MITRE ATT&CK Update Covers Insider Threat Attack Techniques - Exabeam

MITRE ATT&CK Update Covers Insider Threat Attack Techniques

Published
October 04, 2021

Author
Shubham Goel

Unmasking/Uncovering the Real Insider Threat

According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The challenge that continues to remain high with insider threats is that it is difficult to differentiate between normal and abnormal user behavior for any user since they already have access to the environment compared to external threats. Therefore, it makes a very important case to correlate content, threat and behavior to make an accurate prediction for an insider threat. 

The significance of insider threats can be seen in the last update by MITRE where the version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques, among which are those used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations and the types of attacks they are used for. 

What is Considered an Insider Threat?

An insider threat is a security threat that originates internally from within an organization. It’s usually someone who uses their authorized access—intentionally or unintentionally—to compromise an organization’s network, data or devices. Due to the authorized access, the attacker doesn’t need to raise a request or hack some credentials to gain access. There are three most common categories of an inside attacker. 

  • Malicious Insider – As the name suggests, the malicious insider is an employee or contractor who conducts nefarious activities that may or may not be financially motivated to gain or steal information.
  • Compromised Insider – This is a scenario where user credentials are compromised with the attacker using the compromised account to gain or steal information. In most cases the main target of these attacks are employees who are easily targeted via phishing. 
  • Negligent Insider – Negligent insiders are people who make errors and disregard policies, which place their organizations at risk. There is a huge uptick in this type of attacks as we see more and more configuration errors, which results in exposing internal data of the organization to the public. 

Let’s take a look at some of the recent insider attacks to understand the magnitude of the impact. 

  1. An employee unlawfully accessed a Fortune 500 company’s infrastructure and deployed code which deleted multiple virtual machines supporting their video conferencing team’s application for clients.
  2. Two members of one of Canada’s largest company’s support team abused their access rights to obtain records of customer transactions for a little over 150 merchants.
  3. Hackers conducted a social engineering attack on employees, stole their credentials, and gained access to the administrator tool. Attackers then targeted 100+ high profile people and posted scam messages from their accounts.
  4. In 2018, an employee stole sensitive intellectual property and sabotaged existing operations at the electric car-maker’s battery plant.

Types of Users Exploited 

As you can see from these insider threat attacks there is a rise in the number of insider attacks in the past. This is caused by the increased attack surface exposure due to the different types of users in any organization that include contractors, full time employees and vendors. Some of the most common ones are:  

Privileged users and administrators – There are varying levels of access for different employees. These are certain privileged users due to the specific requirements of their work or access required and different types of administrators for different accounts and services. Because of their high level of access, unusual activity by privileged users is difficult to detect as they don’t break any cybersecurity rules when accessing sensitive resources.

Regular employees – Regular users may not be an area of concern but they can harm any organization due to their negligence or other motives. For instance, they can misuse corporate data, send confidential emails to outsiders, install unauthorized applications and so on.  

Third-parties and temporary workers – These are temporary workers who may not follow the same level of security practices as a regular employee and can be an important target for attackers or misuse their access for illegal practices. 

Privileged business users and executives – C-level executives have access to the most confidential and sensitive information about an organization and are a common target for threat actors. 

Updated MITRE ATT&CK TTPs Used in Insider Threat Attacks

In this section we will discuss a selection of common threat scenarios from insiders, map them to MITRE ATT&CK TTPs included in the last update, types of insiders and understand their motives. Every quarter or so, MITRE either adds, modifies some techniques; it could be a minor edit or something major that has to be changed for detection or mitigation. Although, there could be more scenarios in this list these are the ones MITRE updated or added in the latest update. 

