Is the time right for a unified lexicon of known tactics, techniques and procedures (TTPs) used by insiders who choose to break trust with their employers? MITRE thinks so and has positioned itself to serve as the locus for insider threat knowledge.

In mid-February, MITRE Engenuity's Center for Threat-Informed Defense, supported by a phalanx of multi-sector powerhouses including Citigroup Technology, Microsoft, CrowdStrike, Verizon, and JPMorgan Chase, published its Design Principles and Methodology for the Insider Threat TTP Knowledge Base.

Malicious insiders "a unique threat"

Contemporaneously with the TTP knowledge base effort, a MITRE Engenuity blog post by Jon Baker, director of research and development at the Center for Threat-Informed Defense, posited something every CISO is aware of: "Malicious insiders represent a unique threat to organizations." Baker's post acknowledged that the focus is on the cyber threat and on activities that are "observable by a SOC in the IT environment." CISOs will be well served to take note of Baker's admonishment not to "focus on the TTPs of the last major insider threat case to hit the news."

14 tactics of malicious insiders

The knowledge base is organized under 14 tactics (the familiar ATT&CK tactic categories), which between them cover 54 identified techniques observed in the behavior of malevolent insiders:

Reconnaissance
Resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and control
Exfiltration
Impact

It is often posited that the trusted insider who stays within their swim lane may never percolate onto the radar of the insider threat management program.
The MITRE effort is designed to put a fork in that position and demonstrate that even those who stay in their swim lane can be detected when they take actions in support of the trust they have broken.

Common malicious insider tactics

The program's design principles astutely included an assessment of the skill level required for each TTP, and they distinguished techniques backed by case files, which "did" occur, from the hypothetical "would" and "could". Their findings noted these inferences:

"Insider threats routinely use unsophisticated TTPs to access and exfiltrate data."
"Insider threats routinely leverage existing privileged access to facilitate data theft or other malicious actions."
"Insiders routinely 'stage' data they intend to steal prior to exfiltration."
"External/removable media remains a common exfiltration channel."
"Email remains a common exfiltration channel."
"Cloud storage represents both a collection target for insiders and a common exfiltration channel."

They then took those inferences and assigned a "frequency of use" weight, tagging each technique "Frequent", "Moderate" or "Infrequent", to help practitioners sort the likelihood of a technique being used and to ensure that those occurring with greater frequency were covered. The accompanying GitHub documents are designed to assist teams in categorizing their own experiences. Entities with limited resources should focus their attention on the "probable" and save the "possible" for when the queue permits.
Focusing on what is possible, though improbable, according to Baker, while creative, "causes insider threat programs and SOCs to lose focus." Appropriately, he goes on to quote Frederick the Great: "He who defends everything defends nothing." So CISOs should adopt the techniques with the biggest bang for the buck.

Focus on the most likely insider threat scenarios

While nation-state suborning of an employee is a very real possibility, the greater likelihood is that a realized malicious insider action will be in support of the individual and their career. This may range from individuals harvesting information to launch their own venture, to selling the commodity at hand (the IP and trade secrets of their employer), to taking the information/data as a condition of their next employment gig.

The purpose of creating the TTP knowledge base and community is to ensure that "The insider may no longer operate under the cover of legitimate use; we will detect the insider threat prior to its costly and embarrassing impact on our organizations." This will be accomplished by industry sharing of processes and procedures, webinars, and conferences, where use cases are shared and "defenders can learn from each other."

Putting structure around the cyber-activity quotient of the insider threat makes sense, and CISOs should at a minimum review the MITRE TTPs for applicability, with an eye toward determining how they might adopt the philosophy and avail themselves of the community of entities all rowing in the same direction to thwart the malevolent insider.
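The findings quoted earlier (unsophisticated TTPs, staging before exfiltration, and removable media, email and cloud storage as the common channels) translate directly into SOC detection logic that is observable in the IT environment. As an added illustration that is not part of the MITRE knowledge base or of this article, the following Python script runs a simple "stage, then exfiltrate" correlation over a handful of constructed endpoint events. The event names, the byte threshold, the 24-hour window and the sample users are this example's own assumptions, not MITRE identifiers or published values.

```python
"""Added example: correlate insider data staging with a common exfiltration channel.

Not MITRE's or the article's code. The event vocabulary, thresholds and the
correlation window below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). One event per line:
# timestamp|user|event|detail|bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00|alice|file_read|fileshare:design/spec.docx|220000
2024-03-04T18:40:00|bob|archive_create|C:/Users/bob/Desktop/q1.zip|480000000
2024-03-04T18:55:00|bob|usb_write|E:/q1.zip|480000000
2024-03-05T08:05:00|carol|archive_create|C:/temp/notes.zip|12000000
2024-03-05T08:20:00|carol|cloud_upload|drive.example.com/upload|12000000
2024-03-05T10:00:00|dave|email_send|to=personal@example.net attachment=export.csv|9000000
2024-03-06T11:00:00|alice|archive_create|C:/temp/backup.zip|50000000
2024-03-09T11:00:00|alice|cloud_upload|drive.example.com/upload|50000000
"""

# Events that indicate data being gathered into one place before it leaves
# (the "staging" behaviour the findings describe). Hypothetical event names.
STAGING_EVENTS = {"archive_create", "bulk_copy"}

# Events that represent the channels the findings call out as common.
EXFIL_CHANNELS = {
    "usb_write": "removable media",
    "cloud_upload": "cloud storage",
    "email_send": "email",
}


def parse_log(text):
    """Parse pipe-delimited event lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail, size = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "detail": detail,
            "bytes": int(size),
        })
    return events


def detect_exfiltration(events, window=timedelta(hours=24), min_bytes=1_000_000):
    """Flag large transfers over an exfiltration channel, per user.

    A channel event preceded within `window` by a large staging event from the
    same user is rated "high" (the stage-then-exfiltrate pattern). A channel
    event on its own is rated "medium", so an unstaged send is still surfaced
    rather than silently dropped.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, exfil in enumerate(evs):
            channel = EXFIL_CHANNELS.get(exfil["event"])
            if channel is None or exfil["bytes"] < min_bytes:
                continue
            # Staging events by this user that happened shortly before the send.
            staged = [
                s for s in evs[:i]
                if s["event"] in STAGING_EVENTS
                and s["bytes"] >= min_bytes
                and exfil["ts"] - s["ts"] <= window
            ]
            alerts.append({
                "user": user,
                "channel": channel,
                "severity": "high" if staged else "medium",
                "exfil_at": exfil["ts"].isoformat(),
                "staged_from": staged[-1]["detail"] if staged else None,
            })
    return alerts


def run_example():
    """Run the detector over the constructed sample log and return the alerts."""
    return detect_exfiltration(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data, bob (archive, then USB write fifteen minutes later) and carol (archive, then cloud upload) are rated high, while dave's large external email and alice's upload three days after her archive fall through to medium. The window and byte threshold are the tuning knobs a program would set from its own case files; the point of the frequency tags is that a rule like this, covering the "Frequent" channels, earns its keep before anything built for the improbable case.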