
Next DLP’s Reveal Platform Tackles Insider Threats


Data breaches caused by insiders are on the rise—both in terms of frequency and their cost to the business. In fact, data losses from insider-driven events are expected to pile up in 2024, with a single event potentially costing as much as $15 million, according to reports.

The problem has become so severe that MITRE has developed an Insider Threat Knowledge Base (ITKB) through its MITRE Engenuity Center for Threat-Informed Defense. An insider is typically defined as an individual with legitimate access to company assets who causes harm to the business—whether intentionally or unintentionally. Threats could come from current employees, former employees, contractors, or partners who have access (or previously had access) to an organization’s systems or data.

The ITKB offers an evidence-based, multi-organizational and publicly available compendium of insider threat tactics, techniques and procedures (TTPs) mapped to MITRE ATT&CK. It was developed in partnership between MITRE Engenuity, Next DLP, CrowdStrike, HCA Healthcare, JPMorgan Chase Bank, Lloyds Banking Group, Microsoft and Verizon Business.

In early May, data loss prevention and insider threat solutions vendor Next DLP announced that its Reveal Platform is the first insider risk management solution to automatically map detection events to the expanded ITKB.

"We have been collaborating and partnering with the MITRE Engenuity group on their insider threat knowledge base since last year," Connie Stack, CEO at Next DLP, told ChannelE2E. "They've been working on this research for the last few years. Just as MITRE has done with their ATT&CK framework, which has become something of a universal, global framework that folks are building their threat detection and response programs around, they wanted to develop something similar for the TTPs and indicators of insider risks as well," Stack said.

For MSPs and MSSPs, Next DLP offers a way to help customers deploy the procedural and technical improvements needed to detect and prevent insider threats, turning their information security focus inward. Stack adds that being one of the first vendors to incorporate the MITRE ITKB into its solution gives the company an innovation edge and helps it build a reputation as a trusted partner.

"Since we are the first vendor that's actually incorporated them into our solution, we benefit as well from the fact that MITRE is so well respected. It's a familiar and trusted name, familiar trusted brand, familiar and trusted framework that's now being translated to the insider risk side," she said.

Insider Threat Knowledge Base

According to a blog post from Next DLP, Next's Reveal platform aligns with the MITRE Insider Threat Knowledge Base for the following attack vectors:

1. Data Exfiltration

MITRE's Knowledge Base emphasizes the techniques insider threats use to exfiltrate data without authorization. Specifically, it lists exfiltration over Bluetooth, over the network, over USB, over a web service to cloud storage, and over encrypted network protocols.

2. Lateral Movement

Insider threats often move laterally within an organization to reach sensitive data. Based on the center's participant-validated evidence, the ATT&CK lateral movement techniques used by insiders include exploitation of remote services such as Remote Desktop Protocol (RDP) and SSH. Reveal continuously monitors and analyzes user behavior to identify unusual patterns such as privilege escalation, unauthorized access, and lateral movement.

3. Credential Misuse

MITRE recognizes that misuse of credentials taken from password stores and managers is common in insider threat scenarios. Reveal monitors user access and identifies anomalies in login patterns, making it easier for organizations to identify and rectify potential security breaches. As part of an incident-based training program, Reveal can be used to train employees to double-check links and prompts that may be embedded in phishing emails before entering a username and password combination.

4. Anomaly Detection

MITRE's insider threat knowledge base underscores the importance of identifying anomalies in user behavior. It calls out that malicious insiders use reconnaissance, access and discovery techniques, such as scanning, service access and account access, to carry out detrimental activities. Reveal uses machine learning algorithms to detect unusual activities and deviations from established norms.

5. Other Insider Threat Indicators

Reveal brings together and correlates multiple indicators of compromise, including defense evasion techniques such as disabling or modifying tools, renaming files, deleting or destroying files, and clearing event logs. Correlating these techniques gives organizations actionable threat intelligence, in line with MITRE's recommendation to collect and analyze relevant indicators. It also lets organizations respond quickly to emerging threats and mitigate them, for instance by containing a suspicious endpoint: isolating it from the network or locking it so the user cannot use it.
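As an added illustration (not Next DLP's or MITRE's code), here is the correlation idea the sections above describe: constructed endpoint events are tagged with the ATT&CK technique the ITKB lists for that behavior, and a user is flagged only when events from two or more tactics (for example defense evasion plus exfiltration) cluster within an hour, so an isolated cloud upload alone does not alert. Event names, users and timestamps are assumed sample values; the technique IDs are real ATT&CK identifiers.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event names (constructed for this example) mapped to real ATT&CK
# technique IDs from the ITKB categories discussed above.
EVENT_TO_TECHNIQUE = {
    "usb_file_copy":       ("T1052.001", "exfiltration"),
    "cloud_upload":        ("T1567.002", "exfiltration"),
    "rdp_logon":           ("T1021.001", "lateral-movement"),
    "password_store_read": ("T1555",     "credential-access"),
    "network_scan":        ("T1046",     "discovery"),
    "edr_disabled":        ("T1562.001", "defense-evasion"),
    "event_log_cleared":   ("T1070.001", "defense-evasion"),
}

# Constructed sample endpoint telemetry, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:02:00", "user": "alice", "event": "rdp_logon"}
{"ts": "2024-05-06T09:40:00", "user": "bob",   "event": "cloud_upload"}
{"ts": "2024-05-06T13:05:00", "user": "alice", "event": "edr_disabled"}
{"ts": "2024-05-06T13:12:00", "user": "alice", "event": "usb_file_copy"}
{"ts": "2024-05-06T13:30:00", "user": "alice", "event": "event_log_cleared"}
{"ts": "2024-05-06T13:31:00", "user": "carol", "event": "print_job"}
"""

def tag_events(raw):
    """Parse JSON lines and attach technique/tactic; unknown events stay untagged."""
    tagged = []
    for line in filter(str.strip, raw.splitlines()):
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["technique"], ev["tactic"] = EVENT_TO_TECHNIQUE.get(ev["event"], (None, None))
        tagged.append(ev)
    return tagged

def correlate(events, window=timedelta(hours=1)):
    """Alert on a user whose tagged events span two or more tactics within `window`.
    A single tagged event (bob's upload) never alerts; alice's 13:05-13:30 chain does."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["tactic"]:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            tactics = {e["tactic"] for e in cluster}
            if len(tactics) >= 2:
                alerts.append({"user": user, "severity": "high" if "exfiltration" in tactics else "medium",
                               "techniques": sorted(e["technique"] for e in cluster)})
                break  # one alert per user keeps the output readable
    return alerts
```

The alert carries the technique IDs so an analyst can pivot straight into the ITKB or ATT&CK entry for each behavior.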

Next DLP Competitors and Alternatives

Next DLP isn't the only company working with MSPs and MSSPs to provide data loss prevention solutions. Others include Trellix DLP, Digital Guardian, and Forcepoint DLP.