Ideology

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Google's Chrome browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Login Data. This file is a JSON file and can be opened in any text editor, such as Notepad. This contains the URL, page title, date added, and date the bookmark was last used.

Google's Chrome browser stores cookies that can reveal valuable insights into user behavior, including login details, session durations, and frequently visited sites.

On Windows, this information is stored in the following location:

C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Network\cookies.

This database file can be opened in software such as DB Browser For SQLite. The ‘cookies' table is of interest to understand recent activity within Chrome.

Google's Chrome browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Google's Chrome browser stores some login data of accessed websites, that can provide the URLs and usernames used for authentication.

On Windows, this information is stored in the following location:

C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Login Data.

This file is a database file and can be opened in software such as DB Browser For SQLite. The ‘logins’ and ‘stats’ tables are of immediate interest to understand saved login data.

The passwords are not visible as they are encrypted. However, the encryption key is stored locally and can be used to decrypt saved passwords. The key is stored in the file C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Local State, which can be read with any text editor, such as Notepad, and searching for the “encrypted_key” value. The tool decrypt_chrome_password.py (referenced) can decrypt the AES-encrypted passwords to plaintext.

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients.

Mozilla's Firefox browser stores the history of accessed websites.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.

Message trace is a feature within Exchange that permits the ability to identify inbound and outbound emails within the organization.

This can be used to see which mailboxes have sent or received emails, the time, the subject line, and recipients.

Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association).

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.