Nov 08 2021

MITRE ATT&CK Update Covers Insider Threat Attack Techniques

Category: Attack MatrixDISC @ 10:39 am

Unmasking/Uncovering the Real Insider Threat

According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The challenge that continues to remain high with insider threats is that it is difficult to differentiate between normal and abnormal user behavior for any user since they already have access to the environment compared to external threats. Therefore, it makes a very important case to correlate content, threat and behavior to make an accurate prediction for an insider threat. 

The significance of insider threats can be seen in the last update by MITRE where the version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques, among which are those used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations and the types of attacks they are used for. 

What is Considered an Insider Threat?

An insider threat is a security threat that originates internally from within an organization. It’s usually someone who uses their authorized access—intentionally or unintentionally—to compromise an organization’s network, data or devices. Due to the authorized access, the attacker doesn’t need to raise a request or hack some credentials to gain access. There are three most common categories of an inside attacker. 

  • Malicious Insider â€“ As the name suggests, the malicious insider is an employee or contractor who conducts nefarious activities that may or may not be financially motivated to gain or steal information.
  • Compromised Insider â€“ This is a scenario where user credentials are compromised with the attacker using the compromised account to gain or steal information. In most cases the main target of these attacks are employees who are easily targeted via phishing. 
  • Negligent Insider â€“ Negligent insiders are people who make errors and disregard policies, which place their organizations at risk. There is a huge uptick in this type of attacks as we see more and more configuration errors, which results in exposing internal data of the organization to the public. 

Let’s take a look at some of the recent insider attacks to understand the magnitude of the impact.  – Updated MITRE ATT&CK TTPs Used in Insider Threat Attacks

ATT&CK™ Framework and open source tools

Tags: MITRE ATT&CK

Leave a Reply

You must be logged in to post a comment. Login now.