Threat ScenarioType(s) of InsiderAdded/Updated ATT&CK TTPsPossible Motive
Insider exfiltrating dataMalicious, CompromisedT1537 – Transfer Data to Cloud AccountsT1608 – Stage Capabilities Financial
Insider sending code or trade secretMalicious, CompromisedT1020 – Automated ExfiltrationT1041, T1567Espionage
Insider using resources for personal gainsMalicious, CompromisedT1496 – Resource HijackingFinancial
Insider clicked on a phishing linkCompromised, NegligentT1566 – PhishingT1534 Internal Spear PhishingLack of knowledge
Insider accessing customer dataMalicious, CompromisedT1213 – Data from Information RepositoriesFinancial, Personal Interest
Insider misconfiguring the access to servers/dataNegligent, Compromised, MaliciousT1190 – Exploit Public Facing ApplicationLack of knowledge
Insider deleting their logsMalicious, CompromisedT1070 – Indicator removal on hostHide the tracks for bigger tasks
Insider accessing other unapproved machines/serversMalicious, CompromisedT1078 – Valid AccountsPersonal Interest, Financial 
Insider altering/destroying dataMalicious, Compromised, NegligentT1485 – Data DestructionPersonal Interest, Vengeance, Lack of knowledge

Each technique mentioned above can be detected via different methodologies and with the right context and correct log sources. 

We will take one technique as an example to demonstrate a detection methodology. For example, in the case of Resource Hijacking, it is important to make a list of all possible scenarios for this use case. Although, as time evolves, this list of possible scenarios will grow but we can cover all the base cases for resource hijacking use cases and build on top of it. Before we move forward, we need to understand the definition of resource hijacking. As the name suggests, it is a technique used by an attacker to perform unintended activities with all the available resources. This is fairly common on a cloud infrastructure because of the large amount of resources. As an example, an attacker will try to gain control of the infrastructure and create an instance and use it for cryptomining. Some of common scenarios are: 

  1. Storage enumeration
  2. Compute enumeration
  3. Compute creation
  4. Compute manipulation
  5. Compute load exploit

All cloud environments provide certain methods and calls to perform all the functions. In the event of an attack with the proper log monitoring, each of the techniques mentioned above can be detected. In this case before hijacking the resources, it is important for adversaries to gain more information about the environment. In order to gain information about exploitable locations to create and upload malicious resources or to discover sensitive machines, attackers will perform certain enumeration tasks. 

Once the attacker acquires the right information, they will create the instance to exfiltrate data. Creating an instance for the first time or with an abnormal amount of resources should create some flags and be investigated. Additionally, an attacker can manipulate the current running instance and might use the snapshot to exfiltrate data. Monitoring not only the creation of new instances but also identifying the modification and listing down all the abnormal ones are the key to detecting insider threat.

Detecting Insider Threats with Exabeam

Our use case and scenario library is specially tailored toward identifying the key methods targeted by insiders and we have prepared a robust detection methodology for these use cases. 

Since insider threats are difficult to detect, the most effective tools that apply machine learning and user behavioral analysis to baseline normal behavior for every user, device and peer group can help build a resilient security posture to detect threats from within. 

Tools that detect anomalous behaviors that indicate insider risk behavior, regardless of the attackers’ techniques are necessary to help security analysts secure their organizations. Detecting the following activities through their techniques can pinpoint activity that indicates a breach. 

  • Compromised credentials
  • Lateral movement
  • Privilege escalation
  • Privileged activity
  • Account manipulation
  • Data exfiltration
  • Evasion

In Conclusion

Every company is exposed to insider threats and the consequences of these attacks are often devastating as seen from the examples we listed. With the right set of behavior-based modeling, abnormal behavior from insiders can be tracked, mapped to attack scenarios and can be stopped before it becomes an issue for an organisation. 

Recent Information Security Articles

Cybersecurity Awareness Month: Time to Recalibrate and Prioritize Security

Read More

Ransomware: Prevent, Detect and Respond

Read More

What Are TTPs and How Understanding Them Can Help Prevent the Next Incident

Read More

Five Steps to Effectively Identify Insider Threats

Read More

Detecting the New PetitPotam Attack With Exabeam

Read More



Recent Information Security Articles

Exabeam Fusion XDR and Exabeam Fusion SIEM now available in Google Cloud Marketplace

Read More

SOC Analyst: Job Description, Skills, and 5 Key Responsibilities

Read More

Cybersecurity Awareness Month: Time to Recalibrate and Prioritize Security

Read More

SOC Processes and Best Practices in a DevSecOps World

Read More

Cloud SIEM: Features, Capabilities, and Advantages

Read More

Ransomware: Prevent, Detect and Respond

Read More