We previously discussed the dramatic increase in obfuscation activities found in the DTEX 2020 Insider Threat Behavior Report. More than half of the organizations interviewed saw obfuscation activities – a 450% increase over 2019. These activities included using incognito modes in browsers and bypassing the corporate VPN.
Obfuscation is one step in the Insider Threat Kill Chain, and one of the most common reasons employees attempt to hide their activity is that they are planning to leave the organization. They might be searching on job boards or researching competitor websites. More worrisome, they may be looking for internal documents they can bring to a new employer.
When we looked at activities that could indicate an employee was gathering sensitive data, our concerns were validated. In 2020, 72% of the organizations we spoke with detected suspicious activity in the “reconnaissance” and “aggregation” steps of the kill chain. This represents a 230% increase over the same period in 2019. The study includes three examples of employees preparing to take sensitive information:
- An employee gathered design documents, source code, and AWS credentials in “personal music” folders that were copied to the corporate OneDrive’s sync folder.
- An employee used a screen capture tool from a public URL to copy sensitive information from a presentation. This was correlated with high volumes of data transfers to identify sensitive data the employee stole from a previous employer.
- An employee gave notice, then downloaded large amounts of data to a non-corporate USB drive.
It is important to remember that aggregation activities are not limited to electronic forms of the data. Printing sensitive information and walking out with the paper can be just as damaging.
The good news is that these thefts can be stopped at any point in the kill chain. In the case of the 2020 Insider Threat Behavior Report, more than half of the organizations detecting suspicious activity were also DTEX InTERCEPT customers, and were able to identify these activities and block data exfiltration.
Learn more about the report here: https://www2.dtexsystems.com/Insider-Threat-2020-Blog