Description: An employee is suspected of taking confidential information or trade secrets from a prior employer and introducing it to internal systems.
Are any ExternalCompany-related files on the actor’s assigned Company assets? F1001
An actor may bring unauthorized external intellectual property onto Company “end user” devices (like laptops or desktops). Depending on the time frame under consideration, past devices that the actor no longer actively uses may need to be examined as well.
- Q1005 What files have ever been on a computer?
- Q1006 What files are present on a computer?
- Q1014 What files did the actor open on their computer?
- Q1027 Are there any sudden changes in the number of files on a device?
Has the actor introduced any ExternalCompany files to Company assets via downloading? F1002
- Q1001 What files were downloaded using a web browser?
- Q1008 What programs are installed on a computer?
- Q1009 What interactions with external cloud storage sites did the actor have using their web browser?
- Q1015 What syncing activities did external "cloud storage" applications do on a computer?
- Q1025 What external accounts has the actor used in their web browser?
- Q1026 What files were downloaded from messaging apps?
- Q1031 How much network traffic was there to/from a machine?
Has the actor introduced any ExternalCompany files to Company assets via removable storage devices? F1003
- Q1002 What USB devices were attached to a computer?
- Q1012 What files were copied from a USB device to a computer?
- Q1013 What files are present on a USB device?
Are there any indications of communication with ExternalCompany? F1029
An actor may be exchanging information with an external company, commonly via websites or email messages. The following Questions are broad, and the results will need to be filtered for terms related to the external company.
- Q1020 What pages did web browsers visit?
- Q1084 What data was uploaded to a website via a web browser?
- Q1085 What DNS requests have been made from a system?
- Q1086 What web-based email messages were viewed in a web browser?
Has the actor connected to any ExternalCompany systems? F1030
An actor may be connecting to services or systems associated with ExternalCompany, possibly through a client, a terminal, or a web browser.
- Q1087 Did the user access any common PaaS/SaaS services?
- Q1088 Did the user connect to any non-Company systems using the command line?
- Q1089 Did the user download any Citrix configuration (.ica) files?
- Q1090 Did the user interact with any git repositories?