Insider Threat Management
– 6 Unusual Data Behaviors
An insider threat strategy should include a way to easily and efficiently spot unusual data
behaviors that are actually risky and require response. Here are just six examples of anomalies
that your insider threat solution should be able to spot
OFF-HOURS ACTIVITY
Even since working from home
changed their schedule, Loki
never clocks in after 11 P.M.
Yesterday, they sent 30GB to a
thumb drive just after midnight.
Hey Loki, can we have
a chat?
OFF-HOURS ACTIVITY
Even since working from home
changed their schedule, Loki
never clocks in after 11 P.M.
Yesterday, they sent 30GB to a
thumb drive just after midnight.
Hey Loki, can we have
a chat?
FILE MIME TYPE
MISMATCH
Thanos just renamed a file
“Cute Cat Pix” and gave it
a .jpeg extension. Just one
problem: the actual content
of the file is source code, not
an image.
PERMISSIONS ALERT
Ultron just changed the permission on a Google Doc to “Anyone can edit.” And guess what — it’s your “top secret product roadmap.” Time to check in with Ultron.
SMART PEOPLE
PLAN THEIR EXIT
Hela just quit.
Anyone can watch whether
Hela downloads huge files in
the next two weeks.
But can you see what was
moved over the past
90 days?
PERMISSIONS ALERT
Ultron just changed the
permission on a Google Doc
to “Anyone can edit.”
And guess what — it’s your
“top secret product roadmap.”
Time to check in
with Ultron.
Unusual user activity might be inadvertent, but sometimes it’s malicious (and even innocent mistakes can cause data loss!).
A view of all behavior — whether it’s files, the vectors by that they move, or the people who move them — can surface that particular activity which represents real risk.
Account Takeover (ATO): A form of identity theft and fraud, the goal of an ATO attack is for a malicious third party to capture and exploit a user’s account credentials, enabling the attacker to pose as the victim for other operations.
Angler Phishing: Phishing through social media that includes direct messages and phony alert emails from social media sites.
Brand Impersonation: Pretending to send messages from a well-known brand to masquerade as a trusted source.
Business Email Compromise (BEC): Using legitimate email accounts from a business partner to fraudulently obtain money or data.
Credential Theft: Tricking the victim into providing their credentials to bad actors, sometimes using a website or link.
Filter: Shields used by software to funnel traffic, like spam email, into another location.
Lure: Also called bait or a hook, the lure is the email or message that “phishermen” use to attract the target’s attention.
Malware Attack: A piece of malicious code or software that infects systems to facilitate cybercrime like data encryption or theft. All ransomware is by nature malware, but there are other types of malware, like key loggers and payment skimmers, that can be delivered via phishing.
Phishing Attack: A cyberattack in which a cybercriminal sends a victim a message that is designed to lure them into taking an action that facilitates another kind of cyberattack against the victim, like getting someone to open an attachment that contains ransomware. Phishing can also defraud the victim out of valuable information like passwords.
Phishing Resistance: This is the amount of savvy that employees show when faced with phishing — a skillset that enables them to spot and stop dangerous messages.
Payload: The “bomb” that a phishing message carries that is typically some manner of malware or ransomware. Quarantine: A separate system location where dangerous messages are sent for review for a preset period of time, in order to prevent them from reaching most employees.
Ransomware: A subtype of malware, ransomware encrypts a victim’s data and systems, enabling cybercriminals to demand a ransom for the decryption key. Ransomware can also be used to steal data, shut down production lines, and take infrastructure offline. It is the preferred weapon of nation-state cybercriminals.
Spear-Phishing: Learning details about the target and then crafting an email that will entice them to interact with it. This is the most common form of phishing, often utilizing data about the victim gathered from the dark web. It’s also the primary delivery system for malware and ransomware.
Spoofing: Attacks that take a legitimate message, cloning it, and then using it to facilitate a phishing attack.
Whaling/CEO Fraud: A highly targeted, sophisticated attack aimed at a CEO or another senior executive in order to persuade them to perform an action, such as a wire transfer of funds.