Visibility & Context Are Key To Prevention
DLP and SIEM solutions are not effective at preventing insider threats because they do not take history, trends, and context into account. This leaves the question of "why" unanswered, yet "why" is often the most important factor in any insider threat investigation.
DTEX has simplified this by incorporating contextual information of the events leading up to, and following, an Insider Threat event. DTEX tracks each of your employees’ normal behavior and crafts finely tuned alerts based on unusual activity changes to create intelligent insider threat detection that picks up on only the activity that really matters. An analyst can then use these contextual cues to easily investigate, acknowledge or ignore alerts generated by the system.
The Insider Threat Kill Chain and Indicators of Intent
The DTEX Insider Threat Kill Chain describes the pattern followed by malicious insiders and allows organizations to understand the entry point and scope of an attack as well as the intent of the insider. The Insider Threat Kill Chain compares real-time user activity against historical individual and peer group baselines to highlight "Indicators of Intent" that differentiate malicious intentions from benign ones.
When preparing for data theft, a malicious insider typically begins with research. This is where they locate the data that they would like to steal, test security controls, or, in the case of compromised credentials, where the insider will test the limits of the stolen credentials’ privilege.
- Suspicious research or innocuous file exfiltration
- Unusual network enumeration
- Anomalous file or device access
Any attempt to bypass existing security controls provides an important indication that subsequent actions were intentional. Many organizations place too much reliance on the 'locks on their doors'; however, an insider typically has sufficient domain knowledge to know which doors are unlocked, or simply has access to the key.
- Tampering with security controls
- Suspicious off-network activity
- Unusual privilege escalation
Whether it’s ‘low or slow’ or a ‘smash & grab’, most data exfiltration involves an aggregation step. Data is commonly aggregated on a local workstation or a server with internet access. Data compression is often leveraged for larger transfers.
- Anomalous clipboard activity
- Sensitive data archival
- Anomalous drive mapping or symbolic link creation
The act of 'covering one's tracks' is ultimately the strongest indicator of intent. While there are countless ways to get data out, there is only a finite number of ways of concealing malicious activity.
- Suspicious file renaming
- Steganography & encryption
- Anonymous web browsing & disk erasing utilities
Many organizations make the mistake of disproportionately investing in legacy endpoint DLP and UAM tools that attempt to detect and prevent exfiltration routes. However, while rigid rules may stop malware detonation, they almost never stop an insider with malicious intent. InTERCEPT analyzes all activity from the point closest to the user, providing visibility into exfiltration routes that most other tools miss.
- Unencrypted USB drives
- Saving data to personal webmail drafts
- Airdrop or Bluetooth transfers
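The kill chain above rests on one detection idea: compare each user's activity today against that user's own history and against their peer group, and treat indicators that span several stages in one day as a chain rather than noise. The following Python script is an added example that is not DTEX code and does not reflect how InTERCEPT is implemented. The activity names, the mapping of activities to stages, the five-day histories, the peer groups, the 3.0 standard-deviation threshold and the 1.0 floor on the standard deviation are all assumptions constructed for the example.

```python
"""Baseline-vs-today scoring of insider-threat indicators (constructed example)."""
from statistics import mean, pstdev

# Threshold in standard deviations above a baseline before a count is flagged (assumed).
Z_THRESHOLD = 3.0
# Floor on the standard deviation so a perfectly flat history (e.g. "never used USB")
# still yields a finite, comparable score instead of a division by zero (assumed).
MIN_STDDEV = 1.0

# Which kill-chain stage each activity type points to. The activity names and this
# mapping are assumptions for the example, drawn from the indicator lists above.
STAGE_OF = {
    "file_access": "research",
    "archive_create": "aggregation",
    "file_rename": "concealment",
    "usb_write": "exfiltration",
}

# Constructed history: daily counts per user and activity over five prior days.
HISTORY = {
    "alice": {"file_access": [38, 42, 40, 41, 39], "archive_create": [1, 0, 1, 2, 1],
              "file_rename": [3, 2, 4, 3, 3], "usb_write": [0, 0, 0, 0, 0]},
    "bob":   {"file_access": [44, 46, 45, 47, 43], "archive_create": [2, 1, 2, 3, 2],
              "file_rename": [2, 3, 2, 2, 1], "usb_write": [0, 0, 0, 0, 0]},
    "carol": {"file_access": [20, 22, 18, 21, 19], "archive_create": [0, 0, 0, 0, 0],
              "file_rename": [1, 1, 2, 0, 1], "usb_write": [1, 0, 1, 1, 2]},
}
# Constructed peer-group membership and today's counts.
GROUP = {"alice": "eng", "bob": "eng", "carol": "finance"}
TODAY = {
    "alice": {"file_access": 41, "archive_create": 9, "file_rename": 12, "usb_write": 4},
    "bob":   {"file_access": 44, "archive_create": 2, "file_rename": 2, "usb_write": 0},
    "carol": {"file_access": 19, "archive_create": 0, "file_rename": 1, "usb_write": 2},
}


def zscore(value, samples):
    """How many (floored) standard deviations `value` sits above the mean of `samples`."""
    return (value - mean(samples)) / max(pstdev(samples), MIN_STDDEV)


def peer_samples(history, group, activity, peer_group):
    """Pool the daily counts of every user in `peer_group` for one activity."""
    return [c for u, acts in history.items() if group[u] == peer_group for c in acts[activity]]


def detect(history, today, group):
    """Return, per user with at least one flagged activity, the findings and stages hit."""
    report = {}
    for user, counts in today.items():
        findings = []
        for activity, count in counts.items():
            user_z = zscore(count, history[user][activity])
            peer_z = zscore(count, peer_samples(history, group, activity, group[user]))
            # Flag only when the count is unusual for this individual; report the
            # peer score alongside so an analyst sees whether peers behave the same way.
            if user_z >= Z_THRESHOLD:
                findings.append({"activity": activity, "count": count,
                                 "user_z": round(user_z, 2), "peer_z": round(peer_z, 2),
                                 "stage": STAGE_OF[activity]})
        if findings:
            stages = sorted({f["stage"] for f in findings})
            # Indicators spanning several stages in one day read as a chain, not noise.
            priority = "high" if len(stages) >= 2 else "medium"
            report[user] = {"findings": findings, "stages": stages, "priority": priority}
    return report


if __name__ == "__main__":
    for user, r in detect(HISTORY, TODAY, GROUP).items():
        print(f"{user}: priority={r['priority']} stages={r['stages']}")
        for f in r["findings"]:
            print(f"  {f['activity']}={f['count']} user_z={f['user_z']} "
                  f"peer_z={f['peer_z']} ({f['stage']})")
```

Run as-is, only alice is reported: her archive creation, file renaming and USB writes are far above her own baseline and above her engineering peers, and because they fall in three different stages (aggregation, concealment, exfiltration) the finding is rated high. Carol's two USB writes are not flagged, even though alice's four are, because USB use is normal for carol; that per-person context is what a static DLP rule on "USB write" cannot express.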