Ask the Expert: How Do I Respond to an Insider Attack?


Kyung Kim, Head of Cybersecurity for FTI Consulting’s APAC region, looks at the five steps companies should take when they discover an insider is responsible for a cyber breach.

Every physical crime results in a physical crime scene. And within every physical crime scene, a trail of evidence exists that detectives must follow and preserve while it’s still fresh to begin identifying possible suspects and motives.

The same level of urgency and speed — and even procedures — is required in the private sector when a cybersecurity incident caused by an insider occurs. Forensic investigators must quickly preserve evidence, conduct background checks, identify and interview potential suspects, and assess the damage while the trail is still hot.

Sometimes evidence points to an insider whose motive may be financially or politically driven — or both. Other times, the incident may have been caused by an unwitting insider who happened to open a malicious email, launching a ransomware attack that disabled company servers. In either case, here are five steps organizations should take after they’ve discovered that an insider has turned their network and servers into a crime scene.

Preserve the Evidence.

As with any investigation, preserving as much physical evidence as possible is crucial. In a cyber crime, evidence comes in the form of digital endpoints — in this case, the hardware. These include the organization’s server, laptops, desktops, personal smartphones, and smart tablets.

Forensic investigators need to get these items in hand promptly to prevent post-crime tampering or alteration. Organizations can stay ahead of this step by implementing and enforcing a chain of custody documentation policy.

Look for and Collect DNA.

Records of system activity, including logins (“logs”), are the “DNA” of a cyber crime and some of the most important evidence. These include firewall logs, antivirus logs, web server access logs and audit logs. Additionally, VPN logs can reveal which employees accessed the firm’s server on weekends or on the very day when the cybersecurity incident occurred. These are the digital fingerprints that must be preserved and analyzed.

Collecting the DNA can be tedious. Investigators often have to analyze millions of employee logins, along with text messages, phone calls and emails. That’s why organizations use SIEM (security information and event management) solutions, which are often invaluable in an investigation: they make real-time analysis of cybersecurity alerts and breaches possible.

Narrow Down a List of Suspects.

Investigators can work with the company to identify possible suspects, such as disgruntled employees or a data analyst who routinely works with sensitive company data. A full background report on each suspect should be supplied by the organization’s compliance officers, general counsel and either the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) or the head of IT.

From there, interviews can begin.

Dig Deeper Into the Clues.

Investigators can dig deeper into the suspect’s online activity. Is the suspect connecting to the internal server at odd hours of the day? Is the suspect transferring a high volume of files? Are they accessing sensitive files? Investigators can spot these issues by monitoring for anomalies in the firewall logs and in the company’s file integrity monitoring system while examining the suspect’s activity. If more than one red flag appears for a suspect, investigators will want to take a closer look at that person in general.
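As an added illustration of this step (example code, not part of the article or of FTI Consulting’s own tooling), the Python below runs the three red-flag checks just described over a few constructed VPN and file-access log lines and lists the users who trip more than one. The log format, the sensitive share names, the business-hours window and the volume threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article).
# Format: timestamp,user,event,detail,bytes
SAMPLE_LOG = """\
2020-06-13T02:14:00,jdoe,vpn_login,10.0.0.12,0
2020-06-13T02:20:00,jdoe,file_read,/finance/payroll_2020.xlsx,52000000
2020-06-13T02:41:00,jdoe,file_read,/finance/board_minutes.docx,120000000
2020-06-15T09:05:00,asmith,vpn_login,10.0.0.31,0
2020-06-15T09:30:00,asmith,file_read,/marketing/brochure.pdf,2000000
2020-06-16T22:10:00,bwong,vpn_login,10.0.0.44,0
2020-06-16T22:12:00,bwong,file_read,/hr/handbook.pdf,800000
"""

SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/legal/")  # assumed sensitive shares
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time, assumed
VOLUME_THRESHOLD = 100_000_000  # bytes read per user, assumed

def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, detail, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "bytes": int(nbytes)})
    return events

def red_flags(events):
    """Return {user: set of red-flag names} for the three checks in the article."""
    flags = defaultdict(set)
    volume = defaultdict(int)
    for e in events:
        u, ts = e["user"], e["ts"]
        # Odd hours: weekend (Mon=0 .. Sun=6) or outside the business-hours window.
        if e["event"] == "vpn_login" and (ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS):
            flags[u].add("off_hours_login")
        if e["event"] == "file_read":
            volume[u] += e["bytes"]
            if e["detail"].startswith(SENSITIVE_PREFIXES):
                flags[u].add("sensitive_file_access")
    for u, total in volume.items():
        if total > VOLUME_THRESHOLD:
            flags[u].add("high_volume_transfer")
    return dict(flags)

def closer_look(flags, minimum=2):
    """Users with at least `minimum` red flags, i.e. the ones to examine more closely."""
    return sorted(u for u, f in flags.items() if len(f) >= minimum)

if __name__ == "__main__":
    found = red_flags(parse_log(SAMPLE_LOG))
    print(found, closer_look(found))
```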

Improve Organization Protocols.

Once the insider threat is identified, the organization can take appropriate legal action. In the aftermath, it’s a good time for management to step back and determine how it can improve operations and tighten security.

Strengthening an organization’s personnel exit policy is one area to focus on. This means requiring all firm-issued hardware and devices to be returned to the IT department (and requiring the IT department to disconnect the departing employee’s access to internal servers). It also means conducting exit interviews to learn why an employee is leaving and to ask for any recommendations they could make about tightening security. Perhaps most important, an exit interview offers a chance to gently remind the departing employee that the NDA they signed is still in effect, if applicable.

An attack from an insider is jarring for any organization. Trying to identify and contain that threat can seem downright overwhelming. It’s not. As with every crime, there is a human element involved in a cybersecurity incident, and as every investigator knows, the weakest link in a crime is the human himself.

© Copyright 2020. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.

Key Contact

Kyung Kim

Senior Managing Director