Snitches Get Stitches – Mitre ATT&CK for Insider Threat Detection

The Problem 

Insider threat detection is tough, especially when dealing with an insider who knows what they are doing. Think of the rogue IT admin, software engineer, or financial analyst. As a security practitioner and threat hunter extraordinaire, your goal is to identify anomalies in their daily behavior that could indicate suspicious activity. Thankfully, as with many challenges cyber security analysts face, the folks at Mitre are trying to provide tools and frameworks to help. 

Mitre ATT&CK For Insider Threat 

Hunting for insider threats follows a lot of the same prep work as hunting for external threats. You need to understand the ins and outs of the environment you're hunting (people, processes, and technology) and develop a hypothesis based on how the threat actor (insider threat) will stage and execute their attack. Earlier this year Mitre published the Insider Threat TTP Knowledge Base to assist with that hypothesis formation and follow-on analytic development. To create this knowledge base, Mitre collected and analyzed real-world insider threat cases submitted by the community. During this analysis, they mapped insider threat activity to TTP and even created heatmaps depicting the most and least commonly observed techniques leveraged by insider threats. Finally, they drew conclusions on the most commonly observed end-state objectives and the methods (Techniques) they used to achieve those objectives.  

For example, in the Insider Threat TTP Knowledge Base we see that T1213: Data from Information Repositories, specifically related to OneDrive or Sharepoint, is the most commonly observed Collection technique by insider threats. With the understanding of this technique, we can begin developing potential hypotheses such as: 

• An insider threat will download a large volume of files from Sharepoint or OneDrive to their local device or a removable media device when preparing to exfiltrate corporate data 

• An insider threat will download a small number of files from Sharepoint or OneDrive every day to the same file path over the course of a week when preparing to exfiltrate corporate data 

While these hypothesis examples are straightforward, they should illustrate how this Knowledge Base is a great starting point for developing hunt hypotheses to track down and catch insider threats. Additionally, as with the full Mitre ATT&CK Matrix, you can leverage this knowledge base as a reference when considering how to best develop insider threat-themed detection analytics.