Preparation
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Impersonation
Increase Privileges
IT Ticketing System Exploration
Network Scanning
On-Screen Data Collection
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR007
- Created: 25th May 2024
- Updated: 08th September 2025
- Contributor: The ITM Team
CCTV Enumeration
The subject enumerates organizational CCTV coverage through physical reconnaissance, network-based probing, or a combination of both. This behavior aims to identify surveillance blind spots, coverage patterns, and system weaknesses in order to plan insider activity such as unauthorized entry, covert data removal, or sabotage.
- Physical enumeration involves walking routes to observe camera placement, photographing or sketching locations, and identifying fields of view, blind spots, or coverage overlaps. Subjects may test movement within blind zones or note environmental features (e.g., pillars, furniture) that obstruct visibility.
- Network enumeration targets digital surveillance systems, including IP cameras, DVRs, NVRs, and PoE switches. Subjects may scan for active devices, query configurations, or attempt login with default credentials to discover camera IPs, firmware details, and accessible streams.
When combined, physical and network enumeration provide a sophisticated map of surveillance infrastructure. For example, a subject may confirm camera placement through on-site observation, then validate viewing angles and live coverage zones by remotely accessing the corresponding camera feeds across the network. This dual approach allows the subject to identify exact surveillance gaps, test whether specific areas are monitored, and plan movement or concealment with high confidence.
This behavior is a strong indicator of deliberate preparation, as it requires technical effort, situational awareness, and intent to circumvent organizational surveillance.
Prevention
| ID | Name | Description |
|---|---|---|
| PV023 | Access Reviews | Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active. |
| PV053 | Government-Issued ID Verification | An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.
Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.
In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.
Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses. |
| PV069 | Identity Credential Challenge and Verification | Randomized, routine verification of physical identity credentials is a necessary preventive control in environments where access is gated by visual or badge-based authentication. Unverified presence within secured areas increases organizational tolerance for impersonation, tailgating, and badge misuse—especially where behavioral drift has eroded expectations of enforcement.
Identity challenge programs mitigate this drift by reinforcing that possession of an ID badge is not proof of authorization. When implemented effectively, they also surface expired, misused, or cloned credentials before they enable preparatory actions such as unauthorized access, lateral movement, or physical data collection.
Human-led or Automated challenge mechanisms
Credential Verification Points (CVPs): Assign roving or fixed-position security personnel equipped with access control readers capable of validating badge status and presenting the registered photo of the assigned individual. Personnel should challenge any subject whose badge fails to scan or whose appearance does not match the system photo.
Automated Robotic Challenge Systems: Deploy robotic guard platforms with integrated badge readers, cameras, and two-way audio connected to a live remote security agent. These systems can autonomously perform credential challenges without requiring direct physical confrontation. They are especially valuable in high-risk or high-traffic areas where human intervention may be inconsistent or prone to social engineering.
Implementation considerations
Separation of Challenge and Enforcement: Where feasible, separate the individual performing the challenge from the individual initiating an enforcement action. This reduces risks associated with escalation—such as confrontation with hostile subjects—or familiarity bias from onsite personnel.
Policy Integration: Embed the challenge expectation within the Acceptable Use Policy and physical security policy. Clarify that possession of a badge does not exempt any individual from verification.
Audit and Alerting: Log all challenge events (successful, failed, bypassed) to a centralized system. Include metadata such as badge ID, photo match result, time, location, and outcome. Flag repeat failures or unverified entries for investigative review. |
| PV038 | Insider Threat Awareness Training | Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion. |
| PV059 | Insider-Focused Threat Intelligence | Threat intelligence feeds that include indicators of insider tactics—rather than just malware or phishing IoCs—can inform policy decisions, access design, and targeted monitoring. These feeds allow organizations to anticipate adversarial interest in recruiting, coercing, or planting insiders, and to mitigate the tools and behaviors those insiders are likely to use.
Prevention Measures: Subscribe to threat intelligence services that provide curated insider threat profiles, including:
Use these feeds to inform:
Examples of Insider-Focused TI Sources: |
| PV022 | Internal Whistleblowing | Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters. |
| PV018 | Network Intrusion Prevention Systems | Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection. |
| PV032 | Next-Generation Firewalls | Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.
A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address. |
| PV011 | Physical Access Controls | Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge. |
| PV009 | Prohibition of Devices On-site | Certain infringements can be prevented by prohibiting certain devices from being brought on-site. |
Detection
| ID | Name | Description |
|---|---|---|
| DT052 | Audit Logging | Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns. |
| DT033 | Closed-Circuit Television | CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file. |
| DT097 | Deep Packet Inspection | Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, |
| DT098 | NetFlow Analysis | Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.
NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.
Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors. |
| DT042 | Network Intrusion Detection Systems | Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior. |