Selecting insider threat use cases for your organization
Determining which insider threats your organization is most vulnerable to is a lengthy but crucial step in conducting this insider threat workshop with your team. Before you begin, make sure that you have a solid understanding of the workflows and teams in your security operations center. Select the appropriate stakeholders from those teams who can speak to short-term and long-term monitoring goals, pain points, and critical assets and users.
With the right people in the room, you can use the following frameworks to guide conversations to select the insider threat use cases that matter most to your organization. You do not have to use all of them. Review this article and determine which of the following will be most beneficial to your team.
- Insider threat monitoring generalization chart
- Matt Snyder's insider threat matrix
- The Insider Threat TTP Knowledge Base
- MITRE ATT&CK TTP Knowledge Base
- Daily user activity
- Splunk insider threat use case repositories
Also remember that you don't have to work on all your identified threats all at once. You can sort insider threats into priority order and go through the remaining steps in this workshop multiple times as needed.
This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.
Insider threat monitoring generalization chart
Generally speaking, insider threat activity falls into five major areas: access, network, communications, collection, and exfiltration. There are also a number of sensitive information types to label for monitoring purposes, and contextual risk factors that are important to account for. The chart below summarizes these areas of concern.
| Insider Threat Monitoring Artifact | Detail/Example |
|---|---|
| Threat Category - Access | |
| Threat Category - Network | |
| Threat Category - Communications | |
| Threat Category - Collection | |
| Threat Category - Exfiltration | |
| Sensitive Information Types | |
| Contextual Risk Factors | |
Matt Snyder's insider threat matrix
Insider threats are not singular events. Like external threat actors, insiders follow a similar attack chain, so you will need to build an insider threat matrix that is personalized for your business. A great example is the one proposed by Matt Snyder, Program Lead of Advanced Security Analytics at VMware. During his .conf2021 talk titled "Proactive Risk Based Alerting for Insider Threats", he shared a Git repository containing the insider threat matrix he developed. This interactive resource can be used to walk your team through what is most important to your business and to document it in the context of building an insider threat program.
The Insider Threat TTP Knowledge Base
The Insider Threat TTP Knowledge Base is not part of Enterprise ATT&CK, but it represents a collection of insider threat actions that have been observed in enterprise networks and aligns this evidence to existing Enterprise ATT&CK TTPs.
The goal for insider threat monitoring is to establish a baseline for what is normal so that unusual activity is easier to identify. Whether it is out-of-the-box content or custom detections, insider threats will fall under one of these seven indicator types:
- User activity changes. Coworkers, managers, and partners might be in the best position to know if someone has become a risk to the organization. For example, a risky insider who is motivated to cause a data security incident might have sudden observable attitude changes as an unusual sign.
- A sequence of related risky activities. A single user action, such as downloading confidential data, might not be a potential risk on its own, but a series of actions could indicate potential data security risks. For example, suppose a user renamed confidential files to appear less sensitive, downloaded them from cloud storage, saved them on a portable device, and deleted them from cloud storage. In this case, it could suggest that the user was potentially trying to exfiltrate sensitive data while evading detection.
- Abnormal system access. Potential insider risks might start with users accessing resources that they don’t usually need for their job. For example, users who normally only access marketing-related systems suddenly start accessing finance systems multiple times a day.
- Privilege escalation. Organizations usually protect and govern valuable resources by assigning privileged access and roles to limited personnel. If an employee tries to escalate their privileges without a clear business justification, it could be a sign of potential insider risk.
- Anomalous data exfiltration. Employees often access and share confidential data at work. However, when a user suddenly shares or downloads an unusual volume of sensitive data compared to their past activities or peers in a similar role, it could indicate a potential data security incident.
- Departing employee data exfiltration. Data exfiltration often rises alongside resignations and can be either intentional or unintentional. An unintentional incident might look like a departing employee inadvertently copying sensitive data to keep a record of their accomplishments in their role, while a malicious incident could look like knowingly downloading sensitive data for personal gain or to assist them in their next position. When resignation events coincide with other unusual activities, it might indicate a data security incident.
- Intimidation and harassment. One of the early signs of insider risks could be a user expressing threatening, harassing, or discriminatory communication. It not only causes harm to a company’s culture, but could also lead to other potential incidents.
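A risk-based view ties these indicators together: a single action such as one download scores low on its own, while the rename, download, copy and delete sequence described above accumulates across several rules and tactics. The following SPL is an added example, not code from the original page or from the Splunk content it cites. It reads the Splunk Enterprise Security risk index over the last 24 hours and surfaces users whose risk events span multiple distinct rules and ATT&CK tactics; it assumes the risk index fields `risk_object`, `risk_object_type`, `risk_score`, `source` and `annotations.mitre_attack.mitre_tactic`, and the thresholds are placeholders to tune for your environment.

```spl
index=risk earliest=-24h@h latest=now
| where risk_object_type="user"
| stats sum(risk_score) AS total_risk
        dc(source) AS distinct_rules
        dc(annotations.mitre_attack.mitre_tactic) AS distinct_tactics
        values(source) AS rules_fired
        values(annotations.mitre_attack.mitre_tactic) AS tactics_seen
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY risk_object
| where total_risk >= 100 AND distinct_rules >= 3 AND distinct_tactics >= 2
| eval dwell_hours=round((last_seen-first_seen)/3600, 1)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - total_risk
| table risk_object total_risk distinct_rules distinct_tactics dwell_hours
        first_seen last_seen rules_fired tactics_seen
```

Requiring both several distinct rules and more than one tactic is what keeps a single noisy rule from paging an analyst while still surfacing a user whose day looks like a chain of related risky activities.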
MITRE ATT&CK TTP Knowledge Base
Splunk Enterprise Security (ES) comes with a threat intelligence feed that maps all of the MITRE ATT&CK IDs to the information contained in the MITRE database. These IDs are also used as annotations in all Splunk out-of-the-box content from Splunk Enterprise Security, Splunk Security Essentials, and ES Content Update analytical stories. It is best practice to include these annotation references in any custom use case content that you discuss and develop. This annotation information must be populated into the risk rule definition; without it, the rule will not operate properly within the ES Risk Analysis framework. This annotation drives the inclusion of a lot of additional enrichment data in an alert when it fires. It also drives a number of useful ES workflow actions and investigative dashboards.
Daily user activity
Daily aggregated risk scores can be used to detect insider threat activities/anomalies. These scores can be assigned after the daily calculations are performed, using summary indexes or lookup tables. Baseline user activity examples are provided in the following table.
| At-Risk Activity | Daily Calculated Values | Splunk Query Example |
|---|---|---|
| Data upload | Egress Bytes [SUM]; Egress Packets [COUNT]; URL string [LENGTH]; DNS query [LENGTH]; DNS query [COUNT]; User agent string [LENGTH]; User agent string [COUNT]; Egress IPs [COUNT]; URL domain [COUNT]; Protocols used [COUNT] | Egress Bytes [SUM]; DNS query [LENGTH] |
| Removable media | Unique serial numbers [COUNT]; Unique systems accessed with Removable Media [COUNT]; Bytes transferred [SUM]; Files transferred [SUM] | Unique systems accessed with Removable Media [COUNT] |
| | Number of printers utilized [COUNT]; Number of print jobs [COUNT]; Number of pages printed [SUM] | Number of pages printed [SUM] |
| Data consolidation | Number of systems accessed [COUNT]; Unique user agent string [COUNT]; Bytes downloaded, for all systems [SUM]; Bytes downloaded, per system accessed [SUM]; Packets downloaded [COUNT]; Document access, total [COUNT]; Document access, by classification [COUNT] | Number of systems accessed [COUNT] |
| User actions | Login Match, Mismatch [COUNT]; Login Location [COUNT]; User Position Change [COUNT]; Two-factor token use [COUNT]; Badge scan, Total [COUNT]; Badge scan, Per scan location [COUNT] | VPN Login Location [COUNT] |
| File share | Number of shares accessed [COUNT]; Unique user agent string [COUNT]; Bytes downloaded, for all shares [SUM]; Bytes downloaded, per share accessed [SUM]; Packets downloaded [COUNT]; Document access, total [COUNT]; Document access, by classification [COUNT] | Document access, total [COUNT] |
(Table Reference: SANS White Paper, Balaji Balakrishnan, “Insider Threat Mitigation Guidance”)
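The following scheduled SPL search is an added example, not from the original page or the SANS paper referenced above. It computes several of the Data upload row's daily values per user, baselines each day against that user's previous 30 active days, converts the deviation into a daily risk score, and writes the result to a summary index for later aggregation. It assumes CIM Web data model field names (`user`, `url`, `url_domain`, `dest`, `bytes_out`) in an index named `proxy`, a pre-created summary index named `summary_insider_daily`, and a daily schedule that runs shortly after midnight.

```spl
index=proxy earliest=-31d@d latest=@d
| eval url_len=len(url)
| bin _time span=1d
| stats sum(bytes_out) AS egress_bytes_sum
        count AS egress_requests_count
        max(url_len) AS url_len_max
        dc(dest) AS egress_dest_count
        dc(url_domain) AS url_domain_count
        BY user _time
| sort 0 user _time
| streamstats window=30 current=f
        avg(egress_bytes_sum) AS egress_bytes_avg
        stdev(egress_bytes_sum) AS egress_bytes_stdev
        avg(url_domain_count) AS url_domain_avg
        stdev(url_domain_count) AS url_domain_stdev
        BY user
| where _time=relative_time(now(), "-1d@d")
| eval egress_bytes_z=if(egress_bytes_stdev>0,
        round((egress_bytes_sum-egress_bytes_avg)/egress_bytes_stdev, 2), 0)
| eval url_domain_z=if(url_domain_stdev>0,
        round((url_domain_count-url_domain_avg)/url_domain_stdev, 2), 0)
| eval daily_risk_score=case(
        egress_bytes_z>=3 OR url_domain_z>=3, 40,
        egress_bytes_z>=2 OR url_domain_z>=2, 15,
        true(), 0)
| eval day=strftime(_time, "%Y-%m-%d")
| table day user egress_bytes_sum egress_bytes_z egress_requests_count
        url_len_max egress_dest_count url_domain_count url_domain_z daily_risk_score
| collect index=summary_insider_daily marker="source=insider_daily_user_activity"
```

Because `streamstats` with `current=f` only looks at earlier rows, yesterday's value is never compared against itself, and a user with fewer than two prior active days gets a z-score of 0 rather than a division error.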
Splunk insider threat use case repositories
ES Use Case Library (ESCU)
There are a handful of insider threat related use cases in the ESCU app worth reviewing for this workshop. To find them, log onto your ES Search Head (or SHC) and browse to Configure > Content > Use Case Library. In the library, filter on the left panel to Abuse Use cases, and review those analytical stories with your team.
Splunk Security Essentials App (SSE)
In the SSE app, on the MITRE ATT&CK-Driven Content Recommendation page, choose the category Insider Threat, and start with the other filters set to all content. You can change these later to drill down on fewer use cases if the initial list is too large to review.
Many of the insider threat use cases in the SSE app require Splunk User Behavior Analytics (UBA). This workshop isn’t scoped to prepare for a UBA implementation. That doesn’t mean that conversations can’t be had about UBA, but the use case discussion shouldn't focus on what can be deployed in ES via UBA risk rules.
Splunk Security Content Github
Another good resource for insider threat use cases is the Splunk Security Content GitHub repository. It contains an up-to-date coverage map for all the content tagged with MITRE techniques, and it collects all Splunk security content and helpful configurations in one place.