As I reflect on my early days learning about digital forensics and incident response, I recall a particularly challenging experience that had an impact on my approach to threat hunting. It was during a SANS FOR500 course where we were presented with a case involving a missing person’s laptop hard drive. The capstone task was: analyze the device and determine what happened to the individual.
I froze, overwhelmed by the number of techniques I learned and knew, but didn’t know how to apply. However, this experience taught me the importance of frameworks in analysis. If only I had a clear framework to follow, I would have been more confident and effective in my analysis.
That’s why I created the PRECEED framework, an acronym that represents a model designed to help threat hunters understand and stop insider threats. By categorizing activities into seven phases – Pivot Point, Reconnaissance, Evasion (Pre-Exfiltration), Collection, Exfiltration, Evasion (Post-Exfil) and Damage – we can develop a proactive approach to identify potential insider threats.
Understanding the PRECEED Framework
The PRECEED framework offers a structured approach to insider threat hunting, ensuring that you don’t miss critical indicators throughout the incident. Here’s how each element fits into the model:
- Pivot Point: This marks the beginning of the malicious activity sequence. It could be triggered by recruitment from a foreign nation-state, bribery, or negative interactions with managers.
- Reconnaissance: An insider may start exploring internal systems to gather sensitive information or identify methods for data extraction.
- Evasion (Pre-Exfiltration): Within the PRECEED framework, there are two phases of evasion. Pre-exfiltration Evasion involves avoiding security controls to aggregate and exfiltrate data.
- Collection: The insider is actively moving or downloading data in preparation for exfiltration.
- Exfiltration: This phase involves removing data from the environment, possibly by uploading it to a website, printing the information, or transferring it to a removable storage device.
- Evasion (Post-Exfiltration): This phase focuses on covering tracks and deleting evidence (e.g. downloading and executing CCleaner).
- Damage: We won’t focus our hunting efforts on the final phase of the insider threat incident because if you get to this phase, the insider threat has achieved their actions on objective and the incident has been discovered.
The PRECEED framework is more than just a model – it’s a tool that empowers you with confidence and expertise in threat hunting. By leveraging its structure, you can identify potential threats earlier, contain them faster, and ultimately prevent data breaches and other security incidents.