
The Insider Attack Matrix

  • Writer: David Read
  • Jan 12, 2021
  • 4 min read


Some colleagues and I have recently released a new methodology to approach insider threat. A lot of fantastic work and case studies assess insider risk; however, it still lags behind the work on external risks. This is partly because most work to remediate external risk also helps with insider risk, and partly because the best work on insider risk is probably kept confidential, often to ensure potential insiders don't understand what controls could catch them. This blog provides some additional context to the one above around the work we did. If you haven't already, I recommend you read the blog above first.


Why did we do this?

We were originally inspired by the MITRE ATT&CK Matrix. If you haven't heard of the ATT&CK Matrix, it's an attempt to map the types of attacks adversaries use, categorising them using TTPs. TTP stands for Tactics (think kill chain), Techniques (think an action an attacker could take) and Procedures (think the specific thing a known APT did). The Matrix is a great way to simplify large amounts of APT attack data into something easy to review and analyse. What's particularly awesome is that everything is linked to/referenced by real world examples.




We wanted to do something similar. There are too many hypotheticals, especially when it comes to insider risk. When someone already has access, their attack surface is much more vast than an external attacker's, who first has to breach the perimeter. By focusing on real-world case studies of insider attacks, we wanted to develop a similar way to assess the most common possible attacks while ignoring theoretical issues.


One other observation is that MITRE sits between STRIDE and CVEs in terms of conceptual hierarchy. STRIDE is much more abstract than MITRE, since it only focuses on high-level threats, while CVEs are more tangible: specific, finite vulnerabilities from the real world. MITRE maps high-level threats to particular attacks and sits neatly between the two.[1]


Since the Insider Attack Matrix is a little more abstract, we sit above MITRE, aiming to describe attacks at a level that can affect any company or technology. If a company wanted to use the Insider Attack Matrix, it should map each of the high-level attacks we describe to its internal processes/technology. For example, "Unauthorised Access" would map to unauthorised access to the services you want to protect. This means we are not a direct mapping to MITRE; we are just inspired by MITRE.


What did we learn?

Most of our findings were quite intuitive, but it's always great to have new work that backs up your past beliefs.


Firstly, while traditional security controls help stop insider attacks (for example auditing, separation of duty, and strong access control, authentication and authorisation), there are still gaps left afterwards that need to be remediated. The main gaps are around the "Turning Point" tactic. Companies often ignore the "Turning Point" tactic in favour of controls elsewhere. In reality, you can probably detect a malicious insider here, before they manage to hurt you.


Most detection controls focus on network/audit logs to see if people are doing things they shouldn't be. Behavioural detection can be a practical approach that could pick up a number of the techniques within the turning point using data sources that a SOC would typically ignore, for example late reports, disciplinary reports, etc. Please note, I'm not saying someone who is often late to work is probably a malicious insider. Still, if someone goes from being a perfect employee to regularly late AND flags on a few other tactics within the Insider Attack Matrix, it might be worth double-checking.
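As an added illustration (not code from the original post or the Matrix project) of the correlation rule described above, the following compares each employee's recent lateness against their own baseline and only raises a review candidate when that shift coincides with flags on at least two other tactics. The employee records, the lateness thresholds and the tactic labels other than "Turning Point" and "Unauthorised Access" are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class EmployeeSignals:
    employee: str
    late_baseline: float  # historical average late arrivals per month
    late_recent: float    # late arrivals in the most recent month
    # Matrix tactics on which some existing control (audit alert, HR report,
    # access review, ...) has already flagged this person. Labels are constructed.
    tactic_flags: list = field(default_factory=list)

def lateness_shift(rec, factor=3.0, min_recent=3):
    """Turning-point signal: lateness rose sharply relative to the person's
    own baseline. Someone who has always been late does not trigger this."""
    baseline = max(rec.late_baseline, 0.5)  # avoid dividing a zero baseline away
    return rec.late_recent >= min_recent and rec.late_recent >= factor * baseline

def review_candidates(records, min_other_tactics=2):
    """Return (employee, other_tactics) only when a turning-point signal
    coincides with flags on at least `min_other_tactics` distinct other tactics."""
    out = []
    for rec in records:
        others = {t for t in rec.tactic_flags if t != "Turning Point"}
        if lateness_shift(rec) and len(others) >= min_other_tactics:
            out.append((rec.employee, sorted(others)))
    return out

# Constructed sample data, one record per employee.
SAMPLE = [
    # Sudden change from baseline plus two other tactics -> worth a look.
    EmployeeSignals("alice", 0.5, 4, ["Unauthorised Access", "Data Collection"]),
    # Always late; same flags, but no behavioural shift -> not a candidate.
    EmployeeSignals("bob", 4.0, 5, ["Unauthorised Access", "Data Collection"]),
    # Clear shift but nothing else flagged -> lateness alone is not a signal.
    EmployeeSignals("carol", 0.0, 6, []),
    # Shift plus only one other tactic -> below the correlation threshold.
    EmployeeSignals("dave", 0.0, 5, ["Turning Point", "Unauthorised Access"]),
]

if __name__ == "__main__":
    for employee, tactics in review_candidates(SAMPLE):
        print(f"review {employee}: turning-point shift + {', '.join(tactics)}")
```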




There is even the possibility of adding preventative controls that would stop would-be insider threats from ever turning and trying to hurt the company in the first place. Imagine not only detecting and stopping insider attacks, but finding a way to stop people from ever deciding to become insiders. While more work needs to be done, I believe a strong culture of respect alongside strong values helps reduce disgruntlement, which is often a key cause of an insider attack. Stopping staff from feeling slighted/disgruntled and giving them a clear and trusted path to have issues addressed can go a long way to making your company a better and more secure place to work.



What's next?


Right now the Matrix is available as a PDF here. We plan to do a few things to improve it.


Firstly, we plan to move it to a webpage that provides a better experience for interacting with and analysing the Matrix.


Secondly, we want to ingest lots more case studies to flesh out the examples and find additional attacks that might currently be missing. We are pulling data from news articles, reputable insider threat textbooks, court documentation, and the movie Office Space. Hopefully, we can remove Office Space once we have more citations elsewhere!


Thirdly, we want to start looking at how to defend against each of the identified techniques. We plan to go through each technique and identify possible controls (starting with known controls, e.g. NIST CSF/ISO 27k) to remediate them. Afterwards, we will take any techniques without classical controls assigned and look at what else could fill the gap. Based on our findings, my hunch is that a strong culture and practices that let your employees be heard will fall in here as viable security controls.


Additionally, there are probably lots of interesting data feeds and monitoring techniques that could be used for detection and would help specifically with insider threat.


In conclusion, there are many exciting ways to take this project forward, and I'm hoping it will help make insider threat easier for people to understand and react to in the future.
