Just the facts...
The role of security in a non-technology / insider threat related investigation
Part of my responsibilities at my first real security engineering job, was to conduct dispute investigations for an e-commerce auto auction website. Many people would say they didn’t bid on an item hoping to get out of the bid. I hears excuses such as:
Someone hacked my account
An employee bid on it by accident
My cat walked on my keyboard and bid on the item
These disputes were handled by a special department in customer service, so what did the security team have to do with this? Well our role was to provide supporting technical evidence around the incident to allow the department to make a decision. Our role was not to make a judgement, but just provide any metadata about the transaction and user to allow the department to make a decision.
I would have to go collect logs from various sources to and write a narrative (report) that described and summarized all the facts. Some information I would have to collect:
IP Address & Location of current transaction
IP Address & Location of previous transactions (if any)
User-agent of the transaction(s)
Bid history of the item
All of the above will help an investigator or customer support person to answer questions such as:
Did the person have a history of bidding on items from the same computer and location?
Did the person have multiple bids on an item from the same location and device?
Security’s Role In A Non-Security Incident
When there is a vulnerability being exploited, or ransomware, or serious bug bounty we’re on deck leading the security incident. Our role is usually very clear.
However, when the incident is more of an HR incident or an ethical investigation, security’s role is to support the business to make informed decisions. I mean, regardless, this is usually our role anyway.
How security can/should support the business:
Provide technical details and metadata around the incident
Provide all possible options to the business on possible forensics actions available
Provide the business with other examples of similar cases at other companies and potential impact
Some of these cases are related to “Insider Threat” security issues, where the threat actor is an “insider” such as an employee or contractor. Here is a funny, yet very concerning example: Outsourced: Employee Sends Own Job To China; Surfs Web.
If this has been helpful or insightful to you, please share or comment below.