Insider Threat Matrix
Open framework for computer-enabled insider threat investigations by Forscie Limited. 157 techniques across 5 categories — Motive, Means, Preparation, Infringement, Anti-Forensics.
Motive
The reason or underlying cause that prompts a subject to engage in an infringement.
MT022 Boundary Testing
MT012 Coercion
MT021 Conflicts of Interest
MT018 Curiosity
MT017 Espionage
MT009 Fear of Reprisals
MT011 Hubris
MT016 Human Error
MT020 Ideology
MT008 Lack of Awareness
MT003 Leaver
MT013 Misapprehension or Delusion
MT005 Personal Gain
MT004 Political or Philosophical Beliefs
MT015 Recklessness
MT024 Recognition
MT007 Resentment
MT023 Revenge
MT019 Rogue Nationalism
MT010 Self Sabotage
MT006 Third Party Collusion Motivated by Personal Gain
Means
The mechanisms or circumstances required for an infringement to occur.
ME026 Ability to Modify Cloud Resources
ME024 Access
ME018 Aiding and Abetting
ME004 Bluetooth
ME022 Bring Your Own Device (BYOD)
ME012 Clipboard
ME029 Corporate-Issued Device
ME027 Credential Access and Exposure
ME028 Delegated Access via Managed Service Providers
ME030 Enterprise-Integrated AI Platforms
ME009 FTP Servers
ME003 Installed Software
ME013 Media Capture
ME008 Network Attached Storage
ME017 Physical Disk Access
ME025 Placement
ME014 Printing
ME007 Privileged Access
ME005 Removable Media
ME011 Screenshots and Screen Recording
ME023 Sensitivity Label Leakage
ME015 SMB File Sharing
ME010 SSH Servers
ME016 System Startup Firmware Access
ME001 Unauthorized Access to Unassigned Hardware
ME031 Unmanaged Device Presence
ME002 Unrestricted Software Installation
ME021 Unrevoked Access
ME006 Web Access
Preparation
The activities conducted by a subject to aid or enable an infringement.
PR038 AI-Assisted Capability Development
PR017 Archive Data
PR030 Authorization Token Staging
PR011 Boot Order Manipulation
PR007 CCTV Enumeration
PR018 Circumventing Security Controls
PR020 Data Obfuscation
PR016 Data Staging
PR035 Delegated Preparation via AI Agents
PR002 Device Mounting
PR015 Email Collection
PR014 External Media Formatting
PR025 File Download
PR004 File Exploration
PR036 Hardware-Based Remote Access (IP-KVM)
PR027 Impersonation
PR024 Increase Privileges
PR005 IT Ticketing System Exploration
PR033 Joiner
PR034 Media Capture via External Device
PR032 Mover
PR021 Network Scanning
PR039 Observational Information Gathering
PR028 On-Screen Data Collection
PR037 Oversight Circumvention and Control Degradation
PR029 Persistent Access via Bots
PR012 Physical Disk Removal
PR009 Physical Exploration
PR008 Physical Item Smuggling
PR019 Private / Incognito Browsing
PR001 Read Windows Registry
PR026 Remote Desktop (RDP)
PR006 Security Software Enumeration
PR022 Social Engineering (Outbound)
PR003 Software Installation
PR010 Software or Access Request
PR023 Suspicious Web Browsing
PR013 Testing Ability to Print
PR040 Testing Security Controls
PR031 VPN Usage
Infringement
The act that harms or undermines an organization.
IF029 Codebase Integrity Compromise
IF022 Data Loss
IF028 Delegated Execution via AI Agents
IF026 Denial of Service
IF033 Digital Defacement
IF013 Disruption of Business Operations
IF017 Excessive Personal Use
IF034 Exfiltration via Automated Transcription
IF010 Exfiltration via Email
IF003 Exfiltration via Media Capture
IF005 Exfiltration via Messaging Applications
IF004 Exfiltration via Other Network Medium
IF002 Exfiltration via Physical Medium
IF024 Exfiltration via Screen Sharing
IF030 Exfiltration via SMS/MMS
IF001 Exfiltration via Web Service
IF032 External Credential Sharing
IF021 Harassment and Discrimination
IF008 Inappropriate Web Browsing
IF027 Installing Malicious Software
IF009 Installing Unapproved Software
IF025 Internal Credential Sharing
IF016 Misappropriation of Funds
IF036 Misuse of Corporate Communication Channels
IF019 Non-Corporate Device
IF037 Physical Sabotage
IF011 Providing Access to an Unauthorized Third Party
IF012 Public Statements Resulting in Brand Damage
IF023 Regulatory Non-Compliance
IF018 Sharing on AI Chatbot Platforms
IF015 Theft
IF014 Unauthorized Changes to IT Systems
IF031 Unauthorized Presence in Restricted Physical Areas
IF006 Unauthorized Printing of Documents
IF020 Unauthorized VPN Client
IF035 Unauthorized Work Location
IF038 Undisclosed Concurrent Employment
IF007 Unlawfully Accessing Copyrighted Material
Anti-Forensics
The actions undertaken by a subject to frustrate any subsequent investigation.
AF024 Account Misuse
AF004 Clear Browser Artifacts
AF027 Clear Email Artifacts
AF031 Code Contribution Obfuscation and Misrepresentation
AF019 Decrease Privileges
AF025 Delayed Execution Triggers
AF013 Delete User Account
AF020 Deletion of Volume Shadow Copy
AF006 Disk Wiping
AF015 File Deletion
AF005 File Encryption
AF012 Hide Artifacts
AF001 Hiding or Destroying Command History
AF002 Log Deletion
AF026 Log Modification
AF030 Message Deletion
AF033 Message Modification
AF007 Modify Windows Registry
AF029 Network Obfuscation
AF011 Physical Destruction of Storage Media
AF010 Physical Removal of Disk Storage
AF028 Stalling
AF008 Steganography
AF014 System Shutdown
AF032 System Time Modification
AF003 Timestomping
AF018 Tripwires
AF016 Uninstalling Software
AF022 Virtualization
Data sourced from insiderthreatmatrix.org · 157 techniques · 5 categories · GitHub