Standard Users – UB Devices
UB – User Behaviour; Rp – Related Page; K – KQL Queries; W – WebSites; M – MITRE ATT&CK Reference
SCKIPT User Behaviour Matrix (Standard Users)

| Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T) |
|---|---|---|---|---|
| UB2. Devices | UB2.C1 – Use external devices | UB2.C1.K1 – Connect PnP devices | UB2.C1.K1.P1 – Deny PnP devices by policy | UB2.C1.K1.T1 – Use non-updated PnP devices; UB2.C1.K1.T2 – PnP devices on critical servers; UB2.C1.K1.T3 – PnP devices from unknown PnP vendors |
| | UB2.C2 – Use external connections | UB2.C2.K1 – Use open Wi-Fi networks; UB2.C2.K2 – Use unknown ISPs; UB2.C2.K3 – DHCP IP assignment | UB2.C2.(K1-K2-K3) – Use a VPN; restrict allowed connections depending on the configured network/DNS/DHCP; filter network traffic; revoke tokens and reset passwords after risky or unknown connections | UB2.C2.K3.T1 – Use external or non-trusted DHCP servers; UB2.C2.K3.T2 – Unknown DHCP servers added into device registry keys |
| | UB2.C3 – Install software | UB2.C3.K1 – Have non-updated software | UB2.C3.K1.P1 – Configure auto-patch options | UB2.C3.K1.T1 – Software with possible exploits and vulnerabilities |
| | UB2.C4 – Establish remote connections | | UB2.C4.P1 – Monitor, deny or restrict internal remote (RDP/SSH) connections | UB2.C4.T1 – Non-allowed remote connections |
| | UB2.C5 – Manage device services | UB2.C5.K1 – Disable or stop services | UB2.C5.K1.P1 – Configure policies and permissions that do not allow modifying device service status | UB2.C5.K1.T1 – Stop or disable services related to antivirus, antimalware, firewall or other threat-monitoring software |
| | UB2.C6 – Connect devices to charging stations via USB | | UB2.C6.P1 – Use a USB data blocker ("USB condom"), AC power outlets or external batteries | UB2.C6.T1 – Install malware and/or steal device data via USB using the juice-jacking technique |
| | UB2.C7 – Manage device logs | UB2.C7.K1 – Clean/remove device logs | UB2.C7.K1.P1 – Restrict access to device logs; audit access to device logs; back up device logs | UB2.C7.K1.T1 – Loss of non-repudiation evidence; lack of visibility over malicious activities; regulatory non-compliance |