Insider Threat

Malicious or negligent activity by an authorized user, employee, contractor, or business partner that compromises data or systems.

Triage

3 procedures
P1

Bound the Investigation Timeframe

~30 min
P1

Identify Patient Zero (First Compromised System)

~60 min
P2

Validate the Initial Access Vector

~45 min

Containment

3 procedures
P1

Credential and Account Lockdown

~45 min
P1

Block Active Exfiltration Pathways

~30 min
P1

Covertly Restrict Insider Threat Actor Access

~45 min
Sponsored

Preservation

4 procedures
P1

Volatile Memory Capture

~60 min
P1

Log Preservation and Snapshot

~45 min
P2

Document Chain of Custody for All Collected Evidence

~30 min
P2

Covert Evidence Capture for Insider Threat

~120 min

Collection

5 procedures
P2

EDR Telemetry Collection

~120 min
P2

M365 Unified Audit Log Collection

~90 min
P2

Collect DLP Policy Alerts and Hits

~45 min
P2

Identify Alternative Evidence When Primary Logs Are Missing

~60 min
P3

Coordinate Log Collection from Third-Party Vendors

~120 min

Analysis

4 procedures
P1

Lateral Movement Analysis and Mapping

~120 min
P1

Map Exfiltration Channels (HTTP, DNS, Cloud Sync)

~90 min
P1

Analyze Evidence of Credential Dumping Techniques

~90 min
P2

Identify Data Staging and Compression Activity

~60 min

Eradication

2 procedures
P1

Eradication Verification Checklist

~90 min
P2

Post-Incident Configuration Hardening

~180 min

Recovery

1 procedure
P2

Phased Service Restoration with Enhanced Monitoring

~120 min

Post-Incident Review

4 procedures
P2

Create New Detection Rules Based on Incident Findings

~90 min
P2

Generate Comprehensive Incident Report

~180 min
P2

Review Data Disclosure and Notification Decision Evidence

~90 min
P3

Conduct Lessons Learned Review Session

~120 min