The misuse of one's privileges is an intentional, malicious attack pattern. Most of the data breaches in 2021 in this category were caused by privilege abuse or data mishandling. They were mostly initiated by internal actors (“insider threat”) and financially motivated. Healthcare and finance were the industries most threatened by this attack pattern over the past several years. [1,2]
Proactive and reactive security measures
To address this attack pattern, organizations should follow a considered approach to access management and implement detective controls.
Proper access management starts with the definition of user roles and access profiles. It is very important to align these roles and profiles with the organization's IT services and resources. In a second step, processes for adding, changing and removing access rights should be established. A process that ensures only authorized identities are granted access to a resource is essential. IT service management (ITSM) frameworks such as ITIL can help organizations implement access management along best-practice guidelines.
To detect insider threats in a timely manner, a security information and event management (SIEM) system with 24/7 monitoring should be established. With the help of MITRE's recently published knowledge base of insider threat tactics, techniques and procedures (TTPs), the detection of activities related to this attack pattern can be automated. This community project focuses on “real-world adversary behaviors” and helps organizations look for what is probable instead of what is possible.
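As an added illustration (not code from the post or from MITRE's knowledge base), the following script shows how the two measures fit together: the access profiles defined during access management become the reference against which a SIEM-style rule set evaluates normalised access events. The role profiles, the log events and the three rules (out-of-profile access, after-hours access, bulk record retrieval) are constructed examples, and the thresholds are assumptions to be tuned per organization.

```python
from collections import defaultdict

# Constructed role -> permitted resources mapping. In practice this comes from
# the organization's access profiles (IAM / ITSM), not from the SIEM itself.
ROLE_PROFILES = {
    "nurse": {"patient_records"},
    "billing": {"invoices", "patient_records"},
    "helpdesk": {"tickets"},
}

# Constructed, already-normalised access events as a SIEM would hold them.
# Fields: user, role, resource accessed, record identifier, hour of day.
SAMPLE_EVENTS = (
    [{"user": "alice", "role": "nurse", "resource": "patient_records",
      "record": f"p{i}", "hour": 10} for i in range(5)]          # normal use
    + [{"user": "bob", "role": "helpdesk", "resource": "patient_records",
        "record": "p42", "hour": 14}]                             # out of profile
    + [{"user": "carol", "role": "billing", "resource": "patient_records",
        "record": f"p{i}", "hour": 2} for i in range(120)]        # bulk, after hours
)

def detect_privilege_misuse(events, profiles, bulk_threshold=100,
                            work_hours=range(7, 20)):
    """Apply three detective rules over normalised access events.

    Returns a sorted list of (rule, user, detail) alerts so the caller
    can act on the result instead of on printed text.
    """
    alerts = set()
    records_per_user = defaultdict(set)
    for ev in events:
        permitted = profiles.get(ev["role"], set())
        # Rule 1: access to a resource the user's role profile does not grant.
        if ev["resource"] not in permitted:
            alerts.add(("out_of_profile", ev["user"], ev["resource"]))
        # Rule 2: access to sensitive data outside working hours (assumed window).
        if ev["hour"] not in work_hours:
            alerts.add(("after_hours", ev["user"], ev["resource"]))
        if ev["resource"] == "patient_records":
            records_per_user[ev["user"]].add(ev["record"])
    # Rule 3: bulk retrieval of distinct records, a data-mishandling indicator.
    for user, records in records_per_user.items():
        if len(records) >= bulk_threshold:
            alerts.add(("bulk_access", user, len(records)))
    return sorted(alerts, key=lambda a: (a[0], a[1]))

if __name__ == "__main__":
    for alert in detect_privilege_misuse(SAMPLE_EVENTS, ROLE_PROFILES):
        print(alert)
```

Alice's in-profile, daytime activity produces no alert, while Bob's single out-of-profile read and Carol's night-time bulk retrieval each trigger a rule.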
Check if your organization tackles the threat of privilege misuse:
- Are identities and access within the organization managed with proper processes and governance?
- Are sources such as firewall or Active Directory logs continuously monitored?
- Are security events specifically related to insider threats detected?
Need help implementing access management or security information and event management? Contact us for more information.