If you’ve detected an Insider Threat within your business what do you need to do?
An Insider Threat is a threat to the security of the business from someone within the organisation – this can be malicious or completely unintentional. But the result is the same – there is a threat, and it needs to be dealt with.
Jamie Graves is CEO of cyber security company ZoneFox, and he advises taking the following steps if you discover an Insider Threat:
1) Partner up with your HR department
Ideally, obtain HR buy-in on processes around dealing with the insider threat before it rears its ugly head, but even if it’s too late for that, it’s still important to work WITH the HR team.
2) Back up your actions with documentation
Ensure that there are ample security policies and/or employee agreements that back up any actions that may have to take place due to Insider Threat activity. For example, acceptable use policies, information security policies, and privacy policies.
3) Classification is key
Once an incident is declared, triage must take place very quickly. Understand – as much as possible – whether suspicious activity is intentional or not. A user attempting to pilfer data intentionally should be handled differently than a user who downloads malware accidentally. The classification step revolves around the “how” and the “why”.
4) Prioritize incidents accordingly
In order to develop timelines for dealing with an Insider Threat, you need to prioritize your incidents. Based on the value of the compromised information assets, the privilege level of the user, and the action being taken, you can build a priority matrix.
- P1: Further investigation required right now, all hands on deck, containment is top priority
- P2: Further investigation required, all hands on deck right now to determine further actions
- P3: Further investigation required, all hands on deck not required
- P4: No further investigation required, threat mitigated or nil
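As an added illustration (not ZoneFox's or the article's own code), the following Python sketch builds the priority matrix described above: it scores an incident on the three axes named in step 4, folds in the intentional/unintentional classification from step 3, and maps the result onto P1 to P4. The `Level` scale, the action weights, the thresholds and the sample incidents are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Coarse scale for asset value and user privilege (assumed scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Severity of the observed action: assumed weights, not ZoneFox's matrix.
ACTION_SEVERITY = {"read": 1, "download": 2, "malware_executed": 2, "exfiltrate": 3}


@dataclass
class Incident:
    user: str
    asset_value: Level                  # value of the compromised information asset
    privilege: Level                    # privilege level of the user
    action: str                         # key into ACTION_SEVERITY
    intentional: Optional[bool] = None  # None = not yet classified (step 3)
    mitigated: bool = False             # containment already complete


def score(inc: Incident) -> int:
    """Sum the three matrix axes. Unclassified intent counts as intentional
    until triage proves otherwise, so an incident is never under-prioritised."""
    total = int(inc.asset_value) + int(inc.privilege) + ACTION_SEVERITY[inc.action]
    if inc.intentional is not False:
        total += 1
    return total


def priority(inc: Incident) -> str:
    """Map an incident onto the P1-P4 levels listed in the article."""
    if inc.mitigated:
        return "P4"  # no further investigation required
    s = score(inc)   # ranges from 3 to 10 with the assumed weights
    if s >= 8:
        return "P1"  # investigate now, all hands on deck, containment first
    if s >= 6:
        return "P2"  # investigate now, all hands on deck to decide actions
    return "P3"      # investigate, but all hands not required


def triage_queue(incidents: list) -> list:
    """Order incidents by priority (ties broken by score) to assign timelines."""
    ranked = sorted(incidents, key=lambda i: (priority(i), -score(i)))
    return [(priority(i), i.user) for i in ranked]
```

Constructed incidents such as an admin exfiltrating a high-value asset (P1) and a standard user who accidentally ran malware on a low-value asset (P3) show how the same matrix separates the two cases the classification step distinguishes.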
5) Decide on a mitigation plan
Devise a plan based on priority level, established processes, and HR agreements. This may include disciplinary measures, and items needed for investigation, such as network activity logs or a user interview.
6) Act when the time is right
With your plan in place, it is time to act. This may include reduced or removed user privileges on high value assets, confiscation of company assets in the user’s possession, and/or an interview with HR and cybersecurity teams. Ensure that all parties involved are sending the same message. No good cop/bad cop here!
7) Gather more data
Once you have acted to contain the threat, it is imperative to understand when the activity may have started, whether there is more than one party involved, any tools, techniques and procedures put to use, and what the intended target was (if it was intentional). Data is your friend here, and hunting for any and all activities pertaining to this threat in your environment is paramount to getting to the bottom of things. But remember to be discreet.
8) Again, work with HR!
If you have your ducks in a row – the threat is neutralized, and you have next steps in place – this is the time to work with HR to have them deliver any bad news.
Remember to leverage your HR team and keep your policies up to date. Develop an incident response plan complete with containment and eradication measures. Remember, data is your friend, so have a robust user behaviour analytics engine running behind an endpoint monitoring solution.
With all of the above tools and advice close at hand, hopefully you can sleep better knowing that there is a way to help contain and eradicate the insider threat.