⬛ Trying to determine when an account activates an eligible role via Entra ID PIM? We can use the Resource audit functionality to gain visibility, helping to detect Preparation activities, such as Increase Privileges (PR024), before an insider event occurs. "Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account." Microsoft Entra ID Privileged Identity Management Resource Audit (DT106): https://lnkd.in/eapUHp6m #insiderrisk #insiderthreat #DFIR #entraID #IAM #PIM
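Added example, not code from the Insider Threat Matrix page or project: a PowerShell script that pulls PIM entries from the Entra audit log via Microsoft Graph (Get-MgAuditLogDirectoryAudit, Microsoft.Graph.Reports module) and pairs each activation with its expiry so an investigator gets the requestor, subject, role and duration the post describes. The activity names and the TargetResources layout are assumptions to verify against your own tenant's audit entries; the sample records at the bottom are constructed so the summarising logic can be run offline.

```powershell
# Assumed audit activity names for PIM activation and expiry (verify in your tenant).
$ActivationName = 'Add member to role completed (PIM activation)'
$ExpiryName     = 'Remove member from role (PIM activation expired)'

function Get-PimActivationEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Requires a prior: Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
    $iso = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDateTime ge $iso"
}

function Get-PimElevationSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    # Normalise each audit entry to requestor / subject / role / action / time.
    # Assumption: the subject is the TargetResource of Type 'User', the role the one of Type 'Role'.
    $rows = foreach ($e in $Events) {
        $subject = $e.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
        $role    = $e.TargetResources | Where-Object { $_.Type -eq 'Role' } | Select-Object -First 1
        [pscustomobject]@{
            Time      = [datetime]$e.ActivityDateTime
            Action    = $e.ActivityDisplayName
            Requestor = $e.InitiatedBy.User.UserPrincipalName
            Subject   = $subject.UserPrincipalName
            Role      = $role.DisplayName
        }
    }
    # Pair every activation with the next expiry for the same subject and role.
    foreach ($a in ($rows | Where-Object Action -eq $ActivationName | Sort-Object Time)) {
        $end = $rows |
            Where-Object { $_.Action -eq $ExpiryName -and $_.Subject -eq $a.Subject -and
                           $_.Role -eq $a.Role -and $_.Time -gt $a.Time } |
            Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            Subject       = $a.Subject
            Role          = $a.Role
            Requestor     = $a.Requestor
            SelfActivated = ($a.Requestor -eq $a.Subject)   # someone else elevating a user is worth a look
            ActivatedAt   = $a.Time
            ExpiredAt     = if ($end) { $end.Time } else { $null }   # null = still active or not yet expired
            Duration      = if ($end) { $end.Time - $a.Time } else { $null }
        }
    }
}

# Constructed sample entries shaped like Graph directoryAudit objects (not real tenant data).
$sample = @(
    @{ ActivityDateTime = '2024-06-01T09:00:00Z'; ActivityDisplayName = $ActivationName
       InitiatedBy     = @{ User = @{ UserPrincipalName = 'alice@contoso.example' } }
       TargetResources = @( @{ Type = 'User'; UserPrincipalName = 'alice@contoso.example' },
                            @{ Type = 'Role'; DisplayName = 'Global Administrator' } ) },
    @{ ActivityDateTime = '2024-06-01T17:00:00Z'; ActivityDisplayName = $ExpiryName
       InitiatedBy     = @{ User = @{ UserPrincipalName = 'MS-PIM' } }
       TargetResources = @( @{ Type = 'User'; UserPrincipalName = 'alice@contoso.example' },
                            @{ Type = 'Role'; DisplayName = 'Global Administrator' } ) }
)

# Offline run on the constructed sample; swap in (Get-PimActivationEvents) against a live tenant.
Get-PimElevationSummary -Events $sample | Format-Table -AutoSize
```

The offline run yields one row for alice, Global Administrator, self-activated, with an eight-hour duration. Rows with no ExpiredAt are elevations still in force at query time, and rows where SelfActivated is false show an elevation performed on behalf of another account, both of which are the cases an investigator building a PIM timeline usually wants surfaced first.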
Insider Threat Matrix
Security and Investigations
An open framework for computer-enabled insider threat investigations. Contribute today!
About us
A continually growing framework for investigating instances of computer-enabled insider threats in organizations of any size. Coming soon.
- Website: https://insiderthreatmatrix.org
- Industry: Security and Investigations
- Company size: 2-10 employees
- Type: Privately Held
- Founded: 2024
- Specialties: Insider Threat
Updates
⬛ Investigate Microsoft Teams meetings and call history with IT troubleshooting tools 🕵 "From the Microsoft Teams admin center, reviewing previous Teams meetings or calls that a user account has joined is possible. These logs include key information such as meeting or call ID, start time, duration, and participants. The purpose of this information is to assist with troubleshooting meeting or call issues; however, investigators can use it to determine when users have participated in meetings or calls." Microsoft Teams admin Center Meeting and Call History (DT107): https://lnkd.in/ehN676zS #insiderrisk #insiderthreat #microsoftteams #DFIR
⬛️ An employee exports their entire mailbox, along with shared mailboxes, that contain sensitive and confidential communications. What do you do? ▪️ Is this activity expected? What are they doing with the PST, MBOX, or similar file? Is it leaving the organization’s control? Understand email exfiltration in its various forms here: https://lnkd.in/egFUCBWj #insiderrisk #insiderthreat #exfiltration #cybersecurity
⬛️ Are you using Group Policy to block read, write, and execute operations from removable storage devices on Windows systems? ▪️ Doing so can prevent insider threats from bringing in tools or malicious software, or exfiltrating data via a physical medium. Learn more, including how to configure this here: https://lnkd.in/exzAPNRP #insiderrisk #insiderthreat #cybersecurity
Restrict Removable Disk Mounting, Group Policy | Prevention
insiderthreatmatrix.org
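Added example, not code from the Insider Threat Matrix project: the "Removable Storage Access" policies (Computer Configuration > Administrative Templates > System) are written by Group Policy as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices. The script below sets and then verifies the read, write and execute denies for the Removable Disks device class on a single machine, which is the same registry state a GPO produces. Run it elevated; in a domain, put the same settings in a GPO so they are enforced centrally and cannot be undone locally. Some of these settings only take effect after a reboot.

```powershell
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB flash drives and similar)
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskRestriction {
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)
    # Create the per-class policy key if Group Policy has never written it
    $key = Join-Path $PolicyRoot $RemovableDisks
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = deny, 0 = allow; writing 0 explicitly clears a previous deny
    $values = @{ Deny_Read = $DenyRead; Deny_Write = $DenyWrite; Deny_Execute = $DenyExecute }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value ([int][bool]$values[$name]) -Type DWord
    }
}

function Get-RemovableDiskRestriction {
    # Returns the current deny flags so an auditor can confirm the control is in place
    $key = Join-Path $PolicyRoot $RemovableDisks
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    [pscustomobject]@{
        DenyRead    = [bool]($props.Deny_Read    -eq 1)
        DenyWrite   = [bool]($props.Deny_Write   -eq 1)
        DenyExecute = [bool]($props.Deny_Execute -eq 1)
    }
}

# Block reads, writes and execution from removable disks, then confirm the three flags
Set-RemovableDiskRestriction -DenyRead -DenyWrite -DenyExecute
Get-RemovableDiskRestriction
```

Get-RemovableDiskRestriction on its own is useful as a compliance check across a fleet: any host reporting a false flag is one where the policy has not applied or has been overridden.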
⬛️ Are you using LNK files in your Windows investigations to evidence program execution? ▪️ “These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, and the last time it was run. The prefetch directory can offer new and valuable insights, particularly when the original executable no longer exists.” Learn more here: https://lnkd.in/eWC5Yi-J #insiderthreat #insiderrisk #DFIR #digitalforensics
Windows Prefetch | Detection
insiderthreatmatrix.org
⬛️ Do you have employees using non-corporate devices to work? Are you aware of the risks? ▪️ “The subject performs work-related tasks on an unauthorized, non-organization-owned device, likely violating organizational policy. Without the organization’s security controls in place, this device could be used to bypass established safeguards - and increases the risk of sensitive data being retained or exposed, particularly after the subject is offboarded.” Learn more here: https://lnkd.in/eZ_TuUsX #insiderrisk #insiderthreat #cybersecurity
Non-Corporate Device | Infringement
insiderthreatmatrix.org
Insider Threat Matrix reposted this
💡 Discover the Insider Threat Matrix (ITM) 💡 I've recently completed the Security Blue Team course and truly enjoyed its structured approach, hands-on labs, and excellent additional resources. 🔍 One standout discovery is the Insider Threat Matrix (ITM) — an open framework developed by James Weston and Joshua Beaman for investigating insider threats within organisations. These threats, whether from employees, contractors, or partners, can be devastating. The ITM helps map behaviour, motives, and methods, offering a structured approach to uncover and address risks. Explore the framework here 👇
Insider Threat Matrix™ | Unified Framework For Investigators
insiderthreatmatrix.org
⬛️ Are you ensuring access is revoked for Leavers, and monitoring for activity from their accounts? ▪️ “When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.” Unrevoked access, such as user account credentials, SSH keys, and API keys could allow a Leaver to commit an infringement, resulting in harm or loss to an organization post-employment. Learn more here: https://lnkd.in/eY5F5Ccs #insiderrisk #insiderthreat #cybersecurity
Employee Off-boarding Process | Prevention
insiderthreatmatrix.org
⬛️ Employees (or other insiders) suffering from financial difficulties may pose a bigger risk than you think. ▪️ “A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party, or conspiring with others to cause harm to the organization for financial gain.” Understand methods to try to prevent this Motive here: https://lnkd.in/eQFVBcAC #insiderrisk #insiderthreat #motive #cybersecurity
Financial Desperation | Motive
insiderthreatmatrix.org
It was a pleasure to talk to 60 attendees at Microsoft about why we created the ITM, and how it can be used. Thanks for having us! #insiderrisk #insiderthreat
A Huge Thank You to James Weston and Joshua Beaman! Last week, our Microsoft Datacenters Threat Insights Speaker Series brought together two standout contributors in the insider threat space—James Weston and Joshua Beaman. Both of these experts bring unparalleled operational insight from the private sector, which plays a critical role in advancing insider threat knowledge and solutions. Their work with the Insider Threat Matrix (ITM), modeled after MITRE ATT&CK, represents the kind of innovative thinking we need to address insider risk uniquely suited to private sector challenges. James kicked things off by diving into the origins and mission of the ITM, showing us how this open-source tool is set to unify language and practices across our field. Then, Joshua took it to the next level, showcasing real-world applications of the ITM, mapping insider incidents we see in the media and showing us the collaborative, open-ended vision that the ITM brings to our community. Their contributions reinforce the importance of private sector leadership in insider threat. Building on government and academic insights, they’re helping pave the way for frameworks that truly resonate with the evolving demands of private industry. Thank you, James and Joshua, for an incredible session and for driving this field forward. https://lnkd.in/dNssaSNM #InsiderThreat #InsiderRisk #InsiderThreatMatrix
Insider Threat Matrix™ | Unified Framework For Investigators
insiderthreatmatrix.org