detecting-insider-threat-behaviors

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Detecting Insider Threat Behaviors

检测内部威胁行为

When to Use

使用场景

When proactively hunting for indicators of detecting insider threat behaviors in the environment
After threat intelligence indicates active campaigns using these techniques
During incident response to scope compromise related to these techniques
When EDR or SIEM alerts trigger on related indicators
During periodic security assessments and purple team exercises

主动在环境中排查内部威胁行为指标时
威胁情报显示存在使用此类技术的活跃攻击活动后
针对与此类技术相关的入侵范围进行事件响应时
EDR或SIEM触发相关指标告警时
定期安全评估和紫队演练期间

Prerequisites

前提条件

EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
Sysmon deployed with comprehensive configuration
Windows Security Event Log forwarding enabled
Threat intelligence feeds for IOC correlation

具备进程和网络遥测功能的EDR平台（CrowdStrike、MDE、SentinelOne）
已接入相关日志数据的SIEM（Splunk、Elastic、Sentinel）
已部署并配置完善的Sysmon
已启用Windows安全事件日志转发
用于IOC关联的威胁情报源

Workflow

工作流程

Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
Validate Findings: Distinguish true positives from false positives through contextual analysis.
Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
Document and Report: Record findings, update detection rules, and recommend response actions.

提出假设：基于威胁情报或ATT&CK差距分析，定义可验证的假设。
确定数据源：确定验证或推翻假设所需的日志和遥测数据。
执行查询：在SIEM和EDR平台上运行检测查询，收集相关事件。
分析结果：检查查询结果中的异常情况，跨多个数据源进行关联分析。
验证发现：通过上下文分析区分真阳性和假阳性。
关联活动：将发现与更广泛的攻击链和威胁行为者TTPs关联起来。
记录与报告：记录发现内容，更新检测规则，并提出响应行动建议。

Key Concepts

核心概念

Concept	Description
T1078	Valid Accounts
T1530	Data from Cloud Storage Object
T1567	Exfiltration Over Web Service

Concept	Description
T1078	Valid Accounts
T1530	Data from Cloud Storage Object
T1567	Exfiltration Over Web Service

Tools & Systems

工具与系统

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and threat detection
Microsoft Defender for Endpoint	Advanced hunting with KQL
Splunk Enterprise	SIEM log analysis with SPL queries
Elastic Security	Detection rules and investigation timeline
Sysmon	Detailed Windows event monitoring
Velociraptor	Endpoint artifact collection and hunting
Sigma Rules	Cross-platform detection rule format

Tool	Purpose
CrowdStrike Falcon	EDR遥测与威胁检测
Microsoft Defender for Endpoint	使用KQL进行高级威胁狩猎
Splunk Enterprise	使用SPL查询进行SIEM日志分析
Elastic Security	检测规则与调查时间线
Sysmon	详细Windows事件监控
Velociraptor	终端工件收集与威胁狩猎
Sigma Rules	跨平台检测规则格式

Common Scenarios

常见场景

Scenario 1: Employee downloading bulk files before resignation
Scenario 2: IT admin accessing HR data outside job function
Scenario 3: Service account used for unauthorized data queries
Scenario 4: Contractor copying source code to personal cloud storage

场景1：员工离职前下载批量文件
场景2：IT管理员访问超出工作职责范围的HR数据
场景3：服务账号被用于未授权的数据查询
场景4：承包商将源代码复制到个人云存储

Output Format

输出格式

Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]

Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1078
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]