Skill

performing-insider-threat-investigation

Investigates insider threats from employees or contractors via digital forensics, user behavior analytics, and HR/legal coordination for data theft or sabotage cases.

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Performing Insider Threat Investigation

When to Use

DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices
User behavior analytics (UBA) detects anomalous access patterns for a user account
HR reports a departing employee suspected of taking proprietary information
A privileged user is observed accessing systems outside their job function
Whistleblower or coworker report alleges policy violations or data theft

Do not use for external attacker investigations where compromised credentials are used without insider collusion; use standard incident response procedures instead.

Prerequisites

Legal counsel approval before initiating any monitoring or investigation of an employee
HR partnership with defined investigation procedures and employee privacy guidelines
DLP platform with content inspection and policy enforcement (Symantec DLP, Microsoft Purview, Digital Guardian)
User behavior analytics platform (Microsoft Sentinel UEBA, Exabeam, Securonix)
Forensic imaging capability for endpoint examination
Chain of custody procedures for evidence that may be used in legal proceedings
Clear authority and scope documentation approved by legal and HR

Workflow

Step 1: Receive and Validate the Allegation

Document the initial report and validate before proceeding:

Record the source of the allegation (DLP alert, UBA detection, HR referral, manager report)
Confirm with legal counsel that the investigation is authorized
Define the investigation scope: what activity is being investigated, time period, systems involved
Establish the investigation team: security, legal, HR (never investigate alone)
Create a restricted case file accessible only to the investigation team

Investigation Authorization:
━━━━━━━━━━━━━━━━━━━━━━━━━━━
Case ID:           INV-2025-042
Subject:           [Employee Name] - [Title] - [Department]
Allegation:        Unauthorized transfer of proprietary data to personal cloud storage
Reported By:       DLP system alert + manager concern
Legal Approval:    [Counsel Name] - 2025-11-15
HR Liaison:        [HR Name]
Scope:             File access and transfer activity from 2025-10-01 to present
Systems in Scope:  Workstation, email, cloud storage, VPN, DLP logs

Step 2: Collect Evidence Covertly

Gather evidence without alerting the subject to the investigation:

Log-Based Evidence (non-intrusive):

DLP logs: file transfers, policy violations, content matches
Cloud access logs: SharePoint, OneDrive, Google Drive activity
Email logs: messages to personal accounts, large attachments, forwarding rules
VPN and authentication logs: access times, locations, devices
Badge access logs: physical access patterns
Print logs: large print jobs of sensitive documents
USB device connection logs: device type, serial number, connection times

User Activity Monitoring (requires legal approval):

Screen capture or session recording (only if legally authorized and documented)
Keystroke logging (jurisdiction-dependent, requires explicit legal approval)
Network traffic capture for the subject's workstation

Endpoint Forensics (if warranted by evidence):

Create forensic image of the subject's workstation
Analyze browser history, download history, and installed applications
Examine deleted files and Recycle Bin contents
Review cloud sync application logs (Dropbox, Google Drive desktop client)

Step 3: Analyze User Behavior Patterns

Build a behavioral profile comparing normal vs. anomalous activity:

Behavioral Analysis:
━━━━━━━━━━━━━━━━━━
Normal Baseline (6-month average):
- Login time: 08:30-09:00 weekdays
- Files accessed: 15-25 per day (marketing department files)
- Email volume: 45 sent, 80 received per day
- Data transferred: 50MB per day average
- USB usage: None

Investigation Period (last 30 days):
- Login time: 22:00-02:00 (after hours, multiple occasions)
- Files accessed: 200+ per day (finance, engineering, executive files)
- Email volume: 120 sent per day (30% to personal gmail)
- Data transferred: 2.5GB per day average
- USB usage: 3 unique devices connected (Kingston DataTraveler)
- Print jobs: 847 pages (competitor analysis, customer lists, source code)

Anomaly Score: 94/100 (Critical)

Step 4: Reconstruct the Activity Timeline

Build a chronological timeline of the subject's actions:

Timeline of Activity:
2025-10-15  Subject submits resignation (2-week notice)
2025-10-16  First after-hours login at 23:15, accessed engineering Git repository
2025-10-17  USB device (Kingston DT 64GB) first connected at 23:30
2025-10-18  DLP alert: 450 files copied to USB, including CAD drawings
2025-10-19  200+ emails forwarded to personal Gmail account
2025-10-20  Google Drive desktop client installed, syncing corporate SharePoint
2025-10-22  Accessed executive SharePoint site (not normally accessed)
2025-10-25  Second USB device connected, 2.1GB transferred
2025-10-28  Print job: 847 pages including customer contact database

