
Stories from the Field – Unusual Insider Activity: Not Always Malicious

Working with DTEX customers is incredibly rewarding – I’ve helped security teams identify and thwart numerous malicious insiders and prevent negligent behavior from leading to data leaks or other negative outputs.

A recent investigation I was a part of for one of our customers in the banking industry was particularly interesting, as it proved that while not all abnormal behavior is malicious, the visibility to identify it is pivotal from a security perspective.

Here’s What Happened

Within a customer environment, we saw a particular user performing a sequence of unusual activities – so unusual that our platform deemed the string of events to be a high priority for investigation.

In this case, we could see the person initially downloading content from a corporate repository, followed by them aggregating this content to a directory — this is what we would call staging or prepping of content for exfiltration. The user had then compressed the contents after failing to send an email out originally with the attached files, as it was blocked by the organization’s DLP solution.

From there, they began researching, downloading and utilizing a steganography tool to bypass the controls in place. Steganography is rarely seen compared with other behaviors, which makes it a critical high-risk indicator.

In addition, it is important to note that these behaviors were not common for the individual or other team members. Plus, they were a contractor, which further heightens initial concerns as contractors generally don’t have strong bonds with an organization. In many cases, they are hired for a single project or short period, and generally have less regard for corporate policies.
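As an added illustration (not DTEX code), the scorer below runs over constructed endpoint telemetry and shows why this chain of individually benign events, weighted by how rare each behavior is across the user population, rises to a high-priority alert while a colleague's ordinary download-and-zip does not. The event names, weights and threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed telemetry (hypothetical schema): (time, user, event_type, detail)
EVENTS = [
    (1, "contractor1", "repo_download", "finance_q3.xlsx"),
    (2, "contractor1", "repo_download", "clients.csv"),
    (3, "contractor1", "file_move", "C:/Users/contractor1/staging/finance_q3.xlsx"),
    (4, "contractor1", "file_move", "C:/Users/contractor1/staging/clients.csv"),
    (5, "contractor1", "email_blocked_dlp", "staged files attached"),
    (6, "contractor1", "archive_create", "C:/Users/contractor1/staging/bundle.zip"),
    (7, "contractor1", "web_search", "hide file inside image"),   # not a stage, ignored
    (8, "contractor1", "steg_tool_use", "tool category: steganography"),
    (1, "analyst2", "repo_download", "report.docx"),
    (2, "analyst2", "archive_create", "C:/Users/analyst2/report.zip"),
]

# Stages of the sequence described in the post; each must occur after the previous match.
STAGES = ["repo_download", "file_move", "email_blocked_dlp", "archive_create", "steg_tool_use"]
# Assumed base weights: a DLP block and steganography use count far more than a download.
WEIGHTS = {"repo_download": 1, "file_move": 1, "email_blocked_dlp": 3,
           "archive_create": 2, "steg_tool_use": 4}
THRESHOLD = 10  # assumed escalation threshold

def stage_hits(user_events):
    """Return the stages matched in order; a stage counts only if it follows the previous match."""
    matched, last_t = [], -1
    for stage in STAGES:
        t = next((t for t, ev, _ in sorted(user_events) if ev == stage and t > last_t), None)
        if t is None:
            break  # chain broken: later stages do not count
        matched.append(stage)
        last_t = t
    return matched

def rarity(events, event_type):
    """Fraction of users who never show this event type: 0 = everyone does it, 1 = nobody does."""
    users = {u for _, u, _, _ in events}
    seen = {u for _, u, ev, _ in events if ev == event_type}
    return 1 - len(seen) / len(users)

def score_users(events):
    """Per-user score: base weight of each matched stage, boosted by how rare that behavior is."""
    by_user = defaultdict(list)
    for t, u, ev, detail in events:
        by_user[u].append((t, ev, detail))
    return {u: sum(WEIGHTS[s] * (1 + rarity(events, s)) for s in stage_hits(evs))
            for u, evs in by_user.items()}

def high_priority(events, threshold=THRESHOLD):
    """Users whose chained, rarity-weighted score crosses the escalation threshold."""
    return sorted(u for u, s in score_users(events).items() if s >= threshold)
```

The score only says the sequence warrants review; as the post goes on to show, the escalation may still conclude that there was no malicious intent.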

Why it Matters

After review and escalation, it was found these actions did not have malicious intent. In fact, the individual was just trying to get their job done effectively. However, this instance does demonstrate that no matter how locked down an organization may be, where there is a will there is most definitely a way.

What is also important is the follow-through on this negligent behavior, which could otherwise leave the organization exposed to a range of risks. Thankfully, we caught this in real time and were able to notify the organization, which then swiftly addressed it with the contractor.

In some instances, when certain behaviors occur widely across the employee population, that tells the business and IT teams that corporate policy should be revisited. That was not the case in this example, but this level of visibility helped us identify the abnormal behavior and rule out any wrongdoing by the individual.