Covertly Restrict Insider Threat Actor Access

Containment | P1 | 45 min
Role: IR Analyst

Implement covert access restrictions on the suspected insider while preserving the investigation. Enhance monitoring without alerting the subject.

Actions

  1. Deploy enhanced monitoring on the suspect account: confirm mailbox auditing is enabled and not bypassed for the mailbox, extend audit retention for the life of the case, and bring the account into DLP monitoring scope. Choose only changes the user cannot observe: a new audit setting is invisible, a new sign-in prompt is not.
  2. Restrict access to sensitive data covertly with Conditional Access: prefer session controls (for example a monitor-only session control) over grant controls. Restricting access from personal devices or requiring step-up authentication for sensitive resources also limits exposure, but both are visible to the subject as prompts or sign-in failures, so deploy any such policy in report-only mode first and enforce it only with HR and Legal agreement.
  3. Implement DLP policies to monitor and optionally block data exfiltration attempts: email attachments, cloud storage uploads, USB transfers, and print operations. Start in a test mode without user notifications; policy tips and block messages reveal the monitoring.
  4. Create a dedicated monitoring dashboard for the suspect account: track file access, email activity, login locations, and data transfer volumes, and compare each against the account's pre-investigation baseline so that a change in behaviour stands out.
  5. Coordinate with HR and Legal before making any of the changes above. Document every monitoring activity, who approved it, and the business justification for each; this record is what keeps the evidence usable later.
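The following is an added example, not code from the original playbook: it carries out the mailbox-audit check from step 1 in Exchange Online PowerShell and creates the report-only Conditional Access policy from step 2 with the Microsoft Graph PowerShell SDK. "SUSPECT_USER" and "IR-CASE-ID" are placeholders, the module names and admin roles are assumed, and the session control only takes effect if the tenant has Defender for Cloud Apps onboarded for Conditional Access App Control.

```powershell
# Added example (not from the original playbook). Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed and the operator holds the required admin roles.
# "SUSPECT_USER" and "IR-CASE-ID" are placeholders.
$Suspect = "SUSPECT_USER"          # UPN of the account under investigation
$CaseTag = "IR-CASE-ID"            # placeholder: internal case reference for the change record

# --- Step 1: confirm mailbox auditing is actually capturing this mailbox ---
Connect-ExchangeOnline

# If auditing is disabled at the organization level, per-mailbox settings do nothing.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { throw "Mailbox auditing is disabled at the organization level" }

# An audit bypass association silently exempts an account from mailbox audit logging;
# a suspect on this list produces no MailItemsAccessed or Send records at all.
$bypass = Get-MailboxAuditBypassAssociation -Identity $Suspect
if ($bypass.AuditBypassEnabled) {
    Set-MailboxAuditBypassAssociation -Identity $Suspect -AuditBypassEnabled $false
}

# Make sure owner actions relevant to exfiltration are audited and retained for the
# life of the case. Availability of MailItemsAccessed depends on the tenant's audit licensing.
Set-Mailbox -Identity $Suspect -AuditEnabled $true `
    -AuditOwner @{Add = "MailItemsAccessed", "Send", "HardDelete", "SoftDelete", "MoveToDeletedItems"} `
    -AuditLogAgeLimit 365

# Record the resulting state for the investigation file (step 5: document every change).
Get-Mailbox -Identity $Suspect |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate

# --- Step 2: report-only Conditional Access policy scoped to the suspect only ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"
$user = Get-MgUser -UserId $Suspect

$policy = @{
    displayName = "$CaseTag session monitoring"
    # Report-only first: nothing is enforced that the user could notice, but the sign-in
    # logs record what the policy would have done. Switch to "enabled" only with HR/Legal sign-off.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($user.Id) }   # scoped to one object, not a group
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Defender for Cloud Apps session control in monitor-only mode. Caveat: proxied
        # sessions carry a *.mcas.ms URL suffix, so this is low-visibility, not invisible.
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "monitorOnly" }
    }
    # Deliberately no grantControls: requiring MFA or a compliant device produces
    # prompts or sign-in failures that the subject will see.
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created CA policy $($created.Id) in state $($created.State)"
```

Run the two halves in separate admin sessions if the roles are split; the Exchange part needs a role that can change mailbox audit settings, the Graph part a Conditional Access administrator. Keep the output of the Get-Mailbox call and the created policy ID in the case record.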

Queries

// Baseline suspect activity: sign-in volume, distinct source IPs and locations per application.
// =~ matches the UPN case-insensitively, since the value in SigninLogs is not guaranteed to match the casing you type.
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ "SUSPECT_USER"
| summarize LoginCount = count(), DistinctIPs = dcount(IPAddress), Locations = make_set(Location) by AppDisplayName
| order by LoginCount desc

// Track data access patterns: SharePoint/OneDrive file operations and Exchange mailbox reads, bucketed per hour.
// UserId in OfficeActivity is the UPN, the same identifier used above.
OfficeActivity
| where TimeGenerated > ago(7d)
| where UserId =~ "SUSPECT_USER"
| where Operation in ("FileDownloaded", "FileAccessed", "FileCopied", "MailItemsAccessed")
| summarize count() by Operation, bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// Detect exfiltration to removable or cloud-synced storage on the endpoint.
// InitiatingProcessAccountName is the SAM-style account name (e.g. jdoe), not the UPN used in the two queries above.
// The FolderPath match is a path-name heuristic; for a reliable removable-media signal, correlate with
// DeviceEvents where ActionType == "UsbDriveMounted" to learn the drive letter assigned on that device.
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessAccountName =~ "SUSPECT_USER"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any ("USB", "Removable", "OneDrive", "Dropbox", "Google Drive")
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName

Notes

  • Insider investigations require extreme discretion. Any indication that the subject is being monitored may cause them to destroy evidence or accelerate harmful actions.
  • All monitoring must be authorized by Legal and HR and comply with applicable privacy laws and company policy.