MITRE ATT&CK Update Covers Insider Threat Attack Techniques
Unmasking/Uncovering the Real Insider Threat
According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number, and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The persistent challenge with insider threats is that, unlike external attackers, insiders already have legitimate access to the environment, so it is difficult to distinguish normal from abnormal behavior for any given user. This makes it essential to correlate content, threat and behavior in order to identify an insider threat accurately.
The significance of insider threats is reflected in the latest MITRE update: this version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques and 367 Sub-techniques, among them techniques used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations behind them and the types of attacks they are used for.
What is Considered an Insider Threat?
An insider threat is a security threat that originates from within an organization. It is usually someone who uses their authorized access, intentionally or unintentionally, to compromise an organization’s network, data or devices. Because the access is already authorized, the attacker does not need to request access or steal credentials to obtain it. The three most common categories of inside attacker are:
- Malicious Insider – As the name suggests, a malicious insider is an employee or contractor who deliberately conducts harmful activities, which may or may not be financially motivated, to obtain or steal information.
- Compromised Insider – In this scenario a user’s credentials have been compromised and the attacker uses the compromised account to obtain or steal information. In most cases the initial targets of these attacks are employees, who are easily reached via phishing.
- Negligent Insider – Negligent insiders are people who make mistakes or disregard policies, placing their organizations at risk. This type of attack is rising sharply as configuration errors increasingly expose an organization’s internal data to the public.
Let’s take a look at some of the recent insider attacks to understand the magnitude of the impact.
- An employee unlawfully accessed a Fortune 500 company’s infrastructure and deployed code which deleted multiple virtual machines supporting their video conferencing team’s application for clients.
- Two members of the support team of one of Canada’s largest companies abused their access rights to obtain records of customer transactions for a little over 150 merchants.
- Hackers conducted a social engineering attack on employees, stole their credentials and gained access to an administrator tool. The attackers then targeted 100+ high-profile people and posted scam messages from their accounts.
- In 2018, an employee stole sensitive intellectual property and sabotaged existing operations at the electric car-maker’s battery plant.
Types of Users Exploited
As these incidents show, the number of insider attacks has been rising. This is driven by the increased attack surface created by the different types of users in any organization, including contractors, full-time employees and vendors. Some of the most common user types are:
Privileged users and administrators – Employees have varying levels of access. Some users are granted elevated privileges because of the specific requirements of their work, and different types of administrators manage different accounts and services. Because of their high level of access, unusual activity by privileged users is difficult to detect: they break no cybersecurity rules when accessing sensitive resources.
Regular employees – Regular users may not seem an area of concern, but they can harm an organization through negligence or other motives. For instance, they can misuse corporate data, send confidential emails to outsiders, install unauthorized applications and so on.
Third parties and temporary workers – These are temporary workers who may not follow the same security practices as regular employees; they can be an attractive target for attackers, or may misuse their own access for illegal purposes.
Privileged business users and executives – C-level executives have access to the most confidential and sensitive information about an organization and are a common target for threat actors.
Updated MITRE ATT&CK TTPs Used in Insider Threat Attacks
In this section we will discuss a selection of common insider threat scenarios, map them to the MITRE ATT&CK TTPs included in the last update and to the types of insiders involved, and examine their motives. Every quarter or so, MITRE adds or modifies techniques; a change may be a minor edit or something major that affects detection or mitigation. There could be more scenarios than those in this list, but these are the ones MITRE updated or added in the latest update.

| Threat Scenario | Type(s) of Insider | Added/Updated ATT&CK TTPs | Possible Motive |
| --- | --- | --- | --- |
| Insider exfiltrating data | Malicious, Compromised | T1537 – Transfer Data to Cloud Accounts; T1608 – Stage Capabilities | Financial |
| Insider sending code or trade secret | Malicious, Compromised | T1020 – Automated Exfiltration; T1041; T1567 | Espionage |
| Insider using resources for personal gains | Malicious, Compromised | T1496 – Resource Hijacking | Financial |
| Insider clicked on a phishing link | Compromised, Negligent | T1566 – Phishing; T1534 – Internal Spear Phishing | Lack of knowledge |
| Insider accessing customer data | Malicious, Compromised | T1213 – Data from Information Repositories | Financial, Personal Interest |
| Insider misconfiguring the access to servers/data | Negligent, Compromised, Malicious | T1190 – Exploit Public Facing Application | Lack of knowledge |
| Insider deleting their logs | Malicious, Compromised | T1070 – Indicator Removal on Host | Hide the tracks for bigger tasks |
| Insider accessing other unapproved machines/servers | Malicious, Compromised | T1078 – Valid Accounts | Personal Interest, Financial |
| Insider altering/destroying data | Malicious, Compromised, Negligent | T1485 – Data Destruction | Personal Interest, Vengeance, Lack of knowledge |
Each technique mentioned above can be detected via different methodologies and with the right context and correct log sources.
We will take one technique as an example to demonstrate a detection methodology. In the case of Resource Hijacking, it is important to first list all possible scenarios for this use case. The list will grow as time goes on, but we can cover the base cases for resource hijacking and build on top of them. Before moving forward, we need to define resource hijacking. As the name suggests, it is a technique an attacker uses to perform unintended activities with the resources available to them. It is fairly common in cloud infrastructure because of the large pool of resources on offer. For example, an attacker will try to gain control of the infrastructure, create an instance and use it for cryptomining. Some common scenarios are:
- Storage enumeration
- Compute enumeration
- Compute creation
- Compute manipulation
- Compute load exploit
All cloud environments provide APIs and calls to perform these functions, and with proper log monitoring each of the scenarios listed above can be detected. Before hijacking resources, adversaries need to gain more information about the environment: to find exploitable locations where they can create and upload malicious resources, or to discover sensitive machines, they will perform enumeration tasks.
Once the attacker has the right information, they will create an instance and use it to exfiltrate data. An instance created for the first time by a user, or with an abnormal amount of resources, should raise flags and be investigated. Additionally, an attacker can manipulate a running instance and may use a snapshot of it to exfiltrate data. Monitoring not only the creation of new instances but also their modification, and listing all the abnormal ones, is the key to detecting insider threats.
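To make the resource-hijacking detection concrete, here is an added example (not from the original post or from Exabeam's products) that runs simple rules over constructed, simplified cloud audit events. Event names follow AWS API naming; the field layout, the thresholds and the sample user names are assumptions for illustration.

```python
from collections import Counter

# Assumed thresholds (not from the post): tune them to the environment's baseline.
ENUM_CALLS = {"ListBuckets": "storage enumeration",
              "DescribeInstances": "compute enumeration",
              "DescribeSnapshots": "compute enumeration"}
ENUM_THRESHOLD = 3       # enumeration calls by one user before flagging a burst
MAX_NORMAL_COUNT = 2     # instances per launch call considered normal

def analyze(events, baseline_creators):
    """Return (user, reason) findings for the resource-hijacking scenarios.
    baseline_creators: users already known to launch instances (history)."""
    findings = []
    enum_counts = Counter()
    seen_creators = set(baseline_creators)
    for ev in events:
        user, name, p = ev["user"], ev["event"], ev.get("params", {})
        if name in ENUM_CALLS:                       # storage / compute enumeration
            enum_counts[user] += 1
            if enum_counts[user] == ENUM_THRESHOLD:
                findings.append((user, f"enumeration burst ({ENUM_CALLS[name]})"))
        elif name == "RunInstances":                 # compute creation
            if user not in seen_creators:            # first launch ever by this user
                findings.append((user, "first-time compute creation"))
                seen_creators.add(user)
            if p.get("maxCount", 1) > MAX_NORMAL_COUNT:   # abnormal amount of resources
                findings.append((user, f"abnormal instance count {p['maxCount']}"))
        elif name == "ModifySnapshotAttribute":      # manipulation: snapshot shared out
            external = [a for a in p.get("addUserIds", []) if a != ev["account"]]
            if external:
                findings.append((user, f"snapshot shared outside account: {external}"))
    return findings

# Constructed sample audit trail: one user walking through enumeration, creation and
# snapshot sharing, plus an automation user whose launch matches its baseline.
ACCOUNT = "111111111111"   # constructed account id
SAMPLE_EVENTS = [
    {"user": "jdoe", "account": ACCOUNT, "event": "ListBuckets"},
    {"user": "jdoe", "account": ACCOUNT, "event": "DescribeInstances"},
    {"user": "jdoe", "account": ACCOUNT, "event": "DescribeSnapshots"},
    {"user": "jdoe", "account": ACCOUNT, "event": "RunInstances",
     "params": {"instanceType": "p3.16xlarge", "maxCount": 20}},
    {"user": "jdoe", "account": ACCOUNT, "event": "CreateSnapshot",
     "params": {"volumeId": "vol-0abc"}},
    {"user": "jdoe", "account": ACCOUNT, "event": "ModifySnapshotAttribute",
     "params": {"snapshotId": "snap-0abc", "addUserIds": ["999999999999"]}},
    {"user": "ops-bot", "account": ACCOUNT, "event": "RunInstances",
     "params": {"instanceType": "t3.micro", "maxCount": 1}},
]
BASELINE_CREATORS = {"ops-bot"}   # constructed: users with prior RunInstances history
```

Running `analyze(SAMPLE_EVENTS, BASELINE_CREATORS)` yields four findings, all for jdoe, while the automation user's routine launch produces none; in practice the baseline set and thresholds would come from each user's and peer group's history rather than constants.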
Detecting Insider Threats with Exabeam
Our use case and scenario library is specially tailored to identifying the key methods used by insiders, and we have prepared a robust detection methodology for these use cases.
Because insider threats are difficult to detect, the most effective tools are those that apply machine learning and user behavior analytics to baseline normal behavior for every user, device and peer group; these help build a resilient security posture against threats from within.
Tools that detect anomalous behavior indicating insider risk, regardless of the attacker’s techniques, are necessary to help security analysts secure their organizations. Detecting the following activities through their techniques can pinpoint activity that indicates a breach.
- Compromised credentials
- Lateral movement
- Privilege escalation
- Privileged activity
- Account manipulation
- Data exfiltration
Every company is exposed to insider threats, and the consequences of these attacks are often devastating, as the examples we listed show. With the right set of behavior-based models, abnormal behavior by insiders can be tracked, mapped to attack scenarios and stopped before it becomes an issue for an organization.