Playbook: Spot Insider Threats Automatically

In security, we tend to think of external actors, though the internal threat can also be significant.  The stats from this recent Deloitte study are alarming:




Many of of the Playbooks we’ve showcased in our library have focused on issues like malware, phishing, or other external problems.  Playbooks can also be written to address internal threats.

The Deloitte study shows that more than half of all employees leaving an organization take sensitive data with them.  The following are warning signs that an employee might leave:

  • Frequent external/personal recipients
  • Change in time to respond to manager
  • Change in volume of email sent (up or down)
  • Increase in visits to job search sites
  • Increase in access to personal email sites
  • Visits to cloud/file share sites
  • Bursts in printing on weekends and holidays
  • Decrease in visits to corporate apps; increase in leisure sites
  • Changes in work hours (up or down)

You could develop a Playbook that profiles the “Potential Leavers” based on monitoring for the warning signs.  For example, for a deviation in work hours you might calculate hours/changes, then enrich with what’s being done in the extra anomalous hours using data from Active Directory, the endpoint product, proxies, print-job details, etc.

Automating this process in Phantom has several benefits including reducing the time to execution from minutes or hours down to seconds, as well as ensuring the process is handled accurately and consistently every time.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.

CP Morey

Posted by


Show All Tags
Show Less Tags