Insider Threat Matrix™

  • ID: IF014
  • Created: 20th June 2024
  • Updated: 5th July 2024
  • Contributor: The ITM Team

Unauthorized Changes to IT Systems

A subject makes changes to IT systems that have adverse effects and cause operational disruption.

Subsections

IF014.007 Creation of Cloud Resources

A subject provisions cloud-based resources without prior authorization or a documented business justification. This unauthorized activity may circumvent established governance, security, or cost-management controls, potentially exposing the organization to operational, financial, or regulatory risk.

IF014.005 Deletion of Cloud Resources

A subject deliberately or negligently deletes cloud-based resources, leading to the disruption, degradation, or complete interruption of organizational operations. Deletion of critical resources may result in the permanent loss of data, service outages, impaired system performance, or the failure of customer-facing applications. Such actions often violate organizational policies governing change management, data retention, disaster recovery, and access control, and may expose the firm to significant operational, financial, legal, and reputational risks.

Characteristics:

  • May involve deletion of compute instances, storage buckets, databases, networking components, IAM configurations, or application services.
  • Can be motivated by malice (e.g., retaliation, sabotage) or negligence (e.g., misunderstanding the scope of permissions, error during unsanctioned activities).
  • Deletions may occur directly via administrative consoles, APIs, or CLI tools, often outside of approved change management processes.
  • Recovery may be delayed or impossible if backup, replication, or retention mechanisms are improperly configured or bypassed.
  • Associated activity often correlates with other early indicators, such as privilege escalation, unauthorized access attempts, or policy circumvention behaviors.

Example Scenario:
A subject with elevated cloud access privileges, dissatisfied with an impending termination, manually deletes production virtual machines and storage buckets without authorization. This leads to an extended outage of the organization’s primary customer platform, resulting in contractual penalties, regulatory reporting obligations, and long-term reputational damage. Post-incident investigation reveals inadequate enforcement of least privilege policies and incomplete backup coverage for critical resources.
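The characteristics above point at two signals a defender can act on: destructive API calls made outside an approved change window, and destructive calls that closely follow a privilege change by the same identity. The script below is an added illustration, not part of the ITM page or any ITM tooling. It assumes audit events in an AWS CloudTrail-like shape (eventName, eventTime, eventSource, userIdentity.userName, requestParameters); the events, the change window, the 24-hour look-back, and the action-name prefixes treated as destructive are all constructed assumptions for the example and would need tuning against a real environment.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (CloudTrail-like field names are an assumption, not ITM content).
# "bob" receives AdministratorAccess late in the evening and then terminates an
# instance and deletes a production bucket; "carol" deletes a scratch bucket
# inside an approved change window.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2024-06-20T09:15:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"userName": "alice"}},
    {"eventID": "e2", "eventTime": "2024-06-20T22:10:00Z", "eventName": "AttachUserPolicy",
     "eventSource": "iam.amazonaws.com", "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "e3", "eventTime": "2024-06-20T23:05:00Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"userName": "bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventID": "e4", "eventTime": "2024-06-20T23:07:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"userName": "bob"},
     "requestParameters": {"bucketName": "prod-customer-data"}},
    {"eventID": "e5", "eventTime": "2024-06-21T02:30:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"userName": "carol"},
     "requestParameters": {"bucketName": "scratch-tmp"}},
]

# Approved change window (constructed): 02:00-04:00 UTC on 21 June 2024.
CHANGE_WINDOWS = [
    (datetime(2024, 6, 21, 2, 0, tzinfo=timezone.utc),
     datetime(2024, 6, 21, 4, 0, tzinfo=timezone.utc)),
]

# Action-name prefixes treated as destructive, and IAM actions treated as
# privilege changes. Both lists are illustrative assumptions.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove", "Purge")
PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                    "AddUserToGroup", "CreateAccessKey", "UpdateAssumeRolePolicy"}


def parse_time(value):
    """CloudTrail timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_destructive(event_name):
    return event_name.startswith(DESTRUCTIVE_PREFIXES)


def in_change_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def describe_resource(event):
    """Best-effort extraction of the resource named in requestParameters."""
    params = event.get("requestParameters") or {}
    if "bucketName" in params:
        return params["bucketName"]
    items = params.get("instancesSet", {}).get("items", [])
    if items:
        return ",".join(i.get("instanceId", "?") for i in items)
    return "unknown"


def analyze(events, change_windows, lookback=timedelta(hours=24)):
    """Return findings for destructive calls made outside a change window or
    within `lookback` of a privilege change by the same identity."""
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    privilege_changes = {}  # userName -> list of timestamps
    findings = []
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        ts = parse_time(ev["eventTime"])
        name = ev["eventName"]
        if name in PRIVILEGE_EVENTS:
            privilege_changes.setdefault(user, []).append(ts)
            continue
        if not is_destructive(name):
            continue
        reasons = []
        if not in_change_window(ts, change_windows):
            reasons.append("outside_change_window")
        if any(ts - t <= lookback for t in privilege_changes.get(user, [])):
            reasons.append("preceded_by_privilege_change")
        if reasons:
            findings.append({"eventID": ev["eventID"], "user": user, "eventName": name,
                             "eventSource": ev["eventSource"], "time": ev["eventTime"],
                             "resource": describe_resource(ev), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, CHANGE_WINDOWS):
        print(json.dumps(finding))
```

Run against the constructed input, only bob's TerminateInstances and DeleteBucket are reported, each with both reasons attached; carol's deletion falls inside the approved window and has no preceding privilege change, so it is not raised. In production the change windows would come from the change-management system and the privilege-change list from the IAM actions the organization treats as sensitive; the structure of the correlation (sort by time, remember privilege changes per identity, test each destructive call against the window and the look-back) stays the same.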

IF014.006 Deletion of Other IT Resources

The subject deletes IT resources, resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records.

IF014.004 Modification of Access Controls

The subject makes unauthorized changes to access controls, resulting in harm. Examples include resetting or changing passwords, locking accounts, or deleting accounts.

IF014.001 Modification of DNS Records

The subject creates, deletes, or edits DNS records, resulting in harm. Examples include altering MX records to affect the availability of email communication, removing A records to affect the availability of web resources, or altering A records to redirect traffic to an unintended location.

IF014.002 Modification of Firewall Rules

A subject makes an unauthorized change to the rule table of a network-based firewall, resulting in impaired security or impacted availability.

IF014.003 Modification of Physical Security Controls

A subject interferes with physical security controls, such as an identification card system used to control access to areas of a site, to cause disruption or gain unauthorized access.