ThreatFix

Fun with Insider Threat: Flight Risk

3/18/2016


Motivations – Fantastic Insiders and How to Find Them

Welcome back to Fun with Insider Threat. Continuing our look into Insider Threat, let's venture into the world of Flight Risk. Unlike other types of Insider Threat, Flight Risk candidates rarely have ill will towards the company they are leaving. Most often, the motive is to retrieve all the data they worked on or believe will be beneficial at their next job. All companies, to varying degrees, claim that any work product produced on company assets or during work hours is the sole property of the employer, but when leaving, the average employee does not consider this. This seems to be especially prevalent in creative roles. A graphic designer, for example, is judged on the quality of their portfolio, and extracting examples of their art is pivotal to finding a new job or iterating on current work product.

Flight Risk candidates are also generally less technical than malicious insiders, as they just want their work product out of the environment and accessible after they leave the job. This makes them very noisy exfiltrators, often repeatedly getting blocked and then modifying their methods and variables to avoid the filters. With email, this can manifest as a single message with multiple large attachments being sent home, followed by incrementally sneakier attempts that change the destination, subject line, file names, file size, or format. Often there will be a change in medium: email is usually the first method as it is readily available, then USB storage device writes, then website or online mail uploads, ending with printing documents, which will not be blocked. This pattern changes in complexity and volume but will generally result in physical security breaches such as printing, copying work onto paper, or taking pictures with a cell phone. Occasionally this can escalate to Control Avoidance, which we will cover after the break.
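The channel-hopping pattern described above (blocked on email, then USB, then web upload, ending in an unblocked print) can be searched for in DLP or audit events. The following is an added example, not code from the original post; the event fields, channel names, time window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, channel, outcome)
EVENTS = [
    ("2016-03-14 09:02", "alice", "email", "blocked"),
    ("2016-03-14 09:10", "alice", "email", "blocked"),
    ("2016-03-14 09:40", "alice", "usb", "blocked"),
    ("2016-03-14 10:05", "alice", "web_upload", "blocked"),
    ("2016-03-14 10:30", "alice", "print", "allowed"),
    ("2016-03-14 11:00", "bob", "email", "allowed"),
    ("2016-03-14 13:00", "bob", "print", "allowed"),
    ("2016-03-14 09:00", "carol", "email", "blocked"),
    ("2016-03-16 15:00", "carol", "usb", "allowed"),
]

def find_channel_hoppers(events, window=timedelta(hours=8), min_channels=3):
    """Flag users who, after a block, retry or move to other channels within `window`."""
    by_user = defaultdict(list)
    for ts, user, channel, outcome in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), channel, outcome))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (start, _channel, outcome) in enumerate(rows):
            if outcome != "blocked":
                continue
            # Everything the user tried from the first block to the end of the window.
            chain = [r for r in rows[i:] if r[0] - start <= window]
            channels = []
            for _, ch, _ in chain:
                if ch not in channels:
                    channels.append(ch)  # keep first-seen order to show the escalation path
            if len(channels) >= min_channels:
                findings[user] = {
                    "channels": channels,
                    "blocked": sum(1 for r in chain if r[2] == "blocked"),
                    "ended_allowed": chain[-1][2] == "allowed",
                }
            break  # only evaluate the chain that starts at the user's first block
    return findings

if __name__ == "__main__":
    for user, detail in find_channel_hoppers(EVENTS).items():
        print(user, detail)
```

A chain that ends in an allowed print after several blocks is the case worth routing to an analyst, since the earlier channels were stopped by controls and the last one was not.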


Fun With Insider Threat: We Backtracked the Call.  It’s Coming from Inside the House.

3/10/2016

Who is an Insider: Clear and Present Dangers

Welcome to Fun with Insider Threat. The goal of these articles is to give a periodic view into my opinions and experience in the world of Insider Threat detection. This is the introductory segment, which gives an outline of what Insider Threat is, common behavior tropes, and a glimpse into the detection methods.

Insider threats can be defined as any agent within the environment, employed by or under contract with a company, exfiltrating, tampering with, or destroying assets and/or data. The vast majority of cyber security and audit products and techniques focus on keeping outside and unauthorized sources from accessing internal resources, but much less effort is dedicated to identifying the behavior patterns, motives, opportunities, and techniques that a trusted employee might use to commit the same catastrophic actions. There are three traditional ways to leave a company: quit, get fired, or die. We are going to focus on the first way, as it is the most common, unless you are the Pope, or a politician. Summarized below are the major sources and motivations of insiders, in my experience.
