INT2023 Release

README.md

@@ -0,0 +1,31 @@
+# Welcome to the OWASP Top 10 Insider Threats - 2023
+
+<img src="./assets/images/logo.png" alt="drawing" width="200" style="display: block;margin-left: auto;margin-right: auto;"/>
+
+The OWASP Top 10 Insider Threats shall provide information about the top Insider Threats, Risks and Vulnerabilities. 
+
+- [**INT01:2023 – Outdated Software**](./docs/2023/INT01_2023-Outdated_Software.md)
+- [**INT02:2023 – Insufficient Threat Detection**](./docs/2023/INT02_2023-Insufficient_Threat_Detection.md)
+- [**INT03:2023 – Insecure Configurations**](./docs/2023/INT03_2023-Insecure_Configurations.md)
+- [**INT04:2023 – Insecure Resource and User Management**](./docs/2023/INT04_2023-Insecure_Resource_and_User_Management.md)
+- [**INT05:2023 – Insecure Use of Cryptography**](./docs/2023/INT05_2023-Insecure_Use_of_Cryptography.md)
+- [**INT06:2023 – Insecure Network Access Management**](./docs/2023/INT06_2023-Insecure_Network_Access_Management.md)
+- [**INT07:2023 – Insecure Passwords and Default Credentials**](./docs/2023/INT07_2023-Insecure_Passwords_and_Default_Credentials.md)
+- [**INT08:2023 – Information Leakage**](./docs/2023/INT08_2023-Information_Leakage.md)
+- [**INT09:2023 – Insecure Access to Ressources and Management Components**](./docs/2023/INT09_2023-Insecure_Access_to_Resources_and_Management_Components.md)
+- [**INT10:2023 – Insufficient Asset Management and Documentation**](./docs/2023/INT10_2023-Insufficient_Asset_Management_and_Documentation.md)
+
+## Motivation - Why is the OWASP Top 10 Insider Threats important?
+This OWASP Project aims to raise awareness and provide quality information regarding Insider Threats, Risks and Vulnerabilities.
+Insider Threats play an essential role in information security.
+After initial access, these vulnerabilities are the leading cause of compromising whole companies and organizations. Even though these Threats play an important role in the cyber kill chain, they are often overlooked by companies and organizations because the attack vectors originate from the inside and not outside.
+Companies and organizations have to keep in mind that a defense line only to the outside isn't enough. If an attacker is able to get through this line of defense or around, e.g. via Phishing, and gets an initial pivot point, internal defense mechanisms are mandatory. Especially Threat Detection and Monitoring are needed to identify internal attacks and threat actors.
+These are the reasons why this project came to life. We want to provide useful and quality information and raise awareness about these threats in general to improve the internal security of companies and organizations worldwide.
+
+## Open Call for Data, Next Version and Contribution
+To further improve the quality and significance of the OWASP Top 10 Insider Threats, we kindly invite you to join our Open Call for Data for 2024.
+There, you can donate data, anonymously or publicly, to the Project. In the course of 2024, we will collect all the data and then process it for 2025.
+This way, we plan to publish the OWASP Top 10 Insider Threats - Version 2025 using an even more extensive dataset and further improve the quality and significance.
+Contributors and donors will be listed as sponsors, if they wish so, on the related project pages.
+We also plan on doing CVE and CWE research for vulnerabilities regarding insider threats.
+For more information and how to contribute, please follow this [link](./docs/2023/INT_2023-Open_Call_for_Data.md).

docs/2023/0x00-notice.md

@@ -0,0 +1,25 @@
+# Release
+
+Released 13th November 2023
+
+Version v1.0 (13.11.2023)
+
+## Lead Authors and Project Leaders
+
+- [Nick Lorenz](mailto:[email protected]) (Profile and Links: [@Sharkeonix](http://sharkeonix.com), LinkedIn: [@NickLorenz](https://www.linkedin.com/in/nicklorenz))
+- [Tim Barsch](mailto:[email protected]) (GitHub: [:Domai](https://github.com/domai-tb), LinkedIn: [@TimBarsch](https://www.linkedin.com/in/domai-tb))
+
+## Contributors
+
+- Tobias Neugebauer (LinkedIn: [@TobiasNeugebauer](https://www.linkedin.com/in/tobiasneugebauer))
+
+## How you can help
+
+For Version 2025 we are making an Open Call for Data. We would be happy if you want to contribute.
+For more information, please visit [this site](./INT_2023-Open_Call_for_Data.md).
+
+## Log issues and pull requests
+
+Please log any corrections or issues:
+
+- [https://github.com/OWASP/www-project-top-10-insider-threats/issues](https://github.com/OWASP/www-project-top-10-insider-threats/issues)

