Overview
This article explains how individual risk indicators contribute to the overall risk severity of a file event.
Incydr's Proactive Risk Identification and Severity Model (PRISM) analyzes 250+ risk indicators about data, users, and destinations to provide weighted severity scores. This enables you to focus on events with higher risk severity and quickly identify the file activity and user behaviors that create the greatest data exfiltration risk in your environment.
How it works
PRISM score
PRISM assigns risk indicators to specific aspects of a file event. Each risk indicator has a corresponding numeric score. Higher scores denote higher risk severity. Default scores are based on how likely the activity is to increase exfiltration or exposure risk for most organizations, but you can change any score to better match your specific risk tolerance. For example, by default, video files have a score of 0 (no risk). However, if you run a production studio where video files comprise some of your most important intellectual property, you may choose to increase the score for video files.
The PRISM score is based on the sum of all risk indicators applied to an event.
Risk severity
Icons provide a quick indication of a file event's overall risk severity, based on the following scoring ranges:
- 9+: Critical
- 7-8: High
- 4-6: Moderate
- 1-3: Low
- 0: No risk indicated
Risk indicators
Risks are grouped into four main types: File, Source, Destination, and User. Within each category, there are additional sub-categories that group individual risk indicators.
For example, if a user on the Departing watchlist uploads source code to Dropbox, that file activity would generate an event with three risk indicators, each with its own score. Default scores are listed in parentheses:
- A User risk indicator for being on the Departing watchlist (+4)
- A Destination risk indicator for the Dropbox upload (+3)
- A File risk indicator for source code activity (+3)
The sum of these three risk indicator scores determines the PRISM score and overall risk severity for this file event.
This context-driven approach of evaluating the combination of user, source, destination, and file attributes provides a more accurate risk assessment than simply classifying all upload activity as high risk. In this example, the combination of all three risk indicators produces a PRISM score of 10, which indicates a critical severity event that likely requires immediate follow-up action.
File events in locations on your list of trusted activity receive a score of 0, even if something that would be considered a risk indicator in a different context is present. For example, uploading a source code file to a trusted location like your corporate domain is not considered an exfiltration or exposure risk.
Scoring limits
There is a limit to how much each risk indicator category (File, Source, Destination, and User) contributes to the PRISM score. This helps prevent a single risk indicator from having a disproportionate effect on the PRISM score. In addition, the total PRISM score is limited to 10.
As a result of these limits, the PRISM score may be lower than the sum of all individual risk indicators.
Limits did not apply to file activity before July 18, 2024, so older events may have higher scores.
Risk settings
To access risk settings:
- Sign in to the Incydr console. If you are already signed in, click the Incydr logo in the upper left. The Action Items dashboard appears.
- Select Risk settings. Risk settings slide in from the right.
- Click the arrow icon next to any risk indicator category to view all risk indicators in that category. Alternatively, enter a name or partial name in the search box to find a specific risk indicator.
- To change a score, click the edit icon. Default values are labeled as recommended. The Insider Risk Admin or Insider Risk Analyst roles are required to change scores. The Insider Risk Read Only role can view risk settings, but not make changes.
- Click Save. Changes may take up to 60 minutes to take effect and only apply to future file activity. File events that occurred before the score changed retain the old value.
Changing scores
- All risk indicator scoring changes are tracked in the Audit Log.
- Use caution selecting a score higher than 7 because it causes all events with that risk indicator to be high or critical severity.
- To help determine how file events may be affected by changing a score from 0 to a higher value, use Forensic Search to search for events with that risk indicator before changing the score. The results can help you understand how often the behavior occurs and how raising the score would affect the total score for events with multiple risk indicators.
User risk indicators
User risk indicators apply to file events based on:
- User behavior automatically detected by Incydr
- Users included on a watchlist
| Item | Description |
|---|---|
| User behavior | Applies to risky file activity automatically detected by Incydr, including: |
| Watchlists | Applies to file events for users on a watchlist. Custom watchlists automatically create a corresponding custom risk indicator. |
Destination risk indicators
Destination risk indicators apply to file events based on where a file is moved or uploaded.
| Item | Description |
|---|---|
| AI tools | Applies to files uploaded or data pasted via a web browser to common artificial intelligence (AI) tools. For example