Motivations – Fantastic Insiders and How to Find Them
Welcome back to Fun with Insider Threat. Continuing our look into Insider Threat, let's venture into the world of Flight Risk. Unlike other types of Insider Threat, Flight Risk candidates rarely have ill will towards the company they are leaving. Most often, the motive is to retrieve all the data they worked on or believe will be useful at their next job. All companies, to varying degrees, claim that any work product produced on company assets or during work hours is the sole property of the employer, but the average employee does not consider this when leaving. This seems especially prevalent in creative roles: a graphic designer, for example, is judged on the quality of their portfolio, and extracting examples of their art is pivotal to finding a new job or iterating on current work product.
Flight Risk candidates are also generally less technical than malicious insiders, as they just want their work product out of the environment and accessible after they leave the job. This makes them very noisy exfiltrators, often getting blocked repeatedly and modifying methods and variables to avoid the filters. This can start as a single email with multiple large attachments sent home, then get incrementally sneakier by changing the destination, subject line, file names, file size, or format. Often there will be a change in medium: from email, which is usually the first method as it is readily available, to USB storage device writes, to website or online mail uploads, ending with printing documents, which will not be blocked. This pattern varies in complexity and volume but generally ends in a physical security breach such as printing, copying work onto paper, or taking pictures with a cell phone. Occasionally this can escalate to Control Avoidance, which we will cover after the break.
Many companies either do not treat Flight Risk as a separate population from general DLP or hope that their blocking policies are sufficient. Both of these practices are bad, and they should feel bad. Flight Risk employees are not guaranteed to leave, or to break policy. A functioning program allows security analysts to confirm the accuracy of the alerts and kick off multiple work streams. Enhanced monitoring, including periodic screenshot capture as provided by companies such as SpectreSoft, gives an analyst the ability to monitor all computer usage and identify anomalous behavior in near real time. In addition, the management chain can be contacted to engage the employee through talent retention procedures, such as discussing why they are considering leaving and potential mitigation strategies. This is especially important with high-performing personnel or hard-to-replace roles, as the cost of hiring, especially in a specialized workforce, is usually higher than the cost of retention.
Detection Logic and Use Cases to Identify Flight Risk – An Insider’s Guide to the Galaxy
Job Searching: Do not go gentle into that good night.
- Job searching via proxy is the most obvious and noisy detection method, as most organizations have proxy categorization services such as Websense or BlueCoat, upon which alerts can be created when an employee has more than x page views, or y bytes out, to a job searching site within a time frame. This will identify that an employee accessed the site but gives no context into the nature of the traffic or why. Often, once this is established, the noisiest employees are recruiters or managers actively hiring. These people can be excluded by joining Active Directory data with the proxy logs and identifying recruiters by line of business, job title or management chain. Furthermore, for employees not expected to frequent job searching sites, additional context can be gained by looking for the terms “upload” or “apply” in the full URL path of requests within the Job Searching domain category.
- In companies where yearly compensation is heavily comprised of bonuses or profit sharing, it is reasonable to expect that a large portion of attrition will occur immediately following bonus season. This also applies to contractors and consultants just before the conclusion of their contract. Often the security department will not know the duration of contracts within the environment, so a good policy will look more stringently within 2 weeks of every 6-month increment after the official start date, if Active Directory stores that date. During these time periods one would expect a larger number of Flight Risk candidates to appear on the radar, and the confidence of a legitimate departure will increase.
- It is possible that employees have their life together enough that they constantly update their resume as their career changes and skill sets grow, but most people don’t. The strongest indicator for Flight Risk is an employee sending a resume with their name in the title to a personal email address or outside the company. This can be identified by looking for the employee’s last name in the email attachment filename along with the terms “resume” or “CV” and a .pdf or .doc(x) file extension. The vast majority of resume filenames follow some variant of this pattern, and the false positive rate is negligible.
- There are many HR lists; few are good to be on. That being said, if you know someone in HR or have a strong relationship between teams, they may be able to provide lists of people who will soon find themselves not at the company. This can come in the form of being fired, being laid off, or having just submitted a 2-week notice. Employees who are being fired are usually unaware of their upcoming opportunity to catch up on hobbies and television shows, thus it is unlikely they have already sent out company data. These employees should be monitored for behavior pattern changes which indicate they have caught wind of the axe swiftly approaching their head and/or neck. Blocking policies can also be tailored to these populations to block all outgoing email traffic to identified personal addresses (covered later), or enhanced monitoring of network and endpoint behaviors can be applied. Personnel who are to be laid off will often know they are on a list, either because their department is being made redundant or because they have seen other rounds of layoffs, and will thus be nervous. These people should also be reviewed for the previous couple of weeks once they appear on the list, as rumors will spread around an office and fear of the dark is palpable in a workforce that knows of upcoming layoffs. Two-week-notice employees should undergo both a retrospective review of traffic and enhanced monitoring until their end date.
- The goodbye email: if all other indicators do not pan out, this is often the last email employees send before closing the laptop and going to the bar. If these messages are found, a retrospective search should be conducted to identify any data they have already sent out. This message can be difficult to find, as the recipients will all be internal addresses, and people attempt to be humorous with their final salutation, leaving few consistent speech patterns between messages. If full email body capture is available, most include continued promises to keep in touch and contact information such as a phone number and personal email addresses.
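The proxy job-site rule and the resume-attachment rule from the bullets above, written out as one analyst-side check. This is an added example, not code from Adam's post: the record field names, the "Job Search" category label, the internal mail domain, the recruiter title strings and the log records are all constructed assumptions.

```python
import re

# Assumed mappings: recruiter/hiring titles excluded from the job-site rule, internal mail domain.
RECRUITING_TITLES = ("recruiter", "talent acquisition", "hiring manager")
INTERNAL_DOMAIN = "corp.example"
RESUME_RE = re.compile(r"resume|résumé|cv", re.I)
ATTACH_EXT_RE = re.compile(r"\.(pdf|docx?)$", re.I)
INTENT_RE = re.compile(r"/(apply|upload)\b", re.I)

def job_search_hits(user, proxy_events):
    """Job-site page views for this user plus URLs whose path shows intent (apply/upload).
    user is an Active Directory join: {"sam", "last_name", "title"} (assumed field names)."""
    if any(t in user["title"].lower() for t in RECRUITING_TITLES):
        return 0, []   # recruiters and hiring managers are expected noise
    mine = [e for e in proxy_events
            if e["user"] == user["sam"] and e["category"] == "Job Search"]
    return len(mine), [e["url"] for e in mine if INTENT_RE.search(e["url"])]

def resume_attachments(user, mail_events):
    """Attachments named '<surname> ... resume|cv ... .pdf/.doc(x)' sent to off-domain addresses."""
    hits = []
    for m in mail_events:
        if m["sender"] != user["sam"] or m["recipient"].lower().endswith("@" + INTERNAL_DOMAIN):
            continue
        fn = m["attachment"]
        if ATTACH_EXT_RE.search(fn) and RESUME_RE.search(fn) and user["last_name"].lower() in fn.lower():
            hits.append(fn)
    return hits

def flight_risk_indicators(user, proxy_events, mail_events, min_pages=5):
    """Indicator strings an analyst would see for one user; min_pages is the 'x page views' threshold."""
    pages, intent = job_search_hits(user, proxy_events)
    found = [f"{pages} job-site page views"] if pages >= min_pages else []
    found += [f"job-site intent: {u}" for u in intent]
    found += [f"resume sent externally: {fn}" for fn in resume_attachments(user, mail_events)]
    return found

# Constructed sample records (not real logs or people).
PROXY = [
    {"user": "jdoe", "category": "Job Search", "url": "https://jobs.example.net/listing/123"},
    {"user": "jdoe", "category": "Job Search", "url": "https://jobs.example.net/apply/123"},
    {"user": "rsmith", "category": "Job Search", "url": "https://jobs.example.net/upload"},
]
MAIL = [
    {"sender": "jdoe", "recipient": "jane.doe@personal.example", "attachment": "Doe_Resume_2019.pdf"},
    {"sender": "jdoe", "recipient": "boss@corp.example", "attachment": "Doe_Resume_2019.pdf"},
]
DESIGNER = {"sam": "jdoe", "last_name": "Doe", "title": "Graphic Designer"}
RECRUITER = {"sam": "rsmith", "last_name": "Smith", "title": "Technical Recruiter"}
```

The designer's two job-site views stay under the default page threshold, yet the "/apply" path and the resume sent to a personal address still surface, while the recruiter's "/upload" hit is suppressed by the title join.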
This article was yet again written by Adam Blake. Fedoras off to Adam for this one. Hope you enjoyed it, more to come. Thanks Adam.