Insider Threat Playbook¶

Metadata¶

Trigger Conditions¶

Activate this playbook on any of the following:

• [ ] UEBA (User and Entity Behavior Analytics) anomaly score exceeding 80/100
• [ ] DLP alert: mass download of sensitive documents (e.g., >100 files in < 1 hour)
• [ ] After-hours access to sensitive repositories not normally accessed
• [ ] Access from personal device or unmanaged endpoint to sensitive data
• [ ] Email or file upload to personal cloud storage (Google Drive, Dropbox, personal Outlook)
• [ ] Large USB mass storage device write activity
• [ ] Access pattern correlated with resignation notice or HR disciplinary action
• [ ] Privileged user accessing peer data outside their role (lateral browsing)
• [ ] Security tool or logging agent tampered with or disabled by the user
• [ ] Peer report or manager escalation of suspicious behavior

Decision Tree¶

flowchart TD
    A([Insider Threat Trigger]) --> B[STOP — Do not alert subject\nNotify IR Lead only\nOpen confidential incident record]
    B --> C[Preserve all evidence\nSnapshot logs, UEBA score,\nDLP alerts to evidence folder]
    C --> D{Immediate risk?\nOngoing exfiltration\nor safety threat?}
    D -- Yes: Active exfil --> E[Emergency legal consult\nConsider real-time\nDLP block + network throttle\nwithout alerting user]
    D -- No --> F[Convene confidential\nIR + Legal + HR call]
    E --> F
    F --> G[Determine investigation scope:\nDigital only, or physical access too?]
    G --> H[Covert investigation phase\nForensics, log analysis,\nemail review with legal approval]
    H --> I{Sufficient evidence\nfor action?}
    I -- Yes --> J{Criminal activity\nor civil/HR matter?}
    I -- No --> K[Continue monitoring\nweekly IR + Legal sync]
    J -- Criminal --> L[Law enforcement referral\npreserve chain of custody\ndo not terminate yet\ncoordinate with FBI]
    J -- HR / Civil --> M[Coordinated termination:\nSimultaneous physical +\nlogical access revocation]
    L --> N([Post-Incident: Policy\nAccess review\nUEBA retraining])
    M --> N

Legal Considerations¶

Employee Privacy Rights¶

Legal Hold Requirements¶

• [ ] Issue legal hold immediately — do not allow auto-deletion of email, chat logs, or backup rotation
• [ ] Notify IT and records management to preserve all data for the subject
• [ ] Document scope of legal hold in writing with counsel
• [ ] Preserve data for minimum 90 days pending investigation outcome

# Microsoft 365 — Place mailbox on Litigation Hold
Set-Mailbox -Identity "subject.employee@company.com" `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 180 `
    -LitigationHoldOwner "IR Team - Case: INC-XXXX"
Write-Host "[$(Get-Date -Format u)] Litigation hold placed on mailbox."

# Place Teams / SharePoint content on hold via Compliance Center
# Security & Compliance > Content Search > Create eDiscovery Hold
# Scope: user mailbox + OneDrive + Teams messages

HR Involvement Protocol¶

• [ ] HR VP/Director informed via secure, in-person or encrypted channel — not Slack
• [ ] HR reviews employment contract, NDA, acceptable use policy applicability
• [ ] HR advises on whether subject is protected class or on FMLA/ADA accommodation
• [ ] HR prepares separation documents for coordinated termination if evidence is sufficient
• [ ] HR coordinates with manager — manager must not be informed if they are involved

Evidence Preservation¶

Chain of Custody Requirements¶

• [ ] All evidence stored in write-protected, access-logged evidence repository
• [ ] Hash all evidence files at time of collection: sha256sum evidence_file > evidence_file.sha256
• [ ] Document: who collected, when, from which system, using what tool
• [ ] Evidence access restricted to IR Lead, Legal Counsel, and named investigators
• [ ] Do not share with HR or management until legal review is complete

Endpoint Evidence Collection¶

# Live forensic collection (if endpoint is accessible) — use forensic tooling
# Preferred: use trusted forensic agent (Velociraptor, CrowdStrike RTR, or bootable forensic image)

# Collect with CrowdStrike Real Time Response (RTR)
# Connect to host: crowdstrike-rtr connect <DEVICE_ID>

# Memory capture (critical — contains decrypted files, credentials, browser sessions)
# winpmem_mini_x64.exe /o memory_$(hostname)_$(date +%Y%m%d).raw

# Collect key artifacts
zip -r endpoint_artifacts_$(date +%Y%m%d).zip \
  "$USERPROFILE/AppData/Roaming/Microsoft/Windows/Recent/" \
  "$USERPROFILE/AppData/Local/Microsoft/Windows/WebCache/" \
  "$USERPROFILE/AppData/Roaming/Mozilla/Firefox/Profiles/" \
  "$USERPROFILE/AppData/Local/Google/Chrome/User Data/Default/History"

