To advance our collective understanding of insider threats, the Center for Threat-Informed Defense developed the Insider Threat TTP Knowledge Base, a collection of TTPs used by insiders in IT environments. This Knowledge Base builds upon data collected from insider threat incidents, lessons learned, and data from the ATT&CK® knowledge base. With this lexicon of known insider threat TTPs as a foundation, defenders will detect, mitigate, and protect against insider actions on IT systems.
Table Of Contents:
Read the methodology paper to familiarize yourself with the project's overall goals, constraints, and methods. Access the TTP data in CSV, JSON, or ATT&CK® Navigator format.
Resource | Description |
---|---|
Project Website | The project website containing data, analsysis, and all project artifacts. |
Insider Techniques – Excel | A spreadsheet containing the Insider Threat TTP Knowledge Base. |
Insider Techniques – ATT&CK Navigator | An ATT&CK Navigator layer containing the Insider Threat TTP Knowledge Base. |
This Knowledge Base is an evidence-based examination of detected and documented insider threat actions on IT systems from across various organizations/industries. There are several ways that you can get involved with this work and help advance threat-informed defense:
- Review the KB, use it, and tell us what you think. We need your help to validate or improve upon our analysis. We welcome your review and feedback on the methodology and resources.
- Apply the methodology and share your data. We seek to learn about your insider threat use cases and data sources, enabling us to mature this KB and raise the level of difficulty for any insider. Help us expand the knowledge base by contributing your data. Contact us at ctid@mitre-engenuity.org to learn more about contributing to the knowledge base.
- Share your ideas. We are interested in developing additional resources to help the community understand and make threat-informed decisions regarding insider threat. If you have ideas or suggestions, please let us know.
Publishing the Knowledge Base is a first step toward establishing a community-wide collaboration to advance our collective understanding of insider threat. We are actively seeking feedback on this initial release and will continue to evolve it with your support. Please see the guidance for contributors if are you interested in contributing or simply reporting issues.
Please submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.
Copyright 2024 MITRE Engenuity. Approved for public release. Document numbers CT0041, CT0102.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®