docs/2023/INT00-about-owasp.md

@@ -0,0 +1,38 @@
+# About OWASP
+
+The Open Worldwide Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
+
+At OWASP, you'll find free and open:
+
+- Application security tools and standards
+- Cutting-edge research
+- Standard security controls and libraries
+- Complete books on application security testing, secure code development, and secure code review
+- Presentations and [videos](https://www.youtube.com/user/OWASPGLOBAL)
+- [Cheat sheets](https://cheatsheetseries.owasp.org/) on many common topics
+- [Chapters meetings](https://owasp.org/chapters/)
+- [Events, training, and conferences](https://owasp.org/events/).
+- [Google Groups](TBA)
+
+Learn more at: [https://www.owasp.org](https://www.owasp.org).
+
+All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security.
+
+We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security require improvements in these areas.
+
+OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, and cost-effective information about application security.
+
+OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many materials in a collaborative, transparent, 
+and open way.
+
+The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project 
+leaders, and project members. We support innovative security research with grants and infrastructure.
+
+Come join us!
+
+## Copyright and License
+
+![license](assets/license.png)
+
+Copyright © 2003-2023 The OWASP™ Foundation. This document is released under the Creative Commons Attribution Share-Alike 4.0 license. For any reuse or distribution, you must make it clear to 
+others the license terms of this work.

docs/2023/INT00_2023_Introduction.md

@@ -0,0 +1,22 @@
+# Introduction
+
+## Welcome to the OWASP Top 10 Insider Threats - 2023
+
+![OWASP Top 10 Insider Threats Logo](./../../assets/images/logo.png){:class="img-responsive"}
+
+The OWASP Top 10 Insider Threats shall provide information about the top Insider Threats, Risks and Vulnerabilities. 
+
+## Motivation - Why is the OWASP Top 10 Insider Threats important?
+This OWASP Project aims to raise awareness and provide quality information regarding Insider Threats, Risks and Vulnerabilities.
+Insider Threats play an essential role in information security.
+After initial access, these vulnerabilities are the leading cause of compromising whole companies and organizations. Even though these Threats play an important role in the cyber kill chain, they are often overlooked by companies and organizations because the attack vectors originate from the inside and not outside.
+Companies and organizations have to keep in mind that a defense line only to the outside isn't enough. If an attacker is able to get through this line of defense or around, e.g. via Phishing, and gets an initial pivot point, internal defense mechanisms are mandatory. Especially Threat Detection and Monitoring are needed to identify internal attacks and threat actors.
+These are the reasons why this project came to life. We want to provide useful and quality information and raise awareness about these threats in general to improve the internal security of companies and organizations worldwide.
+
+## Open Call for Data, Next Version and Contribution
+To further improve the quality and significance of the OWASP Top 10 Insider Threats, we kindly invite you to join our Open Call for Data for 2024.
+There, you can donate data, anonymously or publicly, to the Project. In the course of 2024, we will collect all the data and then process it for 2025.
+This way, we plan to publish the OWASP Top 10 Insider Threats - Version 2025 using an even more extensive dataset and further improve the quality and significance.
+Contributors and donors will be listed as sponsors, if they wish so, on the related project pages.
+We also plan on doing CVE and CWE research for vulnerabilities regarding insider threats.
+For more information and how to contribute, please follow this [link](./INT_2023-Open_Call_for_Data.md).

