technique-vocab
Own account (1.1)
Insider uses their granted access in order to commit their attack
Privileged Access Abuse (1.2)
Insider uses their granted privileged access in order to commit their attack
Shared Account (1.3)
Insider accesses an account they share with other employees
Dormant or Expired Account (1.4)
Insider uses a company account that was either dormant or expired
Unattended Workstation (Unsecured) (1.5)
Insider uses a workstation that was unassigned to an employee or uses a colleague’s workstation when the colleague is not at their desk
Own Account After Termination/Resignation (1.6)
Insider gains access to their company account after their termination date
Compromised Account (1.7)
Insider uses the compromised account of another employee (e.g., the insider copied another employee’s account and password prior to being terminated)
Unauthorized Access Path (1.8)
Insider accesses systems using a previously unknown access path that they created (e.g., the insider used a backdoor account in order to gain access to the organization’s systems)
Authorized Third-Party Account (1.9)
Insider uses a third party account such as a vendor’s account
Coworker’s Account (1.10)
Insider uses a coworker’s account
Customer’s Account (1.11)
Insider uses a customer’s account
Database Administrator Account (1.12)
Insider uses a database administrator’s account
Supervisor’s Account (1.13)
Insider uses their supervisor’s account
System Administrator Account (1.14)
Insider uses a system administrator’s account
Outsider Recruits Insider (2.1)
An outside entity that is not a competing organization encourages the insider to become a malicious insider (e.g., the insider is contacted by a known hacking specialist who asks the insider to divulge company secrets to the hacker)
Insider Recruited Outside Aid (2.2)
The insider recruits people outside of the organization to further their scheme (e.g., the insider recruits their unemployed friend into the scheme)
Insider Recruited Coworker(s) (2.3)
Insider recruits fellow employees to further their scheme
Insider Recruited by Coworker(s) (2.4)
Insider is recruited by fellow employees to further their scheme
Sells Information (3.1)
Insider or accomplice sells, or attempts to sell, organizational information, data, or property (e.g., the insider tried to sell company secrets on an online auction site)
Payoffs From Insider (3.2)
Insider promises or gives other individuals or entities some amount of monetary compensation for aiding their scheme (e.g., the insider promises to give a fellow employee $1,000 if they steal confidential information)
Payoffs to Insider (3.3)
Insider benefits financially or is promised compensation from an outside entity (e.g., a competing organization promises the insider $500 for every line of code stolen)
Received/Transferred Fraudulent Funds (3.4)
Insider or accomplice receives or transfers funds that were fraudulently obtained (e.g., the insider took out cashier’s checks on behalf of customers and used them for personal gain)
Fraudulent Purchases (3.5)
Insider or accomplice uses fraudulently obtained funds to make purchases (e.g., the insider used general ledger funds from their organization to purchase cashier’s checks in the amount of $10,000)
Filed Fraudulent Tax Return (3.6)
Insider or accomplice files a fraudulent tax return. Often this is done using the identity of another person (e.g., the insider submitted multiple purported U.S. individual tax returns in the names of multiple people).
Insider Created/Used Fraudulent Asset (3.7)
Insider creates an asset to use for future monetary gain (e.g., the insider defrauded the organization by providing false documentation claiming they wanted $250,000 to expand their business)
Backdoor (4.1)
A malicious program that allows an attacker to perform actions on a remote system, such as transferring files, acquiring passwords, or executing arbitrary commands
Bootkit (4.2)
A malicious program which targets the Master Boot Record of the target computer
Keylogger (4.3)
The insider used either a hardware or software keylogger as part of their scheme
Exploit Kit (4.4)
A software toolkit to target common vulnerabilities
Ransomware (4.5)
A type of malware that encrypts files on a victim’s system, demanding payment of a ransom in return for the access codes required to unlock the files
Remote Access Trojan (4.6)
A remote access trojan program (or RAT) is a trojan horse capable of controlling a machine through commands issued by a remote attacker
Resource Exploitation Software (4.7)
A type of malware that steals a system’s resources (e.g., CPU cycles) such as a malicious bitcoin miner
Rogue Security Software (4.8)
A fake security product that demands money to clean phony infections
Rootkit (4.9)
A type of malware that hides its files or processes from normal methods of monitoring in order to conceal its presence and activities
Screen Capture Software (4.10)
A type of malware used to capture images or video from the target system’s screen, used for exfiltration and command and control
Spyware (4.11)
Software that gathers information on a user’s system without their knowledge and sends it to another party. Spyware is generally used to track activities for the purpose of delivering advertising.
