
Insider Threats Demystified: Enhancing Security with ITDR and MITRE ATT&CK Frameworks

by   in Cybersecurity

Understanding Insider Threats

Insider threats encompass a spectrum that includes both direct insiders with malicious or negligent intentions and compromised insiders manipulated by external forces. Within the landscape of an organization, these threats manifest through a variety of behaviors, ranging from selling secrets out of greed to unintentionally enabling access to external attackers through careless actions like clicking on a phishing email.

The evolution of the workplace, particularly through digital transformation, remote work, and the adoption of cloud-based tools, has not only increased the potential for traditional insider threats but has also broadened the scope for external actors to exploit insider identities. This shift has resulted in a complex challenge for security teams: monitoring an expanded perimeter where distinguishing between normal and suspicious behavior becomes increasingly difficult.

Compromised insiders, though not insiders in the traditional understanding, represent a significant risk as they are external threats cloaked with the legitimacy of an insider’s access. These actors often employ methods such as social engineering to acquire employee credentials and breach the network. This threat vector underscores the critical need for organizations to implement robust authentication and monitoring systems, enhancing their ability to detect and mitigate such intrusions effectively.

In this dynamic, the focus is not just on the intentional or negligent insider but also on ensuring that security measures are adept at identifying and responding to external threats that have successfully masqueraded as insiders. This comprehensive approach to insider threat management is essential in the contemporary digital workplace, where the lines between insider and outsider become increasingly blurred.

The Impact of an Insider Threat Incident

The rise in insider threats is not anecdotal but is supported by a wealth of statistics. The 47% increase in insider attacks over the last two years is a testament to the growing sophistication of attackers and the expanding attack surface. This increase is not merely a security challenge but also a financial one, with the cost of insider threats nearly doubling from 2018 to 2023. The financial impact is particularly acute in North America, but it is a global issue, affecting over a third of businesses worldwide annually.

The comprehensive 2023 Cost of Insider Risks study conducted by the Ponemon Institute sheds light on the escalating financial repercussions of insider threats. The study reveals that the majority of insider threat incidents stem from employee negligence, costing an average of $7.2 million annually to remediate. This figure starkly contrasts with the costs associated with criminal or malicious insiders and credential theft incidents, which, although less frequent, incur substantially higher individual costs. Such disparities in incident costs underscore the nuanced landscape of insider threats, necessitating a multifaceted response strategy.

Alarmingly, the time to contain insider incidents has stagnated, averaging 85 days, virtually unchanged from the previous year, and highlighting a persistent challenge in insider threat management. This duration points to the complex nature of detecting, investigating, and mitigating insider threats, further emphasized by the fact that a mere 13% of incidents are contained in less than a month.

Expanding globally, the Ponemon Institute's research now encompasses a diverse array of organizations across regions, including North America, Europe, the Middle East, Africa, and Asia-Pacific, reflecting the universal challenge of insider threats. The prevalence of such incidents is on the rise, with a significant portion of companies reporting an increase in the frequency of insider-related security events.

Diving deeper into the costs associated with managing insider threats, the Ponemon study identifies monitoring and surveillance, investigation, escalation, incident response, containment, ex-post analysis, and remediation as key drivers of expenditure. The research highlights the importance of privileged access management (PAM), user training, and awareness programs in mitigating the financial impact of insider risks, with PAM alone potentially saving millions.

The study also sheds light on the sectors most affected by insider threats, with financial services and service industries bearing the brunt of the highest costs. Interestingly, the size of an organization significantly influences the cost of dealing with insider incidents, with larger entities facing more substantial financial burdens.

This wealth of data not only illustrates the economic imperative for organizations to invest in comprehensive insider threat programs but also emphasizes the need for a holistic approach that includes technology, policy, and training to safeguard against the diverse spectrum of insider risks.

Mitigation Strategies: Expanding the Toolkit

Mitigation of insider threats requires a multi-layered strategy that combines technology, policy, and culture. As one example of how technology can help significantly, Gartner's introduction of "identity threat detection and response" (ITDR) marks a significant evolution in the realm of cybersecurity, specifically in the battle against insider threats.

The Value of ITDR in Thwarting Insider Threats

ITDR encompasses a comprehensive suite of tools and methodologies designed to safeguard identity systems, which are often the first target in a series of insider attacks. By focusing on identity systems, ITDR addresses the critical junction where insider threats frequently manifest, ensuring that unauthorized access attempts are swiftly identified and mitigated.

The core principles of ITDR—prevention, detection, and response—serve as foundational elements in constructing a robust security posture against insider threats. Prevention mechanisms aim to stop attacks before they occur, employing stringent access controls and policies to ensure that only authorized users can access sensitive systems and data. However, given the sophisticated nature of insider threats, prevention alone is insufficient. This is where the detection and response capabilities of ITDR come into play, acting as the second and third lines of defense.

Source: Gartner’s ITDR Research: Enhance Your Cyberattack Preparedness with Identity Threat Detection and Response

Detection mechanisms are designed to identify unusual or unauthorized activities that might indicate a breach or misuse of identity systems. This involves monitoring user behaviors, access patterns, and other indicators of compromise that could suggest an insider threat. Once a potential threat is detected, the response component of ITDR is activated to mitigate the impact, containing the breach and initiating recovery procedures to restore normal operations and prevent future incidents.

The importance of ITDR in the context of insider threats cannot be overstated. Insider threats often exploit legitimate access rights to carry out their actions, making them particularly challenging to detect and prevent. ITDR's focus on identity systems provides a critical layer of security, ensuring that only legitimate, authorized activities occur within the network. By integrating ITDR into their cybersecurity frameworks, organizations can significantly enhance their ability to detect and respond to insider threats, safeguarding their critical assets and maintaining the integrity of their operations.

In their ITDR document, Gartner states that the MITRE ATT&CK framework should be used to correlate ITDR techniques with attack scenarios to ensure that well-known attack vectors are addressed.

Enhancing Insider Threat Detection with MITRE ATT&CK and ITDR

Leveraging the MITRE ATT&CK framework in conjunction with ITDR provides a powerful methodology for organizations to enhance their threat detection capabilities, specifically in addressing well-known attack vectors. Gartner's recommendation to utilize MITRE ATT&CK for correlating ITDR techniques with attack scenarios underscores the framework's effectiveness in identifying adversarial behavior through specific techniques used during attacks. This approach focuses not just on the symptoms of an attack but on understanding the underlying tactics, techniques, and procedures (TTPs) employed by adversaries, making it a potent tool for detecting malicious activity.

The integration of MITRE ATT&CK with ITDR is exemplified in the concept of the Pyramid of Pain, which illustrates the relationship between detection methods and the disruption caused to adversaries. By prioritizing the detection of TTPs, ITDR systems can force attackers to alter their methods, thereby increasing the cost and complexity of their operations. This prioritization is crucial because it shifts the focus from speculative defense strategies, which are often based on high-profile but rare insider threat cases, to actionable mitigation, detection, and response strategies that are applicable to a broader range of scenarios.
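The detection mechanisms described above (baselining user behaviour and access patterns, then flagging deviations) and the TTP-first prioritisation from the Pyramid of Pain can be shown together in a small working example. The following Python is an added illustration, not ArcSight, Gartner or MITRE code: it builds a per-user baseline from constructed access events, scores new events against it, tags each finding with the ATT&CK technique it evidences, aggregates a per-user risk score so that several weak signals corroborate each other, and counts technique coverage the way a coverage figure like the one quoted later in this post is computed. The users, hosts, events and thresholds are constructed; the technique IDs (T1078 Valid Accounts, T1039 Data from Network Shared Drive, T1110 Brute Force) are real Enterprise ATT&CK identifiers, but which detection maps to which is an assumption made for this example.

```python
"""Added example (not ArcSight, Gartner or MITRE code): a minimal user-behaviour
baseline detector whose findings are tagged with MITRE ATT&CK technique IDs.

Every user, host, event and threshold below is constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Detection name -> ATT&CK technique it evidences. The IDs are real Enterprise
# ATT&CK identifiers; the mapping itself is an assumption for this example.
DETECTIONS = {
    "unprofiled_identity": "T1078",  # Valid Accounts: an identity with no history acts at all
    "new_source_host": "T1078",      # Valid Accounts: known identity, unfamiliar source host
    "off_hours_activity": "T1078",   # Valid Accounts: known identity, outside its usual window
    "bulk_data_access": "T1039",     # Data from Network Shared Drive: volume far above baseline
}

# Constructed historical access events used to learn "normal" per user.
BASELINE_EVENTS = [
    {"user": "alice", "ts": datetime(2024, 3, 4, 9, 12), "host": "wks-alice", "bytes": 1200},
    {"user": "alice", "ts": datetime(2024, 3, 4, 11, 40), "host": "wks-alice", "bytes": 1800},
    {"user": "alice", "ts": datetime(2024, 3, 5, 14, 5), "host": "wks-alice", "bytes": 2400},
    {"user": "alice", "ts": datetime(2024, 3, 6, 16, 30), "host": "wks-alice", "bytes": 3000},
    {"user": "alice", "ts": datetime(2024, 3, 7, 17, 2), "host": "wks-alice", "bytes": 1500},
    {"user": "bob", "ts": datetime(2024, 3, 4, 8, 50), "host": "wks-bob", "bytes": 800},
    {"user": "bob", "ts": datetime(2024, 3, 5, 13, 15), "host": "wks-bob", "bytes": 1100},
    {"user": "bob", "ts": datetime(2024, 3, 6, 18, 45), "host": "wks-bob", "bytes": 900},
]

# Constructed new events to score: one benign per known user, one anomalous
# burst for alice, and one event from an identity with no baseline at all.
NEW_EVENTS = [
    {"user": "alice", "ts": datetime(2024, 3, 11, 10, 3), "host": "wks-alice", "bytes": 2000},
    {"user": "alice", "ts": datetime(2024, 3, 12, 3, 17), "host": "vpn-gw-7", "bytes": 50_000_000},
    {"user": "bob", "ts": datetime(2024, 3, 11, 9, 30), "host": "wks-bob", "bytes": 950},
    {"user": "mallory", "ts": datetime(2024, 3, 11, 9, 30), "host": "wks-bob", "bytes": 500},
]


def build_baseline(events):
    """Per-user profile: hosts seen, earliest/latest active hour, mean and std of bytes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        hours = [e["ts"].hour for e in evs]
        profiles[user] = {
            "hosts": {e["host"] for e in evs},
            "hour_window": (min(hours), max(hours)),
            "mean_bytes": mean(sizes),
            "std_bytes": pstdev(sizes),
        }
    return profiles


def score_event(profile, event, z_threshold=3.0):
    """Return the detection names a single event triggers against a known profile."""
    hits = []
    if event["host"] not in profile["hosts"]:
        hits.append("new_source_host")
    lo, hi = profile["hour_window"]
    if not lo <= event["ts"].hour <= hi:
        hits.append("off_hours_activity")
    spread = profile["std_bytes"] or 1.0  # guard: a constant baseline has std 0
    z = (event["bytes"] - profile["mean_bytes"]) / spread
    if z > z_threshold:
        hits.append("bulk_data_access")
    return hits


def detect(profiles, events):
    """Score every event; each alert carries the user, detection and ATT&CK technique."""
    alerts = []
    for e in events:
        profile = profiles.get(e["user"])
        names = ["unprofiled_identity"] if profile is None else score_event(profile, e)
        for name in names:
            alerts.append({"user": e["user"], "ts": e["ts"],
                           "detection": name, "technique": DETECTIONS[name]})
    return alerts


def user_risk(alerts):
    """Aggregate alerts per user so several weak signals corroborate each other."""
    risk = defaultdict(int)
    for a in alerts:
        risk[a["user"]] += 1
    return dict(risk)


def technique_coverage(detections, required_techniques):
    """How many of the required technique IDs have at least one detection: (covered, total)."""
    covered = set(detections.values()) & set(required_techniques)
    return len(covered), len(required_techniques)


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    alerts = detect(profiles, NEW_EVENTS)
    for a in alerts:
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['user']:8} {a['detection']:20} {a['technique']}")
    print("risk per user:", user_risk(alerts))
    print("coverage:", technique_coverage(DETECTIONS, ["T1078", "T1039", "T1110"]))
```

Two design points carry over to real ITDR tooling: the alerts are keyed to a technique rather than to a host name or byte count, so the adversary cannot evade them by changing those low-level indicators, and the per-user aggregation is what turns three individually explainable deviations (new host, odd hour, large transfer) into one high-confidence finding. The coverage function only reports which techniques have any detection at all; it says nothing about how well each is detected, which is why a coverage percentage should be read alongside the quality of the underlying content.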

Source: Gartner’s ITDR Research: Enhance Your Cyberattack Preparedness with Identity Threat Detection and Response

MITRE’s Insider Threat TTP Knowledge Base project represents a significant advancement in this area, providing a repository of insider threat TTPs based on real-world cases from diverse industries. This knowledge base moves away from hypothetical scenarios, focusing instead on actionable insights that can inform defenders where to allocate their resources most effectively. The alignment of all insider threat TTPs within the Knowledge Base with the TTPs in the MITRE ATT&CK framework further reinforces the framework's central role in modern cybersecurity strategies.

In conclusion, the synergy between MITRE ATT&CK and ITDR offers a strategic advantage in the fight against insider threats. By grounding defense strategies in the detailed understanding of adversary behaviors provided by MITRE ATT&CK, organizations can develop more effective and targeted approaches to threat detection and response. This methodology not only enhances the security posture of organizations but also imposes greater challenges on adversaries attempting to compromise identity systems.

OpenText Cybersecurity: Leading the Charge Against Insider Threats

ArcSight Intelligence and ArcSight User Behavior Monitoring (UBM), an on-premises add-on for ArcSight Enterprise Security Manager (ESM), exemplify the kind of sophisticated tools needed to combat insider threats in the detection and response phases of ITDR. By leveraging machine learning models and behavior analysis, ArcSight Intelligence allows for the nuanced detection of insider threats that traditional security measures might miss. For organizations with operational constraints, such as those operating in highly regulated environments or those with restrictions on cloud usage, ArcSight UBM provides a powerful on-premises solution. This dual approach ensures we can meet the diverse needs of our customers, regardless of their deployment preferences.

With regard to ATT&CK coverage, ArcSight's out-of-the-box default content plus UBM covers 68 out of 79 attack techniques. That's an 87% TTP coverage rate!

While this blog has focused on the detection and response aspects of ITDR in combating insider threats, it's important to highlight the preventative capabilities offered by OpenText NetIQ. This solution plays a crucial role in the early stages of safeguarding against insider threats, effectively addressing vulnerabilities before they can be exploited. OpenText NetIQ enhances organizational security by implementing strong access controls, identity management, and comprehensive monitoring of user activities and behaviors. By ensuring that users have only the necessary access rights and by flagging any deviation from normal activity patterns, NetIQ aids in preventing unauthorized access and potential insider threats. This preemptive approach is essential for a holistic cybersecurity strategy, ensuring that organizations are not just reactive but proactive in their defense mechanisms.

The battle against insider threats is ongoing and evolving. As organizations continue to navigate the challenges posed by these threats, partnerships with cybersecurity solution providers like OpenText Cybersecurity are invaluable. By adopting a comprehensive approach that includes advanced technological solutions, governing policies, and a strong culture of security awareness, organizations can protect themselves against the multifaceted risks posed by insiders.
