CrowdStrike Partners with MITRE CTID, Reveals Real-world Insider Threat Techniques

  • Remote working has exposed companies to greater levels of insider risk, which can result in data exfiltration, fraud and confidential information leakage
  • CrowdStrike is a founding sponsor and lead contributor to the new MITRE Insider Threat Knowledge Base, continuing its industry leadership in protecting organizations from external attacks and internal threats 
  • The CrowdStrike Falcon® platform detects and defends against these new techniques, protecting data by providing visibility into insider threats across hosts, user identities, cloud infrastructure and business applications 

CrowdStrike continues to support coverage of MITRE, first through the MITRE ATT&CK® framework and now with the latest findings from the MITRE Center for Threat-Informed Defense (CTID). Today MITRE CTID released a report examining threat trends and patterns frequently used by malicious insiders to exfiltrate data, access confidential information and commit fraud. In its report, MITRE CTID incorporated real-world data from the CrowdStrike Security Cloud and CrowdStrike’s expert security analysts. Enterprises use MITRE findings and guidance as an industry-recognized method to gain visibility and mitigate threats.  

“CrowdStrike contributed a significant amount of the data needed to kick start the knowledge base,” said Jon Baker, Director of Research & Development, Center for Threat-Informed Defense, MITRE. “Without their support, and the support of other companies engaged in this project, we would still only be talking about theory instead of reality.” 

Insider Risk TTP Observations

Using the MITRE ATT&CK enterprise matrix as a baseline for mapping real-world insider threat techniques, MITRE CTID identified a subset of techniques frequently associated with insider threats. While the actions are identified using log files and structured data, the techniques are based on actions presented from actual case files (including from CrowdStrike’s global incident response and threat intelligence teams), helping security operations centers (SOCs), security analysts and cyber defense teams better understand how to respond to insider threats. 

The findings reveal that data exfiltration is the prevailing goal, and the most common techniques to facilitate data theft or malicious actions are unsophisticated tactics, techniques and procedures (TTPs) and existing privileged access, such as valid accounts. 

The report also noted that SOCs and insider threat programs detect only what they train analysts to find. A primary purpose of this project has been to identify TTPs used by insider threats so organizations can better protect themselves. Defenders often focus on threats from outside the organization because they have a better understanding of how those actors operate. 

The following insider threat trends and patterns were observed in the MITRE CTID study:

  1. Insider threats routinely use unsophisticated TTPs to access and exfiltrate data. Perhaps unsurprisingly, malicious insiders were frequently observed using relatively “low tech” techniques that are readily available to most enterprise users. 
  2. Insider threats routinely leverage existing privileged access to facilitate data theft or other malicious actions. 
  3. Insiders routinely “stage” data they intend to steal prior to exfiltration. 
  4. External/removable media remains a common exfiltration channel.
  5. Email remains a common exfiltration channel. 
  6. Cloud storage represents both a collection target for insiders and a common exfiltration channel.

Figure 1. Insider Threat MITRE ATT&CK TTP Knowledge Base Overview

CrowdStrike’s in-house Insider Risk team utilizes multiple Falcon modules to provide enhanced visibility into data movements and potential insider risks,” said Tim Briggs,  Director of Incident Response at CrowdStrike. “This includes device control policies, which allow an organization to manage removable media usage in a manner that allows employee productivity employees and also visibility and protection of sensitive files, and identity protection, which enables our team to track if an employee, or someone with employee credentials, is attempting to use valid but infrequently used accounts to gain access to data stores.” 

“So often defenders need to rely on best guesses and theory on how insider threats operate,” said MITRE’s Baker. “Without case submissions from partners like CrowdStrike, this project would still be only theory.”

The launch of the new Insider Threat Knowledge Base this week is just the beginning of the project. CrowdStrike’s partnership with the MITRE Center for Threat-Informed Defense will continue to help organizations improve visibility into insider techniques by sharing real-world insider threat casefiles to help defenders gain visibility and context into malicious or benign actions. We remain committed to helping customers and organizations secure data and protect their environments from any threat, including insider risks.

Additional Resources

Related Content