Insider Threat Matrix™
  • ID: PV009
  • Created: 31st May 2024
  • Updated: 31st May 2024
  • Contributor: The ITM Team

Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

Sections

ID Name Description
PR008 Physical Item Smuggling

A subject attempts to defeat physical security controls by smuggling an item (potentially an innocent-looking item at first) into a controlled area to facilitate an infringement (for example, a smartphone with a camera).

ME013 Media Capture

A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings.

IF003 Exfiltration via Media Capture

Exfiltration via media capture refers to the extraction of sensitive information through the recording of visual or auditory content using capture mechanisms that operate outside organizational control. This includes the use of external devices, embedded system tools, or third-party applications to record screens, documents, or conversations and convert them into transferable media formats such as images, video, audio, or structured transcripts.

 

This category is defined not by the type of data being accessed, but by the method of extraction: specifically, the transformation of information into captured media in order to bypass conventional monitoring and control mechanisms. In these scenarios, the subject does not transfer files or data through approved or monitored channels. Instead, they reproduce the information in an alternate form that can be removed without generating traditional indicators of exfiltration.

 

Media capture techniques are particularly effective in environments where digital controls are mature, such as strong data loss prevention (DLP), restricted file transfer mechanisms, or monitored endpoints. As these controls limit conventional exfiltration paths, subjects may shift toward out-of-band capture methods that operate beyond system visibility.

 

This behavior may be opportunistic or deliberate. In lower-control environments, subjects may casually capture information with minimal consideration of detection. In higher-control environments, the use of media capture may indicate awareness of monitoring capabilities and an intentional effort to circumvent them. In both cases, the technique exploits a fundamental gap between information exposure and information control: once data is visible or spoken, it becomes inherently difficult to contain.

 

Media capture also varies in its execution and detectability. Some techniques are rapid and discreet, such as still photography, while others involve sustained collection, such as video recording or continuous audio capture.

 

From an investigative perspective, this section represents a class of behaviors where traditional telemetry is limited or absent. Detection often relies on indirect indicators, environmental controls, or post-event analysis of leaked material. As a result, prevention and deterrence play a critical role, particularly through physical controls, policy enforcement, and attribution mechanisms such as watermarking.


This section is closely related to broader data loss behaviors, but is distinct in its reliance on out-of-band capture methods rather than direct data transfer.

ME005 Removable Media

A subject can mount and write to removable media.

PR007 CCTV Enumeration

The subject enumerates organizational CCTV coverage through physical reconnaissance, network-based probing, or a combination of both. This behavior aims to identify surveillance blind spots, coverage patterns, and system weaknesses in order to plan insider activity such as unauthorized entry, covert data removal, or sabotage.

 

  • Physical enumeration involves walking routes to observe camera placement, photographing or sketching locations, and identifying fields of view, blind spots, or coverage overlaps. Subjects may test movement within blind zones or note environmental features (e.g., pillars, furniture) that obstruct visibility.

 

  • Network enumeration targets digital surveillance systems, including IP cameras, DVRs, NVRs, and PoE switches. Subjects may scan for active devices, query configurations, or attempt login with default credentials to discover camera IPs, firmware details, and accessible streams.

 

When combined, physical and network enumeration provide a sophisticated map of surveillance infrastructure. For example, a subject may confirm camera placement through on-site observation, then validate viewing angles and live coverage zones by remotely accessing the corresponding camera feeds across the network. This dual approach allows the subject to identify exact surveillance gaps, test whether specific areas are monitored, and plan movement or concealment with high confidence.

 

This behavior is a strong indicator of deliberate preparation, as it requires technical effort, situational awareness, and intent to circumvent organizational surveillance.

IF019 Non-Corporate Device

The subject performs work-related tasks on an unauthorized, non-organization-owned device, likely violating organizational policy. Without the organization’s security controls in place, this device could be used to bypass established safeguards. Moreover, using a personal device increases the risk of sensitive data being retained or exposed, particularly after the subject is offboarded, as the organization has no visibility or control over information stored outside its managed systems.

ME022 Bring Your Own Device (BYOD)

An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information.

