To advance our collective understanding of insider threats, the Center for Threat-Informed Defense developed the Insider Threat TTP Knowledge Base, a collection of TTPs used by insiders in IT environments. This Knowledge Base builds upon data collected on insider threat incidents and lessons learned and experience from the ATT&CK knowledge base. With this lexicon of known insider threat TTPs as a foundation, defenders will detect, mitigate, and emulate insider actions on IT systems and stop them.
| Resource | Description |
|---|---|
| design-principles-and-methodology.pdf | A document describing the design principles and methodology of the Insider Threat TTP Knowledgebase |
| insider-threat-ttp-kb.csv | A spreadsheet containing the Insider Threat TTP Knowledgebase |
| insider-threat-ttp-kb.json | An ATT&CK navigator layer representing the Insider Threat TTP Knowledgebase (View in Navigator) |
| insider-threat-heatmap.json | An ATT&CK navigator layer representing the Insider Threat TTP Knowledgebase as a heatmap (View in Navigator) |
This initial Knowledge Base is an evidence-based examination of detected, documented insider threat actions on IT systems from across various organizations and industries. There are several ways that you can get involved with this work and help advance threat-informed defense:
- Review the KB, use it, and tell us what you think. We need your help to validate or refute this initial analysis. We welcome your review and feedback on the methodology and resources.
- Apply the methodology and share your data. We seek to learn about your insider threat use cases and data sources, enabling us to mature this KB and raise the level of difficulty for any insider. Help us expand the knowledge base by contributing your data. Contact us at [email protected] to learn more about contributing to the knowledge base.
- Share your ideas. We are interested in developing additional resources to help the community understand and make threat-informed decisions regarding insider threat. If you have ideas or suggestions, please let us know.
Publishing the Knowledge Base is a first step toward establishing a community-wide collaboration to advance our collective understanding of insider threat. We are actively seeking feedback on this initial release and will continue to evolve it with your support. Please submit issues for any technical questions/concerns or contact [email protected] directly for more general inquiries.
Copyright 2022 MITRE Engenuity. Approved for public release. Document number CT0041.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent