As a company that’s been fighting the insider threat for more than 15 years, we’ve been in the game long enough to identify distinctive trends in insider behavior. These are independent of company size or industry, and, in general, are surprisingly consistent. One of the most helpful patterns we’ve discovered is the insider threat kill chain: the steps that insiders, or external infiltrators, take when they steal data.
Here’s how it goes:
Step 1: Reconnaissance
As they’re planning an insider attack, users start by seeking out files and data to steal. The key to catching a user in this stage is to keep an eye on users who access unusual locations or run unusual applications. This way, you can get an early indication that a user may be preparing for an attack.
High-risk user activity includes:
- Accessing a new or unusual location in a document repository
- An unusual increase in error or access-denied messages
- Failed attempts to mount USB devices and access external websites
- Unusually rapid rate of opening files in a short period of time
- Network scanning and use of network tools
- Running applications that they’ve never run before, especially hacking applications
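The reconnaissance indicators above can be turned into a concrete check against endpoint activity logs. The following is an added example written for this article, not the vendor's product logic: it learns each user's usual directories and applications from a constructed history, then flags new locations, an access-denied spike, a never-before-run application (with a small assumed watch-list of network scanning tools), and a burst of file opens. The event schema, thresholds and sample data are all assumptions chosen for illustration.

```python
"""Reconnaissance-stage indicator checks over constructed endpoint events.

Added example, not the vendor's code. Event tuples are
(user, iso_timestamp, action, target) with actions open/denied/run; the
thresholds and the recon-tool watch-list are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

DENIED_MIN = 3                              # access-denied events per user in one batch (assumed)
RAPID_OPEN_COUNT = 20                       # this many file opens ...
RAPID_OPEN_WINDOW = timedelta(seconds=60)   # ... inside this window (assumed)
RECON_TOOLS = {"nmap.exe", "netscan.exe"}   # assumed watch-list of network scanning tools

# Constructed history used to learn what is "usual" for each user.
HISTORY = [
    ("alice", "2024-03-01T09:00:00", "open", "/shares/sales/q1.xlsx"),
    ("alice", "2024-03-01T09:05:00", "run", "excel.exe"),
    ("alice", "2024-03-02T10:00:00", "open", "/shares/sales/pipeline.docx"),
    ("alice", "2024-03-02T10:01:00", "run", "winword.exe"),
    ("bob", "2024-03-01T11:00:00", "open", "/shares/marketing/plan.pptx"),
    ("bob", "2024-03-01T11:01:00", "run", "powerpnt.exe"),
]


def _constructed_recent():
    """Recent batch: bob behaves as usual, alice shows several recon indicators."""
    ev = [
        ("bob", "2024-03-10T11:00:00", "open", "/shares/marketing/launch.pptx"),
        ("bob", "2024-03-10T11:00:30", "run", "powerpnt.exe"),
        ("alice", "2024-03-10T22:00:00", "open", "/shares/engineering/src/core.zip"),
        ("alice", "2024-03-10T22:00:05", "denied", "/shares/hr/salaries.xlsx"),
        ("alice", "2024-03-10T22:00:10", "denied", "/shares/hr/reviews.xlsx"),
        ("alice", "2024-03-10T22:00:15", "denied", "/shares/finance/ledger.xlsx"),
        ("alice", "2024-03-10T22:00:20", "denied", "/shares/legal/contracts.docx"),
        ("alice", "2024-03-10T22:00:30", "run", "nmap.exe"),
    ]
    start = datetime(2024, 3, 10, 22, 1, 0)
    for i in range(25):  # 25 opens within 48 seconds
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        ev.append(("alice", ts, "open", f"/shares/engineering/src/file{i}.c"))
    return ev


RECENT = _constructed_recent()


def build_baseline(events):
    """Per-user sets of directories touched and applications run."""
    baseline = defaultdict(lambda: {"dirs": set(), "apps": set()})
    for user, _ts, action, target in events:
        if action in ("open", "denied"):
            baseline[user]["dirs"].add(os.path.dirname(target))
        elif action == "run":
            baseline[user]["apps"].add(target.lower())
    return baseline


def detect_recon(baseline, events):
    """Return (user, indicator, detail) tuples for one batch of recent events."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[0]].append(ev)
    for user, evs in by_user.items():
        known = baseline.get(user, {"dirs": set(), "apps": set()})
        # 1. Opens in a directory this user has never touched before.
        new_dirs = {os.path.dirname(t) for _u, _ts, a, t in evs
                    if a == "open" and os.path.dirname(t) not in known["dirs"]}
        for d in sorted(new_dirs):
            alerts.append((user, "new_location", d))
        # 2. A burst of access-denied responses (probing for readable data).
        denied = [e for e in evs if e[2] == "denied"]
        if len(denied) >= DENIED_MIN:
            alerts.append((user, "access_denied_spike", f"{len(denied)} denied in batch"))
        # 3. Applications never run before; watch-listed tools get their own tag.
        new_apps = {t.lower() for _u, _ts, a, t in evs
                    if a == "run" and t.lower() not in known["apps"]}
        for app in sorted(new_apps):
            kind = "recon_tool" if app in RECON_TOOLS else "new_application"
            alerts.append((user, kind, app))
        # 4. Sliding window over sorted open timestamps for rapid file access.
        opens = sorted(datetime.fromisoformat(ts) for _u, ts, a, _t in evs if a == "open")
        for i in range(len(opens) - RAPID_OPEN_COUNT + 1):
            if opens[i + RAPID_OPEN_COUNT - 1] - opens[i] <= RAPID_OPEN_WINDOW:
                alerts.append((user, "rapid_file_opens",
                               f"{RAPID_OPEN_COUNT} opens within {RAPID_OPEN_WINDOW.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(build_baseline(HISTORY), RECENT):
        print(alert)
```

Run as a script it prints only alice's alerts; bob's activity matches his baseline and produces nothing. The baseline here is a plain set, which is deliberately crude: in practice you would build it over a longer window and weight directories by how often the user's team touches them, so that a colleague's share does not raise a "new location" alert.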
Step 2: Circumvention
Next, users research options for getting data out of an organization. Sometimes this can happen through straightforward means, like file-sharing websites. Other times, IT-savvy users can use more technical methods like proxy servers and VPN connections.
A few examples include:
- Use of tools like Tor (The Onion Router), VPN and proxy servers to engage in untrackable internet activity
- File transfers through instant messaging, to evade DLP restrictions
- Use of hacking tools
- Sharing information online, whether it be through copy/paste sites like Pastebin, communities like Reddit, or social networks like Facebook or LinkedIn
- Disabling or bypassing security software, or researching how to do so
Step 3: Aggregation
When they’re ready to act, users aggregate the data they’re preparing to steal. This means that you’ll need to keep an eye out for various forms of unusual file activity, from copying, to movement, to deletion.
Some examples include:
- Unusual amounts of file copies, movements, and deletions
- Unusual amounts of file activity in high-risk locations and sensitive file types
- Unusual creation of files that are all exactly the same size
- Saving files to an unusual location on a user’s endpoint
Step 4: Obfuscation
Users almost always attempt to cover their tracks before stealing data. Their methods can range from the simple, like renaming files, to the complex, like disabling security tools altogether. In order to catch the culprit at this stage, you need to have a detailed view of everything happening within your organization.
You might see:
- Unusual rates and sizes of file compression
- Clearing cookies and Event Viewer logs, or unusual use of browser stealth settings like Chrome’s Incognito mode
- Hiding sensitive information in image, video, or other misleading file types
- Unusual rates of file renaming, especially to a different file type
Step 5: Exfiltration
This is the actual theft of sensitive data and information. Ideally, you will have caught the rogue insider long before they reach this point. You should have already seen the signs from their previous actions, and if you didn’t, then chances are your internal visibility is sorely lacking and you probably won’t catch them here until it’s too late.
This is the stage where the user actually takes the data out of the organization. This means that the important thing to look for isn’t just the size and volume of file transfers, but their destination. You should be looking for large numbers of files that are being moved to an external drive or uploaded to an outside network.
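The aggregation, obfuscation and exfiltration indicators from Steps 3 to 5, together with the destination question raised in Step 2 (file-sharing sites versus internal systems), can be checked from a file-activity feed. The block below is an added example written for this article, not the vendor's code: over a constructed batch of file events it flags copies out of sensitive shares, a cluster of identically sized files, renames that change the extension, a burst of archive creation, and outbound volume to removable media or external web hosts, with the destination classified by an assumed internal-domain allowlist. The event schema, the sensitive-share and allowlist values, the hostnames and all thresholds are assumptions chosen for illustration.

```python
"""Aggregation / obfuscation / exfiltration indicators over constructed file events.

Added example, not the vendor's code. Event tuples are
(user, action, src, dst, size_bytes) with actions copy/create/rename/compress/transfer.
Thresholds, share names, domains and sample data are assumptions for illustration.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse
import os

SENSITIVE_COPY_MIN = 3                  # copies out of sensitive shares (assumed)
SAME_SIZE_MIN = 5                       # created files sharing one exact size (assumed)
EXT_CHANGE_MIN = 3                      # renames that change the extension (assumed)
COMPRESS_MIN = 3                        # archives created in one batch (assumed)
EXFIL_BYTES_MIN = 50 * 1024 * 1024      # bytes leaving the org before alerting (assumed)
SENSITIVE_PREFIXES = ("/shares/hr", "/shares/finance", "/shares/engineering/src")
INTERNAL_DOMAINS = {"sharepoint.corp.example", "fs01.corp.example"}   # assumed allowlist
REMOVABLE_PREFIXES = ("/media/", "/Volumes/", "E:\\", "F:\\")         # assumed mount points


def _constructed_events():
    """alice stages, disguises and moves data out; bob does ordinary work."""
    ev = []
    # Aggregation: copies out of a sensitive share into a hidden staging directory.
    for i in range(4):
        ev.append(("alice", "copy", f"/shares/finance/ledger_{i}.xlsx",
                   f"/home/alice/.cache/st/{i}.xlsx", 2_000_000))
    # Staged data written out as fixed-size 1 MiB chunks (all exactly the same size).
    for i in range(6):
        ev.append(("alice", "create", "", f"/home/alice/.cache/st/part{i}.bin", 1_048_576))
    # Obfuscation: spreadsheets renamed to look like images, then packed into archives.
    for i in range(4):
        ev.append(("alice", "rename", f"/home/alice/.cache/st/{i}.xlsx",
                   f"/home/alice/.cache/st/img{i}.jpg", 2_000_000))
    for i in range(3):
        ev.append(("alice", "compress", "/home/alice/.cache/st",
                   f"/home/alice/.cache/st/a{i}.zip", 8_000_000))
    # Exfiltration: 30 MiB to a USB mount and 40 MiB to an external upload host (assumed).
    ev.append(("alice", "transfer", "/home/alice/.cache/st/a0.zip",
               "/media/usb0/a0.zip", 30 * 1024 * 1024))
    ev.append(("alice", "transfer", "/home/alice/.cache/st/a1.zip",
               "https://upload.example-share.test/put", 40 * 1024 * 1024))
    # Normal user: a rename that keeps the extension and an upload to the internal SharePoint.
    ev.append(("bob", "rename", "/home/bob/draft.docx", "/home/bob/final.docx", 100_000))
    ev.append(("bob", "transfer", "/home/bob/final.docx",
               "https://sharepoint.corp.example/sites/mkt/final.docx", 12 * 1024 * 1024))
    return ev


EVENTS = _constructed_events()


def classify_destination(dst):
    """removable | external_web | internal | local, based on the destination string."""
    if dst.startswith(REMOVABLE_PREFIXES):
        return "removable"
    if "://" in dst:
        host = urlparse(dst).hostname or ""
        return "internal" if host in INTERNAL_DOMAINS else "external_web"
    return "local"


def detect_staging_and_exfil(events):
    """Return (user, indicator, detail) tuples for one batch of file events."""
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[0]].append(ev)
    for user, evs in per_user.items():
        copies = [e for e in evs if e[1] == "copy" and e[2].startswith(SENSITIVE_PREFIXES)]
        if len(copies) >= SENSITIVE_COPY_MIN:
            alerts.append((user, "sensitive_copies", f"{len(copies)} copies from sensitive shares"))
        sizes = Counter(size for _u, a, _s, _d, size in evs if a == "create")
        for size, n in sizes.items():
            if n >= SAME_SIZE_MIN:
                alerts.append((user, "same_size_files", f"{n} files of exactly {size} bytes"))
        ext_changes = [(s, d) for _u, a, s, d, _z in evs if a == "rename"
                       and os.path.splitext(s)[1].lower() != os.path.splitext(d)[1].lower()]
        if len(ext_changes) >= EXT_CHANGE_MIN:
            alerts.append((user, "extension_change_renames",
                           f"{len(ext_changes)} renames changed the extension"))
        archives = [e for e in evs if e[1] == "compress"]
        if len(archives) >= COMPRESS_MIN:
            alerts.append((user, "compression_burst", f"{len(archives)} archives created"))
        outbound = Counter()
        for _u, a, _s, d, size in evs:
            if a == "transfer":
                outbound[classify_destination(d)] += size
        leaving = outbound["removable"] + outbound["external_web"]
        if leaving >= EXFIL_BYTES_MIN:
            alerts.append((user, "exfiltration_volume",
                           f"{leaving} bytes to removable/external: {dict(outbound)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_staging_and_exfil(EVENTS):
        print(alert)
```

The destination check is the point the text makes: bob moves 12 MiB and triggers nothing because the host is on the internal allowlist, while alice's two transfers are summed across USB and web because both leave the organization. In a real deployment the allowlist would come from your asset inventory and the removable-media prefixes from the endpoint agent's mount events rather than from hard-coded strings.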
Early Alert is Critical
These steps aren’t exact, and you may see variations. But in general, this is the pattern that most insider attacks loosely follow. Once you know this general flow of activities, you’ll know what to look for in order to stop these insiders early. Ideally, you should be stopping potential breaches as early as the reconnaissance stage. Attempting to block every possible route data can take out of the organization is a fool’s errand. With knowledge of user behavior and proper internal visibility, however, you’ll have a much higher success rate.