In the previous postings on the Insider Threat Kill Chain we covered how malicious insiders (whether persistent insider threats or flight risks) conduct reconnaissance (learning how to use hacking tools and methods, or locating sensitive data) and test defensive measures through circumvention. If the threat has not been stopped at either of these steps, the insider’s next action is aggregation: assembling and preparing the data for exfiltration.
As with other insider threat events, aggregation can include actions that may be legitimate business activities. For example, renaming and saving a file happens every day, and taking screenshots can be helpful to capture certain information. Likewise, compressing a file – by itself – is not an unusual or malicious action.
To block insider attacks in the aggregation phase of the kill chain one must (once again) consider the context of the actions. Taking screenshots of a website or user interface can be useful when building a presentation but would be of questionable legitimate use if the screenshots were of design documents, financial statements, or HR data. Similarly, if an employee who rarely used compression utilities in the past suddenly began compressing large numbers of files it would raise cautionary flags.
Other activities require little context. If an employee downloads an organization’s entire customer list or copies the entire source code repository, it would warrant an immediate investigation.
With much of an organization’s focus on electronic forms of sensitive information, one must also remember that physical forms of sensitive data have value as well. Aggregation can be accomplished by printing any of the information mentioned above.
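The two kinds of signal described above, context-dependent deviations from an individual’s own baseline (compression, screenshots) and low-context absolute triggers (bulk download, bulk printing of sensitive records), can be expressed as a small detector over endpoint telemetry. The following is an added illustrative example, not code from the original post or any product it describes; the event records, source names, dataset sizes and all threshold values (Z_SCORE, MIN_BURST, BULK_FRACTION, PRINT_PAGES) are constructed assumptions that an organisation would replace with its own.

```python
from statistics import mean, pstdev

# Constructed sample endpoint telemetry (not real data). Each record is
# (day, user, action, source, quantity); quantity = files, rows or pages.
# Days d01-d04 form each user's behavioural baseline; d05 is the day under review.
SAMPLE_EVENTS = [
    ("d01", "alice", "compress", "projects", 1),
    ("d03", "alice", "compress", "projects", 2),
    ("d04", "alice", "compress", "projects", 1),
    ("d05", "alice", "compress", "design-docs", 120),     # sudden burst of archiving
    ("d01", "dave", "compress", "build-output", 40),      # archiving is dave's routine
    ("d02", "dave", "compress", "build-output", 42),
    ("d03", "dave", "compress", "build-output", 38),
    ("d04", "dave", "compress", "build-output", 41),
    ("d05", "dave", "compress", "build-output", 41),
    ("d05", "dave", "print", "hr-records", 300),          # bulk printing of HR data
    ("d05", "bob", "screenshot", "wiki", 3),              # ordinary screenshots
    ("d05", "bob", "screenshot", "finance-reports", 6),   # screenshots of financials
    ("d05", "carol", "download", "crm.customers", 9800),  # near-complete customer list
]

# Assumed policy values for this example; tune them to the organisation.
SENSITIVE_SOURCES = {"finance-reports", "hr-records", "design-docs", "crm.customers", "src-repo"}
DATASET_SIZES = {"crm.customers": 10_000, "src-repo": 2_500}  # total rows / files (assumed)
BULK_FRACTION = 0.5   # downloading >= 50% of a dataset warrants immediate investigation
PRINT_PAGES = 50      # pages of sensitive material printed in one day
Z_SCORE = 3.0         # standard deviations above the user's own daily baseline
MIN_BURST = 10        # ignore tiny absolute counts even if statistically unusual


def daily_counts(events, action):
    """Per-user total of `action` quantity on every observed day (zero-filled)."""
    days = sorted({e[0] for e in events})
    users = {e[1] for e in events}
    counts = {u: {d: 0 for d in days} for u in users}
    for day, user, act, _src, qty in events:
        if act == action:
            counts[user][day] += qty
    return days, counts


def baseline_anomalies(events, action="compress"):
    """Flag users whose count today deviates sharply from their own history:
    the 'rarely used compression before, now compresses a lot' case."""
    days, counts = daily_counts(events, action)
    today, history = days[-1], days[:-1]
    findings = []
    for user, per_day in counts.items():
        past = [per_day[d] for d in history]
        if not past:              # no history yet: nothing to compare against
            continue
        current = per_day[today]
        threshold = mean(past) + Z_SCORE * pstdev(past)
        if current >= MIN_BURST and current > threshold:
            findings.append({"user": user, "rule": f"{action}-burst", "severity": "high",
                             "detail": f"{current} today vs baseline mean {mean(past):.1f}"})
    return findings


def context_rules(events):
    """Rules that need little or no history, only context about what was touched."""
    today = max(e[0] for e in events)
    findings = []
    for day, user, act, src, qty in events:
        if day != today:
            continue
        if act == "download" and src in DATASET_SIZES and qty >= BULK_FRACTION * DATASET_SIZES[src]:
            findings.append({"user": user, "rule": "bulk-download", "severity": "critical",
                             "detail": f"{qty}/{DATASET_SIZES[src]} of {src}"})
        elif act == "print" and src in SENSITIVE_SOURCES and qty >= PRINT_PAGES:
            findings.append({"user": user, "rule": "sensitive-print", "severity": "high",
                             "detail": f"{qty} pages from {src}"})
        elif act == "screenshot" and src in SENSITIVE_SOURCES:
            findings.append({"user": user, "rule": "sensitive-screenshot", "severity": "medium",
                             "detail": f"{qty} screenshots of {src}"})
    return findings


def detect(events=SAMPLE_EVENTS):
    """Combine per-user baseline deviations with absolute context rules."""
    return baseline_anomalies(events) + context_rules(events)


if __name__ == "__main__":
    for f in detect():
        print(f"[{f['severity']:8}] {f['user']:6} {f['rule']:20} {f['detail']}")
```

On the sample data this flags alice’s 120-file archiving burst (her baseline is about one file a day) but not dave’s routine 41-file archive, because his own history makes that normal; dave is instead flagged for printing 300 pages of HR records, bob only for the screenshots of financial reports and not those of the wiki, and carol for pulling most of the customer table. The baseline rule is what keeps a role-appropriate heavy user from generating noise, which is the “inferring intent from past activities and role” point the post makes.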
Insider attacks can be blocked effectively at any point in the kill chain, including during the aggregation phase. The goal of any workforce cyber intelligence program is to enable unfettered access to the information employees need for legitimate business purposes while safeguarding sensitive data from theft. Inferring intent based on past activities and an individual’s role in the organization can stop insider attacks without communicating distrust to employees.