Using Digital Forensics to Investigate Insider Threats in the Remote Workforce
By Maria Rogers, ERMProtect, Senior Information Security Manager
With remote work rising due to the COVID-19 pandemic, the focus of cybersecurity enforcement has understandably shifted toward securing the work environment against external threat actors who take advantage of the weaknesses inherent in home networks.
Remote work is dangerous for companies and attractive to attackers because organizations do not have full control of the infrastructure when employees work from home. Naturally, organizations are trying to come up with ways to protect against outsider threats, who now have a new set of weak points to exploit.
But we can never forget about insider threats to organizations. After all, as the saying goes, humans are the weakest link in cybersecurity. And whether intentionally or accidentally, insiders can wreak havoc on organizations because they are already authorized to access proprietary information including information about security practices, data, and systems.
There are two types of insiders to worry about:
- Non-Malicious Insiders: employees and contractors who expose information through negligence, as the result of one or more errors. They do not intend to cause a breach and are not trying to expose confidential data deliberately.
- Malicious Insiders: insiders who compromise information deliberately. This could be one individual, such as a disgruntled employee, or a group of individuals who collude to sabotage the organization. They exploit their access to information for some type of gain, monetary or otherwise.
Investigating Insider Data Breaches
From a digital forensics standpoint, one of the most important questions to answer is: how does an organization detect both malicious and non-malicious insider breaches among remote employees?
For starters, audit logs must always be enabled and properly configured. Logs ensure that organizations can collect information for an investigation when a data breach occurs. This means enabling security audit configurations for all critical applications, systems, and network devices and ensuring that you have at least three months of logs immediately available and at least one year stored.
You should also ensure that the logs provide meaningful information - a time stamp, actions performed, affected systems or applications and user information. All actions performed by privileged users, especially, must be logged as they have the keys to the kingdom in many instances.
Now that logs are in place, organizations must monitor them and implement solutions that correlate logs across critical systems. A Security Information and Event Management (SIEM) platform aggregates log data from IT resources across the organization's infrastructure and analyzes it in near real time, which both supports behavioral analysis and increases visibility.
Search for Anomalies
Organizations must also define detection rules and baselines, in line with the nature of the business, that flag anomalous activities indicative of insider threats. Common warning signs include insiders downloading excessive data, logging in outside of work hours, copying information to external media such as a USB stick or hard drive (detectable if a Data Loss Prevention application or another tool that records such events is in place), or sending emails to parties not associated with their job function. Other indications are turning off security tools such as antivirus and encryption, or not following security awareness best practices.
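The warning signs listed above translate directly into detection rules that can run over normalized log events before they ever reach a SIEM dashboard. The following is an added example, not code from the article or from ERMProtect: the event schema, the business-hours window, the 1 GB daily download threshold and the internal mail domain are all assumptions, and the log events are constructed. The "email to parties not associated with job function" sign is approximated here as mail sent to a non-internal domain, which is the simplest form of that check.

```python
"""Rule-based insider-threat detection run over constructed log events.

Added example; not code from the article or from ERMProtect. The event
schema, thresholds, and work-hour window are assumptions to adapt to
your own SIEM's field names.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events (not real logs): one dict per normalized log line.
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T09:15:00", "user": "alice", "action": "login"},
    {"ts": "2021-03-02T10:00:00", "user": "alice", "action": "download",
     "bytes": 5_000_000, "object": "share/q1-plan.xlsx"},
    {"ts": "2021-03-02T23:40:00", "user": "bob", "action": "login"},
    {"ts": "2021-03-02T23:45:00", "user": "bob", "action": "download",
     "bytes": 900_000_000, "object": "share/customer-db.zip"},
    {"ts": "2021-03-02T23:50:00", "user": "bob", "action": "download",
     "bytes": 700_000_000, "object": "share/contracts.zip"},
    {"ts": "2021-03-02T23:55:00", "user": "bob", "action": "usb_copy",
     "object": "customer-db.zip", "device": "removable-disk-1"},
    {"ts": "2021-03-03T00:05:00", "user": "bob", "action": "email_send",
     "recipient": "bob.personal@mail.example"},
    {"ts": "2021-03-03T08:30:00", "user": "carol", "action": "av_disabled",
     "host": "LAPTOP-17"},
]

# Assumed policy parameters.
WORK_START, WORK_END = time(7, 0), time(19, 0)   # local business hours
DOWNLOAD_LIMIT_BYTES = 1_000_000_000             # 1 GB per user per calendar day
INTERNAL_DOMAINS = {"corp.example"}              # mail domains considered internal


def detect(events):
    """Return a list of alert dicts for events that match an insider-threat rule.

    Download volume is summed per user per day and alerted once when the
    running total first crosses DOWNLOAD_LIMIT_BYTES, so a burst of large
    pulls produces one alert instead of one per file.
    """
    alerts = []
    daily_bytes = defaultdict(int)

    def alert(rule, e, detail):
        alerts.append({"rule": rule, "user": e["user"], "ts": e["ts"], "detail": detail})

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        action = e["action"]

        if action == "login" and not (WORK_START <= ts.time() <= WORK_END):
            alert("after_hours_login", e, f"login at {ts.time()}")

        elif action == "download":
            key = (e["user"], ts.date())
            before = daily_bytes[key]
            daily_bytes[key] = after = before + e["bytes"]
            if before < DOWNLOAD_LIMIT_BYTES <= after:
                alert("excessive_download", e, f"{after} bytes on {ts.date()}")

        elif action == "usb_copy":
            alert("removable_media_copy", e, f"{e['object']} -> {e['device']}")

        elif action == "email_send":
            domain = e["recipient"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                alert("external_email", e, f"recipient domain {domain}")

        elif action == "av_disabled":
            alert("security_tool_disabled", e, f"antivirus disabled on {e['host']}")

    return alerts


def rules_by_user(alerts):
    """Map each user to the sorted list of rule names they triggered."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["user"]].add(a["rule"])
    return {user: sorted(rules) for user, rules in grouped.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']:6} {a['rule']:22} {a['detail']}")
```

On the constructed events, alice triggers nothing, carol triggers only the disabled-antivirus rule, and bob trips four rules in one night; it is the clustering of several weak signals on one account, rather than any single rule, that should open an investigation.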
Once a data breach has been detected, the next step is to piece together the whole story. This is where hiring an experienced cybersecurity solutions firm such as ERMProtect can help. Cybersecurity firms employ certified professionals who acquire and access evidence in a manner that is legally compliant and admissible in a court of law. They are also independent, and working alongside counsel, can provide management with forensically sound and unbiased findings that guide the go-forward incident response strategy, including disclosures related to the exposure of regulated information.
Deploy Digital Forensics
This is the stage where digital forensics comes into play. First, investigators must define what evidence is relevant to review, based on the incident that occurred. For example, if a Security Administrator receives an email alert that an employee is exfiltrating sensitive data, the relevant evidence to acquire would be a forensically sound image of the employee's mailbox, the email logs, and the employee's computer.
With so many employees now working remotely, your IT Security staff or Digital Forensics consultant will need to consider how to acquire evidence from suspected insiders, who have all their company-owned devices at home, without prompting them to delete information that could tie them to an incident. The appropriate staff should image any logs and data they can reach remotely as soon as suspicious activity launches the forensic investigation. For instance, if a cloud-based email solution is in place, administrators can export mailboxes remotely. It is critical to assess what acquisitions can be performed remotely, so that evidence is secured against tampering by the suspected insider before they are asked to return their devices through secure post.
Additionally, organizations should have stringent policies in place outlining the consequences for violating acceptable-use policies; these can be cited to persuade individuals to return equipment. Having a way to lock insiders out of systems remotely is also essential, to prevent them from deleting data before sending back the computer. Throughout the acquisition process, everything must be documented on chain of custody forms.
Managing the Forensic Examination
After digital forensic investigators have acquired the evidence and copied and stored it in accordance with forensic best practice guidelines, it is time to examine it. There are many forensic tools, both closed and open source, that can be used to parse information, to retrieve files, and perform key word searches.
After analyzing the evidence and drawing conclusions, investigators must document the investigation in writing to ensure that an adequate record of the events is kept. Remember that this evidence might have to be presented in a court of law, so it is critical to keep a detailed account of the forensic process and of the steps taken to reach each conclusion, from start to finish. A summary of the steps to take is as follows:
- Assess scope of evidence.
- Consider how the insider might respond to a request for their devices, and take appropriate steps to secure the evidence first.
- Acquire evidence in a forensically sound fashion and document everything in chain of custody forms.
- Assess evidence.
- Draw conclusions based on evidence assessment.
- Create a report.
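The two steps above that a court will scrutinize hardest are acquiring the evidence in a forensically sound fashion and keeping the chain of custody. The following is an added example, not code from the article or from ERMProtect, of the integrity half of that: hash the image at acquisition, record every handling event with the hash at that moment, and re-hash before examination so that any alteration after acquisition is visible in the record. The custody-record fields, the case and evidence identifiers, the handler names, and the on-disk "image" (a constructed file, not a real disk image) are all assumptions.

```python
"""Evidence-integrity check and chain-of-custody record for an acquired image.

Added example, not code from the article or from ERMProtect. The record
format, identifiers and handler names are assumptions; the 'image' is a
constructed file standing in for a real disk or mailbox image.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only custody record: who did what to the evidence, and its hash at that time."""

    def __init__(self, case_id, evidence_id):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, handler, action, path, note=""):
        entry = {
            "case_id": self.case_id,
            "evidence_id": self.evidence_id,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": sha256_file(path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self):
        """The hash taken at acquisition is the baseline every later check compares against."""
        return self.entries[0]["sha256"] if self.entries else None

    def verify(self, handler, path):
        """Re-hash before examination and log whether the image still matches acquisition."""
        entry = self.record(handler, "verify", path)
        ok = entry["sha256"] == self.acquisition_hash()
        entry["note"] = "hash matches acquisition" if ok else "HASH MISMATCH: evidence altered since acquisition"
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Run the flow on a constructed stand-in for a disk image.

    Returns (verified_before_tamper, verified_after_tamper, custody_log).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-17.raw")   # constructed, not a real image
        with open(image, "wb") as f:
            f.write(b"constructed sample image bytes\n" * 4096)

        coc = ChainOfCustody(case_id="IR-0001", evidence_id="EV-01")   # assumed identifiers
        coc.record("analyst1", "acquire", image, note="remote image of employee laptop")
        coc.record("analyst1", "transfer", image, note="sealed and handed to examiner")
        intact = coc.verify("examiner1", image)

        # Simulate alteration of the image after acquisition (e.g. a careless write).
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered = coc.verify("examiner1", image)

        return intact, tampered, coc


if __name__ == "__main__":
    intact, tampered, coc = demo()
    print(coc.to_json())
    print("intact before tamper:", intact, "| intact after tamper:", tampered)
```

The first verification passes and the second fails, and both outcomes stay in the record alongside the acquisition and transfer entries. In practice the acquisition hash is also written on the physical chain of custody form and examination is done on a working copy, with the original kept sealed, so that a mismatch like the one simulated here can never be explained away.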
In today's hectic, remote-working world, monitoring and responding to insider threats in a timely and effective manner is critical. Make sure you take these steps as part of the organization-wide effort to secure your environment against insider threats.
Maria Rogers is a Senior Information Security Manager at ERMProtect Cybersecurity Solutions. She has a master's degree in cybersecurity and holds the following certifications: Certified Computer Forensics Examiner (CCFE), Certified Ethical Hacker (CEH), EnCase Certified Examiner (EnCE), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Payment Card Industry Professional (PCIP) and Payment Card Industry Forensic Investigator (PCI PFI).