Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
  • Datamodel: Authentication, Endpoint
  • Last Updated: 2022-05-19
  • Author: Jose Hernandez, Splunk
  • ID: c633df29-a950-4c4c-a0f8-02be6730797c

Narrative

Insider Threats are best defined by CISA: “Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization’s network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.” An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.

Detections

Name Technique Type
Gsuite Drive Share In External Email Exfiltration to Cloud Storage, Exfiltration Over Web Service Anomaly
Gsuite Outbound Email With Attachment To External Domain Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
High Frequency Copy Of Files In Network Share Transfer Data to Cloud Account Anomaly
Multiple Users Failing To Authenticate From Process Password Spraying, Brute Force Anomaly
Potential password in username Local Accounts, Credentials In Files Hunting
Windows Users Authenticate Using Explicit Credentials Password Spraying, Brute Force Anomaly

Reference

source | version: 1