Insider Threat

Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
• Datamodel: Authentication, Endpoint, Endpoint_Processes
• Last Updated: 2022-05-19
• Author: Jose Hernandez, Splunk
• ID: c633df29-a950-4c4c-a0f8-02be6730797c

Narrative

Insider Threats are best defined by CISA: “Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization’s network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.” An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.

Detections

Name	Technique	Type
Anomalous usage of Archive Tools	Archive via Utility, Archive Collected Data	Anomaly
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter	Anomaly
Detect RClone Command-Line Usage	Automated Exfiltration	TTP
Fsutil Zeroing File	Indicator Removal	TTP
Grant Permission Using Cacls Utility	File and Directory Permissions Modification	TTP
Gsuite Drive Share In External Email	Exfiltration to Cloud Storage, Exfiltration Over Web Service	Anomaly
Gsuite Outbound Email With Attachment To External Domain	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
Hiding Files And Directories With Attrib exe	Windows File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
High Frequency Copy Of Files In Network Share	Transfer Data to Cloud Account	Anomaly
Potential password in username	Local Accounts, Credentials In Files	Hunting
Sdelete Application Execution	Data Destruction, File Deletion, Indicator Removal	Anomaly
WevtUtil Usage To Clear Logs	Indicator Removal, Clear Windows Event Logs	TTP
Wevtutil Usage To Disable Logs	Indicator Removal, Clear Windows Event Logs	TTP
Windows Curl Upload to Remote Destination	Ingress Tool Transfer	TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials	Password Spraying, Brute Force	TTP
Windows Multiple Users Failed To Authenticate From Process	Password Spraying, Brute Force	TTP
Windows Remote Access Software Hunt	Remote Access Software	Hunting
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process	Password Spraying, Brute Force	Anomaly

Reference

• https://www.imperva.com/learn/application-security/insider-threats/
• https://www.cisa.gov/defining-insider-threats
• https://www.code42.com/glossary/types-of-insider-threats/
• https://github.com/Insider-Threat/Insider-Threat
• https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/

source | version: 1