Hide and Seek
As noted earlier, the DTEX 2020 Insider Threat Behavior Report surveyed hundreds of customers and Global 5000 organizations to learn what types of risky, suspicious, and malicious activity are occurring across their enterprises. One statistic that jumped out at us was a 450% increase in the number of companies observing obfuscation behavior among their employees. The top violation was employees bypassing the corporate VPN to hide their online activity.
What is driving this? First, Covid-19 has forced work-from-home policies on most companies. Some employees are probably using their work devices for personal projects, and others may be bypassing the VPN to avoid detection of acceptable-use policy violations, some of which could result in accidental loss of sensitive information.
Second, we know that some employees are hiding intentionally malicious activity. The report provides three examples:
- An employee using incognito windows to browse a job site was categorized as a flight risk. When he later copied sensitive data to a personal USB device, the company was able to step in and prevent the loss of IP.
- An employee working from home disabled the corporate VPN on his device and then installed the Tor Browser to hide his activity from the organization and from law enforcement. Escalation found that the employee was ordering opioids and other illegal items from dark web sites.
- A government employee accessed payroll data, obfuscated it, and emailed it to his personal email account.
Obfuscation is the penultimate step in the Insider Threat Kill Chain, immediately preceding exfiltration. It can include renaming files, changing file extensions, and even steganography (and there are few innocent explanations when someone downloads a sensitive database file and hides it inside an image file). Detecting obfuscation is critical to stopping insider threats before data leaves, and it is important for proving intent.
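The two cheapest obfuscation tricks named above, renaming a file to a harmless extension and hiding a file inside an image, both leave a structural tell that an endpoint or DLP scanner can check without any behavioral context. The script below is an added example written for this post, not DTEX code: it sniffs a file's real type from its magic bytes and compares that with what the extension claims, and for JPEGs it walks the marker structure to find anything appended after the end-of-image marker, which is where the crude "append a database to a photo" trick puts its payload. The signature table and the sample files are constructed for the demonstration; a production scanner would use libmagic and a fuller type list.

```python
"""Flag extension/content mismatches and data appended after a JPEG's EOI.

Added example for the obfuscation discussion; not part of the DTEX report.
The signature table is deliberately small (assumption: enough for the demo).
"""
import os

# Magic bytes -> content type. Office formats (docx/xlsx/pptx) are zip files.
SIGNATURES = {
    b"SQLite format 3\x00": "sqlite",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Extension -> content type it legitimately carries.
EXT_TO_TYPE = {
    ".db": "sqlite", ".sqlite": "sqlite",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".pdf": "pdf",
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".png": "png",
}


def sniff_type(data: bytes):
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def jpeg_end_of_image(data: bytes):
    """Walk JPEG marker segments and return the offset just past EOI (FFD9).

    Returns None if the stream is malformed. Walking the segments, rather
    than searching for FFD9, avoids stopping at the EOI of an embedded EXIF
    thumbnail or at an FFD9 that happens to occur inside appended data.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                 # EOI: image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length
            continue
        if pos + 2 > n:
            return None
        pos += int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if marker == 0xDA:                 # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                  # a real marker, not stuffing or RSTn
                pos += 1
    return None


def analyze(filename: str, data: bytes) -> list:
    """Return human-readable findings for one file; empty list means clean."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    expected = EXT_TO_TYPE.get(ext)
    if expected and actual and actual != expected:
        findings.append(f"extension {ext} claims {expected} but content is {actual}")
    if actual == "jpeg":
        end = jpeg_end_of_image(data)
        if end is None:
            findings.append("malformed JPEG structure")
        elif end < len(data):
            # Some tools append a few bytes of padding; a deployed check would
            # threshold on trailer size and also sniff the trailer's type.
            trailer = data[end:]
            kind = sniff_type(trailer) or "unknown"
            findings.append(f"{len(trailer)} bytes appended after JPEG EOI (looks like {kind})")
    return findings


# Constructed samples: a minimal JPEG (SOI, one SOS segment, stuffed FF00, EOI).
MINIMAL_JPEG = (b"\xff\xd8" + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
                + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SQLITE_BLOB = b"SQLite format 3\x00" + b"\x00" * 100

SAMPLES = {
    "vacation.jpg": MINIMAL_JPEG,                 # clean photo
    "vacation2.jpg": MINIMAL_JPEG + SQLITE_BLOB,  # database appended to a photo
    "cat.jpg": SQLITE_BLOB,                       # database renamed to .jpg
    "report.pdf": b"%PDF-1.4\n%constructed\n",    # clean document
}


def scan_all():
    return {name: analyze(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "clean")
```

Neither check proves intent on its own, but combined with the behavioral signals the report describes (VPN disabled, job-site browsing, a USB device appearing), a type mismatch or a trailer the size of a database on an outbound "photo" is exactly the kind of corroborating artifact an investigator wants preserved.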
Learn more about the report here: https://www2.dtexsystems.com/Insider-Threat-2020-Blog