Chain of Custody Part 2
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
1 hour 2 minutes
Hello. My name is David,
And welcome to you managing. And it
well, that way. Just finished up the chain of custody on. Talked about the importance of properly documenting the evidence that you seize. Gave you Cem rural examples the importance of that.
Um and it applies whether it is a legal case. Human resource. I'm case or,
uh, any other type of case where uses evidence from somebody Brady purpose, reason, but for your protection, their protection and
the company's protection. Now we're gonna talk about
insider threat detection in response. In the world today,
insider threat is riel, Uh, varies across the industry back through somewhat, um,
and it ranges widely. You get everything criminal Civil Thio.
You know, um, a word to use for, uh, annoyance issues. Um,
so insider threat actually covers a very wide range of individuals out. This'll I hear Isa Graphic from a recent report. Stanford University did a study 97% of the inside of the cases I usually involved in for you whose behavior
a supervisor had flag,
but the organization had failed to follow up on. As we move through this, you're going thio. See that there are indicators usual insider threats. 92% of insiders Their cases were preceded by a negative working. Then
that information could have been a promotion in it. Then just stay and internal Just you supervise your fellow employees,
for that matter. People were very vindictive in um
so you need to keep that in mind not just for dealing with from the incident response either house, but in your own personal, uh, 90% in this with 90% of I T employees indicated lost jobs. Hey would take since the company data with them. When they lack,
9%. What do you i ke employees have access to?
Oh, the views A's? Yes, almost everything in income. So when it comes to insider threat, it's not something that should be played were overlooked or treated as a non issue, which sometimes it iss To be perfectly honest, I wanna marry.
Now if you shot that King beauty in stores. Now, get a little example here on convenience store. There are a lot of security cameras, surveillance cameras, correct. Yeah. Uh, if you look
carefully a large proportion of those vacations cameras aren't watching customers.
They're watching the employees
something to keep in mind, knowing from back height of environment into cyber security environment. Um, I watched hammers on time because was these police officers on
more aware of that? And some people are. But if you go into places and start looking at cameras, you're gonna find majority of them or pointed it cash register in cat years,
and they are watching and documenting them to pre vent inside a threat. Now, when it comes to cyber World, I'm one of the things that I hear all the time. Who watches the watchers?
Yeah, the cyber security people in the eye. He people working with it in a company on the environment who watches them.
Good question. Isn't he Watches the system admits the network to watch is the exchange at who monitors them and they're reading,
uh, employees e mails without authorization. Who monitors is the the tier one sock analyst to see if they're downloading movies, uh, via their corporate network,
because it's a quicker connection and what they have at home.
Yeah, these are all questions that need to be addressed when it comes to insider threat. The the G A O analysis of the Department of Defense had a really good report to come out and lays down there at the bottom of this figure that I pulled out of that report.
There's tons of stuff out. Really, Um,
the D e a. D breaks it down and phases deter, prevent effective and action, which is a pretty good way to think of the inside of a threat On day. I even identify the insiders
military employees. Of course, the key civilian employees knew he has a ton of civilian employees that could be considered threats,
distracters and consultants. And on and on
now they, of course, expanded in today's day and age. Really, I do. Insider threats could be everything from an active shooter. Thio Espionage Thio. Unintentional actions that cause the loss of data Were a moss of network availability
very, very important to keep all those in mind when it comes to insider threats, they Brady down to do to her on prevent I give some good ideas, and hence on steps that you can take in order to
help identify and hope we stop insider
threats. Uh, it's a good source to draw from. I broke it out a little bit differently for us because we're not necessarily in the A D or military environment. We're in a a civilian environment, so we have to deal with being just a little bit differently.
But some of the same role
views air there. So you have your anything. Thank on knowing that it could be something as simple as unusual network activity from an employee.
And upon investigating it, you see that they're going to Pirated movie Web sites and download Pirated movies. Be the corporate. And yes, I know I used that word or
Heller's Been calling happens quite frequently in the civilian world. Down on Technical could be something as simple as social media posts, where they're complaining about the company, a very public manner showing that they are what's calling his frontal
uh, would be a great interview or zey. They're involved in a romantic relationship with another employee that go sat, look in there are villains, I and they are
implications that so that could be an indicator. Usually when there's indicators star occurring your past, the prevention stage. Now reinvention can cover a lot of things, everything from internal training, please to identify and react to internal threats
to monitoring employees. Activities. Both say email of network activity, making sure that you have good warning banners up warning the Empoli's that they are on the environment and that all their activities are subject to monitoring.
Then you have, of course, a dissection days, which could be human resource is legal.
Employees and supervisors could all become involved at that point, and then over time that their actions are going to a place where they're trying to steal data. It's gonna happen over a period of time. Now, at the bottom in the red,
you've got sort of the stages of it. Recruitment, tipping,
recruitment. If it's, say, corporate espionage were military espionage, somebody wants some secrets, whether it's corporate, where military or government doesn't matter, there's all sorts of things out there. Chocolate chip cookie recipe
could be something that somebody steals. I get a table top for an ice cream company
one time, and I asked them, You know, what was one of the threat threats that they had identified a paste in? It was that insider threat stealing their ice cream recipes that was huge to them, So don't ever look those kinds of things I tending on the business specter that you're working in
those kinds of worries and concerns are gonna change. So people in mind
then, if an insider is going bad, of course they're going to start doing searching, Recall across the network, collect that data and it finally removed the data from that book.
So how do we prevent it? House, Um, defensive controls, of course, policies, training access can flow, setting up control so that you can monitor large data transfers. For example,
we're, ah, knitting user actions. And then there's even working Cole's network system audits to do digital forensics on you have people monitor individual such V accounts for signs of a people or unhappiness, and on a big one
is the employee removal procedure.
If someone is going to be fired or, like go, then
there should be a policy procedure in place to make sure that their network access is removed where they actually do anything. The carrots. That's an overview of insider threat on investigating them in hand. You have any questions? Reach out to me and maybe 135 on cyber. See you there