 

The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment.

IF027 Installing Malicious Software

The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control.

 

Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise.

 

This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses.

PR034 Media Capture via External Device

The subject uses an external recording device, such as a personal mobile phone, tablet, wearable camera, or dedicated camera, to capture photographs, video, or audio of sensitive information displayed or stored within the organization’s environment.

 

This method is commonly used to collect information from computer screens, whiteboards, printed documents, internal dashboards, source code repositories, financial records, or physical access areas. The subject may position the device discreetly to photograph multiple screens, record walkthroughs of restricted areas, or document proprietary material during meetings or presentations.

ME031 Unmanaged Device Presence

A subject operates in an environment where non-corporate, unmanaged devices can be introduced, carried, or used within organizational premises without effective restriction, monitoring, or control. These devices may include personal laptops, removable media, mobile phones, or small-form hardware capable of storage, processing, or network connectivity. Unlike sanctioned Bring Your Own Device (BYOD) arrangements, this condition exists outside formal governance, with no enforced linkage between the device and the subject's identity or role.

 

The presence of unmanaged devices establishes a persistent and unmonitored means through which a subject may bypass established security controls. This includes enabling offline data collection, covert data exfiltration, unauthorized recording, or the introduction of rogue systems. It also supports preparatory activity, such as staging data for removal or facilitating external interaction beyond controlled organizational channels.

IF030 Exfiltration via SMS/MMS

A subject uses native mobile text messaging services, specifically Short Message Service (SMS) and Multimedia Messaging Service (MMS), to transmit sensitive organizational data to an external recipient. This behaviour enables data exfiltration through telecom-based channels that operate outside standard enterprise monitoring, logging, and data loss prevention controls.

 

Exfiltration via SMS is generally constrained to low-volume, text-based data such as credentials, contact lists, internal identifiers, or short excerpts of sensitive content. MMS expands this capability by allowing the transmission of images, screenshots, audio, or video, enabling higher-density data transfer including photographs or recordings of sensitive systems, documents, or physical environments.

 

The use of telecom-based messaging for data exfiltration presents significant investigative challenges. Evidence is frequently limited to device-level artifacts or external carrier records, which may be difficult to obtain. As such, this behaviour represents a high-risk exfiltration vector due to its low detectability, minimal technical barriers, and ability to bypass established security controls.

IF034 Exfiltration via Automated Transcription

Exfiltration via automated transcription refers to the capture and conversion of spoken information into structured, persistent data through the use of transcription technologies, including AI-enabled note-taking tools, meeting assistants, and speech-to-text systems.

 

Unlike traditional media capture techniques, this behavior does not merely reproduce information; it transforms ephemeral verbal communication into searchable, shareable, and analyzable content. This significantly increases the utility and scalability of exfiltrated data, enabling subjects to accumulate large volumes of sensitive information over time with minimal manual effort.

 

This technique may occur using external tools operating outside organizational control or through misuse of approved or embedded transcription capabilities within enterprise platforms. As a result, it spans both out-of-band and in-band exfiltration paths, making it distinct from media capture behaviors.

 

In addition to software-based transcription tools, subjects may leverage dedicated or repurposed hardware to capture audio streams for later transcription or processing. This includes the use of intermediary devices capable of intercepting microphone input or headphone output, such as inline audio capture adapters, modified peripherals, or secondary recording devices connected to audio interfaces.

 

These methods enable the subject to capture high-quality audio directly from system inputs or outputs without relying on visible applications or introducing detectable software artifacts. In such cases, audio may be recorded covertly and later processed through transcription tools outside the organizational environment, further separating the point of capture from the point of transformation and exfiltration.

 

Exfiltration via automated transcription is particularly effective in environments where sensitive information is frequently communicated verbally, including strategic discussions, incident response, legal proceedings, and technical collaboration. The presence of this behavior may indicate deliberate collection of high-value conversational intelligence, especially where transcription outputs are retained, aggregated, or transferred beyond approved boundaries.

 

From an investigative perspective, this technique introduces a shift from event-based capture to continuous collection, where subjects build structured datasets over time. Detection therefore relies on identifying tool usage, data flows, and the presence of generated artifacts, rather than isolated capture events.

