Data Infiltration

ID: S1002

Description: An employee is suspected of taking confidential information or trade secrets from a prior employer and introducing it to internal systems.

An actor may bring unauthorized external intellectual property onto Company “end user” devices (like laptops or desktops). Depending on the time frame under consideration, past devices that the actor no longer actively uses may need to be examined as well.

  • Q1005  What files have ever been on a computer?
  • Q1006  What files are present on a computer?
  • Q1014  What files did the actor open on their computer?
  • Q1027  Are there any sudden changes in the number of files on a device?

Has the actor introduced any ExternalCompany files to Company assets via downloading? F1002

  • Q1001  What files were downloaded using a web browser?
  • Q1008  What programs are installed on a computer?
  • Q1009  What interactions with external cloud storage sites did the actor have using their web browser?
  • Q1015  What syncing activities did external "cloud storage" applications do on a computer?
  • Q1025  What external accounts has the actor used in their web browser?
  • Q1026  What files were downloaded from messaging apps?
  • Q1031  How much network traffic was there to/from a machine?

Has the actor introduced any ExternalCompany files to Company assets via removable storage devices? F1003

  • Q1002  What USB devices were attached to a computer?
  • Q1012  What files were copied from a USB device to a computer?
  • Q1013  What files are present on a USB device?

Are there any indications of communication with ExternalCompany? F1029

An actor may be exchanging information with an external company, commonly via websites or email messages. The following Questions are broad, and the results will need to be filtered for terms related to the external company.

  • Q1020  What pages did web browsers visit?
  • Q1084  What data was uploaded to a website via a web browser?
  • Q1085  What DNS requests have been made from a system?
  • Q1086  What web-based email messages were viewed in a web browser?

Has the actor connected to any ExternalCompany systems? F1030

An actor may be connecting to services or systems associated with ExternalCompany, possibly through a client, a terminal, or a web browser.

  • Q1087  Did the user access any common PaaS/SaaS services?
  • Q1088  Did the user connect to any non-Company systems using the command line?
  • Q1089  Did the user download any Citrix configuration (.ica) files?
  • Q1090  Did the user interact with any git repositories?