©2022 VMware, Inc.
When Insiders ATT&CK!!!
Matt Snyder
Program Lead – Advanced Security Analytics
March 2022
Speaker Introduction
Matt Snyder – VMware
Program Lead - Advanced Security Analytics
• Over the past 17 years, I have been fortunate to work in a wide range of IT/Security positions; from systems admin, to digital forensics and incident response during one of the 1st major credit card breaches in 2013, and most recently security engineering.
• In my current position at VMware, I work on the Security Intelligence & Response Team (SIRT), where I enjoy building advanced analytics and detections.
Agenda
• Types of Insider Threats
• How to use MITRE ATT&CK to identify key TTPs
• How to use MITRE ATT&CK to build intelligent detections
Everyone has an Insider Threat problem.
Insider Threats are Evolving
Is your company prepared?
Source: https://www.code42.com/resources/report-2021-data-exposure
Source: Hitachi ID shorturl.at/fwEFV
Types of Insider Threats
Knowing is half the battle…
• Oblivious User: well intentioned but makes poor decisions
• Negligent: knows better but still takes unacceptable risks
• Malicious: intentionally tries to cause harm/damage
• Saboteur/Espionage: is acting on behalf of a 3rd party
• Data Hoarder: knowingly stores data in unapproved locations
How to use MITRE ATT&CK to identify key TTPs
Getting Started…
Sometimes looks like this…
We don’t have to start from scratch
MITRE ATT&CK to the Rescue!
With the MITRE ATT&CK framework, we have a comprehensive map of relevant TTPs we can choose from.
Using news and threat intel reports, as well as previous incidents, we can begin to map TTPs of greatest concern.
Data Exfiltration/Theft
I’ll Take That…
Here we focus on techniques related to the exfiltration of data from an Insider Threat.
Threat Profiles:
• Oblivious User
• Negligent User
• Data Hoarder
• Saboteur/Espionage
Data Exfiltration/Theft Cont.
I’ll Take That…
Insider Threats typically have access to data sources, so all they need to worry about is collecting and then exfiltrating that information.
Rogue Employee
Vengeance is Mine!!
With a Rogue Insider, the possibilities are endless:
- Data Exfiltration (possibly for extortion)
- Business Impact/Cause Outages
- Enable Persistence
Threat Profiles:
• Malicious User
• Saboteur/Espionage
Rogue Employee Cont.
Vengeance is Mine!!
A rogue employee might use numerous techniques so they can maintain persistence or cover their tracks.
With a goal to carry out an attack against their employer, you may even see them try to emulate an APT group to conceal their involvement.
Accident or Intentional?
Ignorance is Bliss…
They have no idea that what they are doing will have any impact, or do they? Some examples:
- Serial Phishing offender
- Stores sensitive data everywhere
- Leaks credentials on GitHub
Threat Profiles:
• Oblivious User
• Negligent User
• Saboteur/Espionage
Accident or Intentional? Cont.
Ignorance is Bliss…
It can be complicated to determine the motive or reasoning behind these types of incidents.
Accidents happen and people make mistakes.
Completing a thorough investigation is key to determining the truth.
How to use MITRE ATT&CK to build intelligent detections
Reduce false positives without losing visibility
Intelligent Alerting
DLP Type Case
Intelligent Alerting
Employee Gone Rogue
Oops….
Oblivious User
Follow the ATT&CK…
One Alert to Rule them All!
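The Data Exfiltration/Theft slides describe the insider pattern as collect, then exfiltrate, and this section's goal is to reduce false positives without losing visibility. The Python below is an added example (not from the deck or the author's repository) that raises one alert only when a single user chains an ATT&CK Collection technique with an Exfiltration technique inside a time window, while keeping every single-technique event as a low-severity observation. The event log is constructed, and the technique sets are a small hand-picked subset of ATT&CK, not a complete mapping.

```python
from collections import defaultdict
from datetime import datetime

# Hand-picked subset of ATT&CK technique IDs grouped by tactic (the IDs are real ATT&CK IDs;
# a production rule would load the full technique-to-tactic mapping from the ATT&CK STIX data).
COLLECTION = {"T1005", "T1039", "T1074", "T1114"}  # local system, network share, data staged, email
EXFIL = {"T1041", "T1048", "T1052", "T1567"}       # C2 channel, alt protocol, physical medium, web service

# Constructed sample events: (user, ISO timestamp, technique ID, description).
SAMPLE_EVENTS = [
    ("alice", "2022-03-01T09:05:00", "T1005", "copied 3 files from local profile"),
    ("alice", "2022-03-01T09:20:00", "T1074", "archived 1.2 GB to tmp/out.zip"),
    ("alice", "2022-03-01T10:02:00", "T1567", "uploaded out.zip to personal cloud storage"),
    ("bob",   "2022-03-01T11:00:00", "T1567", "uploaded slides.pptx to approved SaaS"),
    ("carol", "2022-03-01T08:00:00", "T1039", "opened share fs01/finance"),
    ("carol", "2022-03-03T15:00:00", "T1052", "wrote 200 MB to USB"),
]


def detect_collect_then_exfil(events, window_hours=24):
    """Alert only when one user shows a Collection technique followed by an
    Exfiltration technique within window_hours. Every event is still returned
    as an observation, so single-technique activity stays visible for hunting
    and context without paging an analyst."""
    by_user = defaultdict(list)
    for user, ts, tid, desc in events:
        by_user[user].append((datetime.fromisoformat(ts), tid, desc))
    alerts, observations = [], []
    for user, evs in sorted(by_user.items()):
        evs.sort()          # chronological order per user
        staged = []         # (time, technique) of collection events seen so far
        for t, tid, desc in evs:
            observations.append((user, tid, desc))
            if tid in COLLECTION:
                staged.append((t, tid))
            elif tid in EXFIL:
                chain = [c for t0, c in staged if (t - t0).total_seconds() <= window_hours * 3600]
                if chain:
                    alerts.append({"user": user, "chain": chain + [tid], "at": t.isoformat()})
    return alerts, observations


if __name__ == "__main__":
    found, kept = detect_collect_then_exfil(SAMPLE_EVENTS)
    for a in found:
        print("ALERT", a)
    print(len(kept), "observations retained")
```

With the default 24-hour window only alice fires (collect at 09:05 and 09:20, upload at 10:02); bob's upload has no preceding collection and carol's USB write is 55 hours after the share access, so both stay observations rather than alerts.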
Test Your Detections!
Don’t wait for an attacker, test today!!
Here is a basic python script to help generate some canary files you can use to test out your detections.
This example and more can be found here: https://github.com/matt-snyder-stuff/python_canary_files
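The canary script shown on the slide is not reproduced on this page. The Python below is an added example (not the author's python_canary_files code) that does the same job: it plants decoy files that each carry a unique tracking token, records their SHA-256 hashes in a manifest, and checks whether a token shows up in text such as a DLP event body, so an alert can be tied back to the exact canary that triggered it. The decoy file names are constructed.

```python
import hashlib
import json
import secrets
import tempfile
from pathlib import Path

# Constructed decoy names: they should look worth taking but contain nothing real.
CANARY_NAMES = ["Q1_payroll_export.csv", "customer_list_master.xlsx", "vpn_credentials.txt"]


def make_canary_files(out_dir=None, names=CANARY_NAMES, token_prefix="CANARY"):
    """Write one decoy file per name, each carrying a unique random tracking token.
    Returns a manifest {name: {path, token, sha256}} and writes it beside the files,
    so a DLP/EDR rule matching the token or hash can be checked against its alert."""
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="canary_"))
    out.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in names:
        token = f"{token_prefix}-{secrets.token_hex(8)}"
        body = (
            "CONFIDENTIAL - INTERNAL USE ONLY\n"
            f"tracking-id: {token}\n"
            "Decoy document used to test data-handling detections. Do not distribute.\n"
        ).encode("utf-8")
        path = out / name
        path.write_bytes(body)  # write bytes so the hash below matches what is on disk
        manifest[name] = {
            "path": str(path),
            "token": token,
            "sha256": hashlib.sha256(body).hexdigest(),
        }
    (out / "canary_manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return manifest


def verify_canary(name, manifest):
    """True if the planted file for `name` is still byte-identical to the manifest entry."""
    meta = manifest[name]
    return hashlib.sha256(Path(meta["path"]).read_bytes()).hexdigest() == meta["sha256"]


def find_canary_tokens(text, manifest):
    """Names of canaries whose tracking token appears in `text` (e.g. a DLP event body)."""
    return [name for name, meta in manifest.items() if meta["token"] in text]


if __name__ == "__main__":
    print(json.dumps(make_canary_files(), indent=2))
```

Feed the manifest's tokens and hashes to the detection under test, then move or upload a canary the way the use case describes and confirm the resulting alert names the right file.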
Insider Threat vs APT
How can you tell them apart?
Insider Threat:
• Minor deviations from normal activity
• Has motive to carry out attack
• Impacted items are directly related to their work
• Absence of any indicators of compromise
APT or External Threat:
• Random activity not associated with user’s work
• Activity aligns with groups that target your industry
• Activity is beyond the employee’s technical capabilities
• Unusual Access Events
Wrapping it Up
Lessons Learned
Prioritize and Execute / Work with the Business / Follow the ATT&CK
• There are endless attack possibilities; you might not catch them all, but you won't catch any if you don’t get started, so get started.
• Begin with use cases that are top of mind for your company.
• Utilize the data you are already collecting.
• With your custom Insider Threat matrix in hand, get the additional logs you need.
• Team up with your Legal and HR departments, find out what is important to them.
• Work with your business partners to better understand their concerns.
• Have a plan and workflow on how to support investigations and remediation efforts. Then test it (Live Fire, Tabletop, Round Table)!
• Look for the patterns of risky behavior; this reduces false positives and wasted time.
• You must build your own detections! DLP tools alone are NOT an Insider Threat program!
Additional Resources
• MITRE’s Insider Threat TTP Knowledge Base
https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/
• Insider Threat Matrix
https://github.com/Insider-Threat/Insider-Threat
• National Insider Threat Task Force (NITTF)
https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf
• NITTF Maturity Framework
https://www.dni.gov/files/NCSC/documents/nittf/20181024_NITTF_MaturityFramework_web.pdf
• CISA
https://www.cisa.gov/sites/default/files/publications/Insider%20Threat%20Mitigation%20Guide_Final_508.pdf
• DNI
https://www.dni.gov/files/NCSC/documents/nittf/NITTF-Insider-Threat-Guide-2017.pdf
• Code42 Report
https://www.code42.com/resources/report-2021-data-exposure
• Hitachi ID Report
https://www.hitachi-id.com/hubfs/A.%20Key%20Topic%20Collateral/Ransomware/%5BInfographic%5D%20The%20Rising%20Insider%20Threat%20%7C%20Hackers%20Have%20Approached%2065%25%20of%20Executives%20or%20Their%20Employees%20To%20Assist%20in%20Ransomware%20Attacks.
Thank You