The Anatomy of an Insider Threat Investigation

Date post: 02-Apr-2022
Ad-Hoc Investigations vs. Proofpoint Insider Threat Management

Contents

Introduction
Ad-Hoc Insider Threat Investigations
Ad-Hoc Investigations Waste Valuable Time
Insider Threat Investigations with Proofpoint
• Gathering Intelligence
• Diving Into Alerts
• Gathering Context
• Confirming and Sharing Evidence
Conclusion and Recommendations

THE ANATOMY OF AN INSIDER THREAT INVESTIGATION | E-BOOK

GETTING PRACTICAL: INSIDER THREAT INVESTIGATIONS

For decades, perimeter-based security strategies have been the starting point for most cybersecurity programs. But in today’s cloud-based, mobile and remote work setting, that perimeter has all but dissolved. Modern organizations need a new approach. Legacy security tools just aren’t equipped to investigate incidents caused by trusted insiders who are malicious, negligent or compromised. The result is leaked and stolen data, brand damage and more.

This guide covers:

• What the insider threat investigation process looks like when the process is ad-hoc and manual.

• What a proactive or reactive alert-based investigation looks like with the Proofpoint Insider Threat Management (ITM) platform.

This visual guide is a step-by-step look at how an insider threat investigation works—both with and without a dedicated insider threat management (ITM) platform.


Ad-Hoc Insider Threat Investigations: A Step-by-Step Look

Step 1: Kicking off an Ad-Hoc Investigation

Without an Insider Threat Management (ITM) platform and a dedicated program in place, investigations can be piecemeal, messy and inefficient.

First, an alert comes in. It can come from one of two places:

1. Inside the organization

This is the best-case scenario. If an internal alert goes off, it usually comes from a system such as a SIEM platform. SIEMs consist of monitoring logs and the security tools that feed into them, such as endpoint data loss prevention (DLP) or endpoint detection and response (EDR) tools.

2. Outside the organization

This is the worst-case scenario. A customer, regulator or someone else on the outside sees something out of the ordinary and notifies the company of a potential security breach.

No matter where it comes from, the alert kicks off the investigation.


Step 2: Gathering Intel

The next step is to gather more intel. While the alert will usually let you know “what” has happened, it won’t tell you the whole story.

You need to dig around to figure out:

• Where did this happen? (In a web app? On the desktop?)

• What systems are affected?

• When did the potential incident take place?

• What other suspicious user activity has taken place within the time frame of the incident? (Important context that will determine the course of action)

As you can imagine—or may know from going through this process yourself—handling an alert in this manner can be very time-consuming. It requires the security team to go through many different tools, often searching through massive amounts of logs under significant time pressure, such as the Windows activity and system logs pictured here. This alert may be one of hundreds coming in every day, which can make it challenging to identify which ones represent real problems.

$11.45M: the average cost of an insider threat incident in 2020

77 days: the average time it takes to contain an insider threat

Source: Ponemon Institute 2020 Cost of Insider Threats Report


Step 3: Determining User Actions

Once you pull up the appropriate logs, you must determine what the user was up to. Knowing the history around the user’s actions can help you understand what they did and why.

• Is it a disgruntled former employee attempting to exfiltrate data? (Malicious Insider)

• A user who’s been the victim of a phishing scam? (Compromised Insider)

• Or someone who simply slipped up and did something out of policy? (Accidental/Negligent Insider)

Context is crucial, and it can be very difficult to build on an ad-hoc basis.

Pictured here are typical log files and security solutions used to investigate insider threats.


Step 4: Building Evidence

Finally, when it is clear what happened, you need to build a case—and that takes evidence. You can’t simply go to leadership (or the authorities, if it is a legal issue) and accuse a user of doing something wrong. You need proof.

Evidence can be especially hard to provide when you have only logs to work with. If your organization needs to move forward with legal action, you must know what type of digital forensic evidence is admissible to law enforcement. If you suspect a crime has occurred, seek help from outside legal experts early in the process.


Ad-Hoc Investigations Waste Valuable Time

Investigating insider threats on an ad-hoc basis simply doesn’t work for the modern enterprise.

Ad-Hoc Investigations Are:

• Inefficient

• Time-consuming

• Lacking in context

• Not suited for in-depth investigations

• High-risk

Ineffective investigation tools can slow down the entire process. In the meantime, the threat may continue to evolve and put the business at great risk of reputational damage or cost. According to The Ponemon Institute, the average annual cost of insider threats is $11.45 million, depending on the size of the organization, the extent of the damage and degree of mitigation required.

Investing in tools that are purpose-built for Insider Threat Management can help make your investigations more accurate, detailed and efficient. People-centric security solutions can correlate user activity and data movement. By quickly providing the right context, they can help you keep your organization protected.


Insider Threat Investigations with Proofpoint

Proactive insider threat hunting and reactive incident investigation

The Anatomy of a Proofpoint ITM Investigation

Insider threat hunting means looking frequently at your riskiest users’ behavior. If you spot anomalous behavior during one of these routine checks, you can take a deeper look. And if you get an inbound alert from Proofpoint ITM, you can quickly drill down using steps 2-4 to determine the root cause.

Step 1: Gathering intelligence. Explorations promote scheduled threat hunting.

Step 2: Diving into alerts. Within the Proofpoint alerts screen or integrated into your ticket management system (e.g. ServiceNow, JIRA or Slack).

Step 3: Gathering context. Within a timeline view of events in the alerts screen and an individual user’s activity screen.

Step 4: Confirming and sharing evidence. Through Proofpoint reports and metadata feeds into SIEMs (e.g. Splunk).


Gathering intelligence

Explorations Screen

Proactive threat hunting begins by looking at the riskiest users on a regular basis. If the analyst sees some risky behavior, they will proceed to investigate the user behind it.

One such user is Carol Brown.

Large web file transfers, FTP server usage and moving files to unapproved USB devices are behaviors that bubbled to the top in this example.

We’ll examine the unapproved USB device usage of Carol Brown.


Diving into alerts

Alerts Screen

Next, the analyst gets more context around the “who, what, where, when and why” of an alert. In a reactive scenario, the investigation starts here, triggered by a tip-off or incident.

In this example, you see multiple alerts of potentially risky behavior for the user Carol Brown. For each alert, you will want to understand why that alert was triggered.

These alerts are simply warning signs requiring further investigation through a user’s timeline of activity.

While triaging the unapproved USB device usage alert for Carol Brown, we see that Carol attempted to move the same sensitive file to a cloud sync folder as well. In both cases, Carol was blocked.

File activity details show that this file contained social security numbers (SSN) and was renamed to something innocuous.

Based on content scanning rules, we can determine the file contained SSNs.

This raises further suspicions.


Gathering context

Timeline View

The timeline view correlates and sequences file, endpoint and application activity with the user in question. Once an analyst has this context, they will want to examine whether this information validates the user activity that led to the alerts (case closed) or, on the other hand, identifies an actual insider threat.

If it’s an insider threat, you want to package up the evidence along with screenshots of user activity in an easy-to-understand format. Let’s see what that looks like.

In this timeline, Carol Brown downloaded the file from SharePoint, renamed the file containing SSNs to Holiday_Pictures.jpeg and attempted to move the file to Google Drive’s cloud sync folder on the endpoint. Based on their data classification of the file, this was deemed confidential information. Luckily, she was blocked.
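The per-user timeline and the flagged-file chain described above (and the where/what/when questions from Step 2 of the ad-hoc process) can be reproduced over raw endpoint events. The following is an added example, not Proofpoint’s code or output: it builds a user timeline from a constructed event log and follows a content-scan-flagged file through its rename to every attempted move onto an unapproved channel, recording whether the move was blocked. The event format, the user id “cbrown”, the original file name and the timestamps are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (not real Proofpoint ITM output); the user id "cbrown", file
# names and timestamps are assumptions. One event per line: timestamp|user|source|action|detail
SAMPLE_LOG = """\
2021-05-03T09:12:04|cbrown|sharepoint|download|HR_Payroll_2021.xlsx
2021-05-03T09:13:40|cbrown|endpoint|content_scan|HR_Payroll_2021.xlsx;ssn_count=312
2021-05-03T09:15:02|cbrown|endpoint|rename|HR_Payroll_2021.xlsx->Holiday_Pictures.jpeg
2021-05-03T09:16:30|cbrown|endpoint|copy|Holiday_Pictures.jpeg->usb:E:;result=blocked
2021-05-03T09:20:11|cbrown|endpoint|copy|Holiday_Pictures.jpeg->cloud_sync:GoogleDrive;result=blocked
2021-05-03T10:02:00|jdoe|endpoint|rename|notes.txt->notes_old.txt
"""
# Destination prefixes that policy treats as unapproved for confidential files.
UNAPPROVED_CHANNELS = ("usb:", "cloud_sync:", "ftp:", "web_upload:")

def parse_events(text):
    """Parse the pipe-delimited lines into dicts ordered by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, source, action, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def user_timeline(events, user):
    """Who/what/where/when: every event for one user, in sequence."""
    return [e for e in events if e["user"] == user]

def sensitive_file_movements(events, user):
    """Track a content-scan-flagged file through renames; report moves to unapproved channels."""
    sensitive = set()  # current names of files known to contain SSNs
    findings = []
    for e in user_timeline(events, user):
        if e["action"] == "content_scan":
            name, _, scan = e["detail"].partition(";")
            m = re.search(r"ssn_count=(\d+)", scan)
            if m and int(m.group(1)) > 0:
                sensitive.add(name)
        elif e["action"] == "rename":
            old, new = e["detail"].split("->", 1)
            if old in sensitive:  # keep tracking the file under its new name
                sensitive = (sensitive - {old}) | {new}
                findings.append((e["ts"].isoformat(), "renamed_sensitive", f"{old}->{new}", ""))
        elif e["action"] in ("copy", "upload"):
            src, dest = e["detail"].split("->", 1)
            dest, _, result = dest.partition(";result=")
            if src in sensitive and dest.startswith(UNAPPROVED_CHANNELS):
                findings.append((e["ts"].isoformat(), "sensitive_to_unapproved", dest, result or "allowed"))
    return findings
```

Each finding is (timestamp, kind, detail, enforcement result); a result of "allowed" on a sensitive_to_unapproved finding is the case that needs the evidence-gathering steps that follow.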


Confirming and sharing evidence

Proofpoint Reports

At the end of the evidence-gathering stage, the analyst can use Proofpoint ITM’s screen recording features to confirm their suspicion. Visual activity replays can back up the metadata evidence gathered in the investigation process.

Once the evidence on Carol Brown is confi rmed, the analyst can export the screen recording and metadata as an easy-to-understand report. This can be shared with Legal, HR and other stakeholders on the incident response team for decision-making purposes.


Conclusions and Recommendations

People-Centric Security

Proofpoint ITM is a people-centric security platform that makes it much easier to gather the necessary context around an insider threat incident—whether it is discovered reactively or proactively.

Having a purpose-built insider threat management solution reduces the mean time to detect (MTTD) and mean time to respond (MTTR) to insider threat incidents. This leads to a reduction in risk, severity, and number of incidents – and ultimately reduces the financial and brand damage associated with insider-led breaches.

Want to see how Proofpoint could work for your organization? Request a demo today.

ABOUT PROOFPOINT

Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

©Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. Proofpoint.com

LEARN MORE

For more information, visit proofpoint.com.

0512-005-01-01 05/21

