Employee Offboarding

When employees leave the organization, all physical and digital access must be revoked promptly. A flawed offboarding process leaves enabled accounts, valid credentials and active sessions behind, and these are often discovered and used by attackers months later.

Your Strategy

Rely on HR-driven automation. As soon as an exit date is recorded in the HR system (e.g., Workday, Personio), it must automatically trigger the deactivation of the user's identity in the identity provider (IdP) on that date. Disabling the account is only the first step: already-issued sessions, refresh tokens and API keys can remain valid until they expire, so the workflow must revoke them explicitly and remove group and role memberships as well.

Best Practices

  • Completeness: Cover systems that are not integrated with the IdP (e.g., local accounts on hardware firewalls, SaaS tools with their own logins, physical keys and badges). Each of these needs a tracked manual task rather than an assumption that the IdP took care of it.
  • Certificates: Revoke all user-bound certificates (S/MIME, VPN) immediately and make sure the revocation is published (CRL/OCSP); a certificate whose revocation relying parties never check is still accepted.
  • Hardware Audit: Use asset tagging to confirm that all laptops and mobile devices have been physically returned, and treat an unreturned device as a possible data exposure (remote wipe where MDM allows it).
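An added example of what the HR-triggered workflow described above can look like, written for this page rather than taken from AYSOLI or any vendor. The HR event, identity provider, certificate authority and asset inventory are constructed in-memory stand-ins with hypothetical class and method names, so the code runs offline; in a real deployment each would be a client for the HR webhook, the IdP admin API, the CA and the MDM/asset system. The order of the steps is the point: block sign-in, then revoke what is already issued, then strip roles and certificates, then track what the IdP cannot reach.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-ins for the real systems (hypothetical names, not a vendor API).
@dataclass
class Identity:
    upn: str
    enabled: bool = True
    sessions: set = field(default_factory=set)   # session and refresh-token ids
    groups: set = field(default_factory=set)     # group / role memberships
    certs: set = field(default_factory=set)      # serials of user-bound certificates


class IdP:
    """In-memory identity provider exposing the admin calls the workflow needs."""

    def __init__(self, users):
        self.users = {u.upn: u for u in users}

    def disable(self, upn):
        self.users[upn].enabled = False

    def revoke_sessions(self, upn):
        """Disabling sign-in does not kill issued tokens; they must be revoked explicitly."""
        n = len(self.users[upn].sessions)
        self.users[upn].sessions.clear()
        return n

    def remove_groups(self, upn):
        removed = sorted(self.users[upn].groups)
        self.users[upn].groups.clear()
        return removed


class CA:
    """In-memory certificate authority; revoked serials are published on its CRL."""

    def __init__(self):
        self.crl = set()

    def revoke(self, serial):
        self.crl.add(serial)


# Systems the IdP cannot reach: they get a tracked manual task instead of an API call.
NON_INTEGRATED = ("edge firewall local admin", "building key-card system")


@dataclass
class Report:
    upn: str
    status: str                                    # "scheduled" or "completed"
    sessions_revoked: int = 0
    groups_removed: list = field(default_factory=list)
    certs_revoked: list = field(default_factory=list)
    manual_tasks: list = field(default_factory=list)
    unreturned_assets: list = field(default_factory=list)


def offboard(hr_event, idp, ca, assets, today):
    """Run the offboarding steps for one HR exit event.

    hr_event: {"upn": str, "exit_date": date}
    assets:   {asset_tag: (owner_upn, returned)}
    """
    upn, exit_date = hr_event["upn"], hr_event["exit_date"]
    if today < exit_date:
        return Report(upn, "scheduled")            # trigger is stored; act on the exit date
    report = Report(upn, "completed")
    idp.disable(upn)                               # 1. block new sign-ins first
    report.sessions_revoked = idp.revoke_sessions(upn)   # 2. then kill existing sessions
    report.groups_removed = idp.remove_groups(upn)       # 3. strip roles, incl. privileged ones
    for serial in sorted(idp.users[upn].certs):          # 4. revoke user-bound certificates
        ca.revoke(serial)
        report.certs_revoked.append(serial)
    report.manual_tasks = [f"remove {upn} from {s}" for s in NON_INTEGRATED]  # 5. completeness
    report.unreturned_assets = sorted(                   # 6. hardware audit
        tag for tag, (owner, returned) in assets.items() if owner == upn and not returned)
    return report


def demo(today=date(2024, 6, 30)):
    """Constructed sample: a leaver with an admin role, a VPN certificate and two devices."""
    leaver = "j.doe@example.com"
    idp = IdP([Identity(leaver, sessions={"sess-1", "refresh-2"},
                        groups={"Domain Admins", "VPN-Users"}, certs={"1A2B"})])
    ca = CA()
    assets = {"LT-0042": (leaver, True), "PH-0017": (leaver, False)}
    event = {"upn": leaver, "exit_date": date(2024, 6, 30)}
    return offboard(event, idp, ca, assets, today), idp, ca


if __name__ == "__main__":
    report, _, _ = demo()
    print(report)
```

The report is what the ticketing or SIEM side consumes: an offboarding is only "complete" when the manual tasks are closed and no asset is left unreturned, which is why both are returned as data rather than just logged.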

STRIDE-LM Design Risks

Spoofing (S-GOV-01): Orphaned High-Privilege Accounts
  Admin accounts of former employees that remain enabled and are no longer tied to any active person.

Tampering (T-01): Data Tampering
  Unauthorized modification of shared data or configurations.

Repudiation (R-01): Audit Log Manipulation
  Deleting or altering the traces of an action.

Information Disclosure (I-01): Sensitive Data Exposure
  Unintentional disclosure of internal information to external parties.

Denial of Service (D-01): Resource Exhaustion
  Overloading systems through massive request volumes or resource hogging.

Elevation of Privilege (E-01): Privilege Escalation
  Gaining privileges beyond what was intended.

Lateral Movement (L-01): Lateral Movement
  Reaching further internal systems after an initial login.

Monitoring Gaps (M-01): Insufficient Logging
  Missing or inadequate recording of security-relevant events.
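The S-GOV-01 risk above (and the Regular Access Reviews mitigation listed further down) comes down to a reconciliation check: every enabled IdP account must map to an active HR record, either directly or through the registered owner of a service account, and must actually be in use. The following is an added example written for this page, not AYSOLI's tooling; the sample HR export, owner mapping and IdP listing are constructed, and the field names are assumptions about what such exports contain.

```python
from datetime import date, timedelta

# Constructed sample data (assumed field names, not from the page): an HR export of
# active staff, a mapping of service accounts to their human owners, and an IdP listing.
HR_ACTIVE = {"a.lee@example.com", "m.khan@example.com"}
SERVICE_OWNERS = {"svc-backup@example.com": "j.doe@example.com"}   # owner left in May
IDP_USERS = [
    {"upn": "a.lee@example.com",      "enabled": True,  "privileged": False, "last_sign_in": date(2024, 6, 28)},
    {"upn": "m.khan@example.com",     "enabled": True,  "privileged": True,  "last_sign_in": date(2024, 2, 1)},
    {"upn": "j.doe@example.com",      "enabled": True,  "privileged": True,  "last_sign_in": date(2024, 6, 27)},
    {"upn": "svc-backup@example.com", "enabled": True,  "privileged": True,  "last_sign_in": date(2024, 6, 29)},
    {"upn": "old.hire@example.com",   "enabled": False, "privileged": False, "last_sign_in": date(2023, 1, 5)},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def review_accounts(hr_active, service_owners, idp_users, today, stale_after=timedelta(days=90)):
    """Return (upn, reason, severity) findings, most severe first.

    An enabled account passes only if it belongs to an active employee, or is a
    service account whose registered owner is an active employee, and has signed
    in within the staleness window. Privileged accounts are always rated high.
    """
    findings = []
    for u in idp_users:
        if not u["enabled"]:
            continue                                   # already offboarded
        upn = u["upn"]
        severity = "high" if u["privileged"] else "medium"
        if upn in service_owners:
            if service_owners[upn] not in hr_active:
                findings.append((upn, "service account whose owner has left", severity))
        elif upn not in hr_active:
            findings.append((upn, "no active HR record (orphaned)", severity))
        elif today - u["last_sign_in"] > stale_after:
            findings.append((upn, f"dormant: no sign-in for {stale_after.days}+ days", severity))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[2]])


if __name__ == "__main__":
    for upn, reason, severity in review_accounts(HR_ACTIVE, SERVICE_OWNERS, IDP_USERS, date(2024, 6, 30)):
        print(f"[{severity}] {upn}: {reason}")
```

Service accounts are the case that plain "is the person still employed?" checks miss: the account is not a person, so it never appears orphaned unless its ownership is recorded and checked against the roster.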

MITRE ATT&CK® Techniques

Initial Access

T1078 Valid Accounts
  Use of existing, still-valid credentials (for instance a leaver's account that was never disabled) to gain access.
  Mitigated by:
    • Automated Offboarding Workflow (Baseline Protection, Medium): CIS 6.7; NIST PR.AC-2
    • Regular Access Reviews (Baseline Protection, Low): CIS 6.6; NIST PR.AC-1; OWASP A01:2021
    • Privileged Identity Management (PIM) (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-1; OWASP A01:2021
    • Unified Audit Log (UAL) (Baseline Protection, Low): CIS 8.2; NIST PR.PT-1
    • Conditional Access Policies (Baseline Protection, Medium): CIS 6.1; NIST PR.AC-7; OWASP API2

T1566 Phishing
  Delivering malicious content via electronic communication.
  Mitigated by:
    • Conditional Access Policies (Baseline Protection, Medium): CIS 6.1; NIST PR.AC-7; OWASP API2

Persistence

T1098 Account Manipulation
  Changing permissions or creating additional accounts, e.g. a departing admin granting a second account persistent rights before leaving.
  Mitigated by:
    • Automated Offboarding Workflow (Baseline Protection, Medium): CIS 6.7; NIST PR.AC-2
    • Regular Access Reviews (Baseline Protection, Low): CIS 6.6; NIST PR.AC-1; OWASP A01:2021
    • Privileged Identity Management (PIM) (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-1; OWASP A01:2021
    • Unified Audit Log (UAL) (Baseline Protection, Low): CIS 8.2; NIST PR.PT-1

Credential Access

T1539 Steal Web Session Cookie
  Capturing active session tokens to bypass authentication.
  Mitigated by:
    • Conditional Access Policies (Baseline Protection, Medium): CIS 6.1; NIST PR.AC-7; OWASP API2

T1555 Credentials from Password Stores
  Extracting passwords from web browsers or password managers.
  Mitigated by:
    • Automated Offboarding Workflow (Baseline Protection, Medium): CIS 6.7; NIST PR.AC-2

Collection

T1213 Data from Information Repositories
  Accessing data in knowledge bases (SharePoint, Confluence).
  Mitigated by:
    • Data Loss Prevention (DLP) (Baseline Protection, Medium): CIS 13.3; NIST PR.DS-1
    • Unified Audit Log (UAL) (Baseline Protection, Low): CIS 8.2; NIST PR.PT-1

Command & Control

T1071.001 Application Layer Protocol: Web Protocols
  Misuse of legitimate web protocols (HTTP/S) for C2 communication.
  Mitigated by:
    • Egress Filtering (SSRF Protection) (Extended Protection, Medium): CIS 12.2; OWASP A10:2021

Exfiltration

T1020 Automated Exfiltration
  Scripted, automated transfer of data out of the organization through existing interfaces.
  Mitigated by:
    • Privacy by Design Guardrails (Baseline Protection, Medium): CIS 17.3; NIST ID.AM-7

T1567 Exfiltration Over Web Service
  Data leakage to a legitimate external web service (e.g. cloud storage or file-sharing sites).
  Mitigated by:
    • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021
    • Data Loss Prevention (DLP) (Baseline Protection, Medium): CIS 13.3; NIST PR.DS-1
    • Egress Filtering (SSRF Protection) (Extended Protection, Medium): CIS 12.2; OWASP A10:2021

Impact

T1531 Account Access Removal
  Removing or locking out legitimate users' access.
  Mitigated by:
    • Automated Offboarding Workflow (Baseline Protection, Medium): CIS 6.7; NIST PR.AC-2
    • Regular Access Reviews (Baseline Protection, Low): CIS 6.6; NIST PR.AC-1; OWASP A01:2021
    • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021

T1485 Data Destruction
  Irretrievable deletion of company data.
  Mitigated by:
    • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021
