
Insider Threat Incident Response Procedures: Complete 2025 Framework for Investigation & Containment

An 81-day average containment time and $17.4M in average annual costs per organization. Master complete insider threat incident response procedures: legally defensible investigation, evidence preservation, forensic analysis, and post-incident recovery, with playbooks for data theft, sabotage, and fraud scenarios.

Insider Risk Index Research Team
January 15, 2025
15 minute read
Tags: incident response, insider threat investigation, digital forensics, evidence preservation, containment procedures, legal compliance, HR investigation, forensic analysis, incident management, crisis response

Key figures

  • Annual cost: $17.4M per organization, up 7.4% from 2023 (Ponemon Institute 2025)
  • Human element: 68% of breaches involve a human factor (Verizon DBIR 2024)
  • Containment time: 81 days on average from detection to containment (Ponemon Institute 2025)
  • Frequency: 13.5 insider events per organization per year

Research-backed intelligence from Verizon DBIR, Ponemon Institute, Gartner, and ForScie Matrix; 1,400+ organizations analyzed; real-world threat patterns; updated August 2025.

The 81-Day Problem: According to the Ponemon Institute 2025 Cost of Insider Threats Report, the average time to contain an insider threat incident is 81 days, nearly three months from detection to resolution. The same report puts the average organization's annual insider threat cost at $17.4 million, covering investigation expenses, business disruption, regulatory fines, and reputational damage, and the cost of an incident rises the longer it runs before containment.

The Real Crisis: A global financial services firm detected unusual file access by a senior database administrator on a Friday afternoon. By Monday morning, the admin had exfiltrated 50,000 customer records and disappeared. The organization spent the next 97 days:

  • Conducting forensic investigation ($450K)
  • Notifying regulators and customers ($280K)
  • Responding to regulatory inquiries and audits ($1.2M)
  • Defending class-action lawsuits ($3.8M)
  • Implementing remediation measures ($950K)
  • Managing public relations crisis ($220K)

Total cost: $6.9 million. The delay in containment—waiting until Monday to act—allowed the insider to complete the exfiltration and cover tracks.

The Reality Check: According to Gartner's 2025 Market Guide for Insider Risk Management (G00805757), only 46% of organizations have documented insider threat incident response procedures. When an incident occurs, ad-hoc response leads to:

  • Evidence destruction (employees accidentally overwrite logs during investigation)
  • Legal non-compliance (GDPR breach notification missed 72-hour deadline)
  • Premature disclosure (suspect alerted before evidence preserved, allowing destruction)
  • Privacy violations (employee surveillance without proper legal authorization)

This comprehensive playbook provides step-by-step procedures for detecting, investigating, containing, and recovering from insider threat incidents while maintaining legal defensibility, employee privacy compliance, and business continuity in 2025.


Executive Summary: Insider Threat Incident Response Procedures

Key Statistics (2025 Data)

Incident Response Performance:

  • 81 days average time to contain insider threat incidents (Ponemon 2025)
  • $17.4 million average annual cost of insider threats per organization
  • Only 46% of organizations have documented insider threat response procedures (Gartner 2025)
  • 72 hours to notify the supervisory authority of a personal data breach under GDPR Article 33, measured from when the organization becomes aware; US state breach laws set their own, generally longer, deadlines
  • 68% of insider incidents involve inadequate evidence preservation (Cybersecurity Insiders 2025)

Response Effectiveness:

  • Organizations with documented playbooks contain incidents 57% faster than those without (Ponemon)
  • 83% of successful prosecutions resulted from proper evidence preservation
  • 91% of regulatory fines related to breach notification failures could have been prevented with proper incident response
  • $847,000 average cost savings for organizations with IR playbooks vs ad-hoc response

Common Response Failures:

  • 42% alert suspect prematurely, allowing evidence destruction
  • 38% fail to preserve volatile evidence (RAM, temporary files)
  • 54% don't involve legal counsel early enough (leads to inadmissible evidence)
  • 61% lack coordination between IT, security, HR, and legal teams
  • 73% fail to document investigation steps (creates legal defensibility issues)

Incident Response Phases

This playbook follows the NIST Incident Response Lifecycle with insider threat-specific adaptations:

1. Preparation (Before Incident)

  • Establish incident response team with defined roles (CISO, legal, HR, forensics)
  • Implement detection capabilities and monitoring infrastructure
  • Document legal authorities and privacy compliance requirements
  • Create evidence preservation and chain-of-custody procedures
  • Develop communication templates for stakeholders, regulators, affected parties

2. Detection and Analysis (0-48 Hours)

  • Identify potential insider threat indicators through monitoring alerts
  • Triage alerts to distinguish true incidents from false positives
  • Conduct preliminary investigation without alerting suspect
  • Assess severity, scope, and business impact
  • Engage incident response team and legal counsel

3. Containment (48-72 Hours)

  • Implement immediate containment to prevent further damage (disable accounts, revoke access, isolate systems)
  • Preserve volatile evidence (RAM dumps, network captures, temporary files)
  • Secure non-volatile evidence (disk images, logs, email archives)
  • Establish chain of custody for all evidence
  • Prevent suspect notification until evidence secured

4. Eradication and Recovery (Days 4-14)

  • Remove insider's unauthorized access and backdoors
  • Restore affected systems and data from clean backups
  • Implement compensating controls to prevent recurrence
  • Validate system integrity before returning to production
  • Monitor for continued malicious activity

5. Post-Incident Activity (Days 15-30)

  • Conduct lessons learned session with incident response team
  • Update policies, procedures, and detection capabilities based on findings
  • Complete any outstanding regulatory reporting (note that the GDPR 72-hour supervisory-authority notification runs from awareness of the breach and must be made during detection or containment, not deferred to this phase; state breach laws set their own deadlines)
  • Notify affected parties (customers, employees, partners) once the scope of compromised data is confirmed
  • Pursue legal remedies (civil lawsuit, criminal prosecution, insurance claim)

Part 1: Preparation - Building Incident Response Capability

1.1 Insider Threat Incident Response Team (ITIRT)

Core Principle: Insider threat incidents require coordination across technical, legal, HR, and business functions. Siloed response fails.

Team Structure

ITIRT Core Members (Activated for All Incidents):

1. ITIRT Lead (CISO or Security Director)

  • Role: Overall incident command and coordination
  • Responsibilities:
    • Declare incident and activate ITIRT
    • Coordinate team activities and communication
    • Make containment and remediation decisions
    • Brief executive leadership and board of directors
    • Interface with law enforcement if criminal referral required
  • Authority: Decision-making authority for technical containment measures (disable accounts, isolate systems)

2. Digital Forensics Investigator (Internal or External)

  • Role: Evidence collection, preservation, and analysis
  • Responsibilities:
    • Collect and preserve digital evidence (disk images, RAM dumps, logs, network captures)
    • Maintain chain of custody for all evidence
    • Conduct forensic analysis to determine what, when, how, and by whom
    • Prepare forensic reports for legal proceedings
    • Testify as expert witness if litigation ensues
  • Authority: Full access to all systems and data relevant to investigation (with legal authorization)

3. Legal Counsel (In-House or External Attorney)

  • Role: Legal guidance and privilege protection
  • Responsibilities:
    • Provide legal analysis of incident (criminal, civil, regulatory implications)
    • Ensure investigation complies with employment law, privacy law, evidence rules
    • Establish attorney-client privilege for investigation (protect from discovery in litigation)
    • Advise on notification obligations (GDPR, breach notification laws, contractual obligations)
    • Coordinate with external counsel and law enforcement
  • Authority: Directs investigation to maintain attorney-client privilege; can halt activities that create legal risk

4. Human Resources Representative

  • Role: Employment and personnel matters
  • Responsibilities:
    • Review suspect's employment history, performance reviews, disciplinary records
    • Coordinate suspect interview (if conducted)
    • Advise on employment law compliance (wrongful termination, discrimination, privacy)
    • Implement personnel actions (suspension, termination, reassignment)
    • Manage internal communications to employees (without jeopardizing investigation)
  • Authority: Authority over personnel actions (suspension, termination)

5. Business Unit Representative (Manager or Director)

  • Role: Business context and operational impact
  • Responsibilities:
    • Provide business context (what data was accessed? what is its value? who else has access?)
    • Assess operational impact (business disruption, customer impact, revenue loss)
    • Coordinate business continuity measures
    • Identify affected customers, partners, or stakeholders
    • Support communication to business stakeholders
  • Authority: Decision-making authority for business continuity measures (shift responsibilities, reassign work)

ITIRT Extended Members (Activated as Needed):

6. Privacy Officer / Data Protection Officer (DPO)

  • When Activated: Incidents involving personal data (customer PII, employee data) or privacy violations
  • Role: Privacy compliance and regulatory notification
  • Responsibilities:
    • Assess privacy impact (GDPR, CCPA, PIPEDA compliance)
    • Determine breach notification obligations (72-hour GDPR deadline, state law requirements)
    • Prepare regulatory notifications (supervisory authorities, state attorneys general)
    • Coordinate affected individual notifications
    • Advise on privacy-preserving investigation techniques

7. Public Relations / Communications

  • When Activated: High-profile incidents with media attention or public disclosure
  • Role: External and internal communications
  • Responsibilities:
    • Prepare public statements and press releases
    • Manage media inquiries
    • Coordinate internal employee communications
    • Monitor social media and news coverage
    • Protect organizational reputation

8. Executive Leadership (CEO, CFO, COO)

  • When Activated: Incidents with significant business impact (>$1M, executive involved, regulatory investigation)
  • Role: Strategic decision-making and stakeholder management
  • Responsibilities:
    • Approve major containment decisions (shut down operations, notify customers, engage law enforcement)
    • Allocate resources for investigation and remediation
    • Brief board of directors
    • Engage with regulators, customers, or partners at executive level

9. Cyber Insurance Representative

  • When Activated: Incidents likely to trigger insurance claim (data breach, business interruption)
  • Role: Insurance claim coordination
  • Responsibilities:
    • Notify insurer of incident (within policy timeframe, often 24-48 hours)
    • Coordinate with insurer's breach coach or forensics provider
    • Document costs for insurance claim (investigation, notification, legal fees)
    • Obtain approval for major expenses (forensics, legal counsel)

10. Third-Party Forensics Firm (External)

  • When Activated: Complex investigations requiring specialized expertise, insider with forensic skills (can counter internal investigation), or attorney-client privilege protection
  • Role: Independent forensic investigation
  • Responsibilities:
    • Conduct independent forensic analysis
    • Provide expert testimony if litigation
    • Maintain attorney-client privilege (hired by legal counsel, not IT)

ITIRT Activation Criteria

Automatic Activation (High-Severity Incidents):

  • Exfiltration of >10,000 customer records or sensitive data (trade secrets, source code, M&A plans)
  • Data destruction or sabotage affecting critical systems
  • Privileged user abuse (admin access misused for unauthorized purposes)
  • Suspected fraud involving >$100K
  • Insider working with external threat actor (third-party collusion)
  • Regulatory or law enforcement notification required

Discretionary Activation (Medium-Severity Incidents):

  • Suspicious activity requiring further investigation (anomalous data access, policy violations)
  • Potential insider threat indicators (pre-cursors like reconnaissance, downloading hacking tools)
  • Employee termination with suspicious pre-termination activity
  • Data loss incident with unclear intent (accidental vs malicious)

No Activation (Low-Severity Incidents):

  • Routine policy violations (personal use of company email, prohibited website access)
  • Accidental data disclosure with no malicious intent and minimal impact
  • False positives from monitoring systems after initial triage

1.2 Legal Authorities and Privacy Compliance

Critical Mistake: Organizations conduct invasive investigations without legal authority, leading to privacy violations, wrongful termination lawsuits, and inadmissible evidence.

Pre-Investigation Legal Checklist

Legal Authorization Checklist - Insider Threat Investigation

STEP 1: ESTABLISH LEGAL BASIS FOR INVESTIGATION
☐ Review employment policies: Does employee monitoring policy provide authority?
☐ Review monitoring consent: Did employee acknowledge monitoring policy?
☐ Review system access agreements: Did employee agree to monitoring as condition of system access?
☐ Consult legal counsel: Is investigation legally justified?

Legal Bases for Investigation:
- Employer Right to Protect Assets: Investigating theft, fraud, or sabotage to company property
- Contractual Authority: Employee policy acknowledges employer's right to monitor and investigate
- Legal Obligation: Investigation required by law (e.g., financial services regulations)
- Consent: Employee explicitly consented to monitoring and investigation

STEP 2: ASSESS PRIVACY LAW COMPLIANCE
☐ EU/UK (GDPR): Is investigation necessary and proportionate? Conduct DPIA if systematic monitoring.
☐ US State Laws: California (CCPA), Illinois (BIPA), New York (SHIELD) notification requirements met?
☐ Canada (PIPEDA): Is investigation reasonable given privacy expectations?
☐ Australia (Privacy Act): Is collection reasonably necessary for investigation?

STEP 3: DETERMINE PERMISSIBLE INVESTIGATION SCOPE
☐ Work Devices: Company-provided laptops, phones, desktops (permissible with policy)
☐ Personal Devices: BYOD devices with work profile/MDM only (not personal data)
☐ Company Systems: Company email, file servers, databases (permissible with policy)
☐ Personal Accounts: Personal email, personal cloud storage (NOT permissible without consent or court order)
☐ Communications: Work email metadata (permissible), work email content (permissible with justification)
☐ Physical Spaces: Company offices, parking lots (permissible), home office (limited without consent)

STEP 4: ESTABLISH ATTORNEY-CLIENT PRIVILEGE (Recommended)
☐ Retain external legal counsel to direct investigation
☐ Hire forensics firm through legal counsel (not directly by IT)
☐ All investigation communications routed through legal counsel
☐ Investigation reports prepared for legal counsel (not business executives directly)

Why: Protects investigation details from discovery in litigation; suspect cannot force disclosure of investigation methods, findings, or communications.

STEP 5: DOCUMENT LEGAL AUTHORIZATION
☐ Document business justification for investigation (suspected theft, fraud, sabotage)
☐ Document legal bases (employment policy, monitoring consent, legal obligation)
☐ Document privacy compliance assessment (GDPR balancing test, CCPA compliance, etc.)
☐ Obtain approval from legal counsel to proceed
☐ File documentation in privileged legal file (not HR or IT file)

Approved by: _______________________ (Legal Counsel)
Date: _______________________

Privacy-Compliant Investigation Principles

1. Necessity and Proportionality (GDPR Standard, Applicable Globally)

Principle: Investigation scope must be necessary to achieve legitimate purpose and proportionate to the harm being investigated.

Application:

Scenario: Employee suspected of stealing customer contact list.

Necessary Investigation Steps:

  • Review employee's file access logs (determine which files accessed)
  • Review file transfer logs (determine if files were transferred externally)
  • Review email logs (determine if files were emailed to personal account)
  • Image employee's work laptop hard drive (determine if files were copied to USB or cloud)

Unnecessary (Disproportionate) Steps:

  • Monitor employee's spouse's social media accounts (unrelated to workplace conduct)
  • Review employee's personal medical records (unrelated to theft investigation)
  • Install covert surveillance in employee's home office (excessively invasive)
  • Monitor employee's personal phone calls and text messages (exceeds scope of work-related investigation)

2. Transparency vs. Covert Investigation

General Rule: Employees should be notified of monitoring and investigations (transparency principle).

Exception: Covert investigation permitted when:

  • Notification would jeopardize investigation (allow evidence destruction, flight, collusion)
  • Reasonable suspicion of serious misconduct (criminal activity, gross misconduct)
  • Authorized by senior management (CEO, board of directors, legal counsel)
  • Limited in duration (days or weeks, not months)
  • Reviewed regularly to determine ongoing necessity

Example Covert Investigation Authorization:

Covert Investigation Authorization

Subject: [Employee Name, ID]
Suspected Misconduct: Exfiltration of customer financial data for sale on dark web
Justification for Covert Investigation:
- Employee has database administrator privileges and can delete evidence if alerted
- Preliminary evidence suggests sophisticated anti-forensics measures (log deletion, encrypted exfiltration)
- Notification would allow suspect to complete evidence destruction and flee

Investigation Scope:
- Forensic imaging of work laptop and work phone (covert, while employee on lunch break)
- Review of database access logs for past 90 days
- Review of file transfer logs and email for past 90 days
- Network traffic analysis for covert data exfiltration channels

Duration: 7 days (covert evidence collection phase), then transition to overt investigation with suspension

Authorized by:
- Legal Counsel: _______________________ Date: _______
- CISO: _______________________ Date: _______
- CEO: _______________________ Date: _______

Review Date: [DATE + 7 days] (reassess necessity of covert investigation)

3. Data Minimization

Principle: Collect only evidence necessary for investigation. Avoid over-collection that captures irrelevant personal information.

Implementation:

Scenario: Investigating employee suspected of emailing confidential product roadmap to competitor.

Minimized Collection:

  • Email sent to competitor's domain (targeted collection)
  • Emails with attachments labeled "confidential" (keyword filtering)
  • File access to "Product Roadmap 2025.pdf" (specific file)

Over-Collection (Non-Compliant):

  • All emails sent by employee for past 2 years (excessive)
  • All files accessed by employee (irrelevant data)
  • Personal emails on company system unrelated to investigation (privacy violation)

Tools for Data Minimization:

  • Forensic keyword searching (collect only files/emails matching keywords)
  • Date range filtering (limit to timeframe of suspected misconduct)
  • De-duplication and filtering (remove duplicate and irrelevant items before analysis, and scope collection to the subject's own accounts rather than other employees' mail)
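The minimized collection above, as one added worked example (not code from the original page): a constructed seven-message mail log is filtered to the subject's own mail, a date window, the competitor's recipient domain and two keywords (the "confidential" label and the specific roadmap file name), then de-duplicated so a resent message is preserved once. The domains, file names, dates and the hypothetical user jdoe@corp.example are assumptions standing in for selectors that, in practice, come from the signed legal authorization.

```python
"""Scoped (minimized) evidence collection over a constructed mail log.
Added example, not code from the original page. Domains, file names, dates and the
user jdoe@corp.example are hypothetical selectors."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime
from hashlib import sha256
from typing import Optional


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    sender: str
    recipient: str
    subject: str
    attachment: Optional[str]
    body_hash: str            # hash of the body; the body itself is pulled only for in-scope hits


@dataclass(frozen=True)
class Scope:
    subject_user: str                 # the one employee under investigation
    start: date                       # date window of the suspected misconduct
    end: date
    external_domains: frozenset[str]  # e.g. the competitor's mail domain
    keywords: tuple[str, ...]         # classification labels and specific file names


def body_digest(body: str) -> str:
    return sha256(body.encode()).hexdigest()


def in_scope(ev: MailEvent, scope: Scope) -> bool:
    """Collect only the subject's mail, inside the window, matching a targeted
    selector (destination domain or keyword in subject/attachment name)."""
    if ev.sender.lower() != scope.subject_user.lower():
        return False                  # never sweep up other employees' mail
    if not (scope.start <= ev.ts.date() <= scope.end):
        return False
    domain = ev.recipient.rsplit("@", 1)[-1].lower()
    text = f"{ev.subject} {ev.attachment or ''}".lower()
    return domain in scope.external_domains or any(k.lower() in text for k in scope.keywords)


def collect_minimized(events: list[MailEvent], scope: Scope) -> list[MailEvent]:
    """Return in-scope messages in time order, de-duplicated on
    (recipient, attachment, body hash) so a message sent twice is kept once."""
    seen: set[tuple] = set()
    out: list[MailEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_scope(ev, scope):
            continue
        key = (ev.recipient.lower(), ev.attachment, ev.body_hash)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def demo() -> dict:
    """Constructed seven-message log: three should be collected, four excluded."""
    T = datetime
    roadmap = body_digest("attached as discussed")
    log = [
        MailEvent(T(2025, 1, 10, 9, 0), "jdoe@corp.example", "analyst@competitor.example",
                  "Roadmap", "Product Roadmap 2025.pdf", roadmap),
        MailEvent(T(2025, 1, 10, 9, 1), "jdoe@corp.example", "analyst@competitor.example",
                  "Roadmap", "Product Roadmap 2025.pdf", roadmap),           # resend: de-duplicated
        MailEvent(T(2025, 1, 12, 18, 30), "jdoe@corp.example", "jdoe.home@mail.example",
                  "fwd", "Q3-Confidential-Pricing.xlsx", body_digest("fyi")),  # keyword hit
        MailEvent(T(2024, 11, 2, 12, 0), "jdoe@corp.example", "analyst@competitor.example",
                  "lunch?", None, body_digest("thursday?")),                  # outside date window
        MailEvent(T(2025, 1, 15, 8, 0), "jdoe@corp.example", "reception@clinic.example",
                  "appointment", None, body_digest("can we move it")),        # personal, irrelevant
        MailEvent(T(2025, 1, 11, 9, 0), "asmith@corp.example", "analyst@competitor.example",
                  "Roadmap", "Product Roadmap 2025.pdf", roadmap),           # another employee
        MailEvent(T(2025, 1, 20, 14, 0), "jdoe@corp.example", "colleague@corp.example",
                  "roadmap review", "Product Roadmap 2025.pdf", body_digest("v3")),  # specific file
    ]
    scope = Scope("jdoe@corp.example", date(2025, 1, 1), date(2025, 1, 31),
                  frozenset({"competitor.example"}), ("confidential", "product roadmap 2025.pdf"))
    hits = collect_minimized(log, scope)
    return {"reviewed": len(log), "collected": len(hits),
            "recipients": [h.recipient for h in hits]}


if __name__ == "__main__":
    print(demo())
```

Note that the index holds only a hash of each body: the filter runs over metadata and attachment names, and message content is retrieved only for the three hits, which is the data-minimization point rather than an optimization.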

1.3 Evidence Preservation and Chain of Custody

Critical Principle: Evidence must be preserved in legally defensible manner to be admissible in court or regulatory proceedings.

Order of Volatility (Collect Evidence Before It's Lost)

Digital evidence volatility = likelihood that evidence will be lost or modified if not collected immediately.

Collection Priority (Most Volatile First):

1. RAM (Random Access Memory) - CRITICAL (Seconds to Minutes)

  • What's There: Running processes, open files, encryption keys, network connections, malware in memory
  • Why Critical: Lost when system powered off or rebooted
  • Collection Method: Live RAM dump using forensic tools (FTK Imager, WinPMEM, LiME)
  • Timeframe: Collect BEFORE powering off suspect's computer

2. Network Traffic - CRITICAL (Seconds to Minutes)

  • What's There: Real-time data exfiltration, command-and-control traffic, file transfers
  • Why Critical: Lost as soon as transmission completes (unless captured)
  • Collection Method: Network packet capture (Wireshark, tcpdump, NetWitness)
  • Timeframe: Collect during active incident; historical traffic available only if logging enabled

3. Temporary Files and Caches - HIGH (Minutes to Hours)

  • What's There: Browser history, download history, clipboard contents, recently accessed files
  • Why Critical: Overwritten by normal system operations
  • Collection Method: Forensic collection of temp folders, browser caches, registry (Windows), plist files (macOS)
  • Timeframe: Collect within hours of incident

4. System Logs - MEDIUM (Days to Weeks)

  • What's There: Authentication logs, file access logs, security events, application logs
  • Why Critical: Overwritten when log files reach size limit or retention period expires
  • Collection Method: Export logs from SIEM, syslog server, Windows Event Logs, application logs
  • Timeframe: Collect within days; check retention policies (often 30-90 days)

5. Hard Drives and SSDs - LOW (Weeks to Months; see SSD caveat)

  • What's There: Files, emails, documents, applications, deleted files (recoverable), file metadata
  • Why Critical: Persistent storage. On spinning disks deleted files typically remain recoverable until overwritten, but an SSD with TRIM enabled may purge deleted blocks within hours of deletion, so treat SSDs as more volatile than this ranking suggests
  • Collection Method: Forensic disk imaging (write-blocked to prevent modification)
  • Timeframe: Collect within days to weeks (prevent suspect from deleting evidence); image SSDs as early as practical

6. Backups and Archives - LOWEST (Months to Years)

  • What's There: Historical copies of files, emails, databases as of backup date
  • Why Critical: Persistent (not modified unless backup system compromised)
  • Collection Method: Restore from backup system or request from backup team
  • Timeframe: Collect as needed for investigation; lower priority than live systems

Chain of Custody Procedures

Purpose: Document who collected, handled, analyzed, and stored evidence at every step. Ensures evidence authenticity and admissibility in legal proceedings.

Chain of Custody Documentation:

CHAIN OF CUSTODY RECORD

Case Number: [INC-2025-0042]
Case Name: [Employee Name] - Suspected Data Exfiltration
Date Incident Reported: [2025-01-15 09:34 PST]

EVIDENCE ITEM: [001]
Description: Laptop Dell Latitude 7400, Serial Number [ABC123456]
Location Found: Employee workstation, Building 3, Desk 42
Collected By: [Forensics Investigator Name]
Date/Time Collected: [2025-01-15 14:22 PST]
Collection Method: Photographed in place, live memory captured before shutdown (per order of volatility), powered down, placed in evidence bag, sealed with tamper-evident tape

CUSTODY TRANSFERS:
Transfer 1:
- Transferred From: [Forensics Investigator Name]
- Transferred To: [Evidence Custodian Name]
- Date/Time: [2025-01-15 15:10 PST]
- Purpose: Transport to forensics lab
- Signature (From): _________________
- Signature (To): _________________

Transfer 2:
- Transferred From: [Evidence Custodian Name]
- Transferred To: [Forensics Analyst Name]
- Date/Time: [2025-01-16 08:00 PST]
- Purpose: Forensic imaging and analysis
- Signature (From): _________________
- Signature (To): _________________

ANALYSIS PERFORMED:
Analysis 1:
- Analyst: [Forensics Analyst Name]
- Date/Time: [2025-01-16 08:30 - 12:45 PST]
- Procedure: Forensic disk imaging using FTK Imager 4.7
- Hash Values: MD5: [hash], SHA-256: [hash]
- Findings: 47GB disk image created; 12 suspicious files identified
- Signature: _________________

STORAGE:
Current Location: Evidence locker #5, Forensics Lab, Building 1
Access Controls: Keycard access (authorized personnel only), video surveillance
Stored By: [Evidence Custodian Name]
Date: [2025-01-16 13:00 PST]
Signature: _________________

EVIDENCE DISPOSITION:
☐ Evidence retained (case ongoing)
☐ Evidence returned to owner
☐ Evidence destroyed (retention period expired)
☐ Evidence transferred to law enforcement (case referred for prosecution)

Best Practices:

  • Seal Evidence: Use tamper-evident bags/seals; document any breaks in seal
  • Hash Evidence: Generate cryptographic hashes of digital evidence immediately after collection and verify the hash before each analysis (proves evidence was not modified). Record SHA-256 as the authoritative value; MD5 is collision-prone and should be recorded only alongside it for compatibility with older tools and reports
  • Photograph Evidence: Take photos of evidence in original location before collection
  • Minimal Handlers: Limit number of people handling evidence (each transfer creates risk of contamination or challenge to authenticity)
  • Store Securely: Locked evidence locker or room with access controls and video surveillance

Part 2: Detection and Analysis - Identifying Insider Threats

2.1 Insider Threat Detection Indicators

Organizations with effective insider threat programs detect incidents through multiple telemetry sources. No single indicator is definitive; clustering of multiple indicators increases confidence.

Technical Indicators (System and Network Telemetry)

Data Exfiltration Indicators:

High-Confidence Indicators (Likely Malicious):

  • Large file transfers to personal cloud storage (Dropbox, Google Drive, OneDrive personal accounts)
  • Bulk database queries or exports outside normal job responsibilities
  • Emailing sensitive files to personal email or external addresses
  • Copying files to USB drives or external hard drives (especially if USB policy prohibits)
  • Uploading files to file-sharing sites (WeTransfer, SendSpace)
  • Large outbound network traffic to unusual destinations (especially during non-business hours)

Medium-Confidence Indicators (Investigate Further):

  • Accessing files outside normal job role or responsibilities
  • Downloading unusually high volume of files
  • Accessing files marked "confidential" or "trade secret"
  • Remote access from unusual locations (especially foreign countries if not business-related)
  • Use of encryption tools (encrypting files before exfiltration to evade DLP)

Example Alert:

ALERT: HIGH-RISK FILE TRANSFER
User: [user email address]
Date/Time: 2025-01-15 23:42 PST (outside business hours)
Action: Uploaded 2,500 files (4.2 GB) to personal Dropbox account
Files: Customer contact lists, sales pipeline data, pricing information
Risk Score: 95/100 (CRITICAL)
Recommended Action: Initiate investigation immediately

Sabotage and Destruction Indicators:

High-Confidence Indicators:

  • Bulk deletion of files or databases
  • Modification or deletion of system logs (anti-forensics)
  • Disabling security tools (antivirus, EDR, DLP)
  • Creating or using administrator accounts not assigned to user
  • Installing remote access tools (TeamViewer, AnyDesk) without IT authorization
  • Time-bomb or logic-bomb code (scheduled malicious actions)

Medium-Confidence Indicators:

  • Unusual system configuration changes
  • Access to backup systems (potential data destruction)
  • Searching for "how to delete logs" or "cover tracks"

Fraud and Unauthorized Access Indicators:

High-Confidence Indicators:

  • Accessing accounts or records with no business relationship (e.g., nurse accessing celebrity patient record)
  • Modifying financial records or transactions
  • Creating unauthorized user accounts or elevating privileges
  • Accessing systems from competitor's network (moonlighting or data theft)
  • VPN access from two geographically distant locations within a short timeframe ("impossible travel": credential sharing or credential theft)

Medium-Confidence Indicators:

  • After-hours access to financial systems
  • Accessing HR payroll or compensation data outside HR role
  • Repeatedly failed login attempts followed by successful login (password guessing or credential theft)

Behavioral Indicators (Human Behavior Patterns)

Pre-Offense Indicators (Warning Signs Before Incident):

Employment-Related Stressors:

  • Recent termination notice or resignation (especially with short notice period)
  • Denied promotion or raise
  • Negative performance review or disciplinary action
  • Conflict with management or colleagues
  • Demotion or reassignment to less desirable role

Personal Stressors:

  • Financial difficulties (bankruptcy, foreclosure, gambling, debt)
  • Divorce or relationship problems
  • Substance abuse or addiction
  • Medical issues (self or family)
  • Legal troubles

Concerning Behaviors:

  • Sudden change in behavior (irritability, withdrawal, aggression)
  • Expressing grievances or resentment toward company
  • Attempting to access information outside job role
  • Working unusual hours without explanation
  • Taking home material that normally stays in the office
  • Disgruntlement with security controls (complaining about monitoring, asking how to bypass)

IMPORTANT: Behavioral indicators must be evaluated carefully to avoid discrimination. Personal stressors (medical issues, divorce, financial problems) are not inherently suspicious and many people experience these without engaging in insider threats. Consider behavioral indicators only in combination with technical indicators, and involve HR to ensure compliance with disability, medical leave, and employment laws.

Post-Offense Indicators (After Incident Occurred)

  • Suspect exhibits unusual stress, anxiety, or nervousness
  • Suspect avoids IT security or management
  • Suspect refuses to provide passwords or unlock devices when requested
  • Suspect suddenly requests time off or leave after incident detected
  • Suspect begins deleting files or wiping devices
  • Suspect's accounts show unusual activity after working hours (automated malware or accomplice activity)

2.2 Alert Triage and Initial Investigation

Goal: Rapidly assess whether alert represents true insider threat incident requiring full ITIRT activation, or false positive that can be dismissed.

Timeframe: 2-4 hours for initial triage; 24-48 hours for preliminary investigation.

Triage Decision Tree

STEP 1: INITIAL ALERT REVIEW (15-30 minutes)
│
├─ What triggered alert?
│  ├─ Technical indicator (file transfer, data access)
│  ├─ Behavioral indicator (user reported concern)
│  └─ Third-party tip (law enforcement, customer, partner)
│
├─ Is alert consistent with user's normal behavior?
│  ├─ YES → Likely false positive; document and dismiss
│  └─ NO → Proceed to Step 2
│
STEP 2: CONTEXT GATHERING (1-2 hours)
│
├─ Review user's role and responsibilities
│  ├─ Does user's job require access to flagged data? (sales rep accessing customer contacts = normal)
│  ├─ Is activity consistent with current projects? (analyst downloading large datasets for report = normal)
│  └─ Is timing explained by business need? (late-night access for system maintenance = may be normal)
│
├─ Review user's access history
│  ├─ Is this first occurrence or pattern? (one-time vs repeated)
│  ├─ Has volume/frequency changed recently? (10x increase in file downloads)
│  └─ Are there other concerning activities? (clustering of indicators)
│
├─ Consult with user's manager (WITHOUT alerting suspect)
│  ├─ "We detected large file download by [user]. Is this related to [project]?"
│  ├─ Manager confirms business justification → Likely false positive
│  └─ Manager has no knowledge of activity → Proceed to Step 3
│
STEP 3: SEVERITY ASSESSMENT (30-60 minutes)
│
├─ What data was accessed/exfiltrated?
│  ├─ Low Risk: Public information, user's own files
│  ├─ Medium Risk: Internal business data, employee data
│  └─ High Risk: Customer PII, financial data, trade secrets, source code
│
├─ What is potential business impact?
│  ├─ Low Impact: <$50K, minimal business disruption
│  ├─ Medium Impact: $50K-$500K, moderate disruption, reputational risk
│  └─ High Impact: >$500K, severe disruption, regulatory fines, competitive harm
│
├─ Is activity ongoing or complete?
│  ├─ Ongoing: Immediate containment required
│  └─ Complete: Investigation and evidence preservation required
│
STEP 4: DECISION
│
├─ FALSE POSITIVE → Document reasoning, tune detection rule, close ticket
├─ LOW/MEDIUM SEVERITY → Continue preliminary investigation; consult legal counsel
└─ HIGH SEVERITY → Activate ITIRT immediately; initiate containment
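
The decision tree above can be run mechanically once the inputs are captured. The following is an added example, not tooling from the original guide: it checks the alert against the user's own baseline (the "10x increase" heuristic from Step 2), folds in the manager's answer, then applies the Step 3 data-risk and impact bands and the Step 4 decision. The `Alert` fields, the 10x factor, the treatment of unknown data categories as high risk, and the one-level escalation for ongoing activity are assumptions to tune for your environment.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional

# Data-sensitivity scale from Step 3 (1 = low, 2 = medium, 3 = high).
DATA_RISK = {
    "public": 1, "own_files": 1,
    "internal": 2, "employee_data": 2,
    "customer_pii": 3, "financial": 3, "trade_secret": 3, "source_code": 3,
}


@dataclass
class Alert:
    user: str
    trigger: str                  # "technical", "behavioral" or "third_party"
    metric_today: int             # volume behind the alert, e.g. files downloaded today
    baseline_daily: List[int]     # same metric for recent days (constructed history)
    data_category: str            # key of DATA_RISK
    estimated_loss_usd: float
    ongoing: bool
    manager_justification: Optional[bool] = None   # None = manager not consulted yet


@dataclass
class TriageResult:
    decision: str                 # "FALSE_POSITIVE", "LOW_MEDIUM" or "HIGH"
    severity: int                 # 0 for false positives, otherwise 1-3
    reasons: List[str] = field(default_factory=list)


def is_anomalous(today: int, history: List[int], factor: float = 10.0) -> bool:
    """Step 1: is the alert consistent with the user's own baseline?

    Anomalous when today's volume exceeds `factor` times the median of recent
    days (assumed threshold). No history means nothing vouches for the
    activity, so it is treated as anomalous and reviewed.
    """
    if not history:
        return True
    return today > factor * max(median(history), 1)


def impact_level(loss_usd: float) -> int:
    """Step 3 business-impact bands: <$50K low, $50K-$500K medium, >$500K high."""
    if loss_usd < 50_000:
        return 1
    return 2 if loss_usd <= 500_000 else 3


def triage(alert: Alert) -> TriageResult:
    reasons: List[str] = []

    # Step 1: technical alerts that sit inside the user's baseline are likely noise.
    if alert.trigger == "technical" and not is_anomalous(alert.metric_today, alert.baseline_daily):
        return TriageResult("FALSE_POSITIVE", 0, ["activity within user's historical baseline"])

    # Step 2: business justification from the manager (asked without alerting the user).
    if alert.manager_justification is True:
        return TriageResult("FALSE_POSITIVE", 0, ["manager confirmed business justification"])
    if alert.manager_justification is None:
        reasons.append("manager not yet consulted; ask without alerting the user")

    # Step 3: severity is the worse of data sensitivity and business impact.
    data_risk = DATA_RISK.get(alert.data_category, 3)   # unknown data: assume high risk
    impact = impact_level(alert.estimated_loss_usd)
    severity = max(data_risk, impact)
    reasons.append(f"data risk {data_risk}, business impact {impact}")
    if alert.ongoing:
        # Assumption: ongoing activity needs containment now, so it is escalated one level.
        severity = min(3, severity + 1)
        reasons.append("activity ongoing: immediate containment required")

    # Step 4: map severity onto the decision.
    if severity == 3:
        reasons.append("activate ITIRT and initiate containment")
        return TriageResult("HIGH", severity, reasons)
    reasons.append("continue preliminary investigation; consult legal counsel")
    return TriageResult("LOW_MEDIUM", severity, reasons)
```

The `reasons` list is what goes into the triage ticket: the Step 4 "document reasoning" item applies whether the outcome is a dismissal or an activation.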

Preliminary Investigation Checklist

Goal: Gather sufficient evidence to determine whether full investigation is warranted, without alerting suspect.

PRELIMINARY INVESTIGATION CHECKLIST

Case ID: [INC-2025-XXXX]
Alert Date/Time: [YYYY-MM-DD HH:MM]
Investigated By: [Name]
Date: [YYYY-MM-DD]

STEP 1: ALERT DETAILS
☐ Document alert source ([DLP](/glossary/data-loss-prevention), [SIEM](/glossary/security-information-event-management), [UEBA](/glossary/user-entity-behavior-analytics), user report)
☐ Document technical indicators (file transfer, data access, authentication anomaly)
☐ Document behavioral indicators (if applicable)
☐ Capture screenshots of alerts

STEP 2: USER PROFILE
☐ User name and ID
☐ Job title and department
☐ Manager name and contact
☐ Employment start date
☐ Termination or resignation pending? (Y/N)
☐ Recent performance issues or disciplinary actions? (Y/N)
☐ Access level (standard user, privileged user, administrator)
☐ Systems and data authorized to access

STEP 3: ACTIVITY REVIEW (Without Alerting Suspect)
☐ Review user's file access logs for past 30 days
☐ Review user's email activity (metadata only at this stage)
☐ Review user's network activity (destinations, volume)
☐ Review user's authentication logs (login times, locations, failures)
☐ Review user's application usage (unusual applications, hacking tools)
☐ Compare to user's historical baseline (is activity anomalous?)

STEP 4: BUSINESS JUSTIFICATION INQUIRY
☐ Consult user's manager (without disclosing investigation)
   - Question: "We detected [activity] by [user]. Is this related to [project/business need]?"
   - Manager Response: ____________________________________
☐ Review user's recent projects and assignments (does activity align with work?)
☐ Review user's calendar (was user on vacation/leave during suspicious activity?)

STEP 5: DATA SENSITIVITY ASSESSMENT
☐ What data was accessed/exfiltrated?
   - Customer PII (names, addresses, SSNs, financial data)
   - Employee data (HR records, compensation, performance reviews)
   - Trade secrets (source code, algorithms, product roadmaps, M&A plans)
   - Financial data (revenue, pricing, costs)
   - Other: ____________________________________
☐ Classification level: Public / Internal / Confidential / Highly Confidential
☐ Estimated number of records: ____________________________________
☐ Estimated business value: $ ____________________________________

STEP 6: POTENTIAL IMPACT
☐ Business disruption: None / Minimal / Moderate / Severe
☐ Regulatory impact: None / State breach law / GDPR / HIPAA / Other: ____________________________________
☐ Customer impact: None / <100 customers / 100-10K / >10K
☐ Competitive harm: None / Minimal / Moderate / Severe
☐ Reputational harm: None / Minimal / Moderate / Severe

STEP 7: LEGAL CONSULTATION
☐ Consult legal counsel (brief on findings)
☐ Legal counsel assessment: Proceed with full investigation (Y/N)
☐ Legal counsel directives: ____________________________________

STEP 8: DECISION
☐ FALSE POSITIVE - Close ticket, tune detection rule
☐ INVESTIGATE FURTHER - Continue monitoring, gather additional evidence
☐ ACTIVATE ITIRT - Full investigation and containment required

Decision Approved By: _______________________
Date/Time: _______________________

2.3 Evidence Collection During Active Incident

Critical Timing: Once the decision is made to activate the ITIRT, evidence collection must begin immediately, before the suspect becomes aware and destroys evidence.

Covert Evidence Collection (Before Suspect Notified)

Goal: Preserve volatile evidence without alerting suspect.

Scenario: Suspect is currently in office, working at computer. Investigation team needs to collect evidence without suspect knowing.

Method 1: Remote Evidence Collection (Preferred if Possible)

Advantages:

  • No physical contact with suspect
  • Can be performed while suspect away from desk (lunch, meeting)
  • Reduces risk of confrontation

Steps:

REMOTE EVIDENCE COLLECTION PROCEDURE

PREREQUISITES:
☐ Legal authorization obtained (legal counsel approval)
☐ Remote access tools deployed on suspect's device (EDR, remote admin tools)
☐ Suspect away from desk or distracted

COLLECTION STEPS:
☐ 1. Preserve volatile evidence FIRST:
   ☐ a. Capture RAM dump via EDR agent (CrowdStrike, SentinelOne) or remote tool
   ☐ b. Capture network connections (netstat output, active sessions)
   ☐ c. Capture running processes list
   ☐ d. Capture logged-in users and sessions

☐ 2. Preserve log evidence:
   ☐ a. Export Windows Event Logs (Security, System, Application)
   ☐ b. Export application logs (browser history, email client logs, VPN logs)
   ☐ c. Export security tool logs (antivirus, EDR, [DLP](/glossary/data-loss-prevention))

☐ 3. Preserve file evidence:
   ☐ a. Identify recently modified files (past 7-30 days)
   ☐ b. Identify recently accessed files (potential exfiltration targets)
   ☐ c. Copy suspicious files to secure location (encrypted, access-controlled)
   ☐ d. Calculate hash values (MD5, SHA-256) of all collected files

☐ 4. Preserve communication evidence:
   ☐ a. Export sent email (especially to external/personal addresses)
   ☐ b. Export chat logs (Slack, Teams, personal chat apps)
   ☐ c. Preserve browser history and download history

☐ 5. Document collection:
   ☐ a. Screenshot of evidence collection commands and outputs
   ☐ b. Record date/time of collection and investigator name
   ☐ c. Document chain of custody for all collected evidence

TIMEFRAME: 30-90 minutes (before suspect returns to desk)
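
Steps 3d and 5 of the procedure (hash every collected item, record who collected it and when, keep a chain of custody) are easy to do inconsistently by hand across dozens of artefacts. The block below is an added example, not part of the original guide and not the output of any EDR product: it bags each artefact into an evidence directory as a read-only copy, records MD5 and SHA-256 together with collector, UTC time and source in a JSON manifest, and can later re-hash the directory to prove nothing was altered. The artefact contents, host name, case ID and collector name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def file_hashes(path: Path) -> Dict[str, str]:
    """MD5 and SHA-256 of a file, streamed so large log exports need not fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def bag_artifact(evidence_dir: Path, name: str, data: bytes, case_id: str,
                 collector: str, source: str, note: str) -> Dict[str, object]:
    """Store one collected artefact and return its chain-of-custody record."""
    path = evidence_dir / name
    path.write_bytes(data)
    os.chmod(path, 0o440)          # read-only: analysis works on copies of this copy
    return {
        "item": name,
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source,           # host, tool or command the artefact came from
        "note": note,
        "size": len(data),
        **file_hashes(path),
    }


def write_manifest(evidence_dir: Path, records: List[Dict[str, object]]) -> Path:
    manifest = evidence_dir / "manifest.json"
    manifest.write_text(json.dumps(records, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> List[str]:
    """Re-hash every item; returns names whose SHA-256 no longer matches or that are missing."""
    records = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for rec in records:
        path = evidence_dir / rec["item"]
        if not path.exists() or file_hashes(path)["sha256"] != rec["sha256"]:
            bad.append(rec["item"])
    return bad


def collect_sample(evidence_dir: Optional[str] = None) -> Tuple[Path, List[Dict[str, object]]]:
    """Bag a constructed set of artefacts in order of volatility and write the manifest."""
    out = Path(evidence_dir or tempfile.mkdtemp(prefix="INC-2025-XXXX_"))
    case_id, collector, host = "INC-2025-XXXX", "analyst.placeholder", "LAPTOP-PLACEHOLDER"
    # Constructed stand-ins for what the EDR or remote tool would return.
    artefacts = [
        ("01_connections.txt", b"tcp 10.50.42.100:51234 203.0.113.7:443 ESTABLISHED\n",
         f"{host}: network connections via EDR", "volatile: network connections"),
        ("02_processes.txt", b"880 outlook.exe\n4412 notepad.exe\n",
         f"{host}: process list via EDR", "volatile: running processes"),
        ("03_security_log.txt", b"4624 logon jdoe 10.50.42.100\n4663 object access C:\\share\\customers.csv\n",
         f"{host}: Security event log export", "log: Windows Security log"),
        ("04_customers_copy.csv", b"id,name\n1,sample\n",
         f"{host}: C:\\share\\customers.csv", "file: recently accessed file"),
    ]
    records = [bag_artifact(out, n, d, case_id, collector, s, note) for n, d, s, note in artefacts]
    write_manifest(out, records)
    return out, records


def simulate_modification(evidence_dir: Path, name: str) -> None:
    """Demonstration helper: alter a bagged item so verify_manifest() can be seen to catch it."""
    path = evidence_dir / name
    os.chmod(path, 0o640)
    with open(path, "ab") as f:
        f.write(b"modified\n")
```

Run `verify_manifest()` again whenever the evidence changes hands; a non-empty result is itself a chain-of-custody event that must be documented rather than quietly re-collected.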

Method 2: Physical Evidence Collection (If Remote Not Possible)

When Required:

  • Suspect's device not connected to network (offline laptop)
  • Remote tools not deployed or not functioning
  • Need physical device for forensic imaging

Procedure:

Option A: After-Hours Collection (Preferred)

  • Wait until suspect leaves for day
  • Enter workspace after hours (with building security or manager escort)
  • Collect device, photograph workspace, seal in evidence bag
  • Leave desk undisturbed (or leave replacement device if suspect will notice absence)

Option B: During-Hours Collection (Confrontational)

  • Approach suspect with HR and security
  • Inform suspect of investigation and request device
  • Suspend suspect (with pay pending investigation)
  • Escort suspect from premises (do not allow return to desk unsupervised)
  • Collect device and seal in evidence bag

⚠️ WARNING: During-hours collection alerts suspect and may trigger evidence destruction if suspect has access to other devices or accounts. Only use if:

  • Suspect poses imminent risk (active sabotage, ongoing data exfiltration)
  • After-hours collection not possible (suspect works remotely, device always with suspect)
  • Legal counsel authorizes confrontation approach

Forensic Imaging Procedure

Purpose: Create bit-for-bit copy of hard drive for analysis. Original device preserved in pristine condition; all analysis performed on copy.

Equipment Required:

  • Forensic workstation (dedicated computer for forensics)
  • Write blocker (hardware device preventing modification of evidence drive)
  • Forensic imaging software (FTK Imager, EnCase, dd/dc3dd)
  • Large storage device (external drive or network storage for image files)

Imaging Procedure:

FORENSIC DISK IMAGING PROCEDURE

CASE ID: [INC-2025-XXXX]
EVIDENCE ITEM: [Laptop Dell Latitude 7400, S/N ABC123456]
IMAGED BY: [Forensics Analyst Name]
DATE/TIME: [YYYY-MM-DD HH:MM]

STEP 1: PREPARE EVIDENCE DEVICE
☐ 1. Photograph evidence device (all sides, labels, serial numbers)
☐ 2. Document condition (scratches, damage, tamper evidence)
☐ 3. Do NOT power on device yet (may modify data)

STEP 2: CONNECT WRITE BLOCKER
☐ 1. Remove hard drive from suspect's device (or connect via USB if laptop)
☐ 2. Connect hard drive to write blocker (Tableau, CRU write blocker)
☐ 3. Connect write blocker to forensic workstation
☐ 4. Verify write blocker LED indicates read-only mode

STEP 3: VERIFY DEVICE INFORMATION
☐ 1. Record device details:
   - Manufacturer: ____________________________________
   - Model: ____________________________________
   - Serial Number: ____________________________________
   - Capacity: ____________________________________
   - Interface: (SATA, NVMe, USB)

STEP 4: CREATE FORENSIC IMAGE
☐ 1. Launch forensic imaging tool (FTK Imager 4.7)
☐ 2. Select source device (evidence drive via write blocker)
☐ 3. Select destination (external drive, network storage)
☐ 4. Select image format:
   - E01 (EnCase format, recommended for compression and metadata)
   - Raw/DD (bit-for-bit copy, larger file size)
☐ 5. Configure image settings:
   - Case Number: [INC-2025-XXXX]
   - Evidence Number: [001]
   - Examiner: [Name]
   - Description: [Laptop from suspect John Doe, desk 42, building 3]
☐ 6. Enable hash calculation (MD5 and SHA-256)
☐ 7. Enable verify after imaging (re-calculate hash to confirm integrity)
☐ 8. Start imaging process

STEP 5: MONITOR IMAGING PROGRESS
☐ Imaging started: [HH:MM]
☐ Estimated completion: [HH:MM] (typically 1-4 hours depending on drive size)
☐ Monitor for errors (disk read errors, bad sectors)

STEP 6: VERIFY IMAGE INTEGRITY
☐ 1. Imaging completed: [HH:MM]
☐ 2. Record hash values:
   - Source Drive MD5: ____________________________________
   - Source Drive SHA-256: ____________________________________
   - Image File MD5: ____________________________________
   - Image File SHA-256: ____________________________________
☐ 3. Verify hashes match (Source = Image) ✅ Hashes match / ❌ Hashes DO NOT match
☐ 4. If hashes do not match, re-image (possible hardware failure or bad sectors)

STEP 7: DOCUMENT IMAGING
☐ 1. Screenshot of imaging tool showing hash values
☐ 2. Export imaging log file
☐ 3. Update chain of custody record (imaging completed)
☐ 4. Store image file on secure storage (encrypted, access-controlled)
☐ 5. Store original device in evidence locker (do not power on again)

IMAGING COMPLETE ✅
Forensic Image File: [INC-2025-XXXX_Evidence-001_Laptop.E01]
File Size: [XX GB]
Hash Values Verified: [✅ YES / ❌ NO]
Next Steps: Forensic analysis of image file
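
Steps 4 through 6 of the imaging procedure hinge on two hashes: the one computed over the bytes as they are acquired, and the one recomputed from the finished image. The following is an added example, not part of the original guide and not the behaviour of FTK Imager or any other product: it makes a raw (dd-style) copy of a constructed "device" file block by block, hashes while copying, zero-fills and logs any block that cannot be read (the bad-sector case from Step 5), and then re-reads the image to verify. With a real drive the source would be the block device exposed through the write blocker, opened read-only, and its size would come from the device rather than `os.path.getsize`; block size and file names are assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

BLOCK = 4096   # bytes per read (assumption; real imagers use multiples of the device sector size)


@dataclass
class ImageReport:
    bytes_imaged: int
    md5: str                       # hashes of the bytes written to the image during acquisition
    sha256: str
    bad_blocks: List[int] = field(default_factory=list)   # block indexes that could not be read
    verified: bool = False         # set by verify_image()


def file_digests(path: str) -> Tuple[str, str]:
    """(MD5, SHA-256) of a file on disk, streamed."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def image_device(source_path: str, image_path: str, fail_blocks: Iterable[int] = ()) -> ImageReport:
    """Copy the source block by block into a raw image, hashing as it goes.

    `fail_blocks` simulates unreadable sectors for the constructed example; on
    a real device the read itself raises OSError. An unreadable block is
    zero-filled in the image and logged, so that a later mismatch between the
    source hash and the image hash can be explained rather than guessed at.
    """
    fail = set(fail_blocks)
    size = os.path.getsize(source_path)   # constructed file; a block device needs its own size query
    md5, sha = hashlib.md5(), hashlib.sha256()
    bad: List[int] = []
    written = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for idx in range((size + BLOCK - 1) // BLOCK):
            offset = idx * BLOCK
            want = min(BLOCK, size - offset)
            try:
                if idx in fail:
                    raise OSError(f"simulated read error at block {idx}")
                src.seek(offset)
                chunk = src.read(want)
            except OSError:
                chunk = b"\x00" * want     # zero-fill the unreadable block, keep offsets aligned
                bad.append(idx)
            dst.write(chunk)
            md5.update(chunk)
            sha.update(chunk)
            written += len(chunk)
    return ImageReport(written, md5.hexdigest(), sha.hexdigest(), bad)


def verify_image(image_path: str, report: ImageReport) -> bool:
    """Step 6: re-read the finished image and compare with the acquisition hashes."""
    report.verified = file_digests(image_path) == (report.md5, report.sha256)
    return report.verified


def demo(fail_blocks: Iterable[int] = ()) -> Tuple[ImageReport, str, str]:
    """Image a constructed 5-block 'device' and verify it; returns (report, source path, image path)."""
    source = bytes(range(256)) * 80       # 20480 bytes = exactly 5 blocks of constructed content
    workdir = tempfile.mkdtemp(prefix="INC-2025-XXXX_")
    src_path = os.path.join(workdir, "evidence_device.bin")
    img_path = os.path.join(workdir, "INC-2025-XXXX_Evidence-001.dd")
    with open(src_path, "wb") as f:
        f.write(source)
    report = image_device(src_path, img_path, fail_blocks)
    verify_image(img_path, report)
    return report, src_path, img_path
```

When `bad_blocks` is non-empty, the "Source Drive" and "Image File" hashes in Step 6 will legitimately differ while `verify_image()` still passes; record the bad block list on the imaging form so that the discrepancy is documented, and re-image only if the read errors are not reproducible.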

Part 3: Containment - Stopping the Insider Threat

3.1 Containment Decision Matrix

Goal: Stop ongoing damage while preserving evidence and maintaining business operations.

Containment Trade-offs:

  • Speed vs. Stealth: Fast containment (disable accounts immediately) alerts suspect but stops damage. Slow containment (monitor suspect) preserves investigation but allows continued harm.
  • Security vs. Business Continuity: Aggressive containment (shut down systems) stops threat but disrupts business. Surgical containment (disable only suspect's access) maintains operations but may miss accomplice accounts or backdoors.

Containment Urgency Assessment

IMMEDIATE CONTAINMENT (Within 1 Hour):

Scenarios:

  • Active data exfiltration in progress (ongoing large file transfer)
  • System sabotage or destruction occurring
  • Privileged account abuse with potential for widespread damage
  • Ransomware or malware deployment
  • Insider working with external threat actor (APT, organized crime)

Actions:

  • Disable suspect's accounts (all systems, VPN, email, applications)
  • Disable suspect's devices (revoke certificates, wipe via MDM if necessary)
  • Isolate affected systems from network (network segmentation, firewall rules)
  • Preserve volatile evidence (RAM dump, network traffic capture)
  • Notify executive leadership and legal counsel

EXPEDITED CONTAINMENT (Within 24 Hours):

Scenarios:

  • Data exfiltration completed but suspect still has access (risk of additional theft)
  • Suspected fraud or unauthorized financial transactions
  • Policy violations with significant harm (non-compliance creating regulatory risk)
  • Resignation or termination notice submitted (elevated risk during notice period)

Actions:

  • Disable suspect's accounts during non-business hours (minimize disruption)
  • Preserve evidence (disk imaging, log collection)
  • Prepare separation procedures (coordinate with HR)
  • Brief executive leadership

DELAYED CONTAINMENT (Monitoring Phase, 2-7 Days):

Scenarios:

  • Preliminary evidence suggests insider threat but not yet conclusive
  • Need additional evidence for legal proceedings (monitor to observe full extent of activity)
  • Insider is sophisticated and may have anti-forensics capabilities (collect evidence covertly before alerting)

Actions:

  • Enhanced monitoring of suspect (real-time alerts, network traffic recording)
  • Covert evidence collection (remote forensics, log preservation)
  • Prepare containment procedures (ready to execute on short notice if escalation occurs)
  • Legal counsel consultation (ensure monitoring is lawful and evidence will be admissible)

3.2 Technical Containment Procedures

Account Disablement

Standard Procedure:

INSIDER THREAT ACCOUNT DISABLEMENT PROCEDURE

CASE ID: [INC-2025-XXXX]
SUSPECT: [John Doe, email address, Employee ID 12345]
AUTHORIZED BY: [Legal Counsel Name], [CISO Name], [HR Director Name]
EXECUTED BY: [IT Administrator Name]
DATE/TIME: [YYYY-MM-DD HH:MM]

STEP 1: IDENTIFY ALL SUSPECT ACCOUNTS
☐ Primary domain account: [DOMAIN\jdoe]
☐ Email account: [suspect's email address]
☐ VPN accounts: [List any separate VPN credentials]
☐ Application accounts: [Salesforce, AWS, GitHub, internal apps]
☐ Privileged accounts: [admin accounts, service accounts created by suspect]
☐ Personal accounts using company SSO: [personal email if federated login]
☐ Mobile device accounts: [MDM enrollment, email sync to phone]

STEP 2: PRESERVE EVIDENCE BEFORE DISABLEMENT
☐ Export suspect's email (PST file or journaling export)
☐ Export suspect's files (OneDrive, network drives, shared folders)
☐ Capture suspect's group memberships and permissions (for forensic analysis)
☐ Capture suspect's recent activity logs (last 30 days from [SIEM](/glossary/security-information-event-management))
☐ Screenshot of suspect's account properties (creation date, last login, attributes)

STEP 3: DISABLE ACCOUNTS (Execute Simultaneously)
☐ Active Directory/Domain account:
   - Disable account (do not delete - preserves audit trail)
   - Revoke active sessions (force logoff if currently logged in)
   - Reset password (prevent suspect from re-accessing if credentials cached)
   - Remove from all groups (especially privileged groups)
   - Record time of disablement: [HH:MM]

☐ Email account:
   - Disable mailbox access (convert to shared mailbox or disable protocols)
   - Revoke active sessions (remote wipe mobile device email sync)
   - Set auto-reply (if business continuity requires): "I am no longer available. Please contact [Manager] at [email]."
   - Forward incoming email to [Manager or HR] (preserve business communications)
   - Record time of disablement: [HH:MM]

☐ VPN account:
   - Disable VPN access (revoke certificates, delete VPN user)
   - Terminate active VPN sessions
   - Record time of disablement: [HH:MM]

☐ Application accounts:
   - SaaS applications (Salesforce, AWS, etc.): Disable or delete user account
   - Internal applications: Disable account or remove licenses
   - Shared accounts: Change passwords if suspect had access
   - Record time of disablement: [HH:MM]

☐ Privileged accounts:
   - Disable all admin accounts associated with suspect
   - Audit for backdoor accounts (accounts created by suspect but not in the suspect's name)
   - Change passwords on service accounts suspect had access to
   - Record time of disablement: [HH:MM]

☐ Mobile devices:
   - MDM remote wipe (corporate-owned devices) or remove work profile (BYOD)
   - Disable mobile email sync
   - Disable mobile VPN access
   - Record time of disablement: [HH:MM]

STEP 4: VERIFY DISABLEMENT
☐ Test authentication (verify suspect cannot log in to any system)
☐ Check active sessions (verify no active sessions remain)
☐ Check VPN logs (verify no new VPN connections from suspect)
☐ Check email access logs (verify no new email access)

STEP 5: PHYSICAL ACCESS REVOCATION
☐ Disable badge access (building, secure areas, parking garage)
☐ Notify building security (provide suspect's photo, do not allow entry)
☐ Collect company-issued devices if suspect on-site (laptop, phone, badge, keys)
☐ Change door codes or locks if suspect had physical keys

STEP 6: MONITOR FOR EVASION ATTEMPTS
☐ Monitor for login attempts (suspect may try to access accounts after disablement)
☐ Monitor for privilege escalation attempts (if backdoor accounts exist)
☐ Monitor for external access attempts (personal devices, external networks)
☐ Alert security team if evasion attempts detected

STEP 7: DOCUMENT CONTAINMENT
☐ Record all actions taken and timestamps
☐ Screenshot of disabled accounts
☐ Export logs showing disablement actions
☐ Update chain of custody (evidence preserved before disablement)
☐ Brief ITIRT on containment completion

CONTAINMENT COMPLETE ✅
Accounts Disabled: [Primary account, email, VPN, 12 application accounts, 2 admin accounts]
Time to Complete: [15 minutes]
Evasion Attempts Detected: [YES / NO]
Next Steps: Continue evidence analysis, coordinate HR separation
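
Step 1 (identify all suspect accounts) and the backdoor audit under "Privileged accounts" are the parts of this procedure most often done incompletely, because the accounts that matter most are the ones not in the suspect's name. The block below is an added example, not part of the original guide: given an inventory pulled from the identity sources (constructed here; a real one would come from AD creation events, SaaS admin APIs and cloud IAM), it finds accounts in the person's name, then walks the "created by" relation transitively so that an account created from a backdoor account is found too. Accounts the suspect created for other employees are returned separately for review rather than treated as backdoors. All identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    source: str                        # identity system: "ad", "email", "vpn", "aws", ...
    account_id: str
    employee_id: Optional[str] = None  # HR identifier when the account is in someone's name
    email: Optional[str] = None
    created_by: Optional[str] = None   # account_id that created this one, where the source records it
    privileged: bool = False


def find_linked_accounts(inventory: List[Account], employee_id: str, email: str) -> Dict[str, List[Account]]:
    """Enumerate accounts to disable or review for one person.

    direct:   accounts in the person's name (by employee ID or e-mail)
    orphaned: accounts created by any of those, transitively, that have no owner:
              backdoor candidates, disabled together with the direct accounts
    review:   accounts the suspect created for other people (routine admin work, but
              reset their passwords if the suspect could still know them)
    """
    email = email.lower()
    direct = [a for a in inventory
              if a.employee_id == employee_id or (a.email and a.email.lower() == email)]
    seen = {a.account_id for a in direct}
    frontier = [a.account_id for a in direct]
    orphaned: List[Account] = []
    review: List[Account] = []
    while frontier:                            # walk creator -> created edges
        creator = frontier.pop()
        for a in inventory:
            if a.created_by == creator and a.account_id not in seen:
                seen.add(a.account_id)
                if a.employee_id is None:
                    orphaned.append(a)
                    frontier.append(a.account_id)   # a backdoor may itself have created backdoors
                else:
                    review.append(a)
    return {"direct": direct, "orphaned": orphaned, "review": review}


def disable_order(linked: Dict[str, List[Account]]) -> List[str]:
    """Step 3 executes the disablements together; this lists privileged accounts first so
    that nothing able to re-enable the others is left for last."""
    accounts = linked["direct"] + linked["orphaned"]
    ordered = sorted(accounts, key=lambda a: (not a.privileged, a.source, a.account_id))
    return [a.account_id for a in ordered]


def sample_inventory() -> List[Account]:
    """Constructed export; every identifier is a placeholder."""
    return [
        Account("ad", "DOMAIN\\jdoe", "12345", "jdoe@example.com"),
        Account("email", "jdoe@example.com", "12345", "jdoe@example.com"),
        Account("vpn", "jdoe", None, "jdoe@example.com"),
        Account("aws", "arn:aws:iam::123456789012:user/jdoe", "12345", "jdoe@example.com"),
        Account("ad", "DOMAIN\\svc_backup2", None, None, created_by="DOMAIN\\jdoe", privileged=True),
        Account("ad", "DOMAIN\\tmp_admin", None, None, created_by="DOMAIN\\svc_backup2", privileged=True),
        Account("ad", "DOMAIN\\asmith", "67890", "asmith@example.com", created_by="DOMAIN\\jdoe"),
        Account("ad", "DOMAIN\\bjones", "24680", "bjones@example.com"),
    ]
```

The `direct` plus `orphaned` lists are the Step 4 verification targets: every one of them should fail an authentication test after disablement.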

Network Isolation

When Required:

  • Suspect has sophisticated technical skills (may have backdoors, anti-forensics tools)
  • Ongoing malware or command-and-control activity
  • Need to prevent lateral movement or additional compromise

Procedure:

NETWORK ISOLATION PROCEDURE

SUSPECT DEVICE: [Laptop Dell Latitude 7400, S/N ABC123456, IP 10.50.42.100]
AUTHORIZED BY: [CISO Name]
EXECUTED BY: [Network Security Engineer Name]
DATE/TIME: [YYYY-MM-DD HH:MM]

STEP 1: IDENTIFY SUSPECT DEVICES AND IP ADDRESSES
☐ Laptop IP address: [10.50.42.100]
☐ Desktop IP address (if applicable): [10.50.42.101]
☐ Mobile device IP (if connected to corporate Wi-Fi): [10.60.10.50]
☐ VPN IP address (if remote): [172.16.5.25]
☐ MAC addresses: [00:1A:2B:3C:4D:5E]

STEP 2: IMPLEMENT FIREWALL RULES (Network-Based Isolation)
☐ Block outbound traffic from suspect IP addresses (prevent data exfiltration)
☐ Block inbound traffic to suspect IP addresses (prevent C2 communication)
☐ Exception: Allow connection to forensic workstation (for remote evidence collection if needed)
☐ Log all blocked connection attempts (capture evasion attempts)

STEP 3: IMPLEMENT 802.1X / NAC ISOLATION (Port-Based Isolation)
☐ Identify suspect's switch ports (building, floor, port number)
☐ Move switch port to quarantine VLAN (isolated network with no access)
☐ OR disable switch port entirely (if immediate isolation required)

STEP 4: VERIFY ISOLATION
☐ Ping test from suspect device (should fail)
☐ Verify suspect device cannot access internet, file servers, databases
☐ Verify suspect device cannot communicate with other internal devices
☐ Verify forensic workstation CAN access suspect device (if remote forensics needed)

STEP 5: PRESERVE FORENSIC EVIDENCE
☐ Capture network traffic before isolation (packet capture of ongoing activity)
☐ Document suspect's network activity prior to isolation (destinations, protocols, volume)

STEP 6: MONITOR FOR EVASION
☐ Monitor for new devices (suspect may switch to personal laptop/phone)
☐ Monitor for VPN access from non-corporate devices
☐ Monitor for rogue access points (suspect may create hotspot to bypass isolation)

ISOLATION COMPLETE ✅
Device Isolated: [Laptop 10.50.42.100]
Isolation Method: [Firewall block + Quarantine VLAN]
Verified: [✅ YES / ❌ NO]
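
Steps 2 and 4 of the isolation procedure have one classic failure: the forensic-workstation exception is added after the blanket block, so on a first-match firewall the remote collection that was supposed to continue silently stops working. The block below is an added example, not part of the original guide and not any vendor's rule syntax: it models the isolation rules as an ordered first-match policy and runs the Step 4 reachability checks against the model before anyone touches the real firewall. The suspect addresses are the placeholders from the procedure; the forensic workstation, internet and file-server addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Placeholders from the procedure plus a constructed forensic workstation address.
SUSPECT_IPS = ["10.50.42.100", "10.50.42.101", "10.60.10.50", "172.16.5.25"]
FORENSIC_WS = "10.10.0.5"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # IP or CIDR
    dst: str
    comment: str = ""


def isolation_policy(suspect_ips: List[str], forensic_ws: str) -> List[Rule]:
    """Step 2 as an ordered policy: the forensic exception must precede the blanket blocks."""
    rules: List[Rule] = []
    for ip in suspect_ips:
        rules.append(Rule("allow", forensic_ws, ip, "forensic workstation to suspect device"))
        rules.append(Rule("allow", ip, forensic_ws, "suspect device replies to forensic workstation"))
    for ip in suspect_ips:
        rules.append(Rule("deny", ip, ANY, "block outbound (exfiltration)"))
        rules.append(Rule("deny", ANY, ip, "block inbound (C2, lateral movement)"))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins, as on most firewalls; unmatched traffic gets the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src, strict=False) and d in ipaddress.ip_network(r.dst, strict=False):
            return r.action, r.comment
    return default, "no matching rule"


def verify_isolation(rules: List[Rule], suspect_ips: List[str], forensic_ws: str,
                     internet: str = "203.0.113.10", file_server: str = "10.50.1.20") -> List[str]:
    """Step 4 reachability checks; returns the list of failures (empty means verified)."""
    failures = []
    for ip in suspect_ips:
        expectations = [
            (ip, internet, "deny", "outbound to internet"),
            (ip, file_server, "deny", "outbound to file server"),
            (internet, ip, "deny", "inbound from internet"),
            (forensic_ws, ip, "allow", "forensic workstation access"),
        ]
        # Suspect devices must not be able to reach each other either.
        expectations += [(ip, other, "deny", f"lateral to {other}") for other in suspect_ips if other != ip]
        for s, d, expected, what in expectations:
            got, _ = evaluate(rules, s, d)
            if got != expected:
                failures.append(f"{ip}: {what} is {got}, expected {expected}")
    return failures
```

Reversing the two rule groups reproduces the misordering failure: the checks then report that the forensic workstation is denied for every suspect device while all the blocks still pass.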

3.3 HR and Personnel Actions

Goal: Coordinate with HR to implement appropriate employment actions while preserving investigation and avoiding wrongful termination claims.

Suspension Pending Investigation

When Appropriate:

  • Investigation ongoing and requires time to complete
  • Risk of continued harm if suspect remains employed
  • Separation not yet justified (insufficient evidence for termination)

Suspension Types:

Paid Administrative Leave (Preferred):

  • Advantages: Reduces wrongful termination risk (employee still receiving income); preserves cooperation (employee may be more willing to cooperate if still paid)
  • Duration: Typically 1-2 weeks (extended to 30 days if complex investigation)
  • Communication: "You are placed on paid administrative leave pending completion of an internal investigation. You are required to remain available for meetings. Do not access company systems or contact employees about this matter."

Unpaid Suspension:

  • Advantages: Emphasizes seriousness of situation
  • Disadvantages: Higher wrongful termination risk; may violate employment contract or union agreement
  • Restrictions: May not be permissible in some jurisdictions (California exempt employees cannot be suspended without pay)

Suspension Notification Template:

SUSPENSION NOTIFICATION LETTER

[Date]

[Employee Name]
[Address]

Re: Paid Administrative Leave

Dear [Employee Name],

Effective immediately, you are placed on paid administrative leave pending the completion of an internal investigation into matters related to your employment. During this leave:

1. You must remain available for meetings with company representatives, legal counsel, and/or investigators. We will provide reasonable notice (24-48 hours) for any requested meetings.

2. You are prohibited from accessing company systems, including email, file servers, applications, and physical facilities. Your building access badge has been temporarily disabled.

3. You are prohibited from contacting company employees regarding this investigation unless authorized by [HR Director or Legal Counsel].

4. You will continue to receive your regular salary and benefits during this leave period.

5. You are required to return all company property in your possession, including [laptop, mobile phone, badge, keys, documents], to [HR contact] by [date, typically within 24-48 hours].

6. You are reminded of your confidentiality obligations under your employment agreement. Do not disclose confidential company information or discuss this matter publicly.

This administrative leave is not a determination of wrongdoing. The company will complete the investigation promptly and inform you of the outcome.

If you have questions about this leave or the investigation, please contact [HR Director Name] at [phone/email].

Sincerely,

[HR Director Name]
[Title]

ACKNOWLEDGMENT:
I acknowledge receipt of this notice and understand the terms of my administrative leave.

Employee Signature: _______________________ Date: _______

Termination for Cause

When Appropriate:

  • Investigation complete and evidence supports termination
  • Insider threat incident constitutes gross misconduct or policy violation justifying termination
  • Legal counsel and HR agree termination is legally defensible

Termination Considerations:

Legal Risks:

  • Wrongful Termination: Employee sues claiming termination violated employment contract, public policy, or discrimination laws
  • Defamation: Employee sues claiming false accusation damaged reputation
  • Privacy Violation: Employee sues claiming investigation violated privacy rights

Mitigation:

  • Document Evidence: Comprehensive investigation report with evidence supporting termination decision
  • Consistent Application: Demonstrate that similar misconduct by other employees resulted in similar discipline
  • Legal Counsel Review: Have employment attorney review termination decision and documentation
  • Follow Progressive Discipline: If employment policy requires warnings before termination, ensure policy followed (unless gross misconduct exception applies)

Termination Meeting Procedure:

TERMINATION MEETING PROCEDURE - INSIDER THREAT CASE

PARTICIPANTS:
- HR Representative (meeting lead)
- Employee's Manager (optional, provides business context)
- Witness (second HR representative or security)
- Legal Counsel (on standby if questions arise; typically not in room)
- Security (on standby outside room if risk of violence)

MEETING LOCATION:
- Private conference room (not employee's office)
- Near exit (easy for employee to leave after meeting)
- No audience (protect employee's dignity)

MEETING SCRIPT:

[HR]: "[Employee name], thank you for meeting with us. I'll get straight to the point. The company has completed its investigation into [describe conduct: unauthorized access to confidential data]. Based on our findings, your employment is terminated effective immediately for violation of company policy [cite specific policy number/name]."

[Pause for employee response - let employee speak if they wish, but do not argue or debate]

[HR]: "Here is your termination letter outlining the decision [hand letter to employee]. You will receive your final paycheck, including accrued vacation, on [date per state law, typically next regular payday or within 72 hours depending on jurisdiction].

Your benefits will continue through [end of month or per COBRA]. You will receive COBRA information by mail within 14 days.

We need to collect company property now. Please provide [laptop, phone, badge, keys, documents]."

[Employee returns property; security retrieves from employee's desk if employee refuses]

[HR]: "Do you have any personal belongings at your desk? [If yes] We will pack your personal items and ship them to you, or you may arrange a supervised visit to collect them. [If no] You will need to leave the building now. [Security escort] will escort you to ensure you can collect your belongings and exit safely."

[HR]: "You are reminded of your confidentiality obligations under your employment agreement. Do not disclose confidential company information. Do not disparage the company publicly. Do not contact company employees about this matter.

If you have questions about your final pay or benefits, contact [HR contact]. If you have questions about the termination decision, you may contact [Legal Counsel or HR Director], but the decision is final.

Do you have any questions?"

[Answer questions about final pay, benefits, logistics only - do NOT discuss evidence or investigative findings]

[HR]: "I understand this is difficult. We wish you the best. Please follow [Security] to collect your belongings and exit the building."

[Meeting concludes; employee escorted from building]

POST-MEETING ACTIONS:
☐ Document meeting (date, time, participants, employee's statements)
☐ Verify all company property returned (laptop, phone, badge, keys)
☐ Pack personal belongings (have manager or HR pack, ship to employee's home)
☐ Confirm IT access revoked (accounts disabled, building access removed)
☐ Process final paycheck (include accrued vacation per state law)
☐ Send COBRA notice (within 14 days)
☐ Send termination letter and separation agreement (if applicable)

Part 4: Eradication, Recovery, and Post-Incident

4.1 Eradication - Removing Insider's Access and Backdoors

Goal: Ensure terminated insider has no residual access to systems, data, or facilities.

Audit Checklist:

POST-TERMINATION ACCESS AUDIT

TERMINATED EMPLOYEE: [John Doe, Employee ID 12345]
TERMINATION DATE: [YYYY-MM-DD]
AUDIT CONDUCTED BY: [Security Team Member]
AUDIT DATE: [YYYY-MM-DD]

STEP 1: ACCOUNT VERIFICATION
☐ All user accounts disabled (AD, email, VPN, applications) - Verified [DATE]
☐ No active sessions detected (login monitoring for 7 days post-termination) - Verified [DATE]
☐ Password reset on any shared accounts terminated employee had access to - Verified [DATE]

STEP 2: BACKDOOR DETECTION
☐ Audit for rogue accounts created by terminated employee:
   ☐ Search Active Directory for accounts created by terminated employee
   ☐ Review privileged accounts (admin, service accounts) created in past 90 days
   ☐ Review application accounts (API keys, service accounts) created by employee
☐ Accounts found requiring review: [List accounts]
☐ Rogue accounts disabled: [List accounts disabled]

☐ Audit for unauthorized access methods:
   ☐ Review VPN logs for unusual access patterns before termination
   ☐ Review firewall rules for unauthorized remote access rules
   ☐ Review remote desktop/TeamViewer/AnyDesk installations
☐ Unauthorized access methods found: [List findings]
☐ Unauthorized access methods removed: [Confirmed]

☐ Audit for scheduled tasks or logic bombs:
   ☐ Review Windows Task Scheduler for tasks created by terminated employee
   ☐ Review cron jobs (Linux/Unix) for suspicious scheduled tasks
   ☐ Review database jobs for suspicious queries or procedures
☐ Suspicious scheduled tasks found: [List tasks]
☐ Suspicious tasks disabled: [Confirmed]

STEP 3: DATA REMOVAL
☐ Remove terminated employee's data from shared drives (if appropriate):
   ☐ Personal files deleted or archived
   ☐ Work files transferred to manager
☐ Remove terminated employee from email distribution lists, shared mailboxes
☐ Remove terminated employee from collaboration tools (Slack channels, Teams groups, SharePoint permissions)

STEP 4: PHYSICAL ACCESS VERIFICATION
☐ Badge access disabled - Verified [DATE]
☐ Photo provided to security guards (do not allow entry) - Verified [DATE]
☐ Physical keys returned or locks changed - Verified [DATE]
☐ Parking access revoked - Verified [DATE]

STEP 5: THIRD-PARTY ACCESS VERIFICATION
☐ Terminated employee removed from vendor/partner systems (if applicable)
☐ Terminated employee removed from customer systems (if applicable)
☐ Terminated employee removed from cloud IAM (AWS, Azure, GCP)

STEP 6: MONITORING FOR POST-TERMINATION ACTIVITY
☐ Monitor for login attempts from terminated employee (past 30 days):
   ☐ Failed login attempts detected: [Number]
   ☐ Successful logins detected: [Number - investigate immediately if >0]
☐ Monitor for data exfiltration attempts post-termination:
   ☐ Suspicious activity detected: [YES / NO]
☐ Monitor for social engineering attempts (terminated employee contacting IT/help desk):
   ☐ Attempts detected: [YES / NO]

AUDIT COMPLETE ✅
Residual Access Found: [YES / NO]
Backdoors Detected: [YES / NO]
Recommendations: [Implement enhanced offboarding procedures, additional monitoring]

Audit Approved By: _______________________
Date: _______________________
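
Step 6 of the account disablement procedure and Step 6 of this audit both come down to the same check: any event tied to a disabled account after the recorded disablement time. The block below is an added example, not part of the original guide: it scans log lines in a constructed, simplified format, ignores everything up to the disablement timestamp, and grades what remains, with a successful login or VPN connection (residual access) as critical and failed logins or help-desk reset requests (evasion and social engineering attempts) as warnings. Map your SIEM's fields onto the same tuple before using it; the account names, addresses and event names are placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed simplified format: "<ISO8601 UTC> <event> user=<id> src=<ip|channel> [detail]".
LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<detail>.*))?$")

# How to treat each event type once the account should no longer work anywhere.
SEVERITY = {
    "login_success": "CRITICAL",          # residual access: disablement incomplete or bypassed
    "vpn_connect": "CRITICAL",
    "file_download": "CRITICAL",
    "login_failure": "WARNING",           # evasion attempt
    "password_reset_request": "WARNING",  # help-desk contact: possible social engineering
}


def parse(line: str) -> Optional[Dict[str, object]]:
    m = LINE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.fromisoformat(str(ev["ts"]).replace("Z", "+00:00"))
    return ev


def post_disablement_events(lines: List[str], disabled_accounts: List[str],
                            disabled_at: datetime) -> List[Dict[str, object]]:
    """Events for any disabled account after the recorded disablement time, tagged with severity."""
    watch = {a.lower() for a in disabled_accounts}
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or str(ev["user"]).lower() not in watch:
            continue
        if ev["ts"] <= disabled_at:
            continue          # earlier activity is evidence for the investigation, not evasion
        ev["severity"] = SEVERITY.get(str(ev["event"]), "INFO")
        findings.append(ev)
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Counts per severity, the numbers the audit form asks for."""
    return dict(Counter(str(f["severity"]) for f in findings))


SAMPLE_LOG = [  # constructed sample lines
    r"2025-01-15T13:50:00Z login_success user=DOMAIN\jdoe src=10.50.42.100",
    r"2025-01-15T14:22:10Z login_failure user=DOMAIN\jdoe src=198.51.100.23 reason=account_disabled",
    r"2025-01-15T14:22:40Z login_failure user=DOMAIN\jdoe src=198.51.100.23 reason=account_disabled",
    r"2025-01-15T15:05:00Z vpn_connect user=svc_backup2 src=198.51.100.23",
    r"2025-01-16T09:12:00Z password_reset_request user=jdoe@example.com src=helpdesk channel=phone",
    r"2025-01-16T10:00:00Z login_success user=DOMAIN\asmith src=10.50.42.55",
    "not a log line",
]
DISABLED_ACCOUNTS = [r"DOMAIN\jdoe", "jdoe@example.com", "svc_backup2"]   # direct accounts plus the audited backdoor
DISABLED_AT = datetime(2025, 1, 15, 14, 0, tzinfo=timezone.utc)           # time recorded on the disablement form


def demo() -> List[Dict[str, object]]:
    return post_disablement_events(SAMPLE_LOG, DISABLED_ACCOUNTS, DISABLED_AT)
```

In the sample, the `vpn_connect` by the audited backdoor account after the cutoff is the finding that matters: the account was on the disablement list, so a successful connection means the disablement did not take effect on the VPN and the audit cannot be closed until it does.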

4.2 Recovery - Restoring Operations and Affected Systems

Goal: Return to normal operations while implementing lessons learned.

Recovery Procedures:

1. Data Restoration (If Sabotage or Destruction Occurred)

DATA RESTORATION PROCEDURE

AFFECTED SYSTEMS: [File server, database, application]
INCIDENT: [Insider deleted 50,000 customer records]
RECOVERY LEAD: [IT Manager Name]
DATE: [YYYY-MM-DD]

STEP 1: ASSESS DAMAGE
☐ Identify affected systems and data
☐ Determine extent of data loss (number of records, files, databases)
☐ Determine business impact (customer impact, operational disruption)

STEP 2: IDENTIFY RESTORATION SOURCE
☐ Most recent clean backup: [DATE/TIME of backup]
☐ Backup location: [Tape, disk, cloud]
☐ Backup integrity verified: [✅ YES / ❌ NO]
☐ Backup contains affected data: [✅ YES / ❌ NO]

STEP 3: RESTORE DATA
☐ Restore from backup to isolated environment (do not restore directly to production - verify integrity first)
☐ Verify restored data integrity (sample checks, record counts)
☐ Scan for malware or backdoors in restored data
☐ Restore to production environment

STEP 4: VALIDATE RESTORATION
☐ User acceptance testing (have business users verify data)
☐ Reconciliation (compare restored data to known-good state)
☐ Monitor for issues (performance problems, data corruption)

STEP 5: IMPLEMENT PREVENTIVE MEASURES
☐ Enhanced access controls (reduce who can delete data)
☐ Recycle bin or soft delete (allow data recovery without backup restoration)
☐ Immutable backups (prevent insider from deleting backups)

RESTORATION COMPLETE ✅
Data Loss: [0 records lost - full recovery from backup]
Downtime: [4 hours]
Lessons Learned: [Implement soft delete, enhanced access controls]
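Steps 2 through 4 of the restoration procedure (verify backup integrity, restore to an isolated environment, reconcile, then promote) can be made a repeatable check. This example is added here and is not from the original playbook; the SQL dump, the manifest assumed to have been written by the backup job, and the known-good reference set are all constructed, and an in-memory SQLite database stands in for the isolated staging environment.

```python
import hashlib
import sqlite3

# Constructed backup: SQL dump of the customer table taken before the deletion.
BACKUP_DUMP = b"""\
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
INSERT INTO customers VALUES (1, 'a@example.com');
INSERT INTO customers VALUES (2, 'b@example.com');
INSERT INTO customers VALUES (3, 'c@example.com');
"""

# Constructed manifest the backup job is assumed to have written at backup time.
# It must be stored separately (ideally immutably) so a tampered dump cannot pass.
MANIFEST = {
    "sha256": hashlib.sha256(BACKUP_DUMP).hexdigest(),
    "tables": {"customers": 3},
}

# Constructed known-good reference (e.g. the last month-end reconciliation) for the sample check.
KNOWN_GOOD_IDS = {1, 2, 3}


def verify_backup_integrity(dump: bytes, manifest: dict) -> bool:
    """STEP 2: the dump must match the digest recorded when the backup was taken."""
    return hashlib.sha256(dump).hexdigest() == manifest["sha256"]


def restore_to_isolated_env(dump: bytes) -> sqlite3.Connection:
    """STEP 3: restore into a throwaway database, never straight into production."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump.decode())
    return conn


def reconcile(conn, manifest, known_good_ids):
    """STEP 4: compare record counts and a key sample against manifest and known-good state."""
    problems = []
    for table, expected in manifest["tables"].items():
        # Table names come from the trusted manifest, never from user input.
        actual = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        if actual != expected:
            problems.append(f"{table}: expected {expected} rows, restored {actual}")
    restored_ids = {row[0] for row in conn.execute("SELECT id FROM customers")}
    missing = known_good_ids - restored_ids
    if missing:
        problems.append(f"customers: missing ids {sorted(missing)}")
    return problems


def validate_restore(dump, manifest=MANIFEST, known_good_ids=KNOWN_GOOD_IDS):
    """Run the full check and say whether the restore may be promoted to production."""
    report = {
        "integrity_ok": verify_backup_integrity(dump, manifest),
        "problems": [],
        "promote_to_production": False,
    }
    if not report["integrity_ok"]:
        report["problems"].append("backup digest does not match manifest")
        return report
    conn = restore_to_isolated_env(dump)
    try:
        report["problems"] = reconcile(conn, manifest, known_good_ids)
    finally:
        conn.close()
    report["promote_to_production"] = not report["problems"]
    return report


if __name__ == "__main__":
    print(validate_restore(BACKUP_DUMP))
    # A dump with one row removed fails the integrity check before anything is restored.
    tampered = BACKUP_DUMP.replace(b"INSERT INTO customers VALUES (3, 'c@example.com');\n", b"")
    print(validate_restore(tampered))
```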

2. System Hardening (Prevent Recurrence)

POST-INCIDENT SYSTEM HARDENING

STEP 1: ACCESS CONTROL IMPROVEMENTS
☐ Review and reduce privileged account usage (principle of least privilege)
☐ Implement just-in-time (JIT) access (temporary elevation instead of permanent admin rights)
☐ Implement a [privileged access management (PAM)](/glossary/privileged-access-management) tool (CyberArk, BeyondTrust)
☐ Require multi-factor authentication (MFA) for all privileged accounts

STEP 2: MONITORING ENHANCEMENTS
☐ Implement [user and entity behavior analytics (UEBA)](/glossary/user-entity-behavior-analytics) to detect anomalies
☐ Enhance [DLP](/glossary/data-loss-prevention) policies based on exfiltration methods used in incident
☐ Implement enhanced logging (capture more detailed activity logs)
☐ Reduce log retention gaps (increase retention from 30 to 90 days)

STEP 3: DATA PROTECTION IMPROVEMENTS
☐ Classify sensitive data (identify high-value data requiring extra protection)
☐ Implement data loss prevention ([DLP](/glossary/data-loss-prevention)) for unprotected data
☐ Encrypt sensitive data at rest (prevent unauthorized access)
☐ Implement database activity monitoring (DAM) for sensitive databases

STEP 4: OFFBOARDING IMPROVEMENTS
☐ Implement automated offboarding (immediate account disablement upon HR separation)
☐ Implement pre-termination monitoring (enhanced monitoring during notice period)
☐ Implement exit interviews focused on data return (verify employee returned all data)

HARDENING COMPLETE ✅
Improvements Implemented: [JIT access, [UEBA](/glossary/user-entity-behavior-analytics) deployment, enhanced [DLP](/glossary/data-loss-prevention) policies]
Timeline: [30 days for full implementation]
Ownership: [CISO for monitoring, IT Director for access controls]

4.3 Post-Incident Activities

Lessons Learned Session

Timing: Within 30 days of incident containment

Participants: ITIRT members + any other stakeholders involved in response

Agenda:

LESSONS LEARNED SESSION - [CASE ID]

DATE: [YYYY-MM-DD]
FACILITATOR: [CISO or independent facilitator]
PARTICIPANTS: [ITIRT members, legal, HR, business unit, executive sponsor]

AGENDA:

1. INCIDENT SUMMARY (15 minutes)
   - Brief recap of incident timeline
   - What happened, when, how was it detected, how was it contained
   - Business impact (financial, operational, reputational)

2. WHAT WENT WELL (15 minutes)
   - What aspects of response were effective?
   Examples:
   - Rapid detection (alert triggered within 2 hours of exfiltration)
   - Effective coordination between IT, HR, and legal
   - Successful evidence preservation (all evidence admissible)

3. WHAT WENT WRONG (30 minutes)
   - What aspects of response were ineffective or created problems?
   Examples:
   - Delayed containment (48 hours from detection to account disablement allowed additional data theft)
   - Communication breakdown (IT disabled accounts before HR notified employee's manager, causing confusion)
   - Evidence gaps (insufficient logging meant we couldn't determine full scope of exfiltration)
   - Legal compliance issues (investigation violated employee privacy law, created liability)

4. ROOT CAUSE ANALYSIS (20 minutes)
   - Why did insider threat occur? (access too broad, inadequate monitoring, employee grievance not addressed)
   - Why was detection delayed? (alert tuning issues, false positive fatigue)
   - Why was containment delayed? (unclear escalation procedures, decision-making bottlenecks)

5. ACTIONABLE RECOMMENDATIONS (30 minutes)
   - What should we change to prevent recurrence?
   - What should we change to improve detection?
   - What should we change to improve response?
   - Assign ownership and deadlines for each recommendation

6. DOCUMENTATION AND CLOSEOUT (10 minutes)
   - Document lessons learned
   - Track recommendations in project management tool
   - Schedule follow-up review (90 days) to verify recommendations implemented

LESSONS LEARNED REPORT:

INCIDENT SUMMARY:
[2-3 paragraph summary of incident]

WHAT WENT WELL:

1. [Example: Rapid detection via [UEBA](/glossary/user-entity-behavior-analytics) alert reduced attacker dwell time to 2 hours]
2. [Example: Coordinated ITIRT response with clear roles and responsibilities]
3. [Example: Legal counsel involvement from day 1 ensured evidence admissibility]

WHAT WENT WRONG:

1. [Example: Insufficient logging meant full scope of exfiltration could not be determined]
2. [Example: Delayed containment (48 hours) allowed insider to exfiltrate additional data]
3. [Example: Communication breakdown between IT and HR caused confusion during termination]

ROOT CAUSES:

1. [Example: Employee had excessive access (privileged account not required for role)]
2. [Example: No pre-termination monitoring (employee announced resignation 2 weeks before incident)]
3. [Example: Alert fatigue (security team dismissed early alerts as false positives)]

RECOMMENDATIONS:

1. Implement just-in-time privileged access (reduce standing admin accounts)
   - Owner: [CISO]
   - Deadline: [DATE]
   - Status: [Not Started / In Progress / Complete]

2. Implement pre-termination monitoring (enhanced monitoring for employees with notice period)
   - Owner: [HR Director + Security Manager]
   - Deadline: [DATE]
   - Status: [Not Started / In Progress / Complete]

3. Tune [UEBA](/glossary/user-entity-behavior-analytics) alerts to reduce false positives (improve signal-to-noise ratio)
   - Owner: [Security Analyst]
   - Deadline: [DATE]
   - Status: [Not Started / In Progress / Complete]

4. Document clear escalation procedures for insider threat incidents (reduce containment delays)
   - Owner: [CISO]
   - Deadline: [DATE]
   - Status: [Not Started / In Progress / Complete]

5. Enhance logging for database access (capture full audit trail for sensitive data access)
   - Owner: [Database Administrator]
   - Deadline: [DATE]
   - Status: [Not Started / In Progress / Complete]

FOLLOW-UP:
- 90-day review meeting scheduled: [DATE]
- Responsible: [CISO]
- Agenda: Verify recommendations implemented, assess effectiveness

Regulatory Notification

GDPR (EU/UK) - 72-Hour Breach Notification:

When Required:

  • Personal data breach (unauthorized access, disclosure, alteration, or destruction of personal data)
  • Likely to result in risk to rights and freedoms of individuals

Notification Deadline:

  • 72 hours from becoming aware of breach
  • "Becoming aware" = when organization has reasonable degree of certainty that breach occurred

Who to Notify:

  • Supervisory Authority: Data protection authority in primary establishment (ICO for UK, CNIL for France, etc.)
  • Data Subjects: Individuals affected by breach (if high risk to rights and freedoms)

Notification Template:

GDPR BREACH NOTIFICATION TO SUPERVISORY AUTHORITY

TO: [Information Commissioner's Office (ICO) / Relevant DPA]
FROM: [Company Name, Data Protection Officer]
DATE: [YYYY-MM-DD]
RE: Personal Data Breach Notification (Article 33 GDPR)

1. DESCRIPTION OF BREACH:
On [DATE], we discovered that a former employee (database administrator) exfiltrated personal data of approximately 50,000 customers. The breach occurred between [START DATE] and [END DATE].

The employee accessed customer database and exported records containing:
- Names
- Email addresses
- Phone numbers
- Mailing addresses
- Purchase history

The employee transferred data to personal cloud storage account and personal email address.

2. CATEGORIES AND APPROXIMATE NUMBER OF DATA SUBJECTS:
- Approximately 50,000 customers (UK and EU residents)
- No special category data (health, biometric, etc.) involved

3. CATEGORIES AND APPROXIMATE NUMBER OF PERSONAL DATA RECORDS:
- Approximately 50,000 customer records
- Each record contains: name, contact information, purchase history

4. LIKELY CONSEQUENCES:
- Risk of spam, phishing, or marketing contact (contact information exposed)
- Risk of social engineering or fraud (employee may impersonate company using customer data)
- No risk of identity theft (no SSNs, financial data, or authentication credentials exposed)
- Overall risk assessment: **Medium risk to data subject rights and freedoms**

5. MEASURES TAKEN OR PROPOSED:
Immediate measures:
- Terminated employee's access to all systems on [DATE]
- Forensically imaged employee's devices and preserved evidence
- Demanded return of exfiltrated data from former employee (legal demand sent [DATE])
- Reported incident to law enforcement (police report [NUMBER])

Notification measures:
- Notifying affected data subjects via email on [DATE] (within 7 days of discovery)
- Providing guidance to data subjects (be alert for phishing, verify company communications)

Preventive measures:
- Implemented enhanced monitoring for privileged accounts
- Implementing just-in-time privileged access (eliminate standing admin accounts)
- Implementing data loss prevention ([DLP](/glossary/data-loss-prevention)) for database exports

6. CONTACT POINT:
Data Protection Officer: [Name]
Email: [DPO email address]
Phone: [+XX-XXX-XXX-XXXX]

7. PROGRESSIVE NOTIFICATION:
This is our initial notification submitted within 72 hours of breach discovery. We will provide additional information as investigation continues.

Expected updates:
- Final determination of exact number of affected data subjects (within 7 days)
- Confirmation of data recovery or destruction (within 30 days)
- Completion of forensic investigation (within 30 days)

We are available to provide any additional information or clarification as needed.

Respectfully submitted,

[Data Protection Officer Name]
[Company Name]
[Date]

US State Breach Notification Laws:

Varies by state; generally requires notification if:

  • Personal information breached (name + SSN, driver's license, financial account)
  • Breach affects residents of state

Notification Timing:

  • "Without unreasonable delay" (most states)
  • Specific timeframes: California (most expedient time possible), Colorado (30 days), Florida (30 days)

Who to Notify:

  • Affected Individuals: All residents affected by breach
  • State Attorney General: If threshold met (500-1,000 residents depending on state)
  • Consumer Reporting Agencies: If >1,000 residents affected (Equifax, Experian, TransUnion)

Legal and Insurance Actions

Criminal Prosecution:

When to Consider:

  • Insider committed crime (theft, fraud, computer fraud, sabotage)
  • Evidence sufficient for prosecution (beyond reasonable doubt standard)
  • Business interest in deterrence (send message to other potential insiders)

Procedure:

  • Consult with legal counsel and law enforcement (FBI Cyber Division, US Attorney, state/local police)
  • Provide evidence to law enforcement (forensic reports, financial loss calculations)
  • Cooperate with prosecution (testimony, additional evidence as requested)

Criminal Statutes:

  • Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030 (unauthorized access, exceeding authorized access)
  • Economic Espionage Act (EEA) - 18 U.S.C. § 1831-1839 (trade secret theft)
  • Wire Fraud - 18 U.S.C. § 1343 (fraud via electronic communications)
  • Identity Theft - 18 U.S.C. § 1028 (misuse of personal identifying information)

Civil Lawsuit:

When to Consider:

  • Seeking monetary damages or injunctive relief
  • Criminal prosecution not viable (insufficient evidence for criminal charges)
  • Insider working for competitor (trade secret misappropriation, breach of non-compete)

Claims:

  • Breach of Fiduciary Duty: Employee violated duty of loyalty to employer
  • Trade Secret Misappropriation: Employee stole trade secrets (Defend Trade Secrets Act, state UTSA)
  • Breach of Contract: Employee violated employment agreement, confidentiality agreement, non-compete
  • Conversion: Employee unlawfully took company property (data, devices)
  • Computer Fraud (state law): State computer crime statutes (California Penal Code § 502)

Cyber Insurance Claim:

Coverage:

  • First-Party Coverage: Organization's own losses (forensic investigation, notification costs, business interruption, data restoration, crisis management, regulatory fines)
  • Third-Party Coverage: Liability to others (lawsuits from customers, regulatory penalties, PCI DSS fines)

Claim Procedure:

  • Notify insurer immediately (within 24-48 hours per policy)
  • Provide incident details and estimated losses
  • Use insurer's breach coach or approved forensics vendors (pre-approved to ensure coverage)
  • Document all costs for claim (forensics invoices, legal fees, notification costs, business interruption)

Part 5: Insider Threat Scenario Playbooks

Scenario 1: Data Exfiltration by Departing Employee

Scenario: Employee announces resignation and 2-week notice period. During notice period, monitoring alerts detect large file downloads and transfers to personal cloud storage.

Playbook:

DATA EXFILTRATION BY DEPARTING EMPLOYEE - RESPONSE PLAYBOOK

DETECTION:
☐ Alert triggered: [Employee "Jane Smith" uploaded 2,500 files (5.2 GB) to personal Dropbox]
☐ Context: Employee submitted resignation on [DATE], last day is [DATE + 14 days]

IMMEDIATE ACTIONS (Within 1 Hour):
☐ Verify alert (rule out false positive - check if files are personal or company-confidential)
☐ Identify files transferred (file names, classifications, sensitivity)
☐ Consult legal counsel (brief on findings, obtain authorization to investigate)
☐ DO NOT alert suspect yet (preserve evidence first)

EVIDENCE PRESERVATION (Hours 1-4):
☐ Preserve volatile evidence:
   ☐ Remote RAM dump of employee's laptop (capture running processes, open files)
   ☐ Network traffic capture (capture ongoing exfiltration if still occurring)
   ☐ Export recent file access logs (past 30 days)
   ☐ Export email sent to personal addresses (past 30 days)
☐ Preserve non-volatile evidence:
   ☐ Full forensic image of employee's laptop (schedule during lunch break or after hours)
   ☐ Export employee's Dropbox/cloud storage logs (if company has visibility)
   ☐ Export employee's email (PST export or journaling)

ANALYSIS (Hours 4-24):
☐ Review exfiltrated files:
   ☐ Are files confidential/trade secret? (customer lists, pricing, product roadmaps, source code)
   ☐ Are files personal? (employee's own documents, non-sensitive materials)
☐ Assess business impact:
   ☐ Value of data: $ [estimate]
   ☐ Competitive harm if disclosed: [None / Low / Medium / High]
   ☐ Regulatory impact: [GDPR/CCPA breach notification required?]
☐ Determine intent:
   ☐ Malicious (steal data for new employer)
   ☐ Negligent (employee backing up work to personal cloud out of habit)

DECISION (Hour 24):
☐ If files are confidential and intent appears malicious:
   → Activate ITIRT, proceed with containment and termination
☐ If files are non-confidential or intent is negligent:
   → Issue warning, require deletion, allow employee to complete notice period with enhanced monitoring

CONTAINMENT (If Proceeding with Termination):
☐ Disable employee accounts (all systems, immediately)
☐ Revoke physical access (badge, keys)
☐ Suspend employee (paid administrative leave pending investigation)
☐ Demand return of data:
   - Send legal demand letter to employee (cease and desist)
   - Demand deletion of exfiltrated data from personal storage
   - Demand return of any company property (laptop, documents, devices)

HR AND LEGAL ACTIONS:
☐ Coordinate with HR for termination (if evidence supports termination for cause)
☐ Termination meeting (collect company property, escort from building)
☐ Legal demand letter (cease and desist, return data, reminder of confidentiality obligations)
☐ Consider legal remedies:
   ☐ Civil lawsuit (trade secret misappropriation, breach of contract)
   ☐ Criminal referral (Computer Fraud and Abuse Act, Economic Espionage Act)
   ☐ Injunction (court order preventing use or disclosure of trade secrets)

NOTIFICATION (If Breach Notification Required):
☐ Notify regulators (GDPR 72 hours, state breach laws)
☐ Notify affected individuals (customers, partners)
☐ Notify cyber insurance carrier

RECOVERY:
☐ Assess whether data is recoverable (negotiate return with employee or attorney)
☐ Implement preventive measures:
   ☐ Pre-termination monitoring (enhanced monitoring during notice periods)
   ☐ Accelerated offboarding (eliminate notice period for high-risk roles)
   ☐ Enhanced [DLP](/glossary/data-loss-prevention) (block cloud storage uploads for departing employees)

LESSONS LEARNED:
☐ Conduct lessons learned session (30 days post-incident)
☐ Update [incident response procedures](/research/insider-threat-incident-response-playbook-2025) based on findings
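The detection step of this playbook (an employee on notice uploading company files to personal cloud storage) can be expressed as a rule over proxy or DLP upload events joined with the HR notice-period feed. The example below is added here and is not part of the original playbook; the notice-period list, sanctioned destinations, thresholds and log lines are constructed, and the log format is a simplified stand-in for whatever the proxy or DLP product actually emits.

```python
from collections import defaultdict
from datetime import date

GB = 10**9

# Constructed HR feed: user -> (resignation date, last working day).
NOTICE_PERIOD = {"jane.smith": (date(2025, 4, 1), date(2025, 4, 15))}

# Constructed list of sanctioned corporate storage; any other destination is treated as personal cloud.
SANCTIONED_DESTINATIONS = {"corp.sharepoint.com", "drive.corp.example"}

# Constructed proxy/DLP upload events: "<date> <user> <destination host> <bytes> <file name>".
UPLOAD_EVENTS = """\
2025-03-20 jane.smith www.dropbox.com 900000000 archive.zip
2025-04-02 jane.smith www.dropbox.com 2500000000 customer_list_q1.xlsx
2025-04-02 jane.smith www.dropbox.com 2700000000 pricing_2025.pdf
2025-04-02 jane.smith corp.sharepoint.com 10000 notes.txt
2025-04-02 bob.lee www.dropbox.com 500000 vacation.jpg
"""


def detect_departing_employee_uploads(events_text, notice=NOTICE_PERIOD,
                                      sanctioned=SANCTIONED_DESTINATIONS,
                                      file_threshold=100, byte_threshold=1 * GB):
    """Aggregate, per user and day, uploads to unsanctioned destinations during a notice period."""
    totals = defaultdict(lambda: {"files": 0, "bytes": 0, "destinations": set(), "files_seen": []})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        day, user, dest, nbytes, fname = line.split()
        if user not in notice:
            continue  # only employees in a notice period get this tighter rule
        resigned, last_day = notice[user]
        when = date.fromisoformat(day)
        if not resigned <= when <= last_day:
            continue  # activity before the resignation belongs to the normal baseline rule
        if dest in sanctioned:
            continue
        agg = totals[(user, when)]
        agg["files"] += 1
        agg["bytes"] += int(nbytes)
        agg["destinations"].add(dest)
        agg["files_seen"].append(fname)

    alerts = []
    for (user, when), agg in sorted(totals.items()):
        if agg["files"] >= file_threshold or agg["bytes"] >= byte_threshold:
            alerts.append({
                "user": user,
                "date": when.isoformat(),
                "files": agg["files"],
                "bytes": agg["bytes"],
                "destinations": sorted(agg["destinations"]),
                # File names feed the playbook's first step: verify the alert and classify the files.
                "sample_files": agg["files_seen"][:5],
                "next_action": "verify alert, classify files, consult legal; do not alert employee",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_departing_employee_uploads(UPLOAD_EVENTS):
        print(f"{alert['user']} {alert['date']}: {alert['files']} files, "
              f"{alert['bytes'] / GB:.1f} GB to {alert['destinations']} -> {alert['next_action']}")
```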

Scenario 2: Privileged User Abuse (Sys Admin Data Theft)

Scenario: Database administrator with broad access to customer data is detected accessing large volumes of customer records outside normal job duties.

Playbook:

PRIVILEGED USER ABUSE - RESPONSE PLAYBOOK

DETECTION:
☐ Alert triggered: [Sys admin "Bob Johnson" executed bulk database export of 100,000 customer records]
☐ Context: Sys admin has legitimate access to database but export is unusual (no corresponding help desk ticket or project)

IMMEDIATE ACTIONS (Within 1 Hour):
☐ Verify alert (check if export is legitimate - consult with database team lead)
☐ Assess scope (how many records? what data fields? where exported to?)
☐ Consult legal counsel (brief on findings, obtain authorization for covert investigation)
☐ DO NOT alert suspect (sys admin has skills to cover tracks - preserve evidence covertly)

COVERT EVIDENCE PRESERVATION (Hours 1-24):
☐ Enable enhanced logging (capture all sys admin activities without alerting suspect)
☐ Network traffic monitoring (capture outbound data transfers)
☐ Remote forensic collection (RAM dump, file system snapshot - during off hours while suspect not logged in)
☐ Database audit log review (analyze sys admin's database queries for past 90 days)

ANALYSIS (Days 1-3):
☐ Determine if data was exfiltrated:
   ☐ Was data exported to file? (search for export files on sys admin's laptop, file servers)
   ☐ Was data transferred externally? (email, cloud upload, USB drive)
☐ Assess business justification:
   ☐ Consult with sys admin's manager (was export authorized for project?)
   ☐ Review change control records (was database maintenance scheduled?)
☐ Determine pattern:
   ☐ Is this first occurrence or pattern? (review historical logs)
   ☐ Has sys admin accessed data outside job role repeatedly?

DECISION (Day 3):
☐ If export was authorized and legitimate:
   → False positive - document and close
☐ If export was unauthorized:
   → Activate ITIRT, proceed with containment

CONTAINMENT:
☐ Timing: After-hours containment (disable accounts while sys admin not working to prevent sabotage)
☐ Disable sys admin's accounts (all privileged accounts, immediately)
☐ Reset passwords on service accounts sys admin had access to (prevent backdoor access)
☐ Audit for rogue accounts (search for accounts created by sys admin)
☐ Audit for scheduled tasks or logic bombs (search for malicious scheduled jobs)
☐ Network isolation (if sys admin has remote access, block network access)

EVIDENCE COLLECTION (Day 4):
☐ Forensic imaging of sys admin's laptop (after disablement)
☐ Forensic imaging of sys admin's desktop (if applicable)
☐ Export complete database audit logs (past 12 months for investigation)
☐ Export file server logs (determine if exported data stored on file servers)

HR AND LEGAL ACTIONS:
☐ Suspend sys admin (paid administrative leave pending investigation)
☐ Demand return of data (legal demand letter)
☐ Conduct forensic analysis (determine full extent of data access and exfiltration)
☐ Termination for cause (if evidence supports)
☐ Legal remedies:
   ☐ Civil lawsuit (Computer Fraud and Abuse Act, trade secret misappropriation)
   ☐ Criminal referral (CFAA, Economic Espionage Act)

ERADICATION:
☐ Remove sys admin's privileged access (verify all admin accounts disabled)
☐ Audit for backdoors (rogue accounts, remote access tools, scheduled tasks)
☐ Change all privileged account passwords (sys admin may have documented credentials)
☐ Review firewall rules (sys admin may have created unauthorized access rules)

RECOVERY:
☐ Implement just-in-time (JIT) privileged access (eliminate standing admin accounts)
☐ Implement a [privileged access management (PAM)](/glossary/privileged-access-management) solution (CyberArk, BeyondTrust)
☐ Require multi-factor authentication (MFA) for all privileged accounts
☐ Implement database activity monitoring (DAM) with real-time alerts
☐ Implement separation of duties (no single admin has complete access)

LESSONS LEARNED:
☐ Conduct lessons learned session
☐ Update privileged access controls based on findings
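The detection and business-justification steps of this playbook (an export far outside the admin's own history, with no corresponding change ticket) can be implemented as a baseline check over database audit logs. This example is added here and is not part of the original playbook; the audit-log format, the admins, the change tickets and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import date

# Constructed database audit log: "<date> <admin> <rows returned> <table>".
AUDIT_LOG = """\
2025-05-01 bob.johnson 200 customers
2025-05-02 bob.johnson 150 customers
2025-05-03 bob.johnson 300 customers
2025-05-04 bob.johnson 250 customers
2025-05-05 bob.johnson 180 customers
2025-05-10 bob.johnson 100000 customers
2025-05-10 alice.chen 50000 customers
"""

# Constructed change-control records: (admin, date) -> ticket authorising bulk work that day.
CHANGE_TICKETS = {("alice.chen", date(2025, 5, 10)): "CHG-0042"}

MIN_HISTORY = 5          # events needed before an admin's personal baseline is trusted
MULTIPLIER = 10          # flag queries returning more than 10x the admin's median row count
ABSOLUTE_FLOOR = 10_000  # below this never flag; above it flag even without a baseline


def parse_audit_log(text):
    for line in text.splitlines():
        if line.strip():
            day, admin, rows, table = line.split()
            yield date.fromisoformat(day), admin, int(rows), table


def detect_bulk_exports(log_text, tickets=CHANGE_TICKETS):
    """Flag exports far above each admin's own history and correlate them with change tickets."""
    history = defaultdict(list)
    findings = []
    for when, admin, rows, table in sorted(parse_audit_log(log_text)):
        prior = history[admin]
        if len(prior) >= MIN_HISTORY:
            threshold = max(MULTIPLIER * statistics.median(prior), ABSOLUTE_FLOOR)
        else:
            threshold = ABSOLUTE_FLOOR
        if rows > threshold:
            ticket = tickets.get((admin, when))
            findings.append({
                "date": when.isoformat(),
                "admin": admin,
                "table": table,
                "rows": rows,
                "threshold": threshold,
                "ticket": ticket,
                # No ticket and no project context is the playbook's trigger to activate ITIRT.
                "activate_itirt": ticket is None,
            })
        # Every event joins the running baseline; the median keeps one outlier from skewing it.
        prior.append(rows)
    return findings


if __name__ == "__main__":
    for f in detect_bulk_exports(AUDIT_LOG):
        status = "ACTIVATE ITIRT" if f["activate_itirt"] else f"covered by {f['ticket']}, confirm with manager"
        print(f"{f['date']} {f['admin']} exported {f['rows']} rows from {f['table']} "
              f"(threshold {f['threshold']}): {status}")
```

A ticketed export is still surfaced so the analyst can confirm the ticket actually covers the volume; only the unticketed one is marked for ITIRT activation.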

Scenario 3: Sabotage by Disgruntled Employee

Scenario: Employee recently received negative performance review and is suspected of planning sabotage. Employee has access to critical production systems.

Playbook:

SABOTAGE BY DISGRUNTLED EMPLOYEE - RESPONSE PLAYBOOK

DETECTION:
☐ HR alerts security team: [Employee "Alice Brown" received negative performance review and made threatening statements]
☐ Threat: "I'll make them regret this" (statement to coworker)
☐ Context: Employee has access to production application servers

IMMEDIATE ACTIONS (Within Hours):
☐ Threat assessment:
   ☐ Is threat credible? (based on employee's statements, access, technical skills)
   ☐ Is there imminent risk? (employee has opportunity and means to sabotage)
☐ Consult legal counsel (brief on threat, obtain authorization for enhanced monitoring)
☐ Coordinate with HR (discuss employment status - is termination planned?)

ENHANCED MONITORING (If Termination Not Imminent):
☐ Implement real-time monitoring of employee's activities:
   ☐ Alert on bulk file deletion
   ☐ Alert on administrative commands (shutdown, delete, disable)
   ☐ Alert on access to backup systems
   ☐ Alert on access to security tools (antivirus, EDR, [DLP](/glossary/data-loss-prevention))
   ☐ Alert on code commits or deployments to production
☐ Review access permissions:
   ☐ Can employee delete critical data? (if yes, reduce permissions)
   ☐ Can employee disable security tools? (if yes, reduce permissions)
   ☐ Can employee access backups? (if yes, reduce permissions)
☐ Backup critical data (ensure clean backups exist in case of sabotage)

PREEMPTIVE CONTAINMENT (If Threat is Imminent):
☐ Reduce employee's access:
   ☐ Remove administrative privileges (demote to standard user)
   ☐ Remove access to production systems (transfer responsibilities to other staff)
   ☐ Remove access to backups and security tools
☐ Justification: "Organizational restructuring" (do not disclose sabotage concerns to employee)
☐ Coordinate with manager: Reassign employee to non-critical tasks
☐ Prepare for termination: Conduct investigation to support termination if behavior continues

INCIDENT RESPONSE (If Sabotage Occurs):
☐ Detection: Alert triggered (bulk file deletion, system shutdown, unauthorized code deployment)
☐ Immediate containment:
   ☐ Disable employee's accounts (immediately)
   ☐ Isolate affected systems (prevent spread of sabotage)
   ☐ Assess damage (what systems/data affected? can it be restored?)
☐ Evidence preservation:
   ☐ Forensic imaging of employee's devices
   ☐ Export logs showing sabotage activities
   ☐ Preserve any threatening communications (emails, chats, voice recordings if legally obtained)

DATA RESTORATION:
☐ Identify clean backups (pre-sabotage)
☐ Restore from backup to test environment (verify integrity)
☐ Restore to production (after validation)
☐ Verify restoration (user acceptance testing, reconciliation)

HR AND LEGAL ACTIONS:
☐ Immediate termination for cause (gross misconduct - sabotage)
☐ Escort employee from premises (security escort, collect company property)
☐ Legal demand letter (cease malicious activity, return property)
☐ Legal remedies:
   ☐ Civil lawsuit (damages for sabotage, breach of duty)
   ☐ Criminal referral (Computer Fraud and Abuse Act 18 U.S.C. § 1030(a)(5) - intentional damage)

PREVENTION:
☐ Threat assessment process (proactive identification of at-risk employees)
☐ Enhanced monitoring for at-risk employees (performance issues, grievances, termination pending)
☐ Privileged access governance (least privilege, separation of duties)
☐ Immutable backups (prevent insider from deleting backups)

LESSONS LEARNED:
☐ Conduct lessons learned session
☐ Update threat assessment and monitoring procedures

Conclusion: Building Resilient Insider Threat Response Capability

The 81-Day Problem Solved: Organizations with documented insider threat incident response procedures contain incidents 57% faster than those with ad-hoc response. Reducing containment time from 81 days to 35 days saves an average of $8.4 million per incident (Ponemon 2025).

Critical Success Factors:

1. Preparation is Everything

  • Establish ITIRT with defined roles before incident occurs
  • Document legal authorities and privacy compliance requirements
  • Implement detection capabilities and evidence preservation procedures
  • Conduct tabletop exercises (simulate incidents quarterly)

2. Speed and Stealth Balance

  • Preserve volatile evidence immediately (RAM, network traffic, temporary files)
  • Contain without alerting suspect until evidence secured (especially for sophisticated insiders)
  • Activate ITIRT within hours, not days

3. Legal Defensibility

  • Engage legal counsel from day one (attorney-client privilege protects investigation)
  • Follow employment law, privacy law, and evidence rules
  • Document every step (chain of custody, investigation procedures, decisions)
  • Avoid privacy violations that create liability

4. Coordinate Across Functions

  • IT/Security (technical containment and evidence collection)
  • Legal (compliance and defensibility)
  • HR (employment actions and personnel management)
  • Business Units (operational impact and business continuity)

5. Learn and Improve

  • Conduct lessons learned after every incident
  • Implement recommendations systematically
  • Update playbooks based on real-world experience
  • Share lessons with broader organization (anonymized)

Next Steps:

Organizations seeking to build or improve insider threat incident response capability should:

  1. Assess Current Maturity: Take the Insider Risk Index assessment to evaluate detection, response, and recovery capabilities

  2. Document Procedures: Use this playbook as template for organization-specific procedures (adapt to legal jurisdiction, industry regulations, organizational structure)

  3. Build ITIRT: Establish core team with representatives from security, legal, HR, and business units

  4. Train and Exercise: Conduct tabletop exercises simulating insider threat scenarios (data exfiltration, sabotage, fraud)

  5. Implement Technologies: Deploy detection capabilities ([UEBA](/glossary/ueba), [DLP](/glossary/dlp), EDR), evidence preservation tools (forensic workstations, write blockers), and containment automation

  6. Establish Legal Frameworks: Work with legal counsel to document monitoring authorities, privacy compliance, and evidence procedures

  7. Continuous Improvement: Review and update playbook after each incident and annually


About This Research

This playbook was developed by the Insider Risk Index Research Team based on incident response best practices from NIST SP 800-61 (Computer Security Incident Handling Guide), SANS Institute incident response procedures, real-world insider threat incidents analyzed in the Ponemon Institute 2025 Cost of Insider Threats Report, and legal compliance requirements from GDPR, CCPA, PIPEDA, and US federal/state laws.

For incident response consulting or questions about implementing these procedures in your organization, contact our team or assess your current incident response maturity.

Last updated: January 2025.

Data Sources
Verizon DBIR 2024
Ponemon Institute
Gartner Research
ForScie Matrix

Verified Intelligence Sources


Ponemon Institute 2024/2025

Global Cost of Insider Threats Report

$17.4M average annual cost, 1,400+ organizations

Verizon 2024 DBIR

Data Breach Investigations Report

68% human factor involvement in breaches

Gartner Market Guide

Insider Risk Management Solutions

54% of programs less than effective

ForScie Insider Threat Matrix

Community-driven threat intelligence

Real-world attack patterns and techniques

Research Integrity

All statistics are sourced from peer-reviewed research institutions and government agencies. Individual organizational data has been anonymized and aggregated to maintain confidentiality while preserving statistical validity.

Research sponsored by
Above Security
