Chris Denbigh-White is a threat hunter in Jazz Networks' cyber analyst services team.
The aim of any mature security model should be resilience. Naturally, all reasonable steps should be taken to secure data with the knowledge that this may fail. If it fails, preventative controls are not going to help the business recover.
It is when the preventative controls have failed that a response needs to be set in motion. The sole aim of this response is resilience and ensuring the company maintains its ability to trade with minimum financial or reputational exposure.
A common misconception is that incident response should follow a linear flow: an insider incident happens and, at the other side of the process, out comes a secure and recovered business. Processes involving security and resilience should always be cyclical, with a built-in means to flex to the ever-changing environments in which they operate.
This response process follows the phases of preparation, identification and classification, containment, remediation, and lessons learned.
1) Preparation
Every organization is different. Incidents will present themselves with differing causes, consequences, and severity. To respond, one must genuinely prepare.
“While the military axiom states that ‘no plan survives contact with the enemy,’ having no plan at all will guarantee failure.”
The ideal response is calm when faced with an insider threat. As with any successful military response, this unruffled confidence is achieved through assessment, planning, execution, and reflection.
These plans (otherwise referred to as playbooks, strategies, swimlanes, or other) will be the thing that turns blind panic in the face of an insider incident into calm resolution and control.
Document who has a role within the plan, make it accessible to everyone, and include clear steps in the event of a breach.
2) Identification and classification
The identification and classification phase is where the business realizes it has a problem. After realizing there might be an incident, rapidly harvesting and understanding information is critical. The term “insider threat event” can cover a multitude of potentially business-harming situations, so it is essential to discover what is happening quickly.
Identification and classification is achieved using a blend of technology and process. Using technology to understand what has happened, or more often is still happening, is helpful. However, a method to determine what the data means to the business is vital.
A vital part of the identification phase is classifying how critical the event is. Based on the value attached to the crown jewels, we can move to classify the potential compromise of those assets as critical, high, medium, or low.
Critical: Genuine and imminent risk to the ongoing existence of the business or vital business operations. Risk of harm or loss of life as a result of the incident.
High: Significant financial and/or reputational damage either initially or by any resulting statutory investigations and sanctions.
Medium: Financial and/or reputational damage either initially or by any resulting statutory investigation or sanctions.
Low: Minimal exposure to financial and/or reputational damage. Internal compromises and/or HR and policy violations are included in this category, which might form the basis of disciplinary proceedings, but not necessarily result in any tangible loss for the business.
The decisions around classification should be made by the insider threat response group. These classifications represent an overall threat to the business as opposed to individual areas such as IT or HR.
3) Containment
The decisions made around the criticality of the incident will determine some of the steps taken in containment. A priority here is to ensure that the incident does not increase in severity. While it might not be possible to remediate entirely at this point, it is possible to take steps to reduce the potential damage caused.
Containment can fall into various categories:
Physical containment of data or access to stop further breach.
Legal containment through action (e.g., firing a staff member leaking information) or non-disclosure agreements (e.g., for those, possibly externals, involved in incident response).
Communication to limit the reputational damage of the breach or to fulfill statutory obligations. The actions might include, but are not limited to, publishing press releases and mandatory reporting to government and governance agencies.
Whatever the actions taken in containment, this phase aims to seize back control of the situation. From a position of control, the steps in remediation can take place to return the business to normal operation.
4) Remediation
Remediation involves taking the final steps to return the business to normal operation. Containment activities must be completed before the remediation phase is initiated. It is only from a position of control that remediation can be achieved.
Remediation can take various forms which may include:
HR-based remediation: An employee may face sanctions or have their employment terminated.
Technical remediation: Underlying vulnerabilities in the IT estate can be addressed.
Statutory remediation: Sanctions, fines, or mandated remediation actions can be undertaken.
Remediation brings the business back to a state of normal. However, valuable information will have been discovered along the way, and this is where the next phase of “lessons learned” comes in.
5) Lessons learned
It is easy to think of the “lessons learned” phase as a list of useful information and operational tips, but that is only part of this phase. For the organization to truly learn the lessons resulting from an insider incident, it must operationalize this information.
Useful information for this stage could include the following areas:
The process of securing information
The identification and classification process
How to stop this happening again (or at least realize sooner that an event is happening)
Ideas to make the whole process easier and smoother
It is imperative not to see the lessons learned phase only as a means of identifying things that can be improved. It is a means of evaluating the whole process: good and bad. It should also not be a “blame list” with single, non-transferable root causes. Firstly, this is not the section for that information. Secondly, if the change is not repeatable, it will be complicated to operationalize.
All too often, the “lessons learned” phase is only paid lip service or overlooked entirely. This neglect happens despite it being the phase that serves to reduce the likelihood of a business repeatedly making the same mistakes.
At the end of this phase, the members of the insider threat group should have some positive, practical, and actionable statements about the incident in which they have recently been involved.
These statements can cover subjects from high-level policy change to practical items, e.g., a requirement for an ad-hoc budget for hotels and pizza (to cover extended hours in response to an incident).
“The aim of lessons learned is to make it easier next time.”
The operationalized information from lessons learned should be fed back into phase one, preparation, to ensure that the insider threat program is agile enough to improve continually and meet the needs of the business.
It is through this cycle of preparation, execution, and evaluation that the process is truly tested. The first time this process is activated must not be during a live, real-world incident.
Remember that this process is a cycle, so committing to regular and continuous testing of your insider threat program is essential. Testing can take the form of tabletop exercises, process walk-throughs, or even fully-fledged breach simulations. The most important thing is that all members of the insider threat working group are comfortable with their roles, the process, and regular and robust tests.
For this reason, start today. Even if, as a company, you have not yet selected the perfect technology to support your insider threat program, start now.
Chris Denbigh-White, MBCS GCIH GPEN GNFA CISSP, is a former police and intelligence officer. He has worked in system design and defense for both the public and private sectors. He is a passionate communicator and enjoys explaining technical topics in accessible ways for non-technical audiences. He contributes to the advisory board of the SANS Institute and assists in certification question writing for the ISC2 CISSP exam. Chris currently works with Jazz Analytical Services as a Threat Hunter, helping clients protect what really matters.