SCKIPT User Behaviour Matrix (Standard Users)
Source (UB)
Case Scenario (C)
Known Interactions (K)
Protection (P)
Threats (T)
UB1. Email
UB1.C1 – Send Emails
UB1.C1.K1 – Send attachments
UB1.C1.K1.P1
– Split information so that sensitive / confidential data cannot be identified from a single source
– Watermark, obfuscate, replace sensitive / confidential data
– DLP/DRM
– Deny screenshot software and/or monitor screenshot software extensions
– Deny sharing options, or limit sharing to the internal organisation or to a specific group that is controlled and audited
UB1.C1.K1.P2/UB1.C2.K1.P1
– Block/Monitor/Restrict attachment extensions
– Block/Monitor/Restrict file hashes
– Block/Monitor/Restrict file actions (execution, web redirection, OS modifications, and others)
UB1.C1.K1.T1 – Send personal or confidential Data
UB1.C1.K1.T2 – Share access to personal or confidential Data
UB1.C2 – Open Emails
UB1.C2.K1 – Open attachments
UB1.C2.K2 – Click on URLs
UB1.C2.K2.P1
– Configure and monitor IP/Domain/URL IOCs
– Monitor URL redirection
– Monitor sender domains and sender email addresses
UB1.C2.K1.T1 – Open malicious or infected attachment files
UB1.C2.K2.T1 – Click on URLs redirecting to malicious content
UB1.C3 – Enable Auto-Reply Messages
UB1.C3.P1 – Block/Monitor/Restrict Auto-Reply messages (e.g. internally)
UB1.C3.T1 – Send private data externally in the Auto-Reply messages
UB1.C4 – Email Sender Lists
UB1.C4.K1 – Add Domains or senders as trusted
UB1.C4.K1.P1 – Monitor/Restrict Domains/Email Address added into Sender Lists
UB1.C4.K1.T1 – Add malicious domains or senders as trusted
UB1.C5 – Email Rules
UB1.C5.K1 – Auto-forwarding Rules
UB1.C5.K1.P1 – Block/Monitor/Restrict Auto-Forwarding Rules (e.g. internally)
UB1.C5.K1.T1 – Email Rules can forward sensitive data and/or trigger risky activities
UB1.C6 – Remove Emails
UB1.C6.P1 – Backups and archive
UB1.C6.P2 – Audit Mailbox actions
UB1.C6.P3 – Preserve and store emails after they are removed by the user (e.g. In-Place Hold and Litigation Hold in Exchange Server)
UB1.C6.T1 – Loss of email non-repudiation evidence
UB1.C7 – Delegate mailbox permissions
UB1.C7.P1 – Audit Mailboxes
UB1.C7.P2 – Block/Disable permission delegation feature or require on-demand approval
UB1.C7.T1 – Unauthorised user access to restricted or sensitive information over the delegated mailbox
UB1.C7.T2 – Loss of email non-repudiation evidence