WEBVTT

1
00:00:00.090 --> 00:00:01.320
<v Instructor>In this lesson,</v>

2
00:00:01.320 --> 00:00:03.750
we will learn about attribution.

3
00:00:03.750 --> 00:00:07.590
Attribution is the process of identifying the source

4
00:00:07.590 --> 00:00:11.370
or threat actor responsible for a security incident.

5
00:00:11.370 --> 00:00:14.910
A type of actor that an incident may be attributed to

6
00:00:14.910 --> 00:00:16.890
is an insider threat.

7
00:00:16.890 --> 00:00:18.600
Insider threats occur

8
00:00:18.600 --> 00:00:21.630
when an individual within the organization,

9
00:00:21.630 --> 00:00:24.330
such as an employee or contractor,

10
00:00:24.330 --> 00:00:28.920
intentionally or unintentionally compromises systems or data.

11
00:00:28.920 --> 00:00:30.570
In this situation,

12
00:00:30.570 --> 00:00:33.570
attribution focuses on gathering evidence,

13
00:00:33.570 --> 00:00:35.040
such as access logs

14
00:00:35.040 --> 00:00:36.960
and behavioral analytics,

15
00:00:36.960 --> 00:00:39.870
to confirm the threat originated internally

16
00:00:39.870 --> 00:00:42.030
and determine if the incident was caused

17
00:00:42.030 --> 00:00:45.510
by negligence, error, or malicious intent.

18
00:00:45.510 --> 00:00:49.590
Let's learn more about attribution to an insider threat.

19
00:00:49.590 --> 00:00:53.400
Attribution in cybersecurity enables an organization

20
00:00:53.400 --> 00:00:55.200
to identify the source

21
00:00:55.200 --> 00:00:59.190
or actor behind a security breach or incident.

22
00:00:59.190 --> 00:01:02.040
When an incident is linked to an insider,

23
00:01:02.040 --> 00:01:04.950
the term insider threat is used.

24
00:01:04.950 --> 00:01:06.750
An insider threat occurs

25
00:01:06.750 --> 00:01:09.750
when an individual within the organization,

26
00:01:09.750 --> 00:01:12.510
such as an employee, contractor,

27
00:01:12.510 --> 00:01:14.220
or trusted business partner,

28
00:01:14.220 --> 00:01:16.980
compromises the organization's security,

29
00:01:16.980 --> 00:01:20.130
either intentionally or unintentionally.

30
00:01:20.130 --> 00:01:24.420
This type of threat can range from accidental data exposure

31
00:01:24.420 --> 00:01:26.040
due to negligence

32
00:01:26.040 --> 00:01:28.860
to a deliberate attack with malicious intent.

33
00:01:28.860 --> 00:01:31.230
Recognizing that the threat originates

34
00:01:31.230 --> 00:01:33.450
from within the organization

35
00:01:33.450 --> 00:01:36.150
is critical to tailoring the response

36
00:01:36.150 --> 00:01:39.150
and strengthening internal security measures.

37
00:01:39.150 --> 00:01:42.450
Attribution to an insider threat involves gathering

38
00:01:42.450 --> 00:01:44.160
and analyzing evidence

39
00:01:44.160 --> 00:01:46.470
that demonstrates the threat originated

40
00:01:46.470 --> 00:01:49.410
from someone inside the organization.

41
00:01:49.410 --> 00:01:53.100
This evidence can help distinguish between an intentional

42
00:01:53.100 --> 00:01:55.170
and unintentional threat.

43
00:01:55.170 --> 00:01:58.680
For instance, access logs can reveal patterns

44
00:01:58.680 --> 00:02:00.600
of suspicious activity,

45
00:02:00.600 --> 00:02:02.640
such as accessing files

46
00:02:02.640 --> 00:02:05.730
outside the individual's typical role,

47
00:02:05.730 --> 00:02:07.830
or during unusual hours.

48
00:02:07.830 --> 00:02:12.420
So if an employee in finance accesses files specific

49
00:02:12.420 --> 00:02:16.290
to research and development, it may raise a red flag.

