When sports started being televised 50+ years ago, it brought a new level of visibility to teams and games. You no longer needed to be in or from the town or city, or correlate multiple sources of information from newspapers and radio broadcasts just to find out what happened. Then, with the advent of video replay and the opportunity to challenge the play, came the visibility to correct mistakes in near real-time as they happened; most importantly, the mistakes made by both player and official. Those mistakes could now be peer reviewed, discussed, decided, and communicated to the necessary stakeholders. Something that historically was relegated to arguing over a beer after the game.
The difference between these changes and Insider Threat Detection is simply, who are the stakeholders that are depending on the “mistake”? A missed touchdown or wayward pass goes to the masses, and an employee breaking the rules requires a few Executive Group Reviews, but an employee engaging in illegal activity on their corporate device—not so much.
Users have routines, routines that rarely change, particularly once you have spotted them. When that routine consists of connecting to a home wifi, then plugging in a device that shouldn’t be connected and organizing anomalous volumes of files on that device, then carefully not copying anything to the corporate device, and then going back to work for a few hours in the same three time periods a day, whilst working from home... well, this is a routine. This was a real scenario. And, in this scenario, the DTEX i3 Team noticed something even more suspicious about the file names, as well as the volume of files being accessed, by cross-referencing them against databases of known illegal Child Sexual Abuse Material (CSAM). The team was able to identify this for what it was, and that it required quick escalation, without having to view specific data, images, or videos.
The organization in question was able to understand their limitations in this space and recognize that the most appropriate course of action was to contact law enforcement, provide them the information from DTEX, and connect the two parties for expertise.
The DTEX i3 Team was quick to provide a detailed report that included all suspicious file names, the devices involved and how to identify them from a hardware as well as a software point of view, and an overview of how the user behaved with the data so as to arouse suspicion. All with a level of assurance that prompted a reply from law enforcement that this was one of the best reports they had ever received. A warrant was swiftly granted, enabling execution of the next steps.
Timing is particularly sensitive in these cases, as in athletic competition, and by profiling the user’s behavior using metadata, the team was able to communicate directly with law enforcement to ensure a successful arrest by correlating the local IP addresses and wifi SSID with the user’s change in behavior the day before. An attempt to arrest the individual on the first day of concern would have resulted in a tip-off, but by being able to hold off and confirm that the user was completing their usual activities whilst connected to their home router and IP, law enforcement was able to complete the arrest and obtain all the devices that DTEX had identified as holding or processing CSAM.
Unfortunately, this is just one example of the world according to corporate IT, but it utilizes the same processes and information. This example demonstrates that behaviors most commonly associated with insider threat data exfiltration also overlap with other nefarious activity. A user stealing information rarely “only” breaks the data-related rules; there are other indicators that provide the breadcrumbs and earlier signs of intent. Everyone is keenly aware of the lack of resources in the security space, hence the reason behavioral visibility, establishing baselines, and detecting deviations is more important than ever—you can’t stop the player you can’t see.
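To make the "baseline, then detect deviations" idea concrete, here is an added example (not DTEX code, and not how the i3 Team's tooling works) that builds a per-user behavioral baseline from constructed endpoint telemetry and scores a later day against it. The event schema, the sample events, and the thresholds are all assumptions made for illustration. It encodes the three deviations the routine above describes: a removable device never seen before, a file-access volume far outside the user's norm, and activity outside the user's usual hours, while never inspecting file contents.

```python
"""Baseline-and-deviation scoring over constructed endpoint telemetry.

Added example, not DTEX's own code. The Event schema, the sample
telemetry and the z-score threshold are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    ts: datetime
    kind: str          # "net" (wifi join), "usb" (removable device), "file"
    detail: str = ""   # SSID, device serial, or directory touched
    count: int = 1     # number of files touched, for "file" events


def _ev(user, when, kind, detail="", count=1):
    return Event(user, datetime.fromisoformat(when), kind, detail, count)


# Constructed telemetry: seven ordinary working-from-home days for one user,
# then an eighth day that matches the routine described in the article.
SAMPLE_EVENTS = []
for day in range(1, 8):
    d = f"2024-03-{day:02d}"
    SAMPLE_EVENTS += [
        _ev("jdoe", f"{d}T08:55", "net", "HomeNet-5G"),
        _ev("jdoe", f"{d}T09:10", "file", "/work/reports", 40 + day),
        _ev("jdoe", f"{d}T13:30", "file", "/work/reports", 35),
        _ev("jdoe", f"{d}T16:45", "file", "/work/reports", 30),
    ]
SAMPLE_EVENTS += [
    _ev("jdoe", "2024-03-08T08:50", "net", "HomeNet-5G"),
    _ev("jdoe", "2024-03-08T09:05", "usb", "SN-UNKNOWN-7731"),   # never seen in baseline
    _ev("jdoe", "2024-03-08T09:20", "file", "/media/usb/collection", 2400),
    _ev("jdoe", "2024-03-08T13:25", "file", "/work/reports", 38),  # normal work resumes
]


@dataclass
class Baseline:
    known_ssids: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    daily_files: list = field(default_factory=list)  # files touched per baseline day
    active_hours: set = field(default_factory=set)   # hours of day with any activity


def build_baselines(events, baseline_until):
    """Summarize each user's routine from events on or before baseline_until."""
    per_user = defaultdict(Baseline)
    per_day = defaultdict(int)  # (user, date) -> files touched that day
    for e in events:
        if e.ts.date() > baseline_until:
            continue
        b = per_user[e.user]
        b.active_hours.add(e.ts.hour)
        if e.kind == "net":
            b.known_ssids.add(e.detail)
        elif e.kind == "usb":
            b.known_devices.add(e.detail)
        elif e.kind == "file":
            per_day[(e.user, e.ts.date())] += e.count
    for (user, _), n in per_day.items():
        per_user[user].daily_files.append(n)
    return dict(per_user)


def score_day(events, baselines, day, z_threshold=3.0):
    """Return (user, reason) alerts for deviations from the baseline on `day`."""
    alerts = []
    files_today = defaultdict(int)
    for e in events:
        if e.ts.date() != day:
            continue
        b = baselines.get(e.user)
        if b is None:
            alerts.append((e.user, "no baseline for user"))
            continue
        if e.kind == "usb" and e.detail not in b.known_devices:
            alerts.append((e.user, f"unrecognised removable device {e.detail}"))
        if e.kind == "net" and e.detail not in b.known_ssids:
            alerts.append((e.user, f"unrecognised network {e.detail}"))
        if e.ts.hour not in b.active_hours:
            alerts.append((e.user, f"activity at {e.ts.hour:02d}:00 outside usual hours"))
        if e.kind == "file":
            files_today[e.user] += e.count
    for user, n in files_today.items():
        hist = baselines[user].daily_files
        mu, sigma = mean(hist), pstdev(hist)
        # A flat baseline (sigma == 0) makes any change infinitely anomalous.
        z = (n - mu) / sigma if sigma else (float("inf") if n != mu else 0.0)
        if z > z_threshold:
            alerts.append((user, f"file volume {n} vs baseline mean {mu:.0f} (z={z:.1f})"))
    return alerts


def run_example():
    baselines = build_baselines(SAMPLE_EVENTS, baseline_until=date(2024, 3, 7))
    return score_day(SAMPLE_EVENTS, baselines, date(2024, 3, 8))


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"{user}: {reason}")
```

Two design points carry over to real deployments: the baseline is built only from metadata (device serials, SSIDs, counts, hours), so an analyst can escalate without opening any file, and the daily-volume check uses the user's own history rather than a global threshold, which is what lets a routine of "work, then the same three hours a day on a foreign device" stand out for one person while staying quiet for everyone else.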
Learn more about the DTEX Insider Intelligence and Investigations (i3) Team and how we can assist in your insider risk management strategy.