docs/2023/INT01_2023-Outdated_Software.md

@@ -0,0 +1,36 @@
+# INT01:2023 – Outdated Software
+
+## Description
+It is important to keep software updated.
+Often, updates include security-relevant patches, meaning if a software isn't up-to-date, it may contain vulnerabilities in its current version state.
+These vulnerabilities are often publicly known and can be found easily by security scanners.
+Unfortunately, many companies and end users fail to keep all their software components up-to-date.
+Due to the lack of updates and update management, many software components and underlying systems become vulnerable over time, with increasing criticality as time passes by.
+
+## Risk
+Outdated software can lead to a variety of different vulnerabilities, ranging from vulnerabilities with a low criticality to vulnerabilities causing compromization of the entire system.
+The severity and amount of these vulnerabilities in an outdated software system depends on the individual case.
+Usually, they rise with time as more and more vulnerabilities are found.
+
+## Rectification
+It is recommended to keep all software components, including libraries and similar, on an up-to-date, stable and supported version.
+Every software and its components should be regularly checked for updates and new patches.
+It is recommended to implement an update management process to ensure no components are missed, and the checks are in time.
+It makes sense to regularly check vendor sites and information security hubs for news about zero-day exploits for related software.
+In this case, there might be no updates to these kinds of vulnerabilities, but the company or individual can take precautions to reduce the impact or the probability of these vulnerabilities.
+
+## Example Attack Scenarios
+**Scenario #1: Outdated Web Server**
+A company hosts an internal website to provide information to its employees.
+The company doesn't have an update management process and doesn't regularly check and update its software components.
+The web server used for this website runs on an outdated version with known vulnerabilities. One of these vulnerabilities is a Remote Code Execution - RCE.
+An attacker who gained access to an employee's computer enumerates the version of the internal web server and quickly finds a related Common Vulnerabilities and Exposures - CVE for the current web server version regarding a 
+Remote Code Execution.
+The attacker manages to find a related exploit and gains access to the underlying server.
+
+**Scenario #2: Deprecated Old Server**
+A company has an update management process to keep all its software components up-to-date.
+The update management process failed to inventory an old internal server with confidential construction plans.
+An attacker who gained access to the internal company's network finds this server and enumerates its OS version.
+The attacker finds out the vendor no longer supports the used version and is prone to several vulnerabilities, including critical ones.
+The attacker uses a publicly available exploit to access the server and exfiltrates the confidential construction plans, selling them to company competitors afterward.

docs/2023/INT02_2023-Insufficient_Threat_Detection.md

@@ -0,0 +1,45 @@
+# INT02:2023 – Insufficient Threat Detection
+
+## Description
+Threat Detection plays a vital role in cyber defense.
+In most Cyberattacks, especially internal ones, the first detection of threat actors is too late.
+Most Cyberattacks get detected once the threat actors perform malicious actions that impact and disturb internal processes or interfere with employee's work.
+For example, when ransomware starts to encrypt data on an employee's computer or an important server.
+Unfortunately, a detection of a cyberattack in this state is too late.
+Qualitative threat detection is needed to detect threat actors and malicious activities before they can cause severe damage.
+Ideally, threat actors should be detected in the initial access phase or, at the latest, in the command and conquer phase.
+
+## Risk
+If threat actors aren't detected early on in a cyberattack chances are high that the target is powerless and doesn't get the opportunity to take further defense actions.
+Threat actors are normally weeks and month in an internal network before they perform conspicuous actions.
+Insufficient threat detection is one of the main reasons sophisticated cyberattacks are successful that often.
+Without proper detection and monitoring mechanisms in place the target won't be able to see threat actors get access to their internal network and move laterally through it.
+
+## Rectification
+Implementing processes and mechanisms on different levels and points of the internal infrastructure is recommended to build a qualitative and powerful threat detection system.
+Security Incident and Event Management - SIEM Systems, Firewalls, Endpoint Detection and Response - EDR Applications and other mechanisms and software that supervise activities, build 
+the foundation of a threat detection system.
+It is crucial to implement these sensors and systems on as many levels and points of the infrastructure as possible, like computers, servers, or the network on 
+different ISO/OSI-Layers.
+This way, the chances of early detection of cyberattacks and their threat actor are high. The target can take further actions and can defend the internal infrastructure before 
+devastating attacks can be performed.
+
+## Example Attack Scenarios
+**Scenario #1: Insufficient Network Detection**
+A company has an internal infrastructure, including endpoint systems, like employee computers, and servers for internal applications.
+The internal servers hold mandatory data for the company's business processes. An End Point Detection and Response Software on every employee's device is implemented.
+An employee accidentally downloads and executes malware without realizing it is malicious software.
+An Advanced Persistent Threat - APT, a sophisticated and highly professionalized cybercriminal group, wrote the malware and the EDR fails to detect the malware.
+The malware is able to compromise one of the internal servers from the compromised employee's computer. The malware moves laterally through the network and compromises all the 
+internal servers. These actions aren't detected because no qualitative threat detection system exists for the network.
+After compromization, the malware encrypts all data on the servers, the company loses access to its data and, therefore, can't keep its business processes running.
+This could have been prevented if the company had implemented a redundant and complete threat detection and monitoring system and not only an EDR system.
+
+**Scenario #2: Insufficient Anomaly Detection**
+A company hosts internal services for employees to share critical data and files. It also provides the employees with laptops and configured Virtual Private Network - VPN software so that they 
+can work from home.
+An employee's laptop gets stolen on a train ride by a cybercriminal who manages to get access to the laptop and the employee's account.
+The cybercriminal finds the internal shares and downloads the files from all shares. 
+The company fails to detect this data exfiltration because it doesn't have an anomaly detection. It would have noticed the large transfer of data or the access to shares the employee 
+typically doesn't access.
+The cybercriminal later sells the exfiltrated data and files to concurrent companies.