50
00:02:16.290 --> 00:02:20.430
In this way, logs form an important piece of evidence

51
00:02:20.430 --> 00:02:23.070
in confirming that the activity is indeed

52
00:02:23.070 --> 00:02:24.930
from within the organization,

53
00:02:24.930 --> 00:02:28.650
and in determining whether the activity was intentional

54
00:02:28.650 --> 00:02:30.300
or unintentional.

55
00:02:30.300 --> 00:02:34.350
Detecting insider threats requires a blend of tools

56
00:02:34.350 --> 00:02:38.670
and methods focused on both technical and physical security.

57
00:02:38.670 --> 00:02:42.360
Many companies use behavioral analytics software,

58
00:02:42.360 --> 00:02:45.390
like Splunk User Behavior Analytics,

59
00:02:45.390 --> 00:02:50.390
or Exabeam to track user activity and identify anomalies.

60
00:02:50.610 --> 00:02:53.310
This software establishes a baseline

61
00:02:53.310 --> 00:02:55.980
for each user's regular activity,

62
00:02:55.980 --> 00:02:58.080
and then flags deviations,

63
00:02:58.080 --> 00:03:02.280
such as accessing sensitive files outside work hours,

64
00:03:02.280 --> 00:03:04.950
or copying large volumes of data.

65
00:03:04.950 --> 00:03:08.850
Additionally, monitoring software like Teramind

66
00:03:08.850 --> 00:03:12.330
or ActivTrak can capture keystrokes, emails,

67
00:03:12.330 --> 00:03:14.010
and web activity,

68
00:03:14.010 --> 00:03:17.880
providing further insight into an insider's actions.

69
00:03:17.880 --> 00:03:20.940
So by cross-referencing these data points,

70
00:03:20.940 --> 00:03:24.060
an organization can build a clearer picture

71
00:03:24.060 --> 00:03:26.370
of potentially harmful activities,

72
00:03:26.370 --> 00:03:30.900
and better attribute the source of any suspicious behavior.

73
00:03:30.900 --> 00:03:35.010
Next, physical security measures also play a role

74
00:03:35.010 --> 00:03:37.620
in identifying insider threats.

75
00:03:37.620 --> 00:03:39.960
For instance, security cameras

76
00:03:39.960 --> 00:03:42.840
and access control systems can log

77
00:03:42.840 --> 00:03:47.070
and record physical movements within restricted areas.

78
00:03:47.070 --> 00:03:49.470
If an employee is frequently seen

79
00:03:49.470 --> 00:03:53.310
entering a restricted data center without a clear need,

80
00:03:53.310 --> 00:03:56.280
it could indicate suspicious behavior.

81
00:03:56.280 --> 00:04:00.300
Also, badge systems can track who enters specific areas

82
00:04:00.300 --> 00:04:02.010
of a building and when,

83
00:04:02.010 --> 00:04:03.750
allowing security teams

84
00:04:03.750 --> 00:04:07.950
to correlate these records with digital access logs

85
00:04:07.950 --> 00:04:10.860
to identify suspicious entries.

86
00:04:10.860 --> 00:04:12.600
Combining these physical

87
00:04:12.600 --> 00:04:16.260
and technical records creates a comprehensive view

88
00:04:16.260 --> 00:04:18.180
of an insider's activity,

89
00:04:18.180 --> 00:04:22.350
making it easier to attribute actions to an individual

90
00:04:22.350 --> 00:04:24.180
and assess intent.

91
00:04:24.180 --> 00:04:27.660
Finally, an absolutely critical aspect

92
00:04:27.660 --> 00:04:30.690
of managing insider threats is ensuring

93
00:04:30.690 --> 00:04:34.950
that the organizational offboarding process is secure

94
00:04:34.950 --> 00:04:36.480
and effective.

95
00:04:36.480 --> 00:04:40.350
This is because if the offboarding process is incomplete

96
00:04:40.350 --> 00:04:41.580
or ineffective,

97
00:04:41.580 --> 00:04:45.300
former employees may still pose an insider threat

98
00:04:45.300 --> 00:04:46.830
by accessing systems

99
00:04:46.830 --> 00:04:50.550
or data they are no longer authorized to view.

