SCKIPT is an initiative created by Sergio Albea focused on detecting user behaviours that can put the security of our systems at risk. Nowadays we have multiple solutions, models and tools that allow us to increase our level of protection against different threats and attacks. However, there are multiple scenarios where security relies on how users interact with their managed systems.

SCKIPT is oriented to listing and providing possible measures to respond to the mentioned threats in scenarios where most user activities are not blocked or limited. This model is not focused on the perspective of possible attacks by bad actors (for which there are multiple initiatives and models); it is focused on threats arising from possible actions by our users. More explanations here.

Legend: UB – User Behaviour | Rp – Related Page | K – KQL Queries | W – Websites | M – MITRE ATT&CK Reference

SCKIPT User Behaviour Matrix
Columns: Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T)
UB1. Email
Case Scenario (C)
UB1.C1 – Send Emails
UB1.C2 – Open Emails
UB1.C3 – Enable Auto-Reply Messages
UB1.C4 – Email Sender Lists
UB1.C5 – Email Rules
UB1.C6 – Remove Emails
UB1.C7 – Delegate Mailbox Permissions
Known Interactions (K)
UB1.C1.K1 – Send attachments
UB1.C2.K1 – Open attachments
UB1.C2.K2 – Click on URLs
UB1.C4.K1 – Add domains or senders as trusted
UB1.C5.K1 – Auto-forwarding rules
Protection (P)
UB1.C1.K1.P1
– Split information so that sensitive / confidential data cannot be identified from a single source
– Watermark, obfuscate or replace sensitive / confidential data
– DLP/DRM
– Deny screenshot software and/or monitor screenshot software extensions
UB1.C1.K1.P2 / UB1.C2.K1.P1
– Block/Monitor/Restrict attachment extensions
– Block/Monitor/Restrict file hashes
– Block/Monitor/Restrict file actions (execution, web redirection, OS modifications and others)
UB1.C2.K2.P1
– Configure and monitor IP/domain/URL IOCs
– Monitor URL redirection
– Monitor sender domains and sender email addresses
UB1.C3.P1 – Block/Monitor/Restrict auto-reply messages (e.g. internally)
UB1.C4.K1.P1 – Monitor/Restrict domains/email addresses added to sender lists
UB1.C5.K1.P1 – Block/Monitor/Restrict auto-forwarding rules (e.g. internally)
UB1.C6.P1 – Backups and archiving
UB1.C6.P2 – Audit mailbox actions
UB1.C6.P3 – Preserve and store emails after they are removed by the user (e.g. In-Place Hold and Litigation Hold in Exchange Server)
UB1.C7.P1 – Audit mailboxes
UB1.C7.P2 – Block/disable the permission delegation feature or require on-demand approval
Threats (T)
UB1.C1.K1.T1 – Send personal or confidential data
UB1.C2.K1.T1 – Open malicious or infected attachment files
UB1.C2.K2.T1 – Click on URLs redirecting to malicious content
UB1.C3.T1 – Send private data externally in auto-reply messages
UB1.C4.K1.T1 – Add malicious domains or senders as trusted
UB1.C5.K1.T1 – Email rules can forward sensitive data and/or trigger risky activities
UB1.C6.T1 – Loss of email non-repudiation evidence
UB1.C7.T1 – Unauthorised user access to restricted or sensitive information through the delegated mailbox
UB1.C7.T2 – Loss of email non-repudiation evidence
UB2. Devices
Case Scenario (C)
UB2.C1 – Use external devices
UB2.C2 – Use external connections
UB2.C3 – Install software
UB2.C4 – Establish remote connections
UB2.C5 – Manage device services
UB2.C6 – Connect devices to charging stations via USB
Known Interactions (K)
UB2.C1.K1 – Connect PnP devices
UB2.C2.K1 – Use open Wi-Fi networks
UB2.C2.K2 – Use unknown ISPs
UB2.C2.K3 – DHCP IP assignment
UB2.C3.K1 – Have non-updated software
UB2.C5.K1 – Disable or stop services
Protection (P)
UB2.C1.K1.P1 – Deny PnP devices by policy
UB2.C2.(K1-K2-K3)
– VPN
– Restrict allowed connections depending on the configured network/DNS/DHCP
– Filter network traffic
– Revoke tokens and reset passwords after risky or unknown connections
UB2.C3.K1.P1 – Configure auto-patch options
(It is recommended to deploy new software updates in a test/dev environment before applying them in production.)
UB2.C4.P1 – Monitor/Deny or Restrict internal remote (RDP/SSH) connections
UB2.C5.K1.P1 – Configure policies and permissions so that users cannot modify device service status
UB2.C6.P1 – Use a USB data blocker ("USB condom"), AC power outlets or external batteries
Threats (T)
UB2.C1.K1.T1 – Use non-updated PnP devices
UB2.C1.K1.T2 – PnP devices on critical servers
UB2.C1.K1.T3 – PnP devices from unknown PnP vendors
UB2.C2.K3.T1 – Use external or non-trusted DHCP servers
UB2.C2.K3.T2 – Unknown DHCP servers added into device registry keys
UB2.C3.K1.T1 – Software with possible exploits and vulnerabilities
UB2.C4.T1 – Non-allowed remote connections
