Jul 16, 2024

DTEX i³ Issues New Threat Advisory for Disrupting Foreign Interference


The DTEX Insider Intelligence and Investigations (i3) team has released a new threat advisory to help organizations detect, deter, and disrupt insider threat cases involving foreign interference.

The advisory includes important Potential Risk Indicators (PRIs) and behavioral insights that organizations can leverage to proactively intercept malicious insiders intending to conduct IP theft.

Finding the needle in the haystack

Foreign interference has become a significant concern for organizations that manage sensitive data, especially with high-profile incidents involving theft of trade secrets and espionage.

Intercepting cases is rarely straightforward, and detection can be challenging.

As the advisory notes, “A compromised insider colluding with an external adversary could easily go unnoticed by virtue of their authorized access and actions, particularly if those actions are considered to be ‘normal’ by the organization.”

This is where behavioral insights, under a rounded Insider Risk Management (IRM) program, can shine: they provide early warning signals of concerning user behavior with enough lead time to intervene before significant harm occurs.

Lessons from a real-world investigation

This advisory follows an investigation in which DTEX i3 successfully intercepted a malicious insider who was seeking to steal company secrets and take them to another organization in their country of origin.

The customer – a large technology company, with an advanced security program – requested an i3 investigation into a user suspected of data exfiltration. The company’s legal department conducted a thorough review, focusing on potential exfiltration and travel plans to China, due to concerns about foreign interference. Initial analysis suggested the user might have exfiltrated data via their browser, using personal email and deleting files. These activities, when viewed through the Insider Threat Kill Chain, indicated potential malicious intent and evasion efforts.

The DTEX i3 investigator identified several red flags, including data aggregation before exfiltration. The user had copied 3.9GB of sensitive data and uploaded it to a personal OneDrive account using Google Chrome. Evidence from OneDrive logs and a disk image confirmed these actions. Additional behaviors, such as job hunting, indicated a higher risk of insider threat. Over 600 unique files, covering supplier, shortage, and backlog reports, were exfiltrated, and their subject matter aligned with the roles the user was applying for.

The DTEX InTERCEPT audit trail and digital forensic evidence revealed that the exfiltrated documents were confidential and pertinent to the positions the user was researching. The user had employed forensic countermeasures, such as using a non-corporate OneDrive and deleting aggregated files, to hide their activities. These behaviors are typical of risky insiders during threat events.
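The sequence above (staging a large volume of files, uploading them through a browser to a non-corporate cloud account, then deleting the staged copies, with job-board visits as context) can be expressed as a simple kill-chain correlation over endpoint telemetry. The following Python script is an added example written for this page; it is not DTEX code and does not use DTEX's PRIs, field names or thresholds. The log format, the corporate tenant allowlist, the size and file-count thresholds and the seven-day window are all assumptions, and the sample log lines are constructed for the example.

```python
"""Toy Insider Threat Kill Chain correlator (added example, not DTEX code).

Reads constructed pipe-delimited endpoint/browser events and checks whether one
user walks the chain aggregation -> exfiltration (upload of a staged file to a
non-corporate cloud host) -> evasion (deletion of a staged file), with job-board
visits recorded as a contextual indicator.  Every constant below is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_CLOUD = {"contoso-my.sharepoint.com"}          # assumed corporate OneDrive tenant
JOB_SITES = ("linkedin.com", "indeed.com", "glassdoor.com")
AGG_BYTES = 1 * 1024 ** 3   # assumed: >= 1 GiB staged inside the window counts as aggregation
AGG_FILES = 100             # assumed: or >= 100 distinct files staged inside the window
WINDOW = timedelta(days=7)  # assumed look-back for the aggregation check
CHAIN = ("aggregation", "exfiltration", "evasion")

# Constructed sample telemetry: ts|user|event_kind|key=value;key=value
SAMPLE_LOG = [
    "2024-06-01T09:00:00|u.chen|web_visit|host=www.linkedin.com",
    "2024-06-02T10:00:00|u.chen|file_copy|dst=C:/Users/u.chen/Desktop/q2/supplier_backlog_01.xlsx;bytes=800000000",
    "2024-06-02T10:05:00|u.chen|file_copy|dst=C:/Users/u.chen/Desktop/q2/shortage_report.pptx;bytes=400000000",
    "2024-06-03T11:00:00|u.chen|browser_upload|host=onedrive.live.com;src=C:/Users/u.chen/Desktop/q2/supplier_backlog_01.xlsx;browser=chrome",
    "2024-06-03T11:30:00|u.chen|file_delete|path=C:/Users/u.chen/Desktop/q2/supplier_backlog_01.xlsx",
    "2024-06-02T10:00:00|a.ok|file_copy|dst=C:/Users/a.ok/deck.pptx;bytes=50000000",
    "2024-06-02T10:10:00|a.ok|browser_upload|host=contoso-my.sharepoint.com;src=C:/Users/a.ok/deck.pptx;browser=edge",
]


def parse(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, user, kind, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, **fields}


def score_user(events):
    """Return the first timestamp at which each stage was observed for one user (None if never)."""
    stages = {"aggregation": None, "exfiltration": None, "evasion": None, "job_hunting": None}
    staged = {}  # path -> (ts, bytes) of files copied to a staging location
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "file_copy":
            staged[ev["dst"]] = (ev["ts"], int(ev["bytes"]))
            recent = [v for v in staged.values() if ev["ts"] - v[0] <= WINDOW]
            if sum(b for _, b in recent) >= AGG_BYTES or len(recent) >= AGG_FILES:
                if stages["aggregation"] is None:
                    stages["aggregation"] = ev["ts"]
        elif ev["kind"] == "browser_upload":
            # Only an upload of an already-staged file to a host outside the corporate tenant
            # counts; an upload to the corporate tenant is normal collaboration.
            if ev["host"] not in CORP_CLOUD and ev.get("src") in staged:
                if stages["aggregation"] is not None and stages["exfiltration"] is None:
                    stages["exfiltration"] = ev["ts"]
        elif ev["kind"] == "file_delete":
            # Deleting a staged file after the upload is treated as forensic countermeasure.
            if stages["exfiltration"] is not None and ev["path"] in staged:
                if stages["evasion"] is None:
                    stages["evasion"] = ev["ts"]
        elif ev["kind"] == "web_visit":
            if any(ev["host"].endswith(site) for site in JOB_SITES):
                if stages["job_hunting"] is None:
                    stages["job_hunting"] = ev["ts"]
    return stages


def correlate(lines):
    """Group events per user and report which kill-chain stages each one has hit."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_user[ev["user"]].append(ev)
    report = {}
    for user, events in by_user.items():
        stages = score_user(events)
        hit = [s for s in CHAIN if stages[s] is not None]
        report[user] = {
            "stages": hit,
            "job_hunting": stages["job_hunting"] is not None,
            "escalate": hit == list(CHAIN),   # full chain observed: hand to IRM/legal review
        }
    return report


if __name__ == "__main__":
    for user, result in correlate(SAMPLE_LOG).items():
        print(user, result)
```

The ordering matters: an upload is only scored as exfiltration if aggregation preceded it and the uploaded file is one that was staged, and a deletion only counts as evasion after such an upload. That keeps an ordinary user who shares one deck with the corporate tenant (a.ok in the sample) at zero stages, while the staged-upload-delete sequence plus job-board context (u.chen) reaches the escalation condition that would trigger the hand-off to the IRM and legal teams described in the investigation.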

After completing the log analysis and gathering evidence, the company’s IRM team handed the investigation over to the legal department. The evidence included the DTEX InTERCEPT audit trail, digital forensic evidence from the disk image, and cloud-based logs.

Integrating defense in depth in your IRM program

The latest Threat Advisory provides important insights for applying defense in depth under a rounded IRM program backed by cross-cutting collaboration.

In the investigation above, tagging of end-user activities and the alerts generated from them gave the security, IRM and legal teams a shared evidence trail, enabling timely detection of the data exfiltration and legal action against the insider.

For mitigations and detections that you can apply in your own environment, read the complete Threat Advisory.
