Insider threats are unfortunately a real and active threat.

The forensic investigation of a suspected insider follows a different methodology from the classic one used for investigating threat actors.

The main difference between insider jobs and other jobs is that clients usually want a timeline of both the activity around the "malicious action" and also a timeline of "legitimate" activity leading up to, during and after the malicious actions, to remove reasonable doubt that it was somebody else.

For these cases, analysts should *consider* creating TWO timelines depending on the client needs and the nature of the incident:

- One timeline capturing ALL relevant activity showing what the user was actively doing since being identified as an insider.

Why two timelines? Because once an employee is identified as an insider, information access becomes a key concern. During an insider job, artefacts that show system wake/hibernation, or artefacts proving a user opened something on their taskbar, are just as important as the malicious activity itself, depending on the client needs.

Also make sure you take note of any corporate policies the client has, because this might change what you choose to exclude/include in the timelines.
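As an added example that is not from the original post, here is a Python sketch of how the two timelines could be carved out of a single normalised timeline: one window around the suspected malicious action, and one of all activity since the employee was identified, with client-policy source exclusions applied and "context" artefacts (wake/hibernate, taskbar use) tagged so they are not lost among the activity. The sample events, timestamps and keyword list are constructed assumptions, not data from any real case.

```python
from datetime import datetime, timedelta

# Constructed sample of a normalised timeline: (timestamp, source, message).
# None of these events come from a real case; they only illustrate the shape.
SAMPLE_EVENTS = [
    ("2024-03-01T08:55:00", "EVTX", "System resumed from sleep"),
    ("2024-03-01T09:02:00", "EVTX", "Interactive logon: jdoe"),
    ("2024-03-01T09:10:00", "LNK", "Opened Q1_Forecast.xlsx"),
    ("2024-03-01T09:12:00", "Registry", "Removable drive mounted"),
    ("2024-03-01T09:13:00", "MFT", "Q1_Forecast.xlsx written to removable drive"),
    ("2024-03-01T12:00:00", "Registry", "Taskbar item launched: Outlook"),
    ("2024-03-02T07:30:00", "EVTX", "System entered hibernation"),
    ("2024-03-03T09:00:00", "EVTX", "Interactive logon: jdoe"),
    ("2024-03-04T10:00:00", "LNK", "Opened Board_Minutes.docx"),
]

# Artefact phrases treated as "legitimate context" rather than the action itself
# (assumed keyword list; tune it to the client's artefact set).
CONTEXT_KEYWORDS = ("resumed", "sleep", "hibernat", "taskbar")


def _parse(value):
    """Accept either an ISO-8601 string or a datetime."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def tag_event(event):
    """Label an event as 'context' (wake/hibernate, taskbar use) or 'activity'."""
    kind = "context" if any(k in event[2].lower() for k in CONTEXT_KEYWORDS) else "activity"
    return (*event, kind)


def malicious_action_timeline(events, action_time, window_hours=2):
    """Timeline 1: everything within +/- window_hours of the suspected malicious action."""
    centre, window = _parse(action_time), timedelta(hours=window_hours)
    lo, hi = centre - window, centre + window
    ordered = sorted(events, key=lambda e: _parse(e[0]))
    return [tag_event(e) for e in ordered if lo <= _parse(e[0]) <= hi]


def post_identification_timeline(events, identified_at, excluded_sources=()):
    """Timeline 2: ALL activity since the employee was identified as an insider,
    dropping artefact sources the client's corporate policy says to leave out."""
    start = _parse(identified_at)
    ordered = sorted(events, key=lambda e: _parse(e[0]))
    return [tag_event(e) for e in ordered
            if _parse(e[0]) >= start and e[1] not in excluded_sources]


if __name__ == "__main__":
    for row in malicious_action_timeline(SAMPLE_EVENTS, "2024-03-01T09:13:00"):
        print("T1", *row)
    for row in post_identification_timeline(SAMPLE_EVENTS, "2024-03-02T00:00:00", ("LNK",)):
        print("T2", *row)
```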