Splunk Lantern

Selecting insider threat use cases for your organization

Determining which insider threats your organization is most vulnerable to is a lengthy but crucial step in conducting this insider threat workshop with your team. Before you begin, make sure that you have a solid understanding of the workflows and teams in your security operations center. Select the appropriate stakeholders from those teams who can speak to short-term and long-term monitoring goals, pain points, and critical assets and users.

With the right people in the room, you can use the following frameworks to guide conversations to select the insider threat use cases that matter most to your organization. You do not have to use all of them. Review this article and determine which of the following will be most beneficial to your team.

Also remember that you don't have to work on all your identified threats all at once. You can sort insider threats into priority order and go through the remaining steps in this workshop multiple times as needed.

This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.

Insider threat monitoring generalization chart

Generally speaking, insider threat activity falls into five major areas: access, network, communications, collection, and exfiltration. There are also a number of sensitive information types to label for monitoring purposes, and contextual risk factors that are important to account for. The chart below summarizes these areas of concern.

Insider Threat Monitoring Artifact | Detail/Example
Threat Category - Access
  • Failed log-in attempts
  • Unusual or anomalous working hours
  • Deviation from access level, access requests to new resources (physical or virtual)
  • Failed physical access attempts (especially to sensitive areas)
  • Misappropriations in activity around finances (Concur, etc.)
Threat Category - Network
  • Deviations from baseline upload/download per port week over week
  • Network activity outside employee’s normal scope of work
  • Unusual VPN activity
  • Malware alerts
  • Attempts to access restricted sites
  • Regular activity to job sites (LinkedIn, Glassdoor, etc.)
  • Usage of suspicious services (non-corporate VPN, TOR, etc.)
  • Unauthorized execution of offensive tools / malware
  • Installation of new software
  • Attempts to modify/erase logs
  • Attempts to bypass security controls
  • DNS queries to dark web
  • Multiple user accounts logging in from the same device
  • User account logging in from new devices
Threat Category - Communications
  • Outgoing emails (can increase for competitors, outside country, etc.)
  • Keyword alerts (email, IM, etc.) or linguistic analysis on communications
  • Excessive overseas calls
  • Forwarding internal communications to third parties
Threat Category - Collection
  • Archive creation (ZIP, TAR, TGZ, RAR, etc.)
  • Plugging in new devices
  • PST (Outlook mail archive) creation / moves
  • Data loss prevention (DLP) alerts
  • Connecting to network shares for first time
  • Downloading files from new file sharing locations
  • Sensitive file access
  • Large data transfer or large number of files sent to a local disk or external drive or file sharing site
Threat Category - Exfiltration
  • Deviations from baseline upload/download per port week over week
  • Outbound emails with archive files
  • Outbound emails to personal email addresses
  • Printing log deviations
  • Data loss prevention (DLP) alerts
  • Large data transfer or large number of files sent to a local disk or external drive or file sharing site
Sensitive Information Types
  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Financial information
  • Competitive intelligence
  • Customer information
  • Intellectual property
  • Research and development
  • Sensitive information
Contextual Risk Factors
  • Privileged access roles
  • Notice of termination or resignation
  • Noncompliance with training requirements
  • Organizational policy violation reports
  • Declining performance ratings
  • Demotion or passed over for promotion
  • Disparaging or irresponsible social media habits
  • Corporate ethics violation reports
  • Significant financial stress

Matt Snyder's insider threat matrix

Insider threats are not singular events. Like external threat actors, they follow a similar attack chain. You will need to build an insider threat matrix that is personalized for your business. A great example of this is the one proposed by Matt Snyder, Program Lead of Advanced Security Analytics at VMware. During his .conf2021 talk titled "Proactive Risk Based Alerting for Insider Threats", he shared a Git repository of the insider threat matrix he developed. This is an interactive resource that you can use to walk your team through what is most important to your business and get it documented in the context of building an insider threat program.

The Insider Threat TTP Knowledge Base

The Insider Threat TTP Knowledge Base is not part of Enterprise ATT&CK. It is a collection of insider threat actions that have been observed in enterprise networks, with each action aligned to the existing Enterprise ATT&CK TTPs it corresponds to.

The goal of insider threat monitoring is to establish a baseline for what is normal so that it is easier to identify unusual activity. Whether you use out-of-the-box content or custom detections, insider threats will fall under one of these seven indicator types:

  • User activity changes. Coworkers, managers, and partners might be in the best position to know if someone has become a risk to the organization. For example, a risky insider who is motivated to cause a data security incident might have sudden observable attitude changes as an unusual sign.
  • A sequence of related risky activities. A single user action, such as downloading confidential data, might not be a potential risk on its own, but a series of actions could indicate potential data security risks. For example, suppose a user renamed confidential files to appear less sensitive, downloaded them from cloud storage, saved them on a portable device, and deleted them from cloud storage. In this case, it could suggest that the user was potentially trying to exfiltrate sensitive data while evading detection.
  • Abnormal system access. Potential insider risks might start with users accessing resources that they don’t usually need for their job. For example, users who normally only access marketing-related systems suddenly start accessing finance systems multiple times a day.
  • Privilege escalation. Organizations usually protect and govern valuable resources by assigning privileged access and roles to limited personnel. If an employee tries to escalate their privileges without a clear business justification, it could be a sign of potential insider risk.
  • Anomalous data exfiltration. Employees often access and share confidential data at work. However, when a user suddenly shares or downloads an unusual volume of sensitive data compared to their past activities or peers in a similar role, it could indicate a potential data security incident.
  • Departing employee data exfiltration. Data exfiltration often rises alongside resignations and can be either intentional or unintentional. An unintentional incident might look like a departing employee inadvertently copying sensitive data to keep a record of their accomplishments in their role, while a malicious incident could look like knowingly downloading sensitive data for personal gain or to assist them in their next position. When resignation events coincide with other unusual activities, it might indicate a data security incident.
  • Intimidation and harassment. One of the early signs of insider risks could be a user expressing threatening, harassing, or discriminatory communication. It not only causes harm to a company’s culture, but could also lead to other potential incidents.

MITRE ATT&CK TTP Knowledge Base

Splunk Enterprise Security (ES) comes with a threat intelligence feed that maps all of the MITRE ATT&CK IDs to the information contained in the MITRE database. These IDs are also used as annotations in all Splunk out-of-the-box content from Splunk Enterprise Security, Splunk Security Essentials, and ES Content Update analytical stories. It is best practice to include these annotation references in any custom use case content that you discuss and develop. This annotation information must be populated into the risk rule definition; without it, the rule will not operate properly within the ES Risk Analysis framework. This annotation drives the inclusion of a lot of additional enrichment data in an alert when it fires. It also drives a number of useful ES workflow actions and investigative dashboards.

Daily user activity

Daily aggregated risk scores can be used to detect insider threat activities and anomalies. These scores can be assigned after the daily calculations are performed, using summary indexes or lookup tables to hold the calculated values. Baseline user activity examples are provided in the following table.

At-Risk Activity | Daily Calculated Values | Splunk Query Example

Data upload
  Daily calculated values:
  • Egress Bytes [SUM]
  • Egress Packets [COUNT]
  • URL string [LENGTH]
  • DNS query [LENGTH]
  • DNS query [COUNT]
  • User agent string [LENGTH]
  • User agent string [COUNT]
  • Egress IPs [COUNT]
  • URL domain [COUNT]
  • Protocols used [COUNT]
  Query examples:
  Egress Bytes [SUM]
    sourcetype=firewall
    | stats sum(bytes) BY clientip
  URL string [LENGTH]
    sourcetype=proxy
    | eval Length=len(url)
    | stats count(clientip) BY Length
  DNS query [LENGTH]
    sourcetype=dns
    | eval Length=len(query)
    | stats count(clientip) BY Length

Removable media
  Daily calculated values:
  • Unique serial numbers [COUNT]
  • Unique systems accessed with removable media [COUNT]
  • Bytes transferred [SUM]
  • Files transferred [SUM]
  Query example:
  Unique systems accessed with Removable Media [COUNT]
    sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" registry_type=CreateKey
    | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")
    | rex "(?i)key_path.*usbstor\S(?<DeviceType>.*?)&ven\S(?<Vendor>.*?)&prod\S(?<Product>\S*?)&rev\S"
    | stats count BY Date, host, Vendor, Product, DeviceType

Print
  Daily calculated values:
  • Number of printers utilized [COUNT]
  • Number of print jobs [COUNT]
  • Number of pages printed [SUM]
  Query example:
  Number of pages printed [SUM]
    sourcetype=WinPrintMon type=PrintJob operation=add
    | stats sum(page_printed) BY user

Data consolidation
  Daily calculated values:
  • Number of systems accessed [COUNT]
  • Unique user agent string [COUNT]
  • Bytes downloaded, for all systems [SUM]
  • Bytes downloaded, per system accessed [SUM]
  • Packets downloaded [COUNT]
  • Document access, total [COUNT]
  • Document access, by classification [COUNT]
  Query example:
  Number of systems accessed [COUNT]
    sourcetype="WinEventLog:Security" EventCode=4769
    | bin _time span=1d
    | stats dc(ServiceName) BY _time, user
    | rename dc(ServiceName) AS count
    | collect index=userstats

User actions
  Daily calculated values:
  • Login Match, Mismatch [COUNT]
  • Login Location [COUNT]
  • User Position Change [COUNT]
  • Two-factor token use [COUNT]
  • Badge scan, Total [COUNT]
  • Badge scan, Per scan location [COUNT]
  Query example:
  VPN Login Location [COUNT]
    sourcetype=vpn
    | transaction user
    | table type, _time, user, country
    | collect index=userstats

File share
  Daily calculated values:
  • Number of shares accessed [COUNT]
  • Unique user agent string [COUNT]
  • Bytes downloaded, for all shares [SUM]
  • Bytes downloaded, per share accessed [SUM]
  • Packets downloaded [COUNT]
  • Document access, total [COUNT]
  • Document access, by classification [COUNT]
  Query example:
  Document access, total [COUNT]
    sourcetype="WinEventLog:Security" (EventID=560 OR EventID=4656) Object_Type=File
    | eval Date=strftime(_time, "%Y/%m/%d")
    | eval UserName=coalesce(Primary_User_Name, Client_User_Name)
    | search UserName!="*$" AND UserName!="NETWORK SERVICE"
    | stats count BY Date, Image_File_Name, UserName, Type, host

(Table Reference: SANS White Paper, Balaji Balakrishnan, “Insider Threat Mitigation Guidance”)
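The following savedsearches.conf stanza is an added example, not content from this page, from ESCU, or from the SANS paper. It ties the two preceding sections together: an ES risk rule that reads the per-user daily counts written to the userstats summary index by the table's collect searches, compares each user's latest day against their own 30-day baseline, and carries the MITRE ATT&CK annotation the Risk Analysis framework requires. The stanza name, the 3-standard-deviation and minimum-count thresholds, the risk score of 40, the T1078 mapping, and the summary-index field names user and count are assumptions.

```ini
# Added example: not Splunk Lantern, ESCU or SANS content. The stanza name,
# thresholds, risk score, T1078 mapping and the summary-index field names
# (user, count) are assumptions chosen for illustration.
[Insider Threat - Daily Activity Deviation From Baseline - Rule]
# Run once a day, after the summary-indexing searches have written yesterday's counts
cron_schedule = 30 1 * * *
enableSched = 1
dispatch.earliest_time = -31d@d
dispatch.latest_time = @d
# Register the saved search as an ES correlation search
action.correlationsearch.enabled = 1
action.correlationsearch.label = Insider Threat - Daily Activity Deviation From Baseline
# MITRE ATT&CK and kill chain annotations: required for the Risk Analysis
# framework, and they drive alert enrichment, workflow actions and dashboards
action.correlationsearch.annotations = {"mitre_attack": ["T1078"], "kill_chain_phases": ["Actions on Objectives"]}
# Risk adapter: add risk to the user object instead of raising a notable per hit
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}]
action.risk.param._risk_message = $user$: daily count $latest_count$ is $z_score$ standard deviations above the 30-day baseline ($baseline_avg$)
action.risk.param.verbose = 0
# Read the per-user daily counts written by the "collect index=userstats" searches,
# keep only summary events that carry a count field, and split the window into a
# 30-day baseline and the most recent day. A user needs at least 7 baseline days,
# and the latest day must be both 3 standard deviations above their mean and
# at least 10, so a user with a near-zero baseline does not score on a count of 2.
search = index=userstats count=* \
  | eval day=strftime(_time, "%Y-%m-%d") \
  | eval period=if(_time >= relative_time(now(), "-1d@d"), "latest", "baseline") \
  | stats avg(eval(if(period="baseline", count, null()))) AS baseline_avg \
          stdev(eval(if(period="baseline", count, null()))) AS baseline_stdev \
          dc(eval(if(period="baseline", day, null()))) AS baseline_days \
          max(eval(if(period="latest", count, null()))) AS latest_count BY user \
  | where baseline_days >= 7 AND isnotnull(latest_count) \
  | eval z_score=if(baseline_stdev > 0, round((latest_count - baseline_avg) / baseline_stdev, 2), 0) \
  | eval baseline_avg=round(baseline_avg, 1), baseline_stdev=round(baseline_stdev, 1) \
  | where z_score >= 3 AND latest_count >= 10 \
  | table user, latest_count, baseline_avg, baseline_stdev, z_score
```

Because the rule emits risk events rather than notables, its score accumulates with other risk rules on the same user, which is how the daily aggregated scores described above are built up in ES.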

Splunk insider threat use case repositories

ES Use Case Library (ESCU)

There are a handful of insider threat related use cases in the ESCU app worth reviewing for this workshop. To find them, log onto your ES search head (or search head cluster) and browse to Configure > Content > Use Case Library. In the library, filter the left panel to Abuse use cases, and review those analytical stories with your team.

Splunk Security Essentials App (SSE)

In the SSE app, on the MITRE ATT&CK-Driven Content Recommendation page, choose the category Insider Threat, and start with the other filters set to all content. You can change these later to drill down on fewer use cases if the initial list is too large to review.

Many of the insider threat use cases in the SSE app require Splunk User Behavior Analytics (UBA). This workshop isn’t scoped to prepare for a UBA implementation. That doesn’t mean that conversations can’t be had about UBA, but the use case discussion shouldn't focus on what can be deployed in ES via UBA risk rules.

Splunk Security Content Github

Another good resource for insider threat use cases is the Splunk Security Content GitHub repository. It contains an up-to-date coverage map for all the content tagged with MITRE techniques, and it gathers all Splunk security content and helpful configurations in one place.