How to establish insider threat programmes and conduct investigations
By Josh Lefkowitz – CEO at FlashPoint,
Insider threat remains high on the list of issues keeping CISOs awake at night, and for good reason. Unlike external actors, insiders are already within the network perimeter, often with privileged access to the company’s critical data, systems, and applications. They are a trusted part of the company ecosystem, and their actions are therefore typically more difficult to detect and contain. A malicious insider breach is also one of the most financially ruinous types of data breaches. According to research from the Ponemon Institute, the average annualised cost of criminal insider threat to an organisation was £2.3million in 2018.
The motivations of a malicious insider are similar to those of external threat actors – with financial gain generally top of the list. However, detecting, investigating, and mitigating an insider threat is very different from responding to outside attacks. Company employees have privileged network access rights, but they have employment rights too. These must be rigorously respected during the monitoring and investigation of potential incidents, which means devising and operating an insider threat programme (ITP) must be more nuanced than defending against external attackers. Investigations must be conducted using methods that could stand up in a court of law or employment tribunal if needed.
Given this complex environment, following are recommended best practices when building an ITP and conducting investigations.
A robust ITP governance framework
A successful ITP must be based on a robust governance framework that includes a defined scope, objectives, and roadmap agreed upon by the stakeholders in the organisation. These stakeholders include a broader group than for external threats because, while the IT security team may be at the vanguard of identifying and analysing insider threats, HR teams and legal departments should play central roles in the programme as well.
Depending on the scope of an investigation other departments, such as finance and compliance, also may be involved. Good visibility and an understanding of the ITP and its objectives should extend to all the different stakeholders, including a sponsor at the board level given the level of risk associated with insider threat.
A robust ITP framework specifies the process through which investigations must take place and ensures that they are repeatable and consistent forensic evidence is preserved in case it is needed in the event of legal action. A sound governance framework ensures employee rights – both those of the suspect and those carrying out investigations – are protected. It also helps businesses plan and prioritise the programme effectively.
A multi-phase investigation process
Investigating incidents where there is suspicion of insider involvement must focus on uncovering evidence of data exfiltration, documenting it, and linking it to a specific individual. During this multi-phase process it is important that analysts don’t just think in terms of a single security incident but look for a wider pattern of activity. The goal is to create a timeline of user events comprising an evidence chain of rogue insider activity.
Take as an example, a user behaviour analytics (UBA) alert triggered by an outgoing email. The first phase is observation to confirm whether there is cause for concern: Does the email have security classification markings? Does it contain personal identifiable information (PII)? Does the file size match the suggested content? Is the content sensitive and does it relate to the person’s position in the company? Is there any hidden information contained within the email?
If the answers to these questions confirm that the communication is suspect, the second phase examines technical and non-technical indicators by expanding analysis to include wider data sources that provide greater context around the individual’s actions. These could include indicators from additional logs and analysis of activity patterns to help answer questions, such as: Has the individual suddenly started accessing the network at unusual times or accessing different network areas than they normally do? Is there evidence that the individual may be planning to leave the organisation?
Should this analysis indicate a potential threat, the third phase – a formal investigation – is opened. This incorporates forensic analysis of all the logged data around the individual’s activity on the network. External data sources should be brought to bear at this stage, including a review of the individual’s presence on social media, any court records and other relevant open source data.
Internal data such as HR and travel records and expense reports should be scrutinised to identify anomalies. Once all the data has been collected, recorded, and analysed, interviews should take place with the employee and their co-workers and physical inspections of their workspace made. If the threat has been accurately identified, following this process should ensure that the forensic evidence is sufficiently robust and documented to support any actions the company decides to take as a result.
Unlimited access to effective tools and tactics
Gathering all the evidence described above relies on ITP teams being able to harvest data using multiple tools and tactics, as well as having the expertise and analytical capability to draw conclusions from relevant evidence.
Analysts need access to the widest possible range of internal datasets – everything from VPN logs, proxy servers, email systems, and physical badge data, so they can identify relevant events and actions to build a complete picture of the user within the organisation. UBA tools use data science techniques to detect out-of-character activities by employees that warrant further investigation. UBA is not a silver bullet, however. It can signpost an investigation and provide initial evidence, but the investigative function of the ITP must correlate and contextualise multiple sources of data to develop a story about what has occurred.
External data sources offer crucial contextual evidence. For example, teams might uncover connections to the deep and dark web indicating the insider is working with an outside accomplice or bidding to sell stolen data. Looking at it from the other direction, companies subscribing to a business risk intelligence service can take advantage of analyst expertise to investigate mentions of the business in dark web communities and trace them to see whether they originate from an insider.
Ultimately, threats that originate from an insider require a different approach and dynamic set of investigative skills. These must combine external sources of information with analysis of technical data associated with user behaviour and the warning signs exhibited by a potential insider threat. All ITP activity must take place within the guidelines of a robust, transparent governance framework that is supported by company stakeholders from the board down. Organisations that consider the nuances of an insider threat program and follow a framework that includes the dynamics unique to malicious or rogue insiders will be better prepared to manage the risk.