ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT112
  • Created: 28th April 2025
  • Updated: 28th April 2025
  • Contributor: The ITM Team

Asset Discovery Audit

A scheduled, systematic audit of organizational assets to verify that all hardware, software, and network infrastructure aligns with approved inventories and configuration baselines. The audit is designed to detect unauthorized, unapproved, or misconfigured assets that may have been introduced opportunistically by subjects circumventing standard processes.

 

Detection Methods

  • Conduct periodic formal asset discovery audits using network scanning tools, endpoint management platforms, and manual verification processes.
  • Reconcile discovered assets against authoritative asset management databases (e.g., CMDB, inventory systems).
  • Inspect critical operational areas physically to identify unauthorized devices such as rogue wireless access points, unsanctioned satellite terminals, or personally procured IT hardware.
  • Require supporting documentation (e.g., procurement records, change approvals) for all assets found during audits.
  • Audit virtual infrastructure and cloud accounts to detect unapproved services, instances, or network configurations introduced outside formal governance.

 

Indicators

  • Assets detected during the audit that are absent from official asset registries.
  • Devices operating without appropriate configuration management, endpoint security tooling, or monitoring integration.
  • Physical or virtual infrastructure deployed without associated change control, procurement, or authorization records.
  • Wireless networks or external connections operating without approved designations or safeguards.

Sections

ID Name Description
MT015.001Opportunism

The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.

 

Characteristics

  • Motivated by immediate self-interest rather than deep-seated grievance or ideology.
  • May rationalize actions as minor, justified, or harmless ("no one will notice," "this helps everyone," "it's not a big deal").
  • Often triggered by environmental factors such as poor oversight, operational stress, or unmet personal needs.
  • May escalate over time if not detected and corrected early.
  • Subjects often do not view themselves as "threat actors" and may retain a positive view of their organization.
  •  

Example Scenario

Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain.

IF014.007Creation of Cloud Resources

A subject provisions cloud-based resources without prior authorization or a documented business justification. This unauthorized activity may circumvent established governance, security, or cost-management controls, potentially exposing the organization to operational, financial, or regulatory risk.