docs/2023/INT03_2023-Insecure_Configurations.md

@@ -0,0 +1,21 @@
+# INT03:2023 – Insecure Configurations
+
+## Description
+Insecure configurations represent a critical vulnerability category. These vulnerabilities arise when hardware, software, or network components are not properly set up or configured, exposing them to potential cyber threats. Understanding and addressing insecure configurations is essential to fortify an organization's defenses against cyberattacks. Addressing these vulnerabilities requires a proactive approach involving regular auditing, robust configuration management, and adherence to security best practices throughout an organization. 
+
+## Risk
+The risk of insecure configurations in IT systems cannot be emphasized enough. Insecure configurations create openings for exploits, potential data breaches and lateral movement. These vulnerabilities often serve as low-hanging fruit for attackers, offering a relatively easy path into an organization's network. To mitigate this risk, organizations must prioritize proper configuration management, regular security audits, and the enforcement of security best practices to reduce their attack surface and bolster their cyber defenses.
+
+## Rectification
+Regular security audits and proper configuration management are key factors for addressing this vulnerability category. Countermeasures could be, but are not limited to:
+
+1. Regular Auditing and Scanning: Conduct regular security audits and vulnerability assessments to identify insecure configurations. Automated scanning tools can help detect and remediate these issues proactively.
+2. Vendor Security Advisory: Most vendors give security-related advise to configure the software (more) secure or providing hardening guides. 
+3. Education and Training: Provide cybersecurity training and awareness programs for employees to reduce the likelihood of insecure configurations. Insecure configurations are primarily a result of not implementing best-practice strategies.
+
+## Example Attack Scenarios
+**Scenario #1: Missing Security Headers**
+A company uses an internal web application hosting sensitive client data. However, the web application lacks essential security headers such as Content Security Policy (CSP) and X-Content-Type-Options. An insider, a disgruntled employee with basic technical knowledge, discovers this oversight. They craft a Cross-Site Scripting (XSS) attack, exploiting the missing headers to inject malicious scripts into the web application. Once executed, the script exfiltrates sensitive client data to an external server controlled by the insider. The absence of security headers made the application more susceptible to such client-side attacks, enabling the insider to compromise client data.
+
+**Scenario #2: No or Insufficient Network Separation**
+A healthcare provider relies on a single network for administrative operations and patient data management. There isn’t any network segmentation between these two operational areas. An insider, a system administrator upset over workplace issues, decides to exploit this lack of network separation. Using their elevated access privileges, they can easily traverse from the administrative segment of the network to the patient data management segment. They then maliciously alter patient records, causing significant data integrity issues and potentially endangering patient care.