DS0020, DS0009, DS0022, DS0007, DS0030, DS0034, DS0010, DS0017 |
| | DS0009, DS0013, DS0017 |
| | DS0029 |
| | DS0037, DS0004, DS0035 |
| | DS0004 |
| | DS0028, DS0029, DS0015 |
| | DS0017, DS0009, DS0026, DS0022, DS0036, DS0002 |
| | DS0015, DS0026, DS0002 |
| | DS0003, DS0022, DS0018, DS0002, DS0009, DS0015, DS0017, DS0024, DS0029 |
| | DS0028, DS0002 |
| | DS0024, DS0015, DS0017, DS0009, DS0022, DS0002 |
| | DS0015 |
| | DS0029, DS0017, DS0025 |
| | DS0017, DS0012, DS0009 |
| | DS0009, DS0017 |
| | DS0033, DS0017, DS0029, DS0022 |
| | DS0017, DS0009 |
| | DS0009, DS0029, DS0022 |
| | DS0022 |
| | DS0027, DS0016, DS0017, DS0009 |
| | DS0016, DS0027, DS0017, DS0009 |
| | DS0015 |
| | DS0029, DS0022, DS0013, DS0009, DS0017 |
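The Data Sources section above argues that knowing which data sources are most commonly needed to detect insider threat TTPs helps defenders prioritise; the Mitigations section makes the same point for mitigations. The script below is an added example, not code from the Center for Threat-Informed Defense or the Knowledge Base, showing how a defender can turn either mapping table into that prioritisation: it ranks each ID by how many TTP rows it covers, then runs a greedy set-cover pass to find a small set of data sources (or mitigations) that together touch every row. The two row lists are excerpts copied from the first rows of the page's two tables; because the page does not carry the Technique IDs, rows are keyed by position only. The helper names (`parse_rows`, `coverage_ranking`, `greedy_cover`) are this example's own.

```python
"""Rank ATT&CK data sources / mitigations by how many insider-threat TTP rows
they cover, and pick a small covering set with greedy set cover.

Added example; not code from the Center for Threat-Informed Defense.
"""
import re
from collections import Counter

# Accept ATT&CK mitigation IDs (M1xxx) and data-source IDs (DS00xx); any other
# token in a cell is treated as a transcription error rather than silently kept.
ATTACK_ID = re.compile(r"^(M|DS)\d{4}$")

# Constructed excerpt: the "Datasource IDs" cells of the first twelve rows of the
# page's data-source table.  The page omits the Technique IDs, so rows are
# identified by position only.
DATASOURCE_ROWS = [
    "DS0029",
    "DS0029",
    "DS0029, DS0021",
    "DS0028, DS0002",
    "DS0002, DS0028",
    "DS0009, DS0011",
    "DS0009, DS0017, DS0002",
    "DS0002, DS0009, DS0017",
    "DS0011, DS0005, DS0022, DS0024, DS0017, DS0025, DS0009",
    "DS0009, DS0017, DS0005",
    "DS0029, DS0028, DS0015",
    "DS0028, DS0002",
]

# Constructed excerpt: the "Mitigation IDs" cells of the first eight rows of the
# page's mitigation table.
MITIGATION_ROWS = [
    "M1056",
    "M1056",
    "M1056",
    "M1027, M1018, M1026, M1013, M1017, M1015, M1036",
    "M1032, M1026, M1017",
    "M1038, M1040",
    "M1030, M1028, M1032, M1026",
    "M1032, M1026",
]


def parse_rows(rows):
    """Turn each table cell ("DS0009, DS0017") into a frozenset of IDs."""
    parsed = []
    for n, cell in enumerate(rows, 1):
        ids = frozenset(tok.strip() for tok in cell.split(",") if tok.strip())
        bad = sorted(tok for tok in ids if not ATTACK_ID.match(tok))
        if not ids or bad:
            raise ValueError(f"row {n}: unexpected tokens {bad or cell!r}")
        parsed.append(ids)
    return parsed


def coverage_ranking(rowsets):
    """(id, number of rows it appears in), most-covering first; ties by ID."""
    counts = Counter(ident for s in rowsets for ident in s)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def greedy_cover(rowsets):
    """Greedy set cover: repeatedly take the ID that covers the most rows not
    yet covered, until every row is covered.  Returns (id, rows newly covered)
    in the order chosen; the gains sum to len(rowsets)."""
    uncovered = set(range(len(rowsets)))
    chosen = []
    while uncovered:
        gain = Counter(ident for i in uncovered for ident in rowsets[i])
        best, n = min(gain.items(), key=lambda kv: (-kv[1], kv[0]))
        chosen.append((best, n))
        uncovered -= {i for i in uncovered if best in rowsets[i]}
    return chosen


if __name__ == "__main__":
    for label, rows in (("data sources", DATASOURCE_ROWS),
                        ("mitigations", MITIGATION_ROWS)):
        sets = parse_rows(rows)
        print(f"{label}: {len(sets)} rows")
        for ident, n in coverage_ranking(sets)[:5]:
            print(f"  {ident} appears in {n} rows")
        cover = ", ".join(f"{i} (+{n})" for i, n in greedy_cover(sets))
        print(f"  covering set: {cover}")
```

On the twelve-row data-source excerpt the ranking puts DS0002 and DS0009 on top (five rows each) and the greedy pass covers every row with just DS0002, DS0029 and DS0009; the same functions run unchanged over the mitigation excerpt. Greedy set cover is not guaranteed to find the smallest covering set, but it is the standard quick approximation and is good enough to decide which telemetry to onboard first. Running it over the full tables, once the Technique IDs are available, is a one-line change to the input lists.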