UB2.C5.K1.T1 – Stop or disable services related to antivirus, antimalware, firewall or other threat monitoring software
UB2.C6.T1 – Malware installation and/or device data theft via USB using the Juice Jacking technique
UB3. Users
Case Scenario (C)
UB3.C1 – Scan QR codes
UB3.C2 – User sign-in
UB3.C3 – Take screenshots/photos of company data
UB3.C4 – Users use different ISPs
Known Interactions (K)
UB3.C2.K1 – Sign-in attempts from anywhere
UB3.C2.K2 – Sign-in on non-owner devices
UB3.C4.K1 – Users contract and use non-secure ISPs
Protection (P)
UB3.C1.P1 – Monitor content/URLs behind QR codes
UB3.C2.P1 – Restrict user sign-in by country
UB3.C3.P1
– Split information so that sensitive / confidential data cannot be identified from a single source
– Watermark, obfuscate or replace sensitive / confidential data
– DLP/DRM
– Deny screenshot software and/or monitor its file extensions
UB3.C4.K1.P1 – Monitor activities from non-secure ISPs
Threats (T)
UB3.C1.T1 – Access to malicious content through a malicious URL after scanning a QR code
UB3.C2.K1.T1 – Suspicious sign-in attempts from multiple countries in a short time
UB3.C2.K2.T1 – User sessions remain active on non-owner devices after user activity
UB3.C3.T1 – Data leakage of sensitive or critical information
UB3.C4.K1.T1 – Sign-in attempts using non-secure ISPs
UB4. Network
Case Scenario (C)
UB4.C1 – Web surfing
Known Interactions (K)
UB4.C1.K1 – Establish unencrypted communications
UB4.C2.K1 – Use plugins on websites
Protection (P)
UB4.C1.K1.P1
– Enforce the latest version of TLS
– Enforce strong cipher suite algorithms
– Enforce the strongest elliptic curve encryption methods
Threats (T)
UB4.C1.K1.T1 – Low/risky cipher suite algorithms
UB4.C1.K1.T2 – Low/risky curve encryption established
UB5. Software
Case Scenario (C)
UB5.C1 – Software updates
UB5.C2 – Install software plugins and add-ons
UB5.C3 – Software configurations
Known Interactions (K)
UB5.C1.K1 – Install third-party software
UB5.C1.K2 – Software with malicious DLLs
UB5.C3.K1 – Users can add exclusions
Protection (P)
UB5.C1.K1.P1 – Restrict allowed software and require approval for new programs
UB5.C1.K2.P1 – Monitor DLL changes and/or updates
UB5.C2.P1 – Monitor/Restrict allowed software plugins and add-ons
UB5.C3.K1.P1 – Monitor/Restrict allowed exclusion actions
Threats (T)
UB5.C1.K1.T1 – Install malicious or non-allowed software
UB5.C1.K2.T1 – DLL hijacking
UB5.C2.T1 – Malicious plugins or add-ons added to browsers
UB5.C2.T2 – Plugins and add-ons added to software programs that establish connections or exchange data with non-allowed countries
UB5.C3.K1.T1 – Users could add exceptions in antivirus, antimalware or other threat monitoring tools, leaving the excluded folders or files unprotected
UB6. Auth.
Case Scenario (C)
UB6.C1 – Passwords
UB6.C2 – Account names (UPNs)
UB6.C3 – Generate tokens
UB6.C4 – SMS
UB6.C5 – Authentication apps
Known Interactions (K)
UB6.C1.K1 – Weak/guessable passwords
UB6.C2.K1 – Users share their name and surname on social networks
UB6.C4.K1 – Users authenticate with SMS
Protection (P)
UB6.C1.K1.P1 – Configure password policies to require strong passwords
UB6.C1.K1.P2 – Create a block list of known words that users could potentially use as passwords and that are easy for attackers to guess
UB6.C2.K1.P1 – Configure different domains or use different username patterns to create email addresses and UPNs that cannot be linked to the user's identity
UB6.C3.P1 – Use tokens with short lifespans or implement token rotation strategies
UB6.C3.P2 – Implement a process to detect and revoke compromised tokens as soon as possible
UB6.C3.P3 – Store tokens in secure storage solutions such as environment variables, a key management service or secure vaults
UB6.C4.K1.P1 – Avoid using SMS as the primary form of 2FA
Threats (T)
UB6.C1.K1.T1 – Password discovered
UB6.C2.K1.T1 – Malicious actors can easily discover users' email addresses and UPNs for phishing, spamming and other threats using social engineering
UB6.C3.T1 – Long-lived tokens that are not rotated regularly increase the risk of misuse if they are compromised
UB6.C3.T2 – If a token is compromised and not immediately revoked, unauthorized access can continue
UB6.C3.T3 – Storing tokens in plain text can expose them to unauthorized access
UB6.C4.K1.T1 – Cybercriminals can send fake verification codes or request real codes sent by legitimate services
UB7. Content
Case Scenario (C)
UB7.C1 – Copy
Known Interactions (K)
UB7.C1.K1 – Copy data to external sources or drives
Protection (P)
UB7.C1.K1.P1 – DLP/DRM
UB7.C1.K1.P2 – Block/Monitor external sources and drives
Threats (T)
UB7.C1.K1.T1 – Data leakage