IF004.002 Exfiltration via AirDrop

A subject exfiltrates files using AirDrop as the transportation medium.

IF004.001 Exfiltration via Bluetooth

A subject exfiltrates files using Bluetooth as the transportation medium.

IF003.001 Exfiltration via Photography

A subject captures sensitive information by taking still images using an external device, most commonly a personal mobile phone. This typically involves photographing screens, printed documents, whiteboards, or other visual representations of sensitive data within the organization’s environment.

 

Unlike video capture, photography enables rapid, low-friction extraction of discrete information with minimal dwell time. A subject can capture high volumes of content in short bursts without sustained or conspicuous behavior, making this technique particularly effective in environments with physical proximity to sensitive material but strong digital controls.

 

This method often operates entirely outside controlled systems and therefore bypasses endpoint monitoring, data loss prevention (DLP), and network-based detection mechanisms. It is frequently opportunistic, occurring during routine access to sensitive information, but may also be deliberate, such as systematically photographing documents, screens, or workflows over time.

 

Photography-based exfiltration is especially prevalent in environments where:

  • Sensitive data is visually accessible (e.g., call centers, trading floors, development environments)
  • Physical device controls are weak or inconsistently enforced
  • Subjects have legitimate access but limited ability to export data digitally

 

The presence of this behavior may indicate awareness of monitoring controls or a preference for low-risk, low-detectability exfiltration methods.

IF003.002 Exfiltration via External Device Video Capture

A subject records sensitive information by capturing video using an external device, such as a personal mobile phone or standalone camera. This behavior typically involves filming screens, documents, or physical environments where sensitive information is displayed or discussed.

 

Unlike software-based screen recording or screenshot tools, this method operates outside corporate control boundaries. The capture process occurs entirely outside the monitored endpoint, bypassing data loss prevention (DLP), endpoint detection, and audit logging mechanisms.

 

This technique is commonly observed in controlled environments where digital exfiltration is restricted or heavily monitored. It may be opportunistic (such as quickly recording a screen) or deliberate, involving repeated capture of large volumes of information over time. The use of an external device can indicate subject awareness of monitoring controls and an intent to avoid traceable data transfer.

IF003.003 Exfiltration via Audio Capture

A subject captures sensitive information by recording audio using an external device, most commonly a personal mobile phone or wearable device. This typically involves recording conversations, meetings, phone calls, or ambient discussions where sensitive information is disclosed verbally.

 

Unlike visual capture techniques, audio capture does not require direct interaction with systems or documents. It enables the subject to collect information passively, often without needing to position a device toward a specific target. As a result, this method can be sustained over longer periods with reduced risk of detection, particularly in collaborative or discussion-heavy environments.

 

This technique operates entirely outside corporate monitoring controls, bypassing endpoint telemetry, data loss prevention (DLP), and access logging. It is particularly effective in environments where sensitive information is frequently communicated verbally, including meetings, support operations, incident response discussions, executive briefings, and informal conversations between colleagues.

 

Audio capture is often deliberate, as it requires forethought to record and later process the information. However, it may also be opportunistic, especially where subjects are routinely exposed to sensitive discussions. The presence of this behavior may indicate an intent to capture information that is not otherwise accessible in written or exportable form.

ME005.001 USB Mass Storage

A subject can mount and write to a USB mass storage device.

ME005.002 SD Cards

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

IF002.008 Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

ME024.004 Access to Physical Hardware

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

 

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

 

With this type of access, a subject can:

  • Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
  • Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
  • Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
  • Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
  • Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
  • Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

 

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

 

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

ME024.005 Access to Physical Spaces

Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.

 

Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.

 

This type of access can be leveraged to:

  • Obtain unattended or discarded sensitive information, such as printouts, notes, or credentials left on desks.
  • Observe operational activity or decision-making, gaining insight into projects, personnel, or internal dynamics.
  • Access unlocked devices or improperly secured terminals, allowing direct system interaction or credential harvesting.
  • Bypass digital controls via physical means, such as tailgating into secure spaces or using misappropriated access cards.
  • Covertly install or remove equipment, such as data exfiltration tools, recording devices, or physical implants.
  • Eavesdrop on confidential conversations, either directly or through concealed recording equipment, enabling the collection of sensitive verbal disclosures, strategic discussions, or authentication procedures.

