Mitre Engenuity’s Center for Threat-Informed Defense is a privately funded non-profit dedicated to advancing cybersecurity knowledge. It unites global organisations with skilled security teams. Leveraging Mitre ATT&CK, it extends threat-informed defence, a crucial framework enhancing enterprise security operations for both teams and vendors.

What is the Insider Threat Knowledge Base?

Mitre’s Center for Threat-Informed Defense, which Next DLP (Next) joined in 2023, established the Insider Threat Knowledge Base (ITKB), a comprehensive repository documenting insiders’ tactics, techniques and procedures (TTPs) to exfiltrate data. This knowledge base empowers insider threat programmes with evidence-based research to enhance their detection and mitigation strategies across a broad spectrum of organisations and sectors.

Aligning the Reveal Platform with the ITKB

Insider threats, originating from trusted personnel, pose significant cybersecurity risks. Detecting and preventing these threats is challenging due to their sophisticated tactics. Next’s Reveal Platform provides a robust defence aligned with the Mitre ITKB, aiding organisations in combating this menace effectively. These threats involve diverse malicious or unintentional actions by insiders with legitimate access to organisational assets.

Deep dive into Next DLP’s Reveal Platform

Executives hate surprises, particularly unforeseen data events. The Reveal Platform from Next learns what normal data movement and use look like in your environment, distinguishing between a user mistake and malicious intent. It’s a purpose-built solution to help organisations proactively identify and mitigate insider threats. It protects critical assets on and off the network, providing the visibility and control to prevent data loss in business-critical applications.

Mapping Reveal to the Mitre ITKB

Next’s Reveal platform aligns with the Mitre ITKB, offering organisations a comprehensive security solution that provides an integrated defence against insider threats. Here’s a breakdown of how Reveal maps to the techniques of the Mitre ITKB:

1. Data exfiltration

Mitre’s knowledge base highlights insider threat techniques like data exfiltration via Bluetooth, network, USB, web service to cloud storage, and encrypted network protocol. Reveal monitors data access and movement across these vectors, controlling unauthorised use. This ensures sensitive information remains within the organisation, mitigating the risk of falling into unauthorised hands.

2. Lateral movement

Insider threats often move laterally within an organisation to access sensitive data. Based on the centre’s participant-validated evidence, lateral movement of data ATT&CK techniques used by insiders include exploiting remote services, including remote desktop protocol (RDP) and SSH. Reveal goes beyond mere access control by continuously monitoring and analysing user behaviour. It can identify unusual patterns, such as privilege escalation, unauthorised access and lateral movement, offering invaluable insights to counteract potential threats.

3. Credential misuse

Mitre recognises credential misuse from password stores and managers in insider threat scenarios. Reveal closely monitors user access and swiftly identifies anomalies in login patterns, making it easier to identify and rectify potential security breaches. As part of an incident-based training programme, Reveal can be used to train employees to double-check links and prompts that may be embedded in phishing e-mails before entering a username and password combination.

4. Anomaly detection

Mitre’s Insider Threat Knowledge Base underscores the importance of identifying anomalies in user behaviour, highlighting that malicious insiders use reconnaissance, access and discovery techniques, such as scanning and service and account access, to carry out detrimental activities. Reveal leverages sophisticated machine learning algorithms to detect unusual activities and deviations from established norms. This allows organisations to respond promptly to insider threats, reducing the risk of data breaches and intellectual property theft.

5. Insider threat indicators

Reveal correlates various indicators of compromise, from defence evasion to impact techniques, alerting on actions like disabling tools, renaming files and clearing event logs. This aligns with Mitre’s guidance, enhancing threat detection. Organisations can swiftly respond, isolating suspicious endpoints or locking them to mitigate risks, adapting to emerging threats.

Watch this webinar to learn…

What the Mitre ITKB is, how it came about and key learning points from the phase-1 research project.
How using the ITKB within the Reveal Platform can provide visibility to the chain of attack and why traditional data loss prevention (DLP) falls short of detecting insider threat activity.
Details of the project objectives for phase 2 of the ITKB research programme.

Conclusion

Insider threats pose a substantial risk to organisations’ sensitive data and intellectual property. Next’s Reveal Platform provides a robust defence aligned with the Mitre Insider Threat Knowledge Base, ensuring comprehensive protection. By leveraging Reveal, organisations can proactively safeguard assets, detect threats swiftly and respond effectively, establishing a data-centric approach to mitigation. With Reveal, businesses gain true insight into insider risks, empowering them to protect their valuable assets effectively.