Skip to content

The principal objective of this project is to develop a knowledge base of the tactics, techniques, and procedures (TTPs) used by insiders in the IT environment. It will establish an Insider Threat TTP Knowledge Base, built upon data collected on insider threat incidents and lessons learned and experience from the ATT&CK knowledge base.

License

Notifications You must be signed in to change notification settings

center-for-threat-informed-defense/insider-threat-ttp-kb

Repository files navigation

MITRE ATT&CK® v14

Insider Threat TTP Knowledge Base

To advance our collective understanding of insider threats, the Center for Threat-Informed Defense developed the Insider Threat TTP Knowledge Base, a collection of TTPs used by insiders in IT environments. This Knowledge Base builds upon data collected from insider threat incidents, lessons learned, and data from the ATT&CK® knowledge base. With this lexicon of known insider threat TTPs as a foundation, defenders will detect, mitigate, and protect against insider actions on IT systems.

Table Of Contents:

Getting Started

Read the methodology paper to familiarize yourself with the project's overall goals, constraints, and methods. Access the TTP data in CSV, JSON, or ATT&CK® Navigator format.

Resource Description
Project Website The project website containing data, analsysis, and all project artifacts.
Insider Techniques – Excel A spreadsheet containing the Insider Threat TTP Knowledge Base.
Insider Techniques – ATT&CK Navigator An ATT&CK Navigator layer containing the Insider Threat TTP Knowledge Base.

Getting Involved

This Knowledge Base is an evidence-based examination of detected and documented insider threat actions on IT systems from across various organizations/industries. There are several ways that you can get involved with this work and help advance threat-informed defense:

  • Review the KB, use it, and tell us what you think. We need your help to validate or improve upon our analysis. We welcome your review and feedback on the methodology and resources.
  • Apply the methodology and share your data. We seek to learn about your insider threat use cases and data sources, enabling us to mature this KB and raise the level of difficulty for any insider. Help us expand the knowledge base by contributing your data. Contact us at [email protected] to learn more about contributing to the knowledge base.
  • Share your ideas. We are interested in developing additional resources to help the community understand and make threat-informed decisions regarding insider threat. If you have ideas or suggestions, please let us know.

Questions and Feedback

Publishing the Knowledge Base is a first step toward establishing a community-wide collaboration to advance our collective understanding of insider threat. We are actively seeking feedback on this initial release and will continue to evolve it with your support. Please see the guidance for contributors if are you interested in contributing or simply reporting issues.

Please submit issues for any technical questions/concerns or contact [email protected] directly for more general inquiries.

Notice

Copyright 2024 MITRE Engenuity. Approved for public release. Document numbers CT0041, CT0102.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK® Terms of Use

About

The principal objective of this project is to develop a knowledge base of the tactics, techniques, and procedures (TTPs) used by insiders in the IT environment. It will establish an Insider Threat TTP Knowledge Base, built upon data collected on insider threat incidents and lessons learned and experience from the ATT&CK knowledge base.

Topics

Resources

License

Stars

Watchers

Forks