 

Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.

 

Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.

 

The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.

MT015.001 Opportunism

The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.

 

Characteristics

  • Motivated by immediate self-interest rather than deep-seated grievance or ideology.
  • May rationalize actions as minor, justified, or harmless ("no one will notice," "this helps everyone," "it's not a big deal").
  • Often triggered by environmental factors such as poor oversight, operational stress, or unmet personal needs.
  • May escalate over time if not detected and corrected early.
  • Subjects often do not view themselves as "threat actors" and may retain a positive view of their organization.

Example Scenario

Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain.

IF009.006 Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

 

Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

 

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.

PR027.003 Physical Impersonation Through Dress, Uniforms, or Appearance

The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.

 

Common methods include:

  • Wearing uniforms or branded clothing associated with the target organization or a trusted third party.
  • Mimicking attire patterns of specific departments (e.g., IT, facilities, catering).
  • Carrying props such as tools, ID lanyards, or delivery equipment to reinforce the impersonated role.

 

Example Scenarios:

  • A subject dresses in a facilities maintenance uniform to gain access to server rooms under the pretense of conducting HVAC repairs, with no scheduled work order.
  • An insider recruits an accomplice who dresses as a delivery driver to stage equipment drops and tailgate into a secure loading dock.
  • During an internal staff shift, the subject wears a borrowed lanyard and IT polo shirt to move through restricted floors without being challenged.
  • A former contractor retains high-visibility branded clothing and uses it months later to re-enter a secure building undetected.

PR027.004 Cloning or Forging ID Cards for Physical Access

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

 

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

 

Example Scenarios:

  • A subject uses a Flipper Zero device to clone the 125kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
  • A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
  • The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
  • A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.

AF022.003 Portable Hypervisors

The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges, bypassing standard application control, endpoint detection, and logging.

 

Portable hypervisors are often used to:

 

  • Run a fully isolated virtual environment on a corporate system without administrator rights.
  • Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
  • Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
  • Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
  • Destroy or remove evidence simply by ejecting the device or deleting the VM directory.

 

Example Scenarios:

 

  • The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
  • A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
  • The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.

ME004.001 AirDrop

A subject can leverage Apple’s native peer-to-peer file sharing protocol, AirDrop, to transfer files directly to nearby personal devices over Bluetooth and Wi-Fi Direct. AirDrop operates on both macOS and iOS, and functions entirely outside routed enterprise networks, bypassing traditional firewall, proxy, or DLP controls.

 

AirDrop sessions are proximity-based, require no shared credentials, and are often enabled by default. When used from a corporate-managed Apple device, AirDrop creates a covert and rapid pathway for off-network data transfer, even when connected to a corporate VPN or secured wireless configuration. Its convenience, invisibility to traditional network monitoring, and inconsistent endpoint logging make it especially attractive to subjects acting opportunistically or preparing for staged exfiltration.

ME004.002 Android Peer-to-Peer Storage

A subject can exploit Android-based peer-to-peer file sharing technologies, most notably Quick Share (on Samsung and Google devices) and Nearby Share (across Android platforms), to wirelessly transfer files between devices using Bluetooth, Wi-Fi Direct, or ad hoc wireless links. These protocols operate entirely outside routed enterprise networks, bypassing traditional firewall, inspection, and DLP enforcement.

 

Quick Share now extends beyond Android phones and tablets to support file sharing with Windows devices, including personal laptops not under enterprise management. This creates a seamless, low-friction transfer pathway between corporate mobile endpoints and uncontrolled personal systems — particularly dangerous in BYOD or loosely governed device environments.

 

As with Apple AirDrop, these tools expand the subject’s capacity to exfiltrate data outside monitored channels, often with minimal visibility or user prompts. They are especially useful to subjects working in shared or home environments, where proximity to personal devices is routine and trusted by default.