Logic Bomb (4.12)
A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met (e.g., a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company)
Wiper (4.13)
A piece of malware whose primary aim is to delete files or entire disks on a machine
Bypassed Physical Security of Organizational Facilities (5.1)
Gains unauthorized physical access to organizational facilities (e.g., the insider gained access to the company building late on a Sunday night)
Exploited Known Security Vulnerabilities (5.2)
Uses a security vulnerability known to the organization to further their scheme (e.g., the organization knew the insider didn’t have a firewall on their computer but did nothing about it, and the insider was able to use this security vulnerability to compromise the system)
Social Engineering of Employees (5.3)
Uses a social engineering technique as part of the attack (e.g., the insider sent a phishing e-mail to co-workers)
Used/Executed Unauthorized Software (5.4)
Uses or executes any sort of unauthorized software on an organizational system (e.g., the insider used a credit card skimmer in order to obtain customer PII). This grouping includes installing or running unauthorized software.
Falsified Information (6.1)
Insider or accomplice manipulates information or identity falsely to aid in their attack (e.g., the insider falsely signed a claim stating that they returned all organizational property upon resignation)
Omitted Information (6.2)
Insider or accomplice manipulates information or identity through omission to aid in their attack (e.g., the insider omits previous work for a competitor during a background check)
Modified/Deleted Logs/Activity (6.3)
Insider or accomplice deletes or modifies log files or other information that would connect them to the incident (e.g., the insider tried to conceal their communications with their accomplice by deleting files from their personal email account)
Physically Destroyed/Hid Evidence (6.4)
Insider or accomplice physically destroys or hides evidence that would connect them to the incident (e.g., the insider shredded papers containing employee PII that they had printed out to commit credit card fraud)
Fled or Attempted to Flee (6.5)
Insider or accomplice flees or attempts to flee their home state in order to avoid detection of their scheme (e.g., the insider fled the country)
Created/Used an Alias (6.6)
Insider or accomplice uses the identity of another person (e.g., the insider went under the alias “John Doe” when conducting business in their startup to cover their tracks)
Framed another Individual (6.7)
Insider or accomplice takes steps to plant evidence or otherwise falsely prove that someone else committed the insider’s actions
False Statements/Denied Involvement (6.8)
Insider or accomplice makes any sort of statement that is false or denies their involvement in the incident (e.g., the insider lied to their supervisor, saying that they had not taken confidential information when they actually had)
Concealment of Current Illicit Activity - Other Technical (6.9)
Any other technical method used by the insider or accomplice in an attempt to hide malicious activities
Concealment of Current Illicit Activity - Other Non-Technical (6.10)
Any other non-technical method used by the insider or accomplice in an attempt to hide malicious activities
Paper (7.1)
Data exfiltration through printed or hand-written materials (e.g., the insider takes screenshots of important data, prints the screenshots, and walks out of work with them)
Removable Media (7.2)
Data exfiltration through digital equipment or media (e.g., the insider had trade secrets owned by the victim organization on a flash drive and sent the flash drive to the competitor to be copied)
Email (7.3)
Data exfiltration through electronic mail (e.g., the insider e-mailed confidential information to a competitor)
Cloud Storage (7.4)
Data exfiltration to external cloud storage (e.g., the insider downloaded company PII and uploaded it to their personal Box account)
Web-Based (7.5)
Data exfiltration to any destination based on the World Wide Web (e.g., the insider posted the stolen employee PII to the Internet). The category includes data exfiltrated over various web protocols that are not covered more specifically by another grouping, such as exfiltration using the File Transfer Protocol (FTP) or exfiltration over a Virtual Private Network (VPN).
Verbal (7.6)
Data exfiltration by stating it verbally to someone else
Mobile Device (7.7)
Data exfiltration via mobile device
Laptop (7.8)
Data exfiltration by taking it out of the organization on a laptop
Other Technical/Digital (7.9)
Data exfiltration using other technical or digital means not listed in this vocabulary
Other Non-Technical (7.10)
Data exfiltration using other non-technical means not listed in this vocabulary
Physical Attack to Organizational Equipment (8.1)
Insider or accomplice physically harms any of the organization’s physical equipment (e.g., the insider pours glue into USB ports in all desktops)
Modified Critical Data (8.2)
Insider or accomplice modifies data that is critical to the victim organization (e.g., the insider was able to remotely access the victim organization’s systems to modify employee information and change passwords)
Deleted Critical Data (8.3)
Insider or accomplice deletes data that is critical to the victim organization (e.g., the insider was able to remotely access the victim organization’s systems to delete files)
Used Data in Identity Theft (8.4)
Insider or accomplice uses data to pretend to be someone else (e.g., to submit false tax returns, open bank accounts, etc.)
Posted Data Publicly (8.5)
Posted internal, sensitive, or confidential data in a public forum
Sold or Gave Away Critical Data (8.6)
Sold or gave away internal data to an external individual or company
Doxxed Individuals (9.1)
Publicly posted information about individuals (customers or employees) online for the purpose of instigating outside harassment
Threatened Violence (9.2)
Threatened violence or physical harm against other individuals in the organization
Threatened Suicide (9.3)
Threatened physical harm to themselves
Attempted Violence (9.4)
Attempted violence or physical harm against other individuals in the organization (successful or unsuccessful)
Attempted Suicide (9.5)
Attempted physical harm to themselves (successful or unsuccessful)