Analytics Story: Insider Threat

Description

Monitor for activities and techniques associated with insider threats, specifically focusing on malicious insiders operating within a corporate environment.

Why it matters

Insider Threats are best defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. The common insiders that create insider threats are: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims to detect the malicious insider.

Detections

Name | Technique | Type
--- | --- | ---
Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly
Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Hunting
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | Anomaly
Potential password in username | Local Accounts, Credentials In Files | Hunting
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Password Spraying, Brute Force | TTP
Windows Multiple Users Failed To Authenticate From Process | Password Spraying, Brute Force | TTP
Windows Remote Access Software Hunt | Remote Access Software | Hunting
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials | Password Spraying, Brute Force | Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process | Password Spraying, Brute Force | Anomaly
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
--- | --- | --- | ---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
G Suite Drive | N/A | gsuite:drive:json | http:gsuite
G Suite Gmail | N/A | gsuite:gmail:bigquery | http:gsuite
Linux Secure | Linux | linux_secure | /var/log/secure
Palo Alto Network Threat | Network | pan:threat | pan:threat
Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4625 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4648 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1