GUEST BLOG BY CORPORATE MEMBERS ZONEFOX
One of the greatest threats to businesses these days is the insider threat. Maybe it’s a case of a successful phishing attempt on an unwitting employee, a disgruntled colleague who is looking for a new job and extracting data to use as leverage to gain employment elsewhere, or plain ol’ corporate espionage. As we work diligently toward better solutions to prevent and detect the insider threat, it is also pertinent that we understand how best to handle these incidents as they arise. As such, we have devised a guide to assist in dealing with insider threats after they are detected.
Preparation is key
In reality, responding to an insider threat breach begins before the breach even starts. If you do not have appropriate policies, standards, and relationships in place, your efforts to thwart the insider threat will be much less effective. Create policies to help identify insider threats, standards to classify them, and a relationship with your human resources team to compile pre-determined consequences and actions to be taken when an insider threat is identified. Ensure that employees are aware of – and in agreement with – the policies and standards, and have them sign off annually. This preparation is crucial when it comes to performing the triage activities: classification and prioritisation.
Proper classification is essential
Assuming that you have the aforementioned policies, standards and relationships in place, you should be able to triage insider threat incidents efficiently. Sub-15-minute response times are optimal for initial triage, in order to ensure that the threat is contained quickly and that next steps can be taken as near to immediately as possible. The first step in the triage process is classification. Classify the incident by the type of activity taking place. Is the malicious insider copying data to an external location, or are they intending to delete data? Was a piece of malicious code accidentally downloaded, or did a user install a keylogger to pilfer passwords? The classification should indicate malicious intent or accidental harm, as well as the scope: just how big is this breach?
Prioritisation sets the stage
Use a priority-based system to determine the urgency and required response for each incident. An industry standard system ranges from priority 1 (P1) as the highest priority, to priority 4 (P4) as the lowest. Here is an example that you might choose to use for prioritisation:
- P1 Incident: Investigation is required right now, containment is top priority. This threat has a large scope, targets critical assets, or it is currently active. This priority level is generally reserved for intentional, malicious insider threats such as disgruntled employees or corporate spies who are stealing or deleting loads of data.
- P2 Incident: Investigation is required immediately, threat level is unknown. Scope and intent are currently unknown.
- P3 Incident: Investigation is required, but the scope is very limited or the threat inactive, lowering the urgency. Threats in this priority range are generally well-intentioned insiders who fell victim to a phishing scam.
- P4 Incident: No further investigation required; the threat is mitigated or false positive.
Note that priority levels may change as investigations progress!
Engage response team
Based on the prioritisation scheme above, you will have to act accordingly. Here are some examples for deploying your incident response team based on the priority level of the threat.
- P1: Both cybersecurity and HR team members must be deployed to address the threat. Management should also be kept abreast of goings-on.
- P2: Cybersecurity, management, and HR team members to determine next steps based on information about the employee – provided by their manager and the HR team.
- P3: Assign specific investigators to keep management and HR in the loop.
- P4: Cybersecurity team to monitor for recurrence, or to tune sensors to prevent alerting – if this alert was a false positive.
Note that throughout the response effort, you should be continuously monitoring the suspected threat actor’s activities, preferably using an endpoint monitoring tool.
Roles and responsibilities
Your insider threat response team is made up of folks from disparate teams in the organization, and as such roles and responsibilities need to be defined to get the most out of the team. Here are the key players:
Cybersecurity – Your cybersecurity team will provide the cybersecurity incident manager, various analysts, and engineers where containment is required. The cybersecurity team will remain largely in the shadows, providing evidence and information where necessary without being part of the interview process.
Human Resources – The HR team will be able to provide recon about the potential threat actor. Performance information, complaints, and other reports will come in handy when understanding intent. HR will also need to be present during any interview processes, and they will need to be the ones to hand out any consequences.
Management – The threat actor’s manager may be able to shed some light on the situation, as they should have consistent interaction with the actor. This individual should also be present for any interviews and disciplinary hearings.
Throughout the investigation process, it is imperative that communications remain confidential. Do not include more individuals than are necessary; try to keep the circle as close as possible and ensure that everyone agrees to adhere to a strict confidentiality agreement.
While technological controls such as ZoneFox’s next-generation endpoint solution are imperative when investigating an insider threat actor, there is much more than just cybersecurity-based information that can be gathered. Besides forensic information regarding the user’s behaviour on your network, you can find other precursors to an attack. An employee pushing for a raise, starting to come into the office at odd hours, or moving funds out of their employee savings plan prior to facilitating an insider threat breach are all strong indicators of intent. Collecting this type of information from the finance, HR, and physical security teams can come in handy. Keep in mind that this information should be aggregated and kept secure – preferably by the HR team – and distributed only on a need-to-know basis.
After ample information from multiple sources has been gathered, it is time to interview (interrogate is a strong word) the suspected threat actor to determine appropriate next steps. Before you go into the interview, prepare a set of questions that clearly lay out any accusations, the associated consequences, and any action plans that will be set up for the employee. Ensure that the employee understands the accusations, as well as the consequences of their actions. Position the interview so that the employee can take responsibility for their actions, or deny the accusations.
At this point you should have compiled ample evidence, so should the employee deny the accusations, the aforementioned action plan will be put into effect and the employee will be placed under strict watch. Should the employee take responsibility for their actions, they then have the choice to agree to more amenable circumstances, such as periodic check-ins to avoid relapse. Ultimately, you need to work with the employee, threat actor or not, to get the best outcomes for your organisation. Sometimes this means losing a highly talented employee.
The various outcomes that you may experience from these interviews can be (but are not limited to):
- Employee takes full responsibility, agrees to adhere to an action plan and be subject to periodic check-ins (best result)
- Employee denies all accusations regardless of evidence proving their guilt. If the threat was P3 or lower, the employee must adhere to an action plan and will be constantly monitored. Any new nefarious activities spotted will result in immediate dismissal. Use tools such as ZoneFox for granular monitoring of their activities within your environment. If the employee was part of a higher priority threat, it might be a good idea to fire them on the spot.
- Employee provides proof that they either intended no harm, or inflicted no harm onto the organization. The employee may be exonerated, but an action plan will still be necessary to help them improve their security awareness and monitor their activities.
As the insider threat becomes more prevalent in our day-to-day lives, we need to ensure that we are preparing to our best abilities to handle these events. Understanding how you can best respond to insider threat breaches is step one in the long road to better insider threat protection.
Identify the hurdles and challenges on your journey to mitigating insider threats before they become major security incidents, and learn how ZoneFox supports this process in our product datasheet.