The framework is set to soft launch at this year’s Black Hat conference in Las Vegas, and will be a free, open resource that accepts contributions from the community (much as MITRE ATT&CK and similar threat matrices do) to provide a comprehensive reference point for investigations.
ITM’s mission is to formalise and strengthen private-sector organisations’ ability to respond to insider threats, as the public sector already does, by better equipping investigators to detect and prevent those threats more quickly.
The team’s vision for ITM is to see it used for detection engineering and for mapping detection rules to the matrix, much as one maps rules to MITRE ATT&CK today.
Drawing from James’ background in the Metropolitan Police, and leaning heavily into its investigative nature, the framework borrows terminology from policing. James shares:
There currently isn’t really a language to talk about insider threat, and ITM puts flesh on that.
Having both worked to defend against insider threats in the real world, Joshua and James agreed that tools like this are very much lacking in the industry. The framework’s conception was also part of a larger conversation the pair had on the lack of insider threat training for the private sector.
As such, Joshua and James also plan to release a certification that teaches cyber defenders the key investigative skills they need to identify and mitigate insider risk. The Certified Insider Threat Investigator (CITI) certification will be a culmination of their many years of shared experience and be powered by Security Blue Team’s highly regarded training platform. While not much more can be said about the certification at this time, the team believes it will be an industry game-changer.
“It’s about reframing the idea of threats as coming from the outside in, and rather looking at how they can move from the inside out.”
James says: "We wanted to collaborate and create a great way to train people on the subject of insider risk. This will include how to conduct investigations, use lateral thinking, and explore how investigations are concluded in a corporate environment."
Joshua adds:
This framework and the wider training we are developing represent the merging of two different worlds. The public sector is very attuned to the world of insider threat already, and the private sector is starting to catch up to the risks they face. There is a greater chance of an attack not being detected when people are working on the inside rather than attacking from the outside. Also, threat actors are learning that they can cause impact to a state via third parties and the supply chains that private enterprises comprise, which is why this knowledge is so vital, now more than ever.
The Insider Threat Matrix™ is available to access now.