
Insider Threat

  • brencronin
  • Nov 26, 2024
  • 6 min read

Updated: Mar 25

  • TSMC employees reportedly stole 2nm trade secrets to share with Rapidus — accused are said to have shared 'hundreds of process integration technical photos'

  • Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia


Three categories of Insider Threats:


  • Malicious insiders

    • Theft of IP

    • Sabotage

    • Espionage

  • Negligent Insiders

    • Ignoring policy and procedures

    • Falling for phishing or social engineering attacks

    • Misusing or oversharing privileges

  • Accidental insiders

    • Accidental disclosures of sensitive info (e.g., emails, file uploads)

    • Loss of devices

    • Unintentional installation of software



Systematic ethical decisions



Employees who have people problems.




Many corporations block the use of personal applications entirely (e.g., Google, webmail, Dropbox) and add further layers of system monitoring, such as Proofpoint ObserveIT activity recording.



List of some insider threat indicators:


  • Direct correspondence with competitors

  • Email messages with abnormally large attachments or amounts of data

  • Domain Name System (DNS) queries associated with Dark Web activities

  • Use of activity masking tools (e.g., virtual private networks [VPN] or the Onion Router [Tor])

  • Executing offensive tools

  • Executing malware

  • Connecting an unauthorized device to the network

  • Downloading or installing prohibited software

  • Unexpected activity outside of normal working hours

  • Attempts to bypass or disable malware protection tools or security controls

  • Attaching an unidentified device to a workstation (USB, external hard drive)

  • Maintaining access to sensitive data after termination notice

  • Different users attempting to log in from the same workstation or device

  • Lack of log messages or monitoring data

  • Unauthorized modification of centrally stored files

  • Copying large numbers of documents to a local drive

  • Authentication failures or failed login attempts

  • Unauthorized configuration file changes or permission changes

  • Unauthorized database content changes

  • Irresponsible social media habits

  • Unauthorized attempts to escalate permissions or privileges, especially without a need to know

  • Attempting to print or copy protected or restricted documents

  • Abnormally large number of software or operating system errors

  • Insider attempts to access resources not associated with that insider’s normal role

  • User account used from multiple devices

  • Multiple accounts identified for a single user

  • Triggering of key words or phrases in emails, text messages, or phone calls
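To show how a handful of these indicators turn into detection logic, here is an added example in Python; it is not code from the original post. It runs five checks over a small set of constructed, synthetic log records: activity outside working hours, bulk copies to removable media, different users logging on to one workstation within a short window, one account used from several devices, and repeated failed logons. The record fields (ts, user, host, action, copied), the business-hours window and every threshold are assumptions chosen for the example, not values from the post.

```python
"""Point-indicator checks over constructed endpoint logs.

Added example for this post, not code from the original page. The record
layout, business-hours window and every threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (synthetic, not real telemetry).
# "copied" = number of files written to removable media by a file_copy event.
SAMPLE_EVENTS = [
    {"ts": "2024-11-20T09:12:00", "user": "alice", "host": "WS-101", "action": "logon"},
    {"ts": "2024-11-20T09:15:00", "user": "alice", "host": "WS-101", "action": "file_copy", "copied": 12},
    {"ts": "2024-11-20T23:40:00", "user": "bob", "host": "WS-202", "action": "logon"},
    {"ts": "2024-11-20T23:41:00", "user": "bob", "host": "WS-202", "action": "file_copy", "copied": 850},
    {"ts": "2024-11-20T23:52:00", "user": "carol", "host": "WS-202", "action": "logon"},
    {"ts": "2024-11-21T10:00:00", "user": "bob", "host": "WS-305", "action": "logon"},
    {"ts": "2024-11-21T10:01:00", "user": "dave", "host": "WS-404", "action": "logon_failed"},
    {"ts": "2024-11-21T10:01:30", "user": "dave", "host": "WS-404", "action": "logon_failed"},
    {"ts": "2024-11-21T10:02:00", "user": "dave", "host": "WS-404", "action": "logon_failed"},
]

WORK_START, WORK_END = 7, 19      # assumed business hours, 07:00 to 19:00 local
BULK_COPY_THRESHOLD = 500         # assumed: files per copy to removable media
FAILED_LOGON_THRESHOLD = 3        # assumed: failures per user, host and day
SHARED_HOST_WINDOW_MIN = 30       # assumed: minutes between two users on one host


def parse(events):
    """Attach a datetime ("dt") to each record so the checks can reason about time."""
    return [dict(e, dt=datetime.fromisoformat(e["ts"])) for e in events]


def off_hours(events):
    """Unexpected activity outside normal working hours."""
    return [("off_hours_activity", e["user"], e["host"], e["ts"])
            for e in events if not WORK_START <= e["dt"].hour < WORK_END]


def bulk_removable_copy(events):
    """Large numbers of files copied to a USB or external drive."""
    return [("bulk_removable_copy", e["user"], e["host"], e["ts"])
            for e in events
            if e["action"] == "file_copy" and e.get("copied", 0) >= BULK_COPY_THRESHOLD]


def shared_workstation(events):
    """Different users logging on from the same workstation within a short window."""
    findings, by_host = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["dt"]):
        if e["action"] != "logon":
            continue
        for prev in by_host[e["host"]]:
            minutes_apart = (e["dt"] - prev["dt"]).total_seconds() / 60
            if prev["user"] != e["user"] and minutes_apart <= SHARED_HOST_WINDOW_MIN:
                findings.append(("shared_workstation", prev["user"] + "," + e["user"],
                                 e["host"], e["ts"]))
        by_host[e["host"]].append(e)
    return findings


def multi_device_user(events):
    """One account used from more than one device."""
    hosts = defaultdict(set)
    for e in events:
        if e["action"] == "logon":
            hosts[e["user"]].add(e["host"])
    return [("multi_device_user", user, ",".join(sorted(seen)), "")
            for user, seen in hosts.items() if len(seen) > 1]


def failed_logons(events):
    """Repeated authentication failures, counted per user, host and calendar day."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "logon_failed":
            counts[(e["user"], e["host"], e["dt"].date())] += 1
    return [("failed_logons", user, host, day.isoformat())
            for (user, host, day), n in counts.items() if n >= FAILED_LOGON_THRESHOLD]


def run_checks(raw_events):
    """Run every check and return (indicator, user, host, when) tuples, sorted."""
    events = parse(raw_events)
    findings = []
    for check in (off_hours, bulk_removable_copy, shared_workstation,
                  multi_device_user, failed_logons):
        findings.extend(check(events))
    return sorted(findings)


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_EVENTS):
        print(finding)
```

Each check returns plain (indicator, user, host, when) tuples so the output can be fed to a SIEM or ticketing pipeline as-is. In a real deployment the thresholds are tuned per environment, and the shared-workstation check is scoped to exclude known kiosks and shared machines, otherwise it is the noisiest of the five.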


Tools used by insider threats


Anonymity Tools - VPNs


??????


Anonymity Tools - Browsing


Thanks for pointing out TAILS "The Amnesiac Incognito Live System". I have heard of it but never used it.


"Recently the Afaaq Electronic Foundation (AEF), an arm of the Islamic State who are dedicated to “raising security and technical awareness” among jihadists, published their advice on how to avoid law enforcement surveillance. Their message was broadcast on Telegram, with a message of “Stay calm and use strong encryption”: It provides a focus on the three T’s which cause law enforcement to lose sleep: Tor, Telegram and Tails OS." (Buchanan, 2018).


The TAILS feature to wipe memory seems pretty bullet-proof. The main forensic evidence for live-CD-booted filesystems is gathered through memory analysis, so the TAILS memory wipe adds another hurdle for the investigator: memory would have to be captured while TAILS is still running.


"By automating forensic memory analysis of RAM, Digital Forensics Solutions has provided investigators with a method to completely reconstruct a live CD-booted filesystem. Recovery of the filesystem not only allows for standard forensic process to be followed, including the recovery of all relevant evidence, but it also allows for the evidence obtained and the results gathered to be used in a legal setting. Through the development of the Volatility memory analysis plug-in, the anti-forensics power of live CDs has been greatly diminished, and analysis of these systems is now possible for investigators of all skill levels." (Case, 2011).


To add even more security, TAILS started supporting Secure Boot in 2020.


"However, until today, despite the plethora of security and privacy features it possessed, Tails did not support UEFI Secure Boot setups. Users who wanted to use Tails on a computer had to disable Secure Boot in the computer's BIOS, leaving their devices vulnerable to firmware tampering that could later compromise the communications carried out through Tails. According to the Tails website, work began on adding Secure Boot to Tails six years ago, and starting with Tails 4.5, released yesterday, users can now safely enable Secure Boot and run it alongside Tails, out of the box, without having to do anything or run complicated workarounds." (Cimpanu, 2020)




Microsoft Defender for Endpoint (and the broader Defender XDR stack) does generate alerts aligned to data staging and collection for exfiltration, but they are not always labeled explicitly as “data collection.” Instead, they map to MITRE ATT&CK TA0009 (Collection) and often overlap with Exfiltration (TA0010) behaviors.

In practice, Defender detects this activity through a combination of file aggregation, compression, staging, and abnormal access patterns.

Common Defender Alert Names Related to Data Collection / Staging

Below are representative alert titles you’ll see (exact naming can vary slightly by version, signal source, and tuning):

File Aggregation / Staging

  • Suspicious collection of files for exfiltration

  • Potential data staging activity detected

  • Large number of files accessed or copied in short time

  • Sensitive data accessed by unusual process

Compression / Archiving for Exfiltration

  • Suspicious use of archive utility (7zip, WinRAR, tar)

  • Archive created with high volume of files

  • Possible data exfiltration preparation via compression

Credential / Email / Data Harvesting

  • Unusual access to mailbox data

  • Mass download of files from SharePoint/OneDrive (via Defender for Cloud Apps)

  • Suspicious data access pattern in cloud applications

Command-Line / Tooling Indicators

  • Suspicious command line used for data collection

  • Use of living-off-the-land tools for file discovery and staging

  • Discovery and collection activity from unusual process

Endpoint + Insider Risk Signals

  • Anomalous file access by user

  • Unusual volume of removable media usage

  • Files copied to USB drive in bulk

Important Nuance (Operational Reality)

From a SOC/threat hunting perspective:

  • Defender rarely fires a single “this is data exfil staging” alert in isolation.

  • Instead, you typically correlate:

    • File access spikes

    • Archive creation

    • Network egress

    • User/device anomalies

This is where Advanced Hunting (KQL) and cross-signal correlation (endpoint + identity + cloud) become critical.

Where You’ll See These Signals

  • Endpoint: Defender for Endpoint (DeviceFileEvents, DeviceProcessEvents)

  • Identity: Defender for Identity (abnormal access patterns)

  • Cloud: Defender for Cloud Apps (mass download, OAuth abuse, etc.)

Practical Detection Strategy

If you're engineering detections, you’ll get better fidelity by chaining behaviors rather than relying on alert names alone. For example:

  • File enumeration → archive creation → outbound connection spike

  • Sensitive directory access → compression tool → OneDrive/HTTP upload
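The two chains above can be expressed as one correlation rather than three separate alerts. The following Python is an added example written for this post; it is not code from the original page or from Microsoft, and it does not query Defender. It models three record shapes that only loosely follow the tables named above (DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents), fills them with constructed synthetic rows, and chains sensitive-file enumeration → archive creation → outbound byte spike for the same device and account, each stage within a time window of the previous one. Field names, the archive-tool list, the sensitive path roots and every threshold are assumptions made for the example.

```python
"""Chained-behaviour correlation over constructed endpoint telemetry.

Added example for this post; not code from the original page or from Microsoft.
Record shapes, sample rows, tool list, path roots and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (synthetic). FILE_EVENTS stands in for DeviceFileEvents,
# PROCESS_EVENTS for DeviceProcessEvents and NETWORK_EVENTS for DeviceNetworkEvents;
# the field names are this example's own, not Microsoft's schema.
FILE_EVENTS = (
    # 60 reads of finance documents in two minutes by bob on WS-202, late at night
    [{"ts": datetime.fromisoformat("2024-11-20T23:30:00") + timedelta(seconds=2 * i),
      "device": "WS-202", "account": "bob", "action": "FileRead",
      "path": f"C:\\Finance\\Q4\\report_{i}.xlsx"} for i in range(60)]
    # five routine daytime reads by alice on WS-101 (benign noise)
    + [{"ts": datetime.fromisoformat("2024-11-20T10:00:00") + timedelta(minutes=i),
        "device": "WS-101", "account": "alice", "action": "FileRead",
        "path": f"C:\\Finance\\Q4\\report_{i}.xlsx"} for i in range(5)]
)
PROCESS_EVENTS = [
    {"ts": datetime.fromisoformat("2024-11-20T23:41:00"), "device": "WS-202", "account": "bob",
     "file_name": "7z.exe", "command_line": "7z.exe a C:\\Users\\bob\\stage.7z C:\\Finance\\Q4\\*"},
    {"ts": datetime.fromisoformat("2024-11-20T10:30:00"), "device": "WS-101", "account": "alice",
     "file_name": "7z.exe", "command_line": "7z.exe x C:\\Users\\alice\\Downloads\\sdk.7z"},  # extract, not create
]
NETWORK_EVENTS = [
    {"ts": datetime.fromisoformat("2024-11-20T23:50:00"), "device": "WS-202", "account": "bob",
     "remote_url": "files.example.net", "bytes_sent": 120_000_000},
    {"ts": datetime.fromisoformat("2024-11-20T10:31:00"), "device": "WS-101", "account": "alice",
     "remote_url": "update.example.net", "bytes_sent": 4_000},
]

ARCHIVE_TOOLS = {"7z.exe", "winrar.exe", "rar.exe", "tar.exe"}  # assumed watch-list
SENSITIVE_ROOTS = ("C:\\Finance\\", "C:\\HR\\")                 # assumed sensitive paths
BUCKET_MINUTES = 5                 # file reads are counted per 5-minute bucket
SPIKE_THRESHOLD = 50               # sensitive reads per bucket that count as enumeration
CHAIN_WINDOW = timedelta(hours=1)  # longest allowed gap between consecutive stages
EGRESS_BYTES = 50_000_000          # bytes sent on one connection that count as a spike


def bucket_start(ts):
    """Floor a timestamp to the start of its BUCKET_MINUTES window."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def sensitive_read_spikes(file_events):
    """Stage 1: (device, account, bucket) keys where sensitive-file reads reach SPIKE_THRESHOLD."""
    counts = defaultdict(int)
    for e in file_events:
        if e["action"] == "FileRead" and e["path"].startswith(SENSITIVE_ROOTS):
            counts[(e["device"], e["account"], bucket_start(e["ts"]))] += 1
    return [key for key, n in counts.items() if n >= SPIKE_THRESHOLD]


def archive_creations(process_events):
    """Stage 2: a listed archive tool run with a create verb (assumed: 7z/rar 'a', tar '-c...')."""
    hits = []
    for e in process_events:
        argv = e["command_line"].split()
        creating = len(argv) > 1 and (argv[1] == "a" or argv[1].startswith("-c"))
        if e["file_name"].lower() in ARCHIVE_TOOLS and creating:
            hits.append(e)
    return hits


def egress_spikes(network_events):
    """Stage 3: a single outbound connection that sent at least EGRESS_BYTES."""
    return [e for e in network_events if e["bytes_sent"] >= EGRESS_BYTES]


def correlate(file_events, process_events, network_events):
    """Chain stages 1 -> 2 -> 3 for one device and account, each within CHAIN_WINDOW of the last."""
    findings = []
    archives, egress = archive_creations(process_events), egress_spikes(network_events)
    for device, account, spike_ts in sensitive_read_spikes(file_events):
        for a in archives:
            if (a["device"], a["account"]) != (device, account):
                continue
            if not spike_ts <= a["ts"] <= spike_ts + CHAIN_WINDOW:
                continue
            for n in egress:
                same_actor = (n["device"], n["account"]) == (device, account)
                if same_actor and a["ts"] <= n["ts"] <= a["ts"] + CHAIN_WINDOW:
                    findings.append({"device": device, "account": account,
                                     "enumeration": spike_ts.isoformat(),
                                     "archive": a["ts"].isoformat(),
                                     "egress": n["ts"].isoformat(),
                                     "remote": n["remote_url"]})
    return findings


if __name__ == "__main__":
    for f in correlate(FILE_EVENTS, PROCESS_EVENTS, NETWORK_EVENTS):
        print(f)
```

The same shape carries over to Advanced Hunting: compute the per-bucket file-read spike first, then join the archive process rows and the network egress rows on device and account inside the window, so that a lone archive command or a lone large upload never fires by itself. Note that alice's run of 7z.exe is ignored because the verb is an extraction, and her handful of daytime reads never reaches the enumeration threshold.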




Known Alert Names and Detection Categories Across the Defender Suite

Microsoft Defender for Endpoint (MDE) — endpoint-level collection detections:

  • Suspicious file collection activity detected

  • Files collected into archive using compression utilities (e.g., 7zip, WinRAR, tar used in unusual contexts)

  • Sensitive file access by unusual process

  • Large number of files accessed in short time period

  • Detected suspicious file cleanup commands (post-staging cleanup — documented in Defender for Cloud alerts for Windows)

  • Detected suspicious network activity (covers data moving off-host after staging)

  • Possible credential dumping detected (credential data collection)

  • Detected suspicious named pipe communications (data movement via named pipes)

Microsoft Defender for Cloud Apps (MDCA) — cloud data collection detections:

  • Unusual file download — triggers when a user downloads an unusually high volume of files

  • Unusual file share activity

  • Mass download by a single user

  • Ransomware activity detected (mass file access/modification pattern, which overlaps with staging behavior)

  • Data exfiltration to unsanctioned app

  • Unusual ISP for user combined with download activity

  • Multiple delete activities (sometimes a precursor to covered-track staging)

  • Activity from anonymous IP address with data access

Microsoft Purview / DLP — sensitive data collection:

  • Sensitive information shared externally

  • Unusual volume of sensitive data accessed

  • Insider risk — data theft by departing user

  • Insider risk — data leak by a risky user

  • Unusual volume of sensitive file activity

Microsoft Defender for Identity (MDI) — Active Directory data collection:

  • Reconnaissance using SMB session enumeration

  • User and group membership reconnaissance (LDAP)

  • Network-mapping reconnaissance (DNS)

  • Active Directory attributes reconnaissance using LDAP

  • Security principal reconnaissance (LDAP)

Microsoft Defender for Cloud — server-level:

  • Detected suspicious file cleanup commands (post-collection cleanup)

  • Detected suspicious network activity (staging followed by transfer)

  • Detected possible local reconnaissance activity


References


Buchanan, B. (2018, August). The 3T challenge for digital forensics: Tails, Telegram and Tor. Medium. Retrieved September 10, 2021 from https://medium.com/asecuritysite-when-bob-met-alice/the-3t-challenge-for-digital-forensics-tails-telegram-and-tor-8d800c42af15


Case, A., & Pfeif, D. (2011). Forensic Investigation of Live CDs. Evidence Technology Magazine. Retrieved September 10, 2021 from https://www.evidencemagazine.com/index.php?option=com_content&task=view&id=735&Itemid=50


Cimpanu, C. (2020, April 8). Tails, the security-focused OS, adds support for Secure Boot. ZDNet. Retrieved September 10, 2021 from https://www.zdnet.com/article/tails-the-security-focused-os-adds-support-for-secure-boot/










©2021 by croninity. Proudly created with Wix.com
