Introduction

Project Goal

The goal of the Insider Threat TTP Knowledge Base project is to create a repository of insider threat tactics, techniques, and procedures (TTPs) based on cases seen throughout diverse industries such as healthcare, finance, and technology. These cases provide insight into the TTPs that insider threat actors use and help organizations identify future threats. By understanding the most commonly used TTPs, insider threat programs can take conscientious actions to defend their systems.

Why ATT&CK

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

The Insider Threat TTP Knowledge Base uses this framework as a basis for collecting information about insider threat cases. The Enterprise ATT&CK matrix provides the foundation for partners to identify tactics and techniques. Participating organizations labeled insider techniques within their case files by identifying existing techniques and proposing techniques deemed novel or unique to insider threats.

As the Knowledge Base evolves, Center researchers anticipate discovering and documenting new insider techniques that may not fit within Enterprise ATT&CK. These novel insider techniques will be added to the Insider Threat Knowledge Base; eventually the Knowledge Base will consist of a mix of techniques referenced in Enterprise ATT&CK and techniques that are unique to insider threats.
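The labeling process described above produces case files tagged with either an existing Enterprise ATT&CK technique ID or a proposed novel insider technique. The script below is an added example (not code from the Knowledge Base project) of how a defender could aggregate such labels to find the techniques seen in the most cases, the first step toward the "most commonly used TTPs" the project goal mentions. The case records are constructed sample data; the ATT&CK IDs in them are real Enterprise ATT&CK identifiers used only as sample labels, and the "PROPOSED:" prefix for novel techniques is an assumed convention, not the project's.

```python
"""Tally ATT&CK technique labels across insider-threat case files.

Added example, not part of the Knowledge Base project's own code. Assumes each
case file has been labeled, as the text describes, with either an existing
Enterprise ATT&CK technique ID (T1234 or T1234.001) or a proposed novel insider
technique carrying an assumed "PROPOSED:" prefix. All case records below are
constructed sample data, not real case files.
"""
import re
from collections import defaultdict

# Enterprise ATT&CK technique IDs: T + 4 digits, optional .NNN sub-technique.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample case files: (case id, sector, list of technique labels).
SAMPLE_CASES = [
    ("case-001", "finance", ["T1005", "T1567.002", "T1005"]),      # duplicate label in one case
    ("case-002", "healthcare", ["T1005", "T1052.001"]),
    ("case-003", "technology", ["T1567.002", "PROPOSED: Removable Media After Resignation"]),
    ("case-004", "finance", ["T1052.001", "t1005"]),               # lower-case id, should normalize
    ("case-005", "technology", ["T1567.002", "T99"]),              # malformed ATT&CK id
]


def normalize_label(label):
    """Return (label, is_attack_id). Labels that look like ATT&CK IDs but are malformed raise."""
    cleaned = label.strip()
    if cleaned.upper().startswith("T") and cleaned[1:2].isdigit():
        cleaned = cleaned.upper()
        if not ATTACK_ID.match(cleaned):
            raise ValueError(f"malformed ATT&CK technique id: {label!r}")
        return cleaned, True
    # Anything else is treated as a proposed novel insider technique.
    return cleaned, False


def tally_techniques(cases):
    """Count distinct cases per technique; a technique seen twice in one case counts once.

    Returns (attack_counts, novel_counts, rejected): the first two map label -> number
    of cases, and rejected lists (case_id, label) pairs that failed validation so that
    bad labels are surfaced instead of silently dropped.
    """
    attack_counts = defaultdict(int)
    novel_counts = defaultdict(int)
    rejected = []
    for case_id, _sector, labels in cases:
        seen = set()
        for label in labels:
            try:
                name, is_attack = normalize_label(label)
            except ValueError:
                rejected.append((case_id, label))
                continue
            if name in seen:
                continue
            seen.add(name)
            (attack_counts if is_attack else novel_counts)[name] += 1
    return dict(attack_counts), dict(novel_counts), rejected


def rank(counts):
    """Most common first; ties broken alphabetically so the ordering is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    attack, novel, bad = tally_techniques(SAMPLE_CASES)
    print("ATT&CK techniques by number of cases:")
    for tid, n in rank(attack):
        print(f"  {tid}: {n}")
    print("Proposed novel insider techniques:", rank(novel))
    print("Rejected labels:", bad)
```

Counting distinct cases rather than raw label occurrences matters: one case file that lists the same technique several times would otherwise inflate its apparent prevalence across the corpus.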

Scoping the Insider Threat TTP Knowledge Base

The project addresses the unique challenges that insider threats pose by starting with a modest scope in pursuit of an evidence-based result. Version 1 of the project constrained the research effort to technical mechanisms that insiders use on information technology (IT) systems, deliberately excluding physical insider threat actions, such as workplace violence or smuggling documents on one's person; those are non-technical and independent of IT systems.

In Version 2 of the project, we identified some interesting non-technical indicators in the case data, so the scope was widened to include these non-technical indicators.

Furthermore, the Center team does not include discussions of the insider’s motive or what the insider did and could do once off the IT systems. This distinction is important. Within a single organization, different departments that have purview over insider threats may define the insider differently. This project compounds that complexity by seeking to rigorously define insider TTPs that can be used across all organizations. We were able to meet this goal by defining insider TTPs for security operations centers (SOCs) and cyber defenders, and by following the model of the Enterprise ATT&CK framework, which is well-established for SOCs and cyber defense professionals.

Method and Design

Network defenders often focus on the TTPs of high-profile insider threat cases, such as Chelsea Manning, Edward Snowden, or Robert Hanssen, causing them to overlook more mundane but equally damaging actions. This focus on one-in-a-million cases leads to prioritizing what is possible rather than what is probable, leading to speculative defense strategies.


Prior research on insider TTPs emphasized TTPs that could or would happen, but these are generally hypothetical or fantastical insider actions that are far out of the ordinary. Organizations can instead shift their focus to actionable mitigation, detection, and response by using the Insider Threat TTP Knowledge Base, which can inform defenders where their resources are best spent.

The TTPs in the Knowledge Base are actions that insiders actually did. These have been observed in documented case files, providing a data-driven approach to insider threat defense. This enables organizations to better allocate their limited resources and focus their efforts where they are most beneficial.