
What’s the first thing that comes to mind when you hear the term “cybersecurity threats”? For most of us, it is the image of a hacker in some hidden location doing their best to infiltrate a company’s or government agency’s website or systems. What many do not realize, however, is that these threats can also come from internal sources: insiders who are connected with the company or agency and already have access to its systems and procedures.
These are called insider threats, and they are often difficult to anticipate or notice because the sources are trusted, such as employees or team members. A common scenario is a disgruntled employee exacting revenge by stealing sensitive information from the company. Other cases involve employees or team members, especially new ones, who accidentally click on the wrong link or on a compromised link. Even the simplest threat can cause major problems and may even destroy a company or agency. The good news is that these users leave an IP trail in the network.
To trace the users’ trail, one has to apply network forensics. This will give the investigating authority significant threat details, such as when and how it happened, as well as who initiated the action. It’s similar to what detectives get when they gather forensic information.
However, insider threats are not only becoming more common but also more complex, which is why businesses, government agencies, and organizations are turning to smarter tools and strategies. Bugcrowd’s approach is one example: trusted hackers from different locations are teamed up to help companies and organizations identify and fend off threats using their own strategies and smart tools.
This article will give you a better understanding of network forensics, specifically in its function as a tool for protection against network threats.
What Is an Insider Threat?
An insider threat pertains to a risk initiated by someone from within the targeted company or organization. The threat can be from a former employee, business partner, contractor, or a current employee with access to the company’s sensitive data or systems.

Image by Pixabay.
Insider threats are classified into three types:
- Negligent employees or insiders who mistakenly or accidentally click on dangerous links or set up systems the wrong way
- Malicious insiders who purposely damage, leak, or steal valuable data
- Compromised insiders whose accounts have been hacked or misused by someone else
Since they are company insiders, access is not a problem and they do not have to ask anyone for permission. Such activity is difficult to distinguish from normal work, so it can take time before anyone notices that something is wrong.
What is Network Forensics?
If you like watching CSI, Criminal Minds, or NCIS, you’ll easily understand the concept of network forensics because it is similar to what the investigators in these TV shows do when confronted with a crime scene. However, instead of checking the DNA and getting fingerprints from the scene, network forensics investigators are trained to identify and analyze data activity, logs, and packets on the affected network to determine the cause of the risk.
Network forensics pays attention to:
- The trail or digital footprints of the action on the compromised network
- IP address trails (an IP address is the numeric address that identifies a device on a network)
- The collected data, which is analyzed and used to determine the timeline of events, thereby providing essential information, such as who accessed the system, where it was accessed, and when it was accessed
The digital trail is similar to the breadcrumbs that Hansel and Gretel left when they ventured into the forest. It gives investigators a direction so they’ll know where to go to uncover the source.
But How Does an IP Trail Tell a Story?
The IP address, which is the “identity” of a device, provides significant information to network forensics investigators.
Here’s an example of how IP addresses can help establish the story of an incident:
- Your system detects a download at 4:00 a.m. in which sensitive data is accessed.
- No one is scheduled to work at that time, in the office or remotely.
- Upon checking the logs, investigators discover that the download was initiated by an internal IP address, which is traced to an employee’s device.
- Collected data further reveals that the device was used not in the office but in a foreign location.
With all this information, investigators can immediately determine that the system may be at risk and start a more comprehensive investigation.
What to Look for in Network Activity

Image by Pixabay.
Insider threats may not be visible to the eye but there are signs that may be easy to spot. These network traffic red flags include:
- File transfers of unusually large volumes
- Data or system access by someone not assigned to that task
- Remote logins or unscheduled logins, especially during non-working hours
- Too many login failures, like what happens when someone is guessing a username/password
- Connections to unusual or unsafe websites, unknown devices, or external IP addresses
One or two signs may not sound scary but they can become a red flag when combined with other actions.
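The 4:00 a.m. scenario above and the red-flag list are the kind of correlation a forensic analyst scripts against exported logs. The following Python is an added example, not code from the original article: the log lines and the IP-to-device asset inventory are constructed, and the off-hours window, transfer size and failed-login thresholds are assumed values a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (key=value style), not taken from any real system.
SAMPLE_LOG = """\
2024-03-10T04:02:11Z src=10.20.5.17 user=jdoe action=login result=success
2024-03-10T04:03:40Z src=10.20.5.17 user=jdoe action=download path=/finance/payroll.xlsx bytes=734003200 result=success
2024-03-10T09:15:02Z src=10.20.7.3 user=asmith action=login result=failure
2024-03-10T09:15:09Z src=10.20.7.3 user=asmith action=login result=failure
2024-03-10T09:15:15Z src=10.20.7.3 user=asmith action=login result=failure
2024-03-10T09:15:21Z src=10.20.7.3 user=asmith action=login result=failure
2024-03-10T09:15:27Z src=10.20.7.3 user=asmith action=login result=failure
2024-03-10T10:30:00Z src=10.20.9.8 user=bwong action=download path=/public/handbook.pdf bytes=204800 result=success
"""
# Constructed asset inventory: the IP trail is only useful once an internal
# address can be tied to the device (and so the person) it is assigned to.
INVENTORY = {"10.20.5.17": "laptop-jdoe", "10.20.7.3": "desktop-asmith", "10.20.9.8": "laptop-bwong"}

SENSITIVE_PREFIXES = ("/finance/", "/hr/")    # assumed sensitive data locations
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024     # assumed threshold: 100 MiB
OFF_HOURS = range(0, 6)                      # assumed non-working hours, 00:00-05:59 UTC
FAILED_LOGIN_LIMIT = 5                       # assumed password-guessing threshold

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one log line into a dict; the leading token is the UTC timestamp."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev

def analyze(log_text, inventory):
    """Return (device, reason) findings, one per red flag, in log order."""
    findings, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        ev = parse(line)
        device = inventory.get(ev["src"], "unknown-device")  # unknown IPs are a flag too
        sensitive = ev.get("path", "").startswith(SENSITIVE_PREFIXES)
        if sensitive and ev["ts"].hour in OFF_HOURS:
            findings.append((device, "off-hours access to sensitive data"))
        if ev["bytes"] > LARGE_TRANSFER_BYTES:
            findings.append((device, "unusually large transfer"))
        if ev.get("action") == "login" and ev.get("result") == "failure":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == FAILED_LOGIN_LIMIT:  # report once per source
                findings.append((device, "repeated login failures"))
    return findings
```

Run on the sample, the 4 a.m. payroll download raises two findings against the same device, which is exactly the "combined signs" the article describes, while the daytime handbook download raises none.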
Reasons Insider Threats Are Hard to Detect
Aside from the fact that the source is someone from or connected with the company, there are other reasons why insider threats are often difficult to detect:
- Since the insiders themselves are the ones accessing the system, they log in with their own legitimate accounts, so everything looks normal
- Network traffic is generally high, with huge volumes of logs, so there is a lot of noise and unusual behavior gets lost in it
- False positives are common, so not every red-flagged action is a threat; sometimes they’re just honest mistakes
- Technically skilled insiders often employ tactics that cover up their tracks; some even use another insider’s login details
Thus, efficient network forensics requires both trained human judgment and advanced, automated tools. This is the only way to detect risks and protect systems effectively and comprehensively.
Here’s How to Stay One Step Ahead
Staying ahead of insider threats involves more than just reacting immediately when red flags appear.
Companies need an efficient process for spotting the warning signs, and the earlier the better. Strong systems are also necessary.
The best practices include:
- Limit data and systems access to employees who directly need them for their job.
- Monitor unusual behavior using monitoring tools, specifically those that send out alerts to teams when unusual actions are detected.
- Regularly review or audit logs and permissions as this will help identify possible red flags.
- Train employees to identify and handle phishing and other suspicious activity, and train them in safe data handling.
- Establish a strong and efficient security culture so that anyone will be comfortable when reporting unusual behavior or mistakes.
Final Thoughts: IP Trails Matter
Insider threats are complex issues because they involve both technical and human aspects. A system breach is a technical and people problem. Being aware that such issues exist and having the right tools can help companies and organizations effectively deal with these threats.
Through network forensics, investigators should follow the IP trail as this is the best way to find the data logs, packets, and IP addresses that contributed to the threat. Each aspect uncovered through the IP trail is essential in piecing the story together and determining the next step to protect the system and the company.
The IP trail allows investigators to look beyond the unlocked door. They can see further and understand what happened, how it happened, and who made it happen, so they’ll know what they need to do to prevent future insider threats.