As a Counter-Insider Threat Analyst here at DTEX Systems, I spend my days helping customers build, tune, and grow their Insider Threat programs. After hundreds of conversations, it’s clear that the same 10 building blocks hold true when building a program that works, scales and stops real threats before data loss and IP exfiltration occurs. I hope you find the list below helpful!
Insider Threat Program Best Practices
- Get the Right Data – It’s not enough to have a lot of data; you need data specifically tailored to detecting insider threats. For example, you need to know if there is an unusually high rate of files being copied or moved on user machines or servers, if sensitive data is being printed, if files are being renamed, or if sensitive data is being copied or pasted to an external website. Likewise, you need to be aware of attempts to disable or tamper with VPNs or DLP tools, of unauthorized use of shared or admin accounts, and of machines running applications from unusual locations. None of these are detected by network-based tools or log files.
- Detect All Types of Threats – We consistently see certain types of insider threats slip through the cracks. One of the most common to go undetected is credential misuse, because customers’ existing tools cannot detect suspicious activity from admin/privileged users. Likewise, most organizations cannot detect data exfiltration by a user who has covered their tracks.
- Don’t Forget Intent – It’s never enough to know that a threat exists. A proper and accurate response hinges on how much you know about the context of a threat. Consider two examples. Both suggest potential data loss, but context places them at different stages of the Insider Threat Kill Chain, with different remediation needs:
  - A login from a totally new location, or an account logged into multiple sessions at once. Intent suggests possible credential theft.
  - A user downloading and renaming an unusually large number of files while using Incognito Mode. Intent suggests a data thief trying to cover their tracks.
This is why you need full context around detection findings, to ensure the proper response to real threats. The recipe for context is simple: data on user activities, the sequence of those activities, and whether those activities are abnormal for that user.
- Build a Forensic Trail – The cold, hard truth is that your organization will probably have a security incident stemming from an insider at some point. When it happens, you need to know how. This means being able to answer important questions like:
  - What files went missing?
  - Which endpoints were infected by this malicious application?
  - How did the attacker move laterally?
  - How long has this attack been in progress?
  - Which users were involved in the event?
- Catch Early Signs – Would-be data thieves almost always follow certain patterns of behavior. Catch these, and you can stop theft before it happens. At DTEX, we refer to this pattern as the Insider Threat Kill Chain. The Kill Chain goes like this:
  - Reconnaissance – Investigation before data theft
  - Circumvention – Disabling or avoiding security measures
  - Aggregation – Collecting all of the data to be stolen in one place
  - Obfuscation – The culprit covers their tracks to avoid detection
  - Exfiltration – The actual moment of data theft, when the data leaves the organization
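To make two of the points above concrete, the context recipe (activity data + the sequence of activities + whether they are abnormal for that user) and the Kill Chain stages, here is an added Python example. It is illustration written for this post, not DTEX code or a product schema: the event tuples, the action names, the mapping of actions to Kill Chain stages, and the 2-sigma threshold with its floor are all constructed assumptions. The detector judges each user's daily copy volume against that user's own earlier days rather than a global rule, then lists the Kill Chain stages the user has reached in the order they were first observed.

```python
"""Constructed demo: per-user baseline anomaly detection plus Insider Threat
Kill Chain staging over endpoint activity events. All events are made up."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed action names and their Kill Chain stage (example mapping, not a
# product schema).
STAGE_OF_ACTION = {
    "search_share": "Reconnaissance",      # browsing shares before theft
    "disable_dlp": "Circumvention",        # tampering with security tooling
    "archive_create": "Aggregation",       # collecting data into one place
    "rename_file": "Obfuscation",          # covering tracks
    "incognito_session": "Obfuscation",
    "upload_external": "Exfiltration",     # data leaves the organization
}
KILL_CHAIN = ["Reconnaissance", "Circumvention", "Aggregation",
              "Obfuscation", "Exfiltration"]


def build_events():
    """Constructed sample telemetry: (day, user, action, detail) tuples."""
    events = []
    # alice: steady copy volume all week, nothing else
    for day, n in enumerate([3, 4, 3, 4, 3], start=1):
        events += [(day, "alice", "copy_file", f"doc{i}.docx") for i in range(n)]
    # bob: normal baseline for four days, then a burst and a full kill chain
    for day, n in enumerate([3, 4, 3, 2, 40], start=1):
        events += [(day, "bob", "copy_file", f"doc{i}.docx") for i in range(n)]
    events += [
        (5, "bob", "search_share", "\\\\fileserver\\finance"),
        (6, "bob", "disable_dlp", "service stop attempt"),
        (6, "bob", "archive_create", "q3_reports.zip"),
        (7, "bob", "rename_file", "q3_reports.zip -> holiday_pics.zip"),
        (7, "bob", "incognito_session", "browser private window"),
        (8, "bob", "upload_external", "holiday_pics.zip to personal cloud"),
    ]
    return events


def daily_counts(events, action):
    """user -> {day: number of `action` events on that day}."""
    counts = defaultdict(Counter)
    for day, user, act, _ in events:
        if act == action:
            counts[user][day] += 1
    return counts


def abnormal_days(events, action="copy_file", z=2.0, min_history=3, min_sigma=1.0):
    """Flag days where a user's volume of `action` exceeds their OWN history.

    Each day is compared only with that user's earlier days (no peeking
    ahead), so a burst is judged against the person's normal. `min_sigma`
    floors the spread so a perfectly flat baseline does not turn a one-unit
    change into a 2-sigma event. Returns user -> [(day, count, threshold)].
    """
    flagged = defaultdict(list)
    for user, per_day in daily_counts(events, action).items():
        history = []
        for day in sorted(per_day):
            count = per_day[day]
            if len(history) >= min_history:
                threshold = mean(history) + z * max(pstdev(history), min_sigma)
                if count > threshold:
                    flagged[user].append((day, count, round(threshold, 2)))
            history.append(count)
    return dict(flagged)


def stage_sequence(events, user):
    """Kill Chain stages a user has reached, in order of first observation."""
    seen = []
    for day, who, act, _ in sorted(events, key=lambda e: e[0]):  # stable by day
        stage = STAGE_OF_ACTION.get(act)
        if who == user and stage and stage not in seen:
            seen.append(stage)
    return seen


def furthest_stage(stages):
    """Deepest Kill Chain stage among those observed (None if none)."""
    reached = [s for s in KILL_CHAIN if s in stages]
    return reached[-1] if reached else None


def context_report(events, user):
    """Data + sequence + 'abnormal for this user?' in one record."""
    stages = stage_sequence(events, user)
    return {
        "user": user,
        "abnormal_days": abnormal_days(events).get(user, []),
        "stages": stages,
        "furthest_stage": furthest_stage(stages),
    }


if __name__ == "__main__":
    evts = build_events()
    for u in ("alice", "bob"):
        print(context_report(evts, u))
```

Run as a script it prints one report per user: alice has no abnormal days and no stages, while bob's day-5 burst of 40 copies is flagged against his own baseline of 2 to 4 per day, and his stages read Reconnaissance through Exfiltration in order. Comparing against the user's own history is the point: a 40-file day is routine for some roles and alarming for others, which is exactly why a global threshold misses real insiders and drowns analysts in noise.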
In my next blog, I’ll dive into the details of best practices 6 through 10, which include:
- Don’t Sacrifice Privacy
- Watch Policy Violations
- See Off-Network
- Maximize Your Resources
- Balance Visibility & Performance
If you’d like to go deeper on this topic, be sure to check out our eBook: 10 Tips to Strengthen Your Insider Threat Program. You can download it here. If you have any feedback you’d like to share, please connect with me on LinkedIn and share your thoughts!