Insider Threat Management

How to Incorporate Digital Forensics Teams into Insider Threat Investigations

Share with your network!

(Updated on 02/22/2021)

Insider threats are more common today than ever before, and whether they are intentional or accidental, they often require investigation. To mitigate the potential risks that insider threats pose to your business, it’s key to know what your digital forensics capabilities look like. 

What are digital forensics?

Digital forensics refers to the process of finding and analyzing electronic data. The purpose of this may be to investigate an incident, such as an insider threat-caused breach. Digital forensics is generally used to collect data in order for it to be used in legal proceedings (though it may be used for other purposes as well). 

In some cases, you will want to have a specific digital forensics team in-house. This can consist of security analysts or even IT personnel who are properly trained and equipped with robust tooling to enable them to conduct thorough digital forensics during an investigation. Depending on the size of your team and nature of your business, however, you may also need to retain a third-party digital forensics team. 

Regardless of your approach, it’s key to plan ahead so that you know what the procedures will look like long before an actual investigation takes place. Let’s take a deeper look. 

What is a Digital Forensics Team in the Context of Insider Threats?

If an insider threat-related incident takes place, you will need to conduct a thorough investigation to understand what happened, how, why, and who was behind it. Digital forensics is often necessary to analyze the data sources and produce the necessary evidence in the event that the incident must be prosecuted. 

Where Do Digital Forensics Teams Belong in an Incident Response Plan?

How you will handle digital forensic activities in the event of an insider threat incident should be laid out clearly in your incident response plan. While digital forensics teams are often brought in after the fact, you should know in advance what that team looks like and have a budget in place for their activities. 

Determining Your Digital Forensics Capabilities

The big question for many businesses is whether you have sufficient in-house capabilities or need to outsource in some way. When compiling your incident response plan, take the time to identify in-house personnel who may be able to handle digital forensic investigations. 

If you do not currently have anyone in-house who can do this, do you prefer to hire someone? If so, we recommend doing so sooner rather than later. Keep in mind that having an in-house digital forensics team necessitates investing in software and tooling that will empower them to do their jobs thoroughly and without delay. 

The final option is to outsource to a third party. In this case, you will want to identify and vet outside consultants or digital forensic experts. You may want to go ahead and sign a contract so that some of the logistical details are taken care of in advance and won’t slow down a potential investigation. 

As you develop your incident response plan, assign roles to current personnel, future hires, or third parties. The clearer these roles are delineated, the less chance there is that the investigation will take an inordinately long amount of time and a breach will continue to fester and cause damage to the organization. 

An Example of Digital Forensics Team Involvement

It may be helpful to take a look at an example of how a digital forensics team often plays a role within a given incident response plan. Let’s take a look at an example scenario below:

InfoSec Reporting: Example Scenario

Collection: Infosec reports to the Insider Threat Team about a potential data leak event triggered by the existing insider threat management solution.

Triage: Insider Threat Team obtains additional information from InfoSec, HR and management on whether the DL event is within:

  • The scope of what the employee is allowed to do
  • Within his job role
  • Was actually performed by the employee or by an impersonator
  • Was it malicious, negligence or within company policy

Investigate: The insider threat team reports the DL event to HR and requests employment status such as whether the employee is under a performance review. The insider threat team also consults with the employee manager about whether the employee actions were legitimate and within the normal business policy. The team then conducts logical follow-on investigation to determine all facts and root cause of the event.

Action: If the employee’s activity was within the acceptable business policy, the incident will be closed, and the insider threat team will report back to InfoSec with suggestions to properly configure the DL in order to exclude these types of alerts again. The incident will be documented, and policies may need to be revised.

If the employee’s activity was not within the acceptable business policy, the team will initiate deeper user activity monitoring including screen recording. The insider threat team will request that the InfoSec or Digital Forensics Team review all logs for that employee for any additional risk indicators. Based on the forensic investigation result, the insider threat team will either close the case or consult with the legal department on necessary follow-up actions.

Building a Comprehensive Insider Threat Program

An incident response plan including robust digital forensics capabilities is just one part of a broader insider threat program. We recommend understanding how digital forensics fits into this broader program and assessing the maturity of your current capabilities so you can plan for continuous improvement. Additionally, investing in a tool like Proofpoint ITM with specific insider threat investigations capability will enable any digital forensics team to quickly understand the who, what, when, where, and why of any insider threat-related incident.