Flight Risk Printing

Description

This search implements two heuristics to look for indications that a user is a flight risk: print jobs whose filenames look like job-search material (offer letters, resume drafts, interview prep), and that activity recurring across more than one day. Many people print these documents in the work environment, for convenience or because they don't have a printer at home. This search detects when that happens.


Use Case

Insider Threat

Category

Insider Threat

Security Impact

Detecting users who are about to leave, before they give notice, gives you the opportunity to address the concerns of an unhappy employee. It can also help you prevent the exfiltration of sensitive data, which usually happens before an employee gives notice. Printer logs are one place to look for the indications that an employee may be leaving.

Alert Volume

Medium

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration

MITRE ATT&CK Techniques

Exfiltration Over Physical Medium

Kill Chain Phases

Actions on Objectives

Data Sources

User Activity Audit

How to Implement

This search implements two heuristics to look for indications that a user is a flight risk, detailed in the Help section below: a filename match on terms such as resume, interview, or offer letter, and a requirement that the user printed matching files on more than one day. While most savvy employees keep job-search documents on personal devices and printers, everyone in Security has some story of employees who don't.

Known False Positives

This search will innately generate false positives when a user prints an old copy of their resume for a new boss, or prints a family member's resume, and of course for managers or HR staff who print offer letters as part of their explicit job duties. While you can attempt to build correlation searches that tune out those false positives (e.g., alert only when the user printing an offer letter is not in HR and is not the hiring manager for any open position), that is practically very difficult. It is more common to use a flight risk alert as one signal to correlate with other risky events, such as data exfiltration alerts coming from your DLP or UEBA systems.

How To Respond

You should generally not act on the results of this search directly. Instead, correlate them with other risky events via the Risk Framework in Enterprise Security (ES) or the Threat Models in User Behavior Analytics (UBA).

Help

Flight Risk Printing Help

This example leverages the simple search assistant. Our dataset is an anonymized collection of printer logs.

SPL for Flight Risk Printing

Demo Data

First we pull in our demo dataset.
We filter for print jobs that look suspicious based on the filename. Here we're looking for the terms resume, interview, or offer letter.
Bucket (aliased to bin) allows us to group events based on _time, truncating each _time value to its day so that all of a day's events share the same value.
Next, we count the distinct days on which each user printed a suspicious file, and list those files for convenience.
Finally, we filter for users where we've seen suspicious printing on more than one day.

Live Data

First we pull in our printer dataset. We filter for print jobs that look suspicious based on the filename. Here we're looking for the terms resume, interview, or offer letter.
Bucket (aliased to bin) allows us to group events based on _time, truncating each _time value to its day so that all of a day's events share the same value.
Next, we count the distinct days on which each user printed a suspicious file, and list those files for convenience.
Finally, we filter for users where we've seen suspicious printing on more than one day.
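The walkthrough above (both the demo and live data variants) describes the same four-step pipeline: filename filter, bin by day, count distinct days and collect filenames per user, then keep users seen on more than one day. The following is an added example, not the page's SPL and not Splunk's code, that runs that logic in Python over a handful of constructed printer log lines so you can see exactly which events survive each step. The log line format, the field names (user, printer, file) and the HR exclusion list are assumptions for illustration; it also shows the simple "exclude known HR users" tuning mentioned under Known False Positives.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample printer log lines (not from the page's anonymized dataset).
# Assumed format: ISO timestamp, user=<name> printer=<name> file="<job name>".
SAMPLE_LOGS = """\
2023-03-01T09:12:44 user=jsmith printer=HQ-3F-01 file="Q1 budget.xlsx"
2023-03-01T12:03:10 user=jsmith printer=HQ-3F-01 file="jsmith_resume_v3.docx"
2023-03-03T17:48:02 user=jsmith printer=HQ-3F-02 file="Interview Prep - Acme.pdf"
2023-03-03T17:50:31 user=jsmith printer=HQ-3F-02 file="Offer Letter - Acme.pdf"
2023-03-02T10:00:00 user=mjones printer=HQ-2F-01 file="nephew resume.docx"
2023-03-04T08:30:00 user=hrlee printer=HQ-1F-01 file="Offer letter - Candidate A.pdf"
2023-03-05T08:31:00 user=hrlee printer=HQ-1F-01 file="offer_letter_candidate_b.pdf"
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) printer=(\S+) file="([^"]*)"$')

# Step 1 (assumed wording of the search's filename filter): the three terms the
# walkthrough names. "offer letter" also matches offer_letter / offer-letter.
SUSPICIOUS_RE = re.compile(r"resume|interview|offer[ _-]?letter", re.IGNORECASE)


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, printer, fname = m.groups()
        yield {"_time": datetime.fromisoformat(ts), "user": user,
               "printer": printer, "file": fname}


def flight_risk_printing(log_text, min_days=2, exclude_users=()):
    """Return {user: {"dc_day": n, "files": [...]}} for users who printed
    suspicious-looking files on at least min_days distinct days.

    Rough SPL shape this mirrors (field names assumed, not the page's search):
      ... | search file IN (*resume*, *interview*, *offer*letter*)
          | bin _time span=1d
          | stats dc(_time) as dc_day values(file) as files by user
          | where dc_day > 1
    """
    per_user = defaultdict(lambda: {"days": set(), "files": set()})
    for ev in parse(log_text):
        # Optional tuning from Known False Positives: drop users whose job is
        # to print offer letters (HR, recruiters). Assumed allowlist.
        if ev["user"] in exclude_users:
            continue
        if not SUSPICIOUS_RE.search(ev["file"]):       # step 1: filename filter
            continue
        day = ev["_time"].date()                        # step 2: bin _time span=1d
        per_user[ev["user"]]["days"].add(day)           # step 3: dc(day) ...
        per_user[ev["user"]]["files"].add(ev["file"])   # ... and values(file)

    results = {}
    for user, agg in per_user.items():
        if len(agg["days"]) >= min_days:                # step 4: where dc_day > 1
            results[user] = {"dc_day": len(agg["days"]),
                             "files": sorted(agg["files"])}
    return results


if __name__ == "__main__":
    for user, hit in flight_risk_printing(SAMPLE_LOGS).items():
        print(f"{user}: {hit['dc_day']} days, files={hit['files']}")
    print("with HR excluded:", list(flight_risk_printing(SAMPLE_LOGS, exclude_users=("hrlee",))))
```

In the sample data, mjones prints a relative's resume once and never surfaces, which is the multi-day heuristic doing its job; hrlee surfaces on the raw heuristic because two offer letters were printed on two days, and only the exclusion list removes that hit. That is the tuning trade-off the Known False Positives section describes: a keyword match on "resume" will also catch filenames like "resumed_project.docx", so treat the output as a risk signal to correlate rather than an alert to act on.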

Screenshot of Demo Data