// investigation guide

insider threat / data exfiltration - methodology

insider threat is rarely a single stolen file. it is a departure-window pattern: peer outliers, after-hours access, USB staging, cloud upload, copy-paste into personal email, and credential reuse onto admin shares. evidence lives in file access logs, DLP incidents, badge data, and identity logons. move fast before accounts are disabled and logs roll off retention.

what evidence exists and how fast it dies

artifact | volatility | time to loss
--- | --- | ---
file access / 4663 audit (Windows) | rolling | 90 days typical SIEM retention
DLP / Purview incident export | rolling | varies by tenant; export at triage
USB device connection logs | rolling | often 30-90 days on endpoint agents
cloud share / OneDrive audit | rolling | 90 days default M365 audit
badge / physical access | persistent at vendor | export latency; holiday anomalies persist in vendor DB
endpoint image (if legal holds) | volatile | lost on reimage unless preserved

the first 10 minutes

  1. confirm HR departure date and last day; do not alert the subject until preservation is started.
  2. export 30-day file access audit for the user and their peer group role.
  3. pull DLP incidents involving the user in the departure window.
  4. export USB connection history from EDR for the user workstation(s).
  5. preserve cloud share sync and external share links created in the last 21 days.
  6. snapshot mailbox forward rules and external send patterns.
  7. pull badge logs for after-hours building access in the final two weeks.
  8. disable outbound cloud sync for the user only if counsel agrees; do not wipe the account yet.
  9. open legal hold on mailbox and home share if litigation is likely.
  10. begin the path below.

the path

  1. insider threat indicator scorer

    activity audit csv or json. composite risk score from access spikes, peer outliers, and departure-window flags. why first: triage the whole user story before drilling into individual log types.

  2. data access anomaly detector

    4663-style file access export. baseline vs exfil spike on sensitive paths and archive bundles. why second: IP theft is volume and path, not a single malware beacon.

  3. peer group comparison analyzer

    compare subject vs role peers on access counts, share hits, and after-hours share opens. why third: jchen looked normal in isolation but was a 4x outlier vs firmware engineers.

  4. time of day activity fingerprinter

    logon and file activity timestamps. detects schedule shift in the final 14 days before exit. why fourth: insiders exfil after hours when DLP and helpdesk are quiet.

  5. user behavior baseline profiler

    session length, logon frequency, and host count vs 21-day baseline. why fifth: separates one bad day from a sustained departure-window pattern.

  6. copy paste behavior forensics

    clipboard or DLP copy events chained to outlook send or cloud upload. why sixth: finance doc to personal email is the smoking gun when USB logs are missing.

  7. user workstation affinity mapper

    maps normal workstation set vs new logons to build servers or admin jump boxes. why seventh: lateral movement to admin file shares shows intent beyond accidental copy.

  8. credential lateral movement tracer

    credential harvest artifacts plus subsequent logons on privileged hosts. why last: ties harvested creds to admin share access in one chain for counsel.
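steps 1 through 5 of the path are one computation once the 4663 export is in hand: count sensitive-path accesses per day, compare the departure window to the user's own baseline and to role peers, and weight the after-hours share and archive staging into a composite. the script below is an added worked example, not the page's scorer or any Kline tooling. share prefixes, the 07:00-19:00 business-hours window, thresholds and weights are assumptions; the 35-day audit it scores is constructed inline (peers akumar and bwong, subject jchen, last day Fri 2024-03-29).

```python
"""Departure-window insider risk scorer.

Added example, not the page's own tool. Takes 4663-style file access records
(user, ISO timestamp, path) and for one subject reports:
  spike_ratio           sensitive-path access rate, window vs 21-day baseline
  peer_outlier_ratio    subject window count vs median of role peers
  after_hours_fraction  share of window accesses on weekends or outside 07-19
  archive_bundles       .zip/.7z/.rar touched in the window
Sensitive prefixes, business hours, thresholds and weights are assumptions.
"""
from datetime import datetime, timedelta
from statistics import median

SENSITIVE_PREFIXES = ("\\\\fs01\\firmware\\", "\\\\fs01\\finance\\")  # assumed share layout
ARCHIVE_EXT = (".zip", ".7z", ".rar")


def is_sensitive(path):
    p = path.lower()
    return p.startswith(SENSITIVE_PREFIXES) or p.endswith(ARCHIVE_EXT)


def after_hours(ts):
    # assumed business hours: weekdays 07:00-19:00 local
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def sensitive_accesses(events, user, start, end):
    """Timestamps of the user's sensitive-path accesses with start <= ts <= end."""
    out = []
    for e in events:
        if e["user"] != user or not is_sensitive(e["path"]):
            continue
        ts = datetime.fromisoformat(e["ts"])
        if start <= ts <= end:
            out.append(ts)
    return out


def score_user(events, subject, peers, last_day, window_days=14, baseline_days=21):
    window_start = last_day - timedelta(days=window_days)
    base_start = window_start - timedelta(days=baseline_days)
    base = sensitive_accesses(events, subject, base_start, window_start - timedelta(seconds=1))
    win = sensitive_accesses(events, subject, window_start, last_day)
    base_rate = len(base) / baseline_days
    win_rate = len(win) / window_days
    spike_ratio = win_rate / max(base_rate, 1 / baseline_days)  # floor: one baseline event
    peer_counts = [len(sensitive_accesses(events, p, window_start, last_day)) for p in peers]
    peer_med = median(peer_counts) if peer_counts else 0
    outlier_ratio = len(win) / max(peer_med, 1)
    ah_frac = sum(after_hours(t) for t in win) / len(win) if win else 0.0
    archives = sum(
        1 for e in events
        if e["user"] == subject and e["path"].lower().endswith(ARCHIVE_EXT)
        and window_start <= datetime.fromisoformat(e["ts"]) <= last_day
    )
    flags = {
        "access_spike": spike_ratio >= 3,
        "peer_outlier": outlier_ratio >= 3,
        "after_hours_shift": ah_frac >= 0.5,
        "archive_staging": archives > 0,
    }
    weights = {"access_spike": 30, "peer_outlier": 30, "after_hours_shift": 20, "archive_staging": 20}
    return {
        "subject_baseline": len(base), "subject_window": len(win), "peer_median": peer_med,
        "spike_ratio": round(spike_ratio, 2), "peer_outlier_ratio": round(outlier_ratio, 2),
        "after_hours_fraction": round(ah_frac, 2), "archive_bundles": archives,
        "flags": flags, "score": sum(weights[k] for k, v in flags.items() if v),
    }


def build_sample():
    """Constructed 35-day audit: 21 baseline days, then a 14-day window ending Fri 2024-03-29."""
    events = []
    day0 = datetime(2024, 2, 24)
    for i in range(35):
        d = day0 + timedelta(days=i)
        for user in ("akumar", "bwong", "jchen"):  # everyone reads the firmware tree once a day
            events.append({"user": user, "ts": (d + timedelta(hours=10)).isoformat(),
                           "path": "\\\\fs01\\firmware\\ctrl\\main.c"})
        if i >= 21:  # window: subject adds a daytime read and two late-night reads per day
            for hour in (11, 22, 23):
                events.append({"user": "jchen", "ts": (d + timedelta(hours=hour, minutes=30)).isoformat(),
                               "path": "\\\\fs01\\firmware\\ctrl\\bootloader.c"})
        if i >= 33:  # last two days: archive bundle staged on the desktop late at night
            events.append({"user": "jchen", "ts": (d + timedelta(hours=23, minutes=45)).isoformat(),
                           "path": "C:\\Users\\jchen\\Desktop\\fw_backup.zip"})
    return events, datetime(2024, 3, 29, 23, 59, 59)


if __name__ == "__main__":
    evs, last = build_sample()
    print(score_user(evs, "jchen", ["akumar", "bwong"], last))
    print(score_user(evs, "akumar", ["bwong", "jchen"], last))
```

run it against a real export by loading the csv into the same list-of-dicts shape; the peer list is the role peers from HR, and scoring a peer with the subject included in its peer set shows why the median, not the mean, is the right baseline when one outlier is present.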

common false leads

  • one large zip on last day was backup. correlate with peer baseline and path sensitivity.
  • USB use is policy violation not theft. check file names and DLP blocks, not just device insert.
  • after-hours logon was VPN patch window. validate against change tickets and peer activity.
  • personal email send was accidental. copy-paste chain from confidential share is harder to explain away.
  • no malware so no insider case. IP exfil is often credential abuse with no binary.
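step 6 of the path and the "personal email send was accidental" lead above both come down to the same correlation: a clipboard or DLP copy from a confidential share, then the same user's next external send or personal-tenant upload inside a short gap. the correlator below is an added example, not the page's copy-paste forensics tool. event field names, the confidential share prefixes, the corporate mail domain and the 30-minute gap are assumptions, and the merged event list is constructed.

```python
"""Copy-paste to exfil chain correlator.

Added example, not the page's own tool. Input is a merged list of DLP/clipboard
and outbound events (constructed sample below). A chain is a clipboard copy from
a confidential share followed, within max_gap minutes, by the same user sending
external mail or uploading to a personal cloud tenant. Field names, share
prefixes and the corporate domain are assumptions.
"""
from datetime import datetime, timedelta

CONFIDENTIAL_PREFIXES = ("\\\\fs01\\finance\\", "\\\\fs01\\firmware\\")  # assumed
CORP_DOMAIN = "corp.example"  # assumed


def is_confidential(path):
    return path.lower().startswith(CONFIDENTIAL_PREFIXES)


def is_external(addr):
    return not addr.lower().endswith("@" + CORP_DOMAIN)


def is_exfil_sink(e):
    """External mail or personal-tenant upload; internal mail and corporate tenants are not sinks."""
    if e["type"] == "mail_send":
        return is_external(e["recipient"])
    if e["type"] == "cloud_upload":
        return e.get("tenant") == "personal"
    return False


def chain_copy_to_exfil(events, max_gap_minutes=30):
    evs = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    chains = []
    for i, copy in enumerate(evs):
        if copy["type"] != "clipboard_copy" or not is_confidential(copy["source"]):
            continue
        t0 = datetime.fromisoformat(copy["ts"])
        for nxt in evs[i + 1:]:
            t1 = datetime.fromisoformat(nxt["ts"])
            if t1 - t0 > timedelta(minutes=max_gap_minutes):
                break  # sorted, so nothing later can be inside the gap
            if nxt["user"] == copy["user"] and is_exfil_sink(nxt):
                chains.append({
                    "user": copy["user"], "source": copy["source"], "sink": nxt["type"],
                    "target": nxt.get("recipient") or nxt.get("destination"),
                    "gap_minutes": int((t1 - t0).total_seconds() // 60),
                })
                break
    return chains


SAMPLE_EVENTS = [  # constructed; deliberately out of order to exercise the sort
    {"ts": "2024-03-28T21:05:00", "user": "jchen", "type": "clipboard_copy",
     "source": "\\\\fs01\\finance\\q1_forecast.xlsx"},
    {"ts": "2024-03-28T21:12:00", "user": "jchen", "type": "mail_send",
     "recipient": "jchen.home@mail.example"},
    {"ts": "2024-03-28T10:00:00", "user": "akumar", "type": "clipboard_copy",
     "source": "\\\\fs01\\finance\\budget.xlsx"},
    {"ts": "2024-03-28T10:03:00", "user": "akumar", "type": "mail_send",
     "recipient": "cfo@corp.example"},  # internal recipient: not a sink
    {"ts": "2024-03-28T14:00:00", "user": "jchen", "type": "clipboard_copy",
     "source": "\\\\fs01\\finance\\vendors.xlsx"},
    {"ts": "2024-03-28T15:30:00", "user": "jchen", "type": "cloud_upload",
     "tenant": "personal", "destination": "drive.example/upload"},  # 90 min later: outside default gap
    {"ts": "2024-03-28T16:00:00", "user": "jchen", "type": "clipboard_copy",
     "source": "C:\\Users\\jchen\\readme.txt"},  # not confidential
    {"ts": "2024-03-28T16:05:00", "user": "jchen", "type": "mail_send",
     "recipient": "friend@mail.example"},
]

if __name__ == "__main__":
    for c in chain_copy_to_exfil(SAMPLE_EVENTS):
        print(c)
```

the gap is the tuning knob: 30 minutes gives one chain on the sample (finance sheet to personal mail, 7 minutes), widening it to two hours also picks up the afternoon copy followed by the personal-tenant upload. record the gap you used in the timeline you hand to counsel.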

what we can tell you, what we can't

we can tell you:

  • peer-relative access outliers and departure-window spikes
  • after-hours schedule shifts from timestamp fingerprints
  • copy-paste to exfil chains when DLP exports exist
  • workstation affinity breaks and lateral logon sequences
  • composite insider risk scoring from exported audits

we can't tell you:

  • whether files left the building on paper or phone photos
  • HR disciplinary outcome or termination decision
  • trade secret status of specific files. counsel and engineering lead territory
  • live DLP block or account disable in your tenant

handing it off

  • HR + legal: timeline UTC, peer comparison summary, DLP hits, preserved export sha-256 list.
  • law enforcement (if trade secret theft): file access proof, USB log, cloud external shares, credential lateral chain.
  • IT: accounts to disable, shares to revoke, legal hold scope.
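the preserved export sha-256 list in the HR + legal hand-off is what lets anyone later show the exports pulled in the first 10 minutes are the ones on the table. the helper below is an added example, not the page's tooling: it writes a sha256sum-style manifest over an export directory and re-verifies it, naming each file that was modified or has gone missing. the export files it hashes are constructed inside a temporary directory.

```python
"""Preserved-export hash manifest.

Added example, not the page's own tooling. Builds a sha256sum-style manifest
for a directory of exported evidence (the sha-256 list the HR/legal hand-off
asks for) and re-verifies it later so any altered or missing export is named.
demo() runs the whole cycle on constructed files in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream, exports can be large
            h.update(chunk)
    return h.hexdigest()


def write_manifest(export_dir, manifest_path):
    """One 'digest  relative/path' line per file, sorted so the manifest is stable and diffable."""
    root = Path(export_dir)
    manifest = Path(manifest_path)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p != manifest:
            lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(export_dir, manifest_path):
    """Return (relative_path, problem) pairs for exports that changed or vanished; [] when clean."""
    root = Path(export_dir)
    problems = []
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        target = root / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(target) != digest:
            problems.append((rel, "modified"))
    return problems


def demo():
    """Constructed exports: build manifest, verify clean, tamper one file, delete one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dlp").mkdir()
        (root / "dlp" / "incidents.csv").write_text(
            "ts,user,policy\n2024-03-28T21:12:00Z,jchen,finance-external-mail\n")
        (root / "usb_history.json").write_text('{"host": "WS-0417", "devices": []}\n')
        manifest = root / "MANIFEST.sha256"
        count = write_manifest(root, manifest)
        clean = verify_manifest(root, manifest)
        (root / "usb_history.json").write_text('{"host": "WS-0417", "devices": ["edited"]}\n')
        (root / "dlp" / "incidents.csv").unlink()
        tampered = verify_manifest(root, manifest)
        return count, clean, tampered


if __name__ == "__main__":
    print(demo())
```

the manifest format matches what `sha256sum -c` reads, so the receiving side can verify without this script. keep the manifest itself with counsel, not only beside the exports it covers.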

further reading

reference investigation

synthetic fixture kline-insider-exfil: Kline Robotics engineer jchen departure-window exfil (USB, cloud, copy-paste, lateral creds), seed kline-insider-exfil:v1. compare output via npm run check:flagship.

proof page: /forensics/proof/kline-insider-exfil · fixture download: evidence zip · case playbook: case type tools