100
00:04:50.550 --> 00:04:53.730
For example, if an employee leaves the company

101
00:04:53.730 --> 00:04:56.640
but retains access to sensitive systems,

102
00:04:56.640 --> 00:05:00.690
they could inadvertently or intentionally cause harm.

103
00:05:00.690 --> 00:05:05.220
So ensuring that credentials are deactivated promptly

104
00:05:05.220 --> 00:05:08.430
and that all associated access points,

105
00:05:08.430 --> 00:05:13.140
such as VPN access, cloud services, and email accounts,

106
00:05:13.140 --> 00:05:16.710
are fully revoked helps mitigate this risk

107
00:05:16.710 --> 00:05:20.970
and prevent potential breaches by former employees.

108
00:05:20.970 --> 00:05:23.640
Additionally, removing any permissions

109
00:05:23.640 --> 00:05:25.590
for remote desktop connections,

110
00:05:25.590 --> 00:05:28.830
disabling multifactor authentication tokens,

111
00:05:28.830 --> 00:05:31.560
and securing physical access points,

112
00:05:31.560 --> 00:05:34.950
like badge access to the building or secure areas,

113
00:05:34.950 --> 00:05:37.650
closes off any remaining avenues

114
00:05:37.650 --> 00:05:39.750
through which a former employee

115
00:05:39.750 --> 00:05:42.300
could still access sensitive data.

116
00:05:42.300 --> 00:05:46.740
This comprehensive offboarding process reduces the risk

117
00:05:46.740 --> 00:05:48.600
of unauthorized access,

118
00:05:48.600 --> 00:05:51.720
and strengthens security post-employment.

119
00:05:51.720 --> 00:05:55.500
Ultimately, once an insider threat is identified,

120
00:05:55.500 --> 00:05:58.200
organizations need to respond swiftly

121
00:05:58.200 --> 00:06:00.000
to prevent further risk.

122
00:06:00.000 --> 00:06:04.620
This may involve restricting access, conducting interviews,

123
00:06:04.620 --> 00:06:09.120
or taking legal action if malicious intent is confirmed.

124
00:06:09.120 --> 00:06:10.710
So understanding

125
00:06:10.710 --> 00:06:15.030
that the threat originated internally allows organizations

126
00:06:15.030 --> 00:06:18.720
to adjust security policies, enhance monitoring,

127
00:06:18.720 --> 00:06:22.530
and reduce the risk of similar incidents in the future.

128
00:06:22.530 --> 00:06:24.630
Through proper attribution,

129
00:06:24.630 --> 00:06:28.290
organizations can safeguard sensitive information,

130
00:06:28.290 --> 00:06:33.270
maintain trust, and create a more secure work environment.

131
00:06:33.270 --> 00:06:35.190
So remember,

132
00:06:35.190 --> 00:06:38.580
attribution is about identifying the source

133
00:06:38.580 --> 00:06:40.290
of a security incident,

134
00:06:40.290 --> 00:06:43.110
especially when it involves an insider

135
00:06:43.110 --> 00:06:45.300
within the organization.

136
00:06:45.300 --> 00:06:49.410
Insider threats can occur due to either intentional

137
00:06:49.410 --> 00:06:53.550
or accidental actions by employees, contractors,

138
00:06:53.550 --> 00:06:56.130
or other trusted individuals.

139
00:06:56.130 --> 00:06:57.690
By analyzing evidence,

140
00:06:57.690 --> 00:07:01.260
like access logs and behavioral patterns,

141
00:07:01.260 --> 00:07:05.520
organizations can determine if the activity was internal,

142
00:07:05.520 --> 00:07:10.020
and whether it was caused by negligence or malicious intent.

143
00:07:10.020 --> 00:07:14.070
This approach helps organizations respond effectively,

144
00:07:14.070 --> 00:07:15.660
strengthen security,

145
00:07:15.660 --> 00:07:19.533
and reduce the risk of similar incidents in the future.