# Generate hash
sha256sum endpoint_artifacts_$(date +%Y%m%d).zip > endpoint_artifacts.sha256

Log Sources to Preserve¶

Investigation Phases¶

Phase 1 — Digital Forensics (Covert)¶

• [ ] Pull UEBA timeline: all anomalous events for subject, 90-day lookback
• [ ] Pull DLP event log: all data movement events, including blocked and allowed
• [ ] Pull AD access logs: logon/logoff times, privileged access events, group membership changes
• [ ] Pull file access audit log on sensitive repositories (SharePoint, NAS, S3)
• [ ] Review endpoint USB/device activity (Windows Event Log 4663, 20001)
• [ ] Review print queue logs
• [ ] Review web proxy logs for personal cloud storage uploads (Dropbox, WeTransfer, OneDrive personal)

Phase 2 — Email Review (Legal Approval Required)¶

# M365 — Run eDiscovery Content Search (requires legal hold in place)
# Security & Compliance Center > Content Search > New Search
# Scope: subject mailbox + sent items + deleted items
# Keywords: "confidential","proprietary","resume","offer letter","take with me","download","backup"

# Export results to encrypted PST
# Document search parameters, date/time, and reviewer identity

Phase 3 — Access Log Analysis¶

# M365 Unified Audit Log — all activity by subject in last 90 days
Search-UnifiedAuditLog `
    -UserIds "subject.employee@company.com" `
    -StartDate (Get-Date).AddDays(-90) `
    -EndDate (Get-Date) `
    -ResultSize 5000 |
    Export-Csv "subject_audit_log_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Focus queries: file downloads, external sharing, forwarding rules, Teams exports
Search-UnifiedAuditLog `
    -UserIds "subject.employee@company.com" `
    -Operations "FileDownloaded","FileSyncDownloadedFull","SharingSet","AddedToSecureLink" `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -ResultSize 5000 |
    Export-Csv "subject_file_exfil_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Decision Gate: Criminal Referral vs. HR Action vs. Rehabilitation¶

Coordinated Termination Procedure¶

Day-of Termination Sequence (T = HR meeting start time)¶

T-24h:  IT prepares termination scripts. Legal reviews and approves. Physical Security briefed.
T-1h:   IR Lead, HR, Physical Security, and IT on standby bridge.
T+0:    HR begins termination meeting with subject.
T+0:    IT executes account disable simultaneously (coordinated signal from HR).
T+0:    Physical Security accompanies subject — no unescorted access.
T+5min: Verify all access disabled: AD, VPN, cloud, SaaS apps, physical badge.
T+30min: Change all shared passwords and service accounts the subject knew.
T+1h:   Collect company equipment (laptop, phone, tokens, access cards).
T+2h:   Complete evidence preservation of subject's final session.

Account Termination Script:

$subject = "subject.employee@company.com"
$adUser  = "subject.employee"

# Disable AD account
Disable-ADAccount -Identity $adUser
Write-Host "[$(Get-Date -Format u)] AD account disabled"

# Revoke M365 sessions
Revoke-MgUserSignInSession -UserId $subject
Write-Host "[$(Get-Date -Format u)] M365 sessions revoked"

# Disable M365 account
Set-MgUser -UserId $subject -AccountEnabled $false

# Remove from all security groups (except for evidence preservation)
# NOTE: Do NOT remove from groups until evidence collection is complete

# Change all distribution group ownership if subject was owner
# Remove admin roles
$roles = Get-MgUserAppRoleAssignment -UserId $subject
Write-Host "Review and remove $($roles.Count) app role assignments manually."

Post-Incident Actions¶

Access Review¶

• [ ] Conduct access review of all systems the subject had access to
• [ ] Review whether any other employees have inappropriate similar access
• [ ] Validate separation of duties controls
• [ ] Audit service accounts the subject managed or knew credentials for

Policy Updates¶

• [ ] Review DLP policy thresholds — were they set appropriately?
• [ ] Update acceptable use policy if gaps were identified
• [ ] Implement or enhance USB/removable media controls
• [ ] Review and tighten personal cloud storage blocking rules

UEBA Model Retraining¶

• [ ] Feed confirmed insider threat IOCs into UEBA model as positive training examples
• [ ] Review and update behavioral baselines for similar roles
• [ ] Add new detection rules based on observed TTPs

Legal and Privacy Checklist¶

• [ ] Legal hold issued before any investigation activity
• [ ] Legal counsel briefed and approving all monitoring steps
• [ ] HR involvement confirmed and appropriately scoped
• [ ] Employee privacy policy reviewed — monitoring is within disclosed scope
• [ ] Works council / union notification made (if applicable — EU)
• [ ] All evidence hashed and chain of custody documented
• [ ] Access to investigation materials restricted to named individuals
• [ ] Criminal referral decision made and documented (FBI / local law enforcement)
• [ ] Civil litigation hold maintained (even after termination) if legal action anticipated
• [ ] Post-termination: check for subject accessing company systems via residual tokens or shared accounts
• [ ] Lessons learned documented — no subject-identifying detail in general distribution