Flight Risk Web Browsing

Description

This search implements several heuristics that look for indications in web logs that a user is a flight risk, so that a user who may be leaving can be detected before they do.


Use Case

Insider Threat

Category

Insider Threat

Security Impact

Detecting users who are about to leave, before they actually give notice, gives you the opportunity to fix the situation for an unhappy employee, and can also help you prevent the exfiltration of sensitive data (which usually happens before an employee gives notice). Look for the indications that an employee may be leaving by checking proxy logs.

Alert Volume

Medium

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration

Data Sources

Web Proxy

How to Implement

Initial implementation of this search is very straightforward: onboard proxy logs that are compliant with the Common Information Model, and it will work. You should then evaluate how many false positives you get from the different components, and tune as appropriate. Focus your efforts on reducing event volume to a reasonable level, and then feed the results into the ES Risk Framework or the UBA Threat Models.

Known False Positives

This search will innately generate false positives when a user is helping a friend who is job hunting, or interviewing a candidate. While you can attempt to build the correlation searches to tune out some of those false positives (e.g., alert on sustained job hunting browsing for a user who is not in HR and is not the hiring manager for any open positions), that can be practically impossible. It's more common to use a flight risk alert to correlate with other risky events, such as data exfil alerts coming from your DLP or your UEBA systems.

How To Respond

There are several checks being run in this search. Most of these will require some tuning, and they are often best combined with other correlation searches that look for anomalous activities (e.g., data exfiltration).

  • Browsing to Job Hunting Sites over Multiple Days: while recruiters may spend their entire days on job hunting sites, most users will not heavily use job hunting sites.
  • Searching for "Interview Questions": when starting a job hunt, most people will refresh themselves on common interview questions, or look for similar resources. While this could indicate that someone is interviewing a candidate at your company, it can also be a crafty way to detect a flight risk.
  • Browsing to the Top Results for Interview Questions: while most organizations won't be able to introspect Google searches because of their complete implementation of HTTPS with certificate pinning, you can see if users click on the top results for those queries.

You should likely not look at the results of this search directly, but correlate it with other risky events via the Risk Framework in ES or the Threat Models in UBA.

Help

Flight Risk Web Browsing Help

This example leverages the search assistant. Our dataset is an anonymized collection of . For this analysis, we are .

SPL for Flight Risk Web Browsing

Demo Data

First we bring in our demo dataset of anonymized proxy events.
Next, we filter to look at just job-search data, which is the PAN categorization used for job search sites.
Next, we count the number of distinct days on which job hunting occurred for each user.
Finally, we filter for users where we've seen job hunting on multiple days.

Live Data

First we bring in our dataset of proxy events, filtered to just proxy activity.
Next, we count the number of distinct days on which job hunting occurred for each user.
Finally, we filter for users where we've seen job hunting on multiple days.
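The logic of the Demo Data and Live Data walkthroughs above, together with the "Interview Questions" check from the How To Respond list, expressed as an added Python example rather than the page's own SPL. The proxy events, field names (user, _time, category, url) and the job-search and search-engines category values are constructed here to mimic CIM-style web proxy data and are assumptions, not taken from the original.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample of CIM-style web proxy events (not real data).
# Fields loosely follow the Web data model: user, _time, category, url.
PROXY_EVENTS = [
    {"user": "alice", "_time": "2023-03-01T09:12:00", "category": "job-search",
     "url": "https://jobs.example/search?q=analyst"},
    {"user": "alice", "_time": "2023-03-03T13:40:00", "category": "job-search",
     "url": "https://careers.example/listing/123"},
    {"user": "alice", "_time": "2023-03-04T10:05:00", "category": "search-engines",
     "url": "https://search.example/?q=common+interview+questions"},
    {"user": "bob", "_time": "2023-03-01T11:00:00", "category": "job-search",
     "url": "https://jobs.example/"},
    {"user": "bob", "_time": "2023-03-01T11:30:00", "category": "job-search",
     "url": "https://jobs.example/listing/9"},
    {"user": "carol", "_time": "2023-03-02T15:00:00", "category": "search-engines",
     "url": "https://search.example/?q=weather+tomorrow"},
]

INTERVIEW_PHRASE = "interview question"  # also matches "interview questions"


def job_hunting_days(events):
    """Distinct days per user with job-search hits, like `stats dc(date) by user` in SPL."""
    days = defaultdict(set)
    for e in events:
        if e["category"] == "job-search":
            days[e["user"]].add(datetime.fromisoformat(e["_time"]).date())
    return {u: len(d) for u, d in days.items()}


def interview_question_searches(events):
    """Count search-engine requests whose q= parameter mentions interview questions."""
    hits = defaultdict(int)
    for e in events:
        if e["category"] != "search-engines":
            continue
        query = " ".join(parse_qs(urlparse(e["url"]).query).get("q", [])).lower()
        if INTERVIEW_PHRASE in query:
            hits[e["user"]] += 1
    return dict(hits)


def flight_risk_users(events, min_days=2):
    """Users seen job hunting on at least min_days distinct days, with supporting signals."""
    days = job_hunting_days(events)
    searches = interview_question_searches(events)
    return {u: {"job_hunting_days": n, "interview_searches": searches.get(u, 0)}
            for u, n in days.items() if n >= min_days}
```

Note that bob's two hits on the same day do not trigger the multiple-day check, which is the tuning point the walkthrough relies on to suppress one-off browsing.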

Screenshot of Demo Data