INDICATORS OF InTENT
Real-time user activity is compared against historical individual and peer group baselines, automatically mapping behaviors to Dtex’s proprietary Insider Threat Kill Chain, where “Indicators of Intent” are used to differentiate malicious intentions from benign.
When preparing for data theft, a malicious insider typically begins with research. This is where they locate the data that they would like to steal, test security controls, or, in the case of compromised credentials, where the insider will test the limits of the stolen credentials’ privilege.
- Suspicious research or innocuous file exfil
- Unusual network enumeration
- Anomalous file or device access
Any attempt to bypass existing security controls provides an important indication that subsequent actions were intentional. Many organizations place too much reliance on the ‘locks on their doors’; however, an insider typically has sufficient domain knowledge to know which doors are unlocked, or simply has access to the key.
- Tampering with security controls
- Suspicious off-network activity
- Unusual privilege escalation
Whether it’s ‘low or slow’ or a ‘smash & grab’, most data exfiltration involves an aggregation step. Data is commonly aggregated on a local workstation or a server with internet access. Data compression is often leveraged for larger transfers.
- Anomalous clipboard activity
- Sensitive data archival
- Anomalous drive mapping or symbolic link creation
The act of ‘covering one’s tracks’ is ultimately the strongest indicator of intent. While there are countless ways to get data out, there is only a finite number of ways of concealing malicious activity.
- Suspicious file renaming
- Steganography & encryption
- Anonymous web browsing & disk erasing utilities
Many organizations make the mistake of disproportionately investing in legacy endpoint DLP and UAM tools which attempt to detect and prevent exfiltration routes. However, while rigid rules may stop malware detonation, they almost never stop an insider with malicious intent. InTERCEPT analyzes all activity from the point closest to the user, providing visibility into exfiltration routes that most other tools miss.
- Unencrypted USB drives
- Saving data to personal webmail drafts
- Airdrop or Bluetooth transfers
Behavior rules and anomaly detection to catch known and unknown threats
Empower the Analyst
Cut to the chase: focus analysts on real risks
Alert stacking and risk scoring for true-positive alerts
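As an added illustration (not Dtex's code), here is a small Python triage routine in the spirit of the approach described above: rule hits are mapped to the kill chain phases outlined earlier, a per-user baseline check flags anomalous file-access volume, and alerts are stacked and scored so that a chain of phases outranks any single alert. The event names, phase labels, weights and sample data are assumptions constructed for this example.

```python
from statistics import mean, pstdev
# Assumed event-type -> kill chain phase mapping for this example, not Dtex's rule set.
STAGE_OF_EVENT = {
    "search_share_for_keywords": "research", "net_enumeration": "research",
    "av_disabled": "bypass", "privilege_escalation": "bypass",
    "archive_created": "aggregation", "bulk_clipboard": "aggregation",
    "file_renamed_ext_changed": "obfuscation", "tor_browser_launched": "obfuscation",
    "usb_unencrypted_write": "exfiltration", "webmail_draft_attachment": "exfiltration",
}
# Covering one's tracks is the strongest indicator of intent, so it carries the most weight.
STAGE_WEIGHT = {"research": 1, "bypass": 2, "aggregation": 2, "obfuscation": 4, "exfiltration": 3}

def is_anomalous(today, history, z=3.0):
    """Baseline check: today's count exceeds the user's own historical mean by z std devs."""
    if len(history) < 2:
        return False  # too little history to form a baseline
    mu, sigma = mean(history), pstdev(history)
    return today > mu + z * max(sigma, 1.0)  # floor sigma so a flat baseline still needs a real jump

def stack_alerts(events):
    """Group rule hits per user by kill chain phase: {user: {phase: [event types]}}."""
    stacked = {}
    for user, event_type in events:
        phase = STAGE_OF_EVENT.get(event_type)
        if phase:
            stacked.setdefault(user, {}).setdefault(phase, []).append(event_type)
    return stacked

def risk_score(phases_hit):
    """Weighted sum times the number of distinct phases: a chain outscores any single loud alert."""
    return sum(STAGE_WEIGHT[p] for p in phases_hit) * len(phases_hit)

def triage(events, baselines, min_phases=2):
    """[(user, score, phases)] for users spanning >= min_phases phases, highest risk first."""
    stacked = stack_alerts(events)
    for user, (today, history) in baselines.items():
        if is_anomalous(today, history):  # anomalous file access belongs to the research phase
            stacked.setdefault(user, {}).setdefault("research", []).append("anomalous_file_access")
    hits = [(u, risk_score(ph), sorted(ph)) for u, ph in stacked.items() if len(ph) >= min_phases]
    return sorted(hits, key=lambda h: (-h[1], h[0]))
EVENTS = [  # constructed sample rule hits: (user, event type)
    ("alice", "archive_created"),  # one zip on its own is routine
    ("bob", "search_share_for_keywords"), ("bob", "av_disabled"), ("bob", "archive_created"),
    ("bob", "file_renamed_ext_changed"), ("bob", "usb_unencrypted_write"),
    ("carol", "net_enumeration"), ("carol", "privilege_escalation"), ("dave", "bulk_clipboard"),
]
BASELINES = {  # constructed: user -> (today's file-access count, ten-day history)
    "alice": (40, [35, 42, 38, 40, 44, 37, 39, 41, 36, 40]),
    "dave": (900, [30, 28, 35, 31, 29, 33, 30, 32, 28, 31]),
}
```

Running `triage(EVENTS, BASELINES)` surfaces bob (all five phases, score 60) first, then carol and dave (two phases each, score 6), while alice's lone archive never reaches an analyst.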
GDPR Compliance & Employee Privacy
Security doesn’t need to come at the cost of privacy. InTERCEPT puts privacy first, offering patented pseudonymisation that tokenizes all PII to remove analyst bias and ensure that the data captured is proportionate to the risk.
Automated Insider Risk Reporting
Fully automated CISO Scorecard reports for organizational benchmarking.
Canned Forensic Investigation Reports
Automatically export canned evidence packets for a single user or an entire organizational unit.
See how Williams F1 Protects Their Most Valuable IP
Williams Formula 1 is one of the top racing teams in the world, and their engineering division handles priceless intellectual property every day. In a highly competitive industry where fractions of a second can make or break success, see how Williams F1 trusts Dtex to protect their data and enable innovation.