Finding The “Why” During Insider Risk Investigations

Insider Risk is a uniquely human problem, and being an effective Insider Risk investigator requires an understanding of those human elements, as well as technical prowess. With this post I’d like to discuss an aspect of this human element — specifically interviews and inquiries conducted during investigations.

As security practitioners, we are often confronted with situations where we need to respond without the luxury of a complete set of facts. Our tools are fairly good at the “who” and “what” of a situation — user X moved a file to removable media, a document was sent via email to this address — but this is rarely enough information. Most often the purpose of insider investigations is the pursuit of the “why” of a situation, and gaining that context usually requires speaking directly with users.

Interactions with the subject of an investigation will often wholly dictate the outcome of that investigation. Once an investigator has compiled as much context as possible from the technical solutions available to them, they are still often left with questions and contextual gaps surrounding the event, making an interview with the subject necessary.

Before going directly to a subject, it may be useful to conduct supporting interviews with others adjacent to that subject. Whether this is needed is context dependent: sometimes circumstances are cut and dried, but often crucial context is missing. Bear in mind that widening the scope of an investigation unnecessarily adds complexity and increases the risk that the subject becomes aware of the investigation before you intend, which is a particular concern where activity may be ongoing. Depending on the event in question and the need for confidentiality, individuals who can bring clarity include Human Resources or Legal partners, departmental peers, the subject’s manager, and the owner or administrator of the application involved. Consider these avenues to add context to an investigation:

  • A subject’s manager can provide background on a subject’s job duties, including what information they would require access to, and how normal workflows proceed.
  • An information owner can explain the sensitivity of a piece of data and its appropriate handling, including the potential consequences of improper access or disclosure.
  • Company legal counsel can help illustrate any legal, regulatory, or reputational damage that could result from a particular activity.
  • Human Resources representatives can provide insight into relevant personnel challenges that supply background or affect the next steps of an investigation.
  • A subject’s coworker may be able to offer context on general process questions. Be careful: asking a peer about specific events may be a breach of confidentiality and could compromise the investigation.

As a general rule, all aspects of an investigation should be treated with the highest level of confidentiality, especially interviews with those outside a subject’s direct chain of command. Impropriety or mishandling of confidential information damages an investigator’s reputation and threatens the organization’s ability to respond to insider risks.

Once as much context as possible has been assembled from technical sources and supporting interviews, the subject may need to be interviewed directly. In these cases it is important to assume positive intent, avoid jumping to conclusions, and avoid being accusatory. The approach, timing, and forum of the interview should all be chosen carefully according to the nature of the event and the risk associated with it. From my experience, here are a few approaches to consider:

  • Should the investigator reach out via an internal messaging application or pick up the phone and call directly? Instant messaging has the advantage of being fast and informal, and is best for a quick question or for setting up a more formal conversation. Judging a subject’s reaction to a question is nearly impossible over text, though, whereas tone of voice and speech patterns on a call can lend additional information.
  • Should a formal or an informal in-person interview (where possible) be considered? Informal chats with subjects, such as dropping by their workstation or approaching them in a common space, can help set a subject at ease. Formally scheduled meetings give the subject time to prepare, which can help or hurt depending on the circumstances, but they do lend weight to an investigation, which can be useful for influencing behavior.
  • Present pandemic circumstances have forced our company to work remotely. How can an investigation process be adapted to remain effective? In-person interviews are the gold standard, but current circumstances will make that kind of interaction difficult for the foreseeable future. Doubling down on video conferencing, screen sharing, and open lines of communication will help minimize disruption to normal investigation processes.
  • Should a third party be present during an interview, such as the subject’s manager, company legal counsel, or another security investigator? Regardless of the seriousness of an investigation, it is prudent to have another person present in case it later comes down to the investigator’s word against the subject’s. Having a manager or legal counsel present can also lend gravity to the proceedings if needed.
  • If a video interview is conducted, should it be recorded? Depending on your jurisdiction, consent from all parties may be required for a recording to be legal, so confirm the requirements with legal counsel before recording. If a recording is not possible for technical or legal reasons, having a third party join the call is a useful substitute. Recordings can also serve as concrete evidence where a subject is asked to take some action in the presence of investigators, such as deleting files from a personal drive.
  • If an interview must be scheduled in advance, how transparent should investigators be about the purpose of the conversation? This is highly situational. Where there is concern that a subject may take additional harmful actions, it may be best to be vague about the purpose. That said, outright deception of a subject can expose the organization to legal risk and toes a moral line that each investigator must judge for themselves.
  • After an interview is completed, what level of documentation and follow-up is required? This is again situational, but in general the more notes collected the better. Making notes as close in time to the actual conversation as possible also aids accurate recall of important details.

While these considerations may be new to some cyber security professionals, they are commonplace to those with law enforcement and behavioral psychology backgrounds. Since insider risk is a human problem at its core, conducting investigations and effective interviews is a mix of art and science. Rigorous investigation and interviewing practices can help mature your organization’s Insider Risk Management process and make it more effective. A number of interviewer trainings are available, but the majority are provided by, and directed toward, law enforcement; even so, they are valuable for security practitioners. Another option we find helpful is benchmarking with Insider Risk practitioners at peer companies. Given present trends, cybersecurity-specific interviewer training will hopefully become more readily available in the near future.

If you enjoyed this post, check out redblue42.com for more content like this.