Step 5: Assess Impact and Determine Response

Evaluate the severity and coordinate the response with HR and legal:

Impact Assessment:

What data was accessed or exfiltrated (classification level, business impact)
Was the data shared externally (competitors, public, personal storage)
Regulatory implications (PII, PHI, financial data, export-controlled)
Contractual implications (NDA violations, IP assignment agreements)
Potential financial damage to the organization

Response Options (determined by legal and HR):

Confront the subject with evidence during an interview (HR-led)
Terminate employment and revoke all access immediately
Pursue civil litigation for breach of NDA or trade secret theft
Refer to law enforcement for criminal prosecution (theft of trade secrets, CFAA violation)
Negotiate a settlement with return/destruction of data

Step 6: Preserve Evidence for Legal Proceedings

Ensure all evidence meets legal admissibility standards:

Maintain strict chain of custody for all physical and digital evidence
Document all analysis steps in detail (reproducible by another examiner)
Hash all evidence files and maintain an integrity log
Store evidence in a secure, access-controlled repository with audit logging
Retain evidence per legal hold requirements (do not destroy during active investigation or litigation)

Key Concepts

Term	Definition
Insider Threat	Risk posed by individuals with authorized access who intentionally or unintentionally cause harm to the organization
User Behavior Analytics (UBA)	Technology that analyzes user activity patterns to detect anomalies indicating potential insider threats
Data Loss Prevention (DLP)	Technology that monitors, detects, and blocks unauthorized transfer of sensitive data outside the organization
Legal Hold	Directive to preserve all relevant evidence and suspend normal document destruction policies during an investigation
Need to Know	Information access principle restricting insider threat investigation details to only authorized team members
Exfiltration Vector	Method used to move data outside the organization: USB, email, cloud storage, print, screen capture, photography

Tools & Systems

Microsoft Purview (formerly Compliance Center): Insider risk management, DLP, eDiscovery, and content search
Exabeam / Securonix: User and entity behavior analytics (UEBA) platforms for anomaly detection
Digital Guardian: DLP and insider threat detection platform with endpoint agent
Magnet AXIOM: Digital forensics platform supporting endpoint, cloud, and mobile evidence analysis
Relativity: eDiscovery platform for legal review of collected evidence in insider threat cases

Common Scenarios

Scenario: Departing Engineer Exfiltrating Source Code

Context: A senior software engineer with access to critical repositories submits a two-week resignation notice. The engineering manager reports that the engineer has been working unusual hours and downloading large amounts of code.

Approach:

Obtain legal authorization to investigate before taking any action
Pull Git access logs showing repository clones and downloads for the past 60 days
Review DLP logs for USB device connections and large file transfers
Check email gateway for messages with code attachments sent to personal accounts
Analyze browser history for personal cloud storage uploads
Image the workstation forensically before the employee's last day
Present findings to legal and HR for determination of next steps

Pitfalls:

Investigating without legal counsel authorization (may violate employee privacy rights)
Alerting the subject to the investigation before evidence is preserved
Not preserving the workstation before the employee's departure date
Assuming all after-hours access is malicious without comparing to the employee's historical baseline
Failing to check personal mobile devices that may have accessed corporate cloud services

Output Format

INSIDER THREAT INVESTIGATION REPORT
=====================================
Case ID:          INV-2025-042
Classification:   CONFIDENTIAL - Need to Know Only
Subject:          [Name Redacted] - Senior Engineer
Investigation Period: 2025-10-01 to 2025-10-28
Investigator:     [Name]
Legal Counsel:    [Name]
HR Liaison:       [Name]

ALLEGATION
Unauthorized exfiltration of proprietary source code and customer
data following resignation submission.

EVIDENCE SUMMARY
1. Git logs: 47 repositories cloned (vs. baseline of 3)
2. USB transfers: 4.6 GB across 3 unique devices over 12 sessions
3. Email: 200+ emails with attachments forwarded to personal Gmail
4. Cloud: Google Drive sync client installed, syncing corporate files
5. Print: 847 pages including customer contact database
6. Physical access: After-hours badge access on 8 of 12 workdays

BEHAVIORAL ANALYSIS
[Baseline vs. anomalous activity comparison]

IMPACT ASSESSMENT
Data Classification:  Confidential (source code, customer PII)
Estimated Volume:     7.2 GB exfiltrated
Regulatory Impact:    Potential GDPR notification (customer PII)
Business Impact:      Competitive advantage at risk

TIMELINE
[Chronological event listing]

RECOMMENDATIONS
1. [Legal/HR decision on employment action]
2. [Evidence preservation actions]
3. [Regulatory notification assessment]
4. [Access control improvements]