16 Feb So You’ve Identified An Insider Threat – Now What?
Although the insider threat is just a part of security life these days, there aren't many "how-to" guides on handling these threats once they've been identified. Beyond monitoring for and detecting insider threats, we've laid out some guidelines on how to classify, prioritize and handle them, with a little help from your friends in HR. Read on for a timely reference to help you handle insider threat incidents appropriately as they rear their heads.
Partner up with your HR department
First off, it's best to obtain HR buy-in on processes for dealing with the insider threat before it rears its ugly head. Once you've detected potential insider threat activity, you want a pre-approved process for gathering data on a user's activities, so you can confirm whether an incident has taken place or is still taking place without having to negotiate permission in the middle of it.
Back up your actions with documentation
Ensure that there are ample security policies and/or employee agreements that back up any actions taken in response to insider threat activity. Acceptable use policies, information security policies, and privacy policies (including the fact that the organization monitors its own systems) must be tracked along with any exceptions, and employees should sign a form stating that they understand and agree to adhere to the policies.
Classification is key
Once an incident stemming from an insider threat is declared, triage must take place very quickly. Understand, as far as you can, whether the suspicious activity is intentional or not. A user deliberately exfiltrating data should be handled differently from a user who downloads malware by accident. The same goes for a user who is exfiltrating data versus a user who is deleting it. To sum it up, classification revolves around the "how" and the "why".
Prioritize incidents accordingly
You need hard and fast rules that set timelines for dealing with an insider threat, and to develop those timelines you must first prioritize your incidents. Based on the value of the information assets involved, the privilege level of the user, and the action being taken, you can build out a priority matrix running from priority 1 (P1) at the top down to P3, or even P4, at the low end. Here are some guidelines for each priority level.
- P1: Further investigation required right now; all hands on deck, with containment as the top priority
- P2: Further investigation required; all hands on deck right now to determine the next actions
- P3: Further investigation required, but all hands on deck not required
- P4: No further investigation required; threat already mitigated, or no threat at all
Decide on a mitigation plan
Once you have classified and prioritized your incident, devise a plan based on its priority level, your established processes, and your HR agreements. Disciplinary measures, such as seizure of all of the user's company assets, suspension of employment, or dismissal, may be discussed. Further investigative measures, such as pulling network activity logs or interviewing the user, may be required as well. This plan should be in place, with approval from the appropriate stakeholders, before anyone acts.
Act when the time is right
With your plan in place, it is time to act. Leveraging your partnership with HR as well as your policies and incident classification taxonomy, you should be able to carry out your plan with few hiccups. Action, in this case, may include reduced or removed user privileges on high value assets, confiscation of company assets in the user’s possession, and/or interview with HR and cybersecurity teams. Be ready to cite policy or standards, and ensure that all parties involved are sending the same message. No good cop/bad cop here.
Gather more data
Once you have acted to contain the threat, it is imperative to understand when the activity may have started, whether more than one party is involved within the scope of the insider threat, any tools, techniques and procedures put to use, and what the intended target was (if the activity was intentional). Seeing a change in user behaviour over time? Note it! Data is your friend here, and hunting for any and all activities pertaining to this threat in your environment is paramount to getting to the bottom of things. Just remember to be discreet; pulling data in a heavy-handed way on a matter as sensitive as an insider threat just might end up tipping off the culprit!
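The four questions above (when did it start, who else is involved, what techniques were used, and has the user's behaviour changed over time) can be answered from the logs you already have. The following is an added example, not code from the original post or from any particular product: it runs over a handful of constructed endpoint/proxy log lines in a hypothetical `ts|user|host|event|object|bytes` format, compares each user's daily byte volume against their own history to spot a behavioural shift, dates the onset of the suspicious activity, labels the techniques seen, and lists other users who touched the same objects in the incident window. The event names, thresholds and labels are assumptions chosen for illustration.

```python
"""Scope an insider incident from logs: behaviour shift, onset, techniques, co-actors."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Format: ts|user|host|event|object|bytes
SAMPLE_LOG = """\
2023-01-03T09:12:00|alice|ws-17|file_read|smb://fs01/finance/q4_forecast.xlsx|120000
2023-01-04T10:02:00|alice|ws-17|file_read|smb://fs01/finance/budget_2023.xlsx|150000
2023-01-05T11:15:00|alice|ws-17|file_read|smb://fs01/finance/vendors.csv|100000
2023-01-06T09:40:00|alice|ws-17|file_read|smb://fs01/finance/q4_forecast.xlsx|130000
2023-01-09T14:05:00|alice|ws-17|file_read|smb://fs01/finance/budget_2023.xlsx|110000
2023-01-12T07:58:00|alice|ws-17|file_read|smb://fs01/finance/q4_forecast.xlsx|20000000
2023-01-12T08:01:00|alice|ws-17|file_read|smb://fs01/finance/budget_2023.xlsx|20000000
2023-01-12T08:03:00|alice|ws-17|file_read|smb://fs01/finance/vendors.csv|20000000
2023-01-12T08:06:00|alice|ws-17|file_read|smb://fs01/finance/payroll.xlsx|20000000
2023-01-12T08:09:00|alice|ws-17|file_read|smb://fs01/finance/board_deck.pptx|20000000
2023-01-12T08:15:00|alice|ws-17|archive_create|C:/Users/alice/fin.zip|95000000
2023-01-12T08:20:00|alice|ws-17|usb_mount|E:|0
2023-01-12T08:31:00|alice|ws-17|upload|personal-drive.example|95000000
2023-01-12T08:40:00|bob|ws-22|file_read|smb://fs01/finance/q4_forecast.xlsx|20000000
2023-01-12T08:52:00|bob|ws-22|upload|personal-drive.example|20000000
2023-01-12T09:10:00|carol|ws-30|file_read|smb://fs01/hr/handbook.pdf|300000
"""

# Assumed event-to-technique labels; a real deployment would map to its own taxonomy.
SUSPICIOUS_EVENTS = {"archive_create", "usb_mount", "upload"}
TTP_LABELS = {
    "archive_create": "data staged in archive",
    "usb_mount": "removable media mounted",
    "upload": "upload to external web service",
}


def parse_log(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, event, obj, size = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "event": event, "object": obj, "bytes": int(size)})
    return sorted(events, key=lambda e: e["ts"])


def daily_totals(events, user):
    """Bytes moved per calendar day for one user, oldest day first."""
    totals = defaultdict(int)
    for e in events:
        if e["user"] == user:
            totals[e["ts"].date()] += e["bytes"]
    return dict(sorted(totals.items()))


def behaviour_shift(events, user, k=3.0, min_baseline=3):
    """Days whose volume breaks the user's own prior pattern (ISO date strings).

    A day is flagged when it exceeds both mean + k*stdev of the preceding days and
    twice their mean; the second guard avoids flagging small wobbles when the
    baseline is nearly flat (stdev close to zero).
    """
    flagged = []
    days = list(daily_totals(events, user).items())
    for i, (day, total) in enumerate(days):
        history = [t for _, t in days[:i]]
        if len(history) < min_baseline:
            continue
        threshold = max(mean(history) + k * pstdev(history), 2 * mean(history))
        if total > threshold:
            flagged.append(day.isoformat())
    return flagged


def onset(events, user):
    """Earliest point the activity may have started: first suspicious event or
    first event on an anomalous day, whichever is earlier (ISO timestamp)."""
    shifted = set(behaviour_shift(events, user))
    candidates = [e["ts"] for e in events if e["user"] == user and
                  (e["event"] in SUSPICIOUS_EVENTS or e["ts"].date().isoformat() in shifted)]
    return min(candidates).isoformat() if candidates else None


def ttps(events, user, bulk_reads_per_day=5):
    """Technique labels observed for the user, plus bulk collection if many reads in a day."""
    techniques = set()
    reads = defaultdict(int)
    for e in events:
        if e["user"] != user:
            continue
        if e["event"] in TTP_LABELS:
            techniques.add(TTP_LABELS[e["event"]])
        if e["event"] == "file_read":
            reads[e["ts"].date()] += 1
    if any(n >= bulk_reads_per_day for n in reads.values()):
        techniques.add("bulk file collection")
    return sorted(techniques)


def co_actors(events, user, start, end):
    """Other users who touched the same objects as the subject inside the window."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    window = [e for e in events if start <= e["ts"] <= end]
    subject_objects = {e["object"] for e in window if e["user"] == user}
    return sorted({e["user"] for e in window
                   if e["user"] != user and e["object"] in subject_objects})


def scope_incident(log_text, user):
    """Answer the four scoping questions for one user from raw log text."""
    events = parse_log(log_text)
    start = onset(events, user)
    end = events[-1]["ts"].isoformat()
    return {
        "onset": start,
        "anomalous_days": behaviour_shift(events, user),
        "ttps": ttps(events, user),
        "co_actors": co_actors(events, user, start, end) if start else [],
    }


if __name__ == "__main__":
    print(scope_incident(SAMPLE_LOG, "alice"))
```

The per-user baseline is the point: the same 20 MB read that is routine for a data engineer is a spike for someone whose history is a few hundred kilobytes a day, which is why the comparison is against the subject's own history rather than a global threshold. Running this against read-only log copies, rather than querying live systems under the user's account or host, is the discreet approach the paragraph above calls for.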
Again, work with HR
At this point, there should be sufficient evidence to explain the actions of the identified insider threat. If you have your ducks in a row, meaning the threat is neutralized and next steps are in place, this is the time to work with HR and have them deliver any bad news. The cybersecurity team should not be delivering termination notices, even if it might seem satisfying to hand out the justice in person. Provide any and all evidence that highlights the risky behaviour, and help HR do their job: handling the human resources.
We, as in the security community, spend a lot of time talking about insider threats, generally about how to detect them. There aren't many folks around who provide insight into the "now what?" after an insider threat has been detected. Remember, you can't always go it alone when working to defend your network.
To recap …
- Leverage your HR team
- Keep your policies up to date, and have your employees re-read and re-agree to them at least annually.
- Keep an incident response plan around, and ensure it has an insider threat element, complete with containment and eradication measures.
And remember, data is your friend in most cases, so it doesn’t hurt to have a robust UBA engine running behind an endpoint detection and response solution. With all of the above tools and advice close at hand, we’re hoping that you can sleep better knowing that there is a way to help contain and eradicate the insider threat … at least for now …