Business Insider Threats
Updated: Jan 19, 2022
Recently, Fluency was asked to assist with a possible insider threat that one of our clients was concerned may have occurred. With permission, here is a sanitized overview of how the team provided a smoking gun to the client.
A client approached Fluency with a straightforward request for assistance. They were concerned (given certain indicators) that a temporary worker had procured and used proprietary information from another company while conducting work for the client.
Fluency was given the name of the user, the computer involved, the name of the company claiming to have had its proprietary information misused, and a 1-year window to search for more conclusive data. We were asked to identify files that had been uploaded and downloaded by the user, especially related to the name of the company in question.
With many security tools, a one-year window would be near impossible to search (assuming that much data was even stored), but Fluency was built with this capability in mind. Its back-end, the proprietary LavaDB, was robust and fast enough that searching through a year’s worth of data (which Fluency stores by default for its clients) was not such a monumental task. LavaDB’s speed is unmatched in the industry. In this example, the client averages 9TB of data ingress per month, which took only 2 minutes to search.
Fluency began its search by analyzing the flow metadata that was recorded for both that user and that computer in question. The metadata included all inbound and outbound connections involving either of those entities. Flow data can be associated (correlated) with a user due to Fluency’s User and Entity Behavior Analytics (UEBA) dynamic linking capabilities.
Looking at the data, it appeared that the only relevant activity to the user and computer was accessing the website of the company in question. It was accessed only once, and that access was to an overview page. Looking at the files transferred from the site, it appeared that only what was publicly available on the site (and nothing malicious) was transferred.
Username + flows with <COMPANYNAME> in the https.uris.uri field
Hostname + flows with <COMPANYNAME> in the https.uris.uri field
Only 3 hits were identified, all to the company’s overview site. The files downloaded were identified and determined to be non-malicious and publicly available.
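The two searches described above (flows tied to the username and flows tied to the hostname, filtered on the company name in the https.uris.uri field) can be reproduced offline over a handful of constructed flow records. This is an added example, not Fluency’s own code or query language; the record layout, the user/host field names, the entity names and the URIs are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed flow metadata records. Only the https.uris.uri field name
# comes from the write-up; the user, host, bytes and ts fields are assumed.
SAMPLE_FLOWS = [
    {"id": 1, "user": "tempworker01", "host": "WS-TEMP-01", "ts": "2021-02-03T10:01:00",
     "bytes_in": 20480, "https": {"uris": [{"uri": "https://examplecorp.test/about"}]}},
    {"id": 2, "user": "tempworker01", "host": "WS-TEMP-01", "ts": "2021-02-03T10:01:05",
     "bytes_in": 815000, "https": {"uris": [{"uri": "https://examplecorp.test/about/overview.pdf"}]}},
    {"id": 3, "user": "tempworker01", "host": "WS-TEMP-01", "ts": "2021-02-03T10:03:41",
     "bytes_in": 18100, "https": {"uris": [{"uri": "https://examplecorp.test/about"}]}},
    {"id": 4, "user": "tempworker01", "host": "WS-TEMP-01", "ts": "2021-02-03T10:05:00",
     "bytes_in": 4096, "https": {"uris": [{"uri": "https://mail.contoso.test/owa"}]}},
    # Same company visited by a different user on a different host: must not
    # appear in an entity-scoped search.
    {"id": 5, "user": "jdoe", "host": "WS-OTHER-02", "ts": "2021-02-04T08:30:00",
     "bytes_in": 9000, "https": {"uris": [{"uri": "https://examplecorp.test/careers"}]}},
    # Non-HTTPS flow (SMB) with no URI data at all.
    {"id": 6, "user": "tempworker01", "host": "WS-TEMP-01", "ts": "2021-02-03T10:06:00",
     "bytes_in": 120, "dst_port": 445},
]


def flow_uris(record):
    """Return the list of URI strings in a flow record, or [] if it has none."""
    return [u["uri"] for u in record.get("https", {}).get("uris", []) if u.get("uri")]


def search_flows(records, keyword, user=None, host=None):
    """Flows scoped to a user and/or host whose URI contains the keyword.

    Mirrors the two queries in the write-up: pass user= for the username
    search and host= for the hostname search; both may be combined.
    """
    needle = keyword.lower()
    hits = []
    for r in records:
        if user is not None and r.get("user") != user:
            continue
        if host is not None and r.get("host") != host:
            continue
        if any(needle in uri.lower() for uri in flow_uris(r)):
            hits.append(r)
    return hits


def summarize(hits):
    """Per-URI hit counts plus total inbound bytes, to judge what was fetched."""
    by_uri = Counter(uri for r in hits for uri in flow_uris(r))
    total_bytes = sum(r.get("bytes_in", 0) for r in hits)
    return {"hits": len(hits), "by_uri": dict(by_uri), "bytes_in": total_bytes}


if __name__ == "__main__":
    by_user = search_flows(SAMPLE_FLOWS, "examplecorp", user="tempworker01")
    by_host = search_flows(SAMPLE_FLOWS, "examplecorp", host="WS-TEMP-01")
    print("username search:", summarize(by_user))
    print("hostname search:", summarize(by_host))
```

Running the two scoped searches returns the same three flows, all to the company’s about/overview pages, while the unrelated user’s visit and the non-HTTPS flow are excluded; the per-URI breakdown and byte totals are what you would then compare against the site’s public content.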
Even though the client had specifically pointed to uploads and downloads, we expanded the search outward from that starting point instead of calling it a day. While flow data is one aspect of Fluency’s capabilities, another important aspect is the collection of event data. This event data typically includes everything from SaaS-based apps like O365, Active Directory events, EDR (AV), and firewall logs. Note that Fluency ingests much more depending on the client’s infrastructure.
For this client, we had access to M365/O365, Active Directory, SentinelOne (Complete + Cloud Funnel), and other data sources which we could search. After identifying no ties between the temporary user and any O365 accounts, we concentrated on SentinelOne’s combined data feeds. Being able to walk back a year was a huge benefit to the client, as they did not know exactly when this data transfer may have happened.
Events identified involving HOSTNAME
The following events were found of interest on the host in question:
Generic Mass Storage (USB)
Flash Drive (USB)
Walking the Cloud Funnel data back, we identified that the user in question had attached two different removable storage devices to the computer being used. This led us to investigate events around those time periods for any file activity. The activity was tremendous: the person in question had copied a large number of files to both of those removable drives. This was our first real indicator that unauthorized activity had taken place.
HOSTNAME events filtered for SanDisk connections, Generic Mass Storage devices, and Flash Drives (as identified above).
We shared our findings with the client, who then asked if we could get more granular. Using Fluency’s regular expression search support, we were able to further identify exact files for the client. By using a keyword provided by the client, we identified thousands of files that had been copied to both removable drives by the user in question, related specifically to the proprietary information being misused. This was the precise evidence of unauthorized activity the client needed to move forward with their investigation.
Resulting Final Query
Modified version of Query 4 that narrowed the search down to a specific time frame and filtered on the following connected drives:
"G:\Extreme SSD 1T" and "G:\Seagate Backup Plus"
with the following regular expression to filter the filenames to the relevant items:
<HOSTNAME> AND (@sentinelone.data.targetFile.path:/.*<COMPANYNAME>.*$/ OR @sentinelone.data.file.path:/.*<COMPANYNAME>.*$/)
We also created a custom facet for the client with this final search information for ease of access, when they need this visibility again.
*NOTE: <HOSTNAME> and <COMPANYNAME> are sanitized placeholders.
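The steps above (find the removable-device attachment events for the host, then filter file events on those drives by time window and by a regular expression of the form .*<COMPANYNAME>.*$ over both the targetFile.path and file.path fields) can be reproduced offline over constructed events. This is an added example and not Fluency’s or SentinelOne’s own code; the two path field names and the drive labels come from the write-up, while the event record layout, the event type strings, the host name and the company keyword are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed endpoint events in an assumed layout. The targetFile.path and
# file.path field names follow the final query in the write-up; the rest is
# invented for this example.
EVENTS = [
    {"ts": "2021-03-02T09:14:00", "host": "WS-TEMP-01", "event_type": "Device Connected",
     "data": {"device": {"class": "Flash Drive", "vendor": "SanDisk"}}},
    {"ts": "2021-03-02T09:20:12", "host": "WS-TEMP-01", "event_type": "File Creation",
     "data": {"targetFile": {"path": r"G:\Extreme SSD 1T\Clients\ExampleCorp\roadmap.xlsx"}}},
    {"ts": "2021-03-02T09:20:15", "host": "WS-TEMP-01", "event_type": "File Creation",
     "data": {"targetFile": {"path": r"G:\Extreme SSD 1T\Clients\ExampleCorp\pricing.docx"}}},
    # Copied to the drive but unrelated to the company keyword.
    {"ts": "2021-03-02T09:21:40", "host": "WS-TEMP-01", "event_type": "File Creation",
     "data": {"targetFile": {"path": r"G:\Extreme SSD 1T\Personal\vacation.jpg"}}},
    {"ts": "2021-05-17T14:02:00", "host": "WS-TEMP-01", "event_type": "Device Connected",
     "data": {"device": {"class": "Generic Mass Storage", "vendor": "Seagate"}}},
    # Rename event carries the path in file.path rather than targetFile.path.
    {"ts": "2021-05-17T14:05:03", "host": "WS-TEMP-01", "event_type": "File Rename",
     "data": {"file": {"path": r"G:\Seagate Backup Plus\examplecorp_contracts.zip"}}},
    # Same drive label on another host: out of scope for this host.
    {"ts": "2021-05-17T14:06:00", "host": "WS-OTHER-02", "event_type": "File Creation",
     "data": {"targetFile": {"path": r"G:\Seagate Backup Plus\ExampleCorp\notes.txt"}}},
    # Company-related file on the local disk, not on a removable drive.
    {"ts": "2021-05-17T14:07:00", "host": "WS-TEMP-01", "event_type": "File Creation",
     "data": {"targetFile": {"path": r"C:\Users\tempworker01\Documents\ExampleCorp\draft.docx"}}},
]

DRIVES = [r"G:\Extreme SSD 1T", r"G:\Seagate Backup Plus"]


def removable_attachments(events, host):
    """Device-connect events for one host, oldest first (the 'walk back' step)."""
    return sorted((e for e in events if e["host"] == host
                   and e["event_type"] == "Device Connected"), key=lambda e: e["ts"])


def event_paths(event):
    """All file paths on an event: targetFile.path and file.path, when present."""
    data = event.get("data", {})
    return [data[k]["path"] for k in ("targetFile", "file")
            if k in data and data[k].get("path")]


def company_files_on_drives(events, host, drives, keyword, start=None, end=None):
    """File events on the given drives whose path matches .*<keyword>.*$.

    start/end are optional datetimes bounding the time frame, as in the
    narrowed final query. Returns (timestamp, drive, path) tuples.
    """
    pattern = re.compile(r".*" + re.escape(keyword) + r".*$", re.IGNORECASE)
    prefixes = {d.rstrip("\\").lower() + "\\": d for d in drives}
    hits = []
    for e in events:
        if e["host"] != host:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if (start and ts < start) or (end and ts > end):
            continue
        for path in event_paths(e):
            drive = next((d for p, d in prefixes.items() if path.lower().startswith(p)), None)
            if drive and pattern.match(path):
                hits.append((e["ts"], drive, path))
                break
    return hits


def count_by_drive(hits):
    """How many matching files landed on each removable drive."""
    return dict(Counter(drive for _, drive, _ in hits))


if __name__ == "__main__":
    for a in removable_attachments(EVENTS, "WS-TEMP-01"):
        print("attached:", a["ts"], a["data"]["device"])
    found = company_files_on_drives(EVENTS, "WS-TEMP-01", DRIVES, "examplecorp")
    for ts, drive, path in found:
        print(ts, drive, path)
    print(count_by_drive(found))
```

The attachment events give the time frames to examine; the path filter then keeps only files written to the two named drives that match the keyword, so a company-related file saved to the local C: drive, a personal file on the removable drive, and the same drive label seen on a different host are all excluded. Passing start= or end= reproduces the narrowed time frame of the final query.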
With multiple queries as well as a spreadsheet of file transfer data in hand, Fluency was able to provide the client with sufficient data to identify what was taken, when it was taken, and what was done with it.
The key takeaways that made Fluency the perfect choice for this incident were:
the ability to have one year’s worth of data retention
the ability to search one year’s worth of data quickly
robust regular expression search and trigger capabilities
the fact that the client had opted to use and include the Cloud Funnel data feed
and especially User and Entity Behavior Analytics (UEBA) that can associate disparate entities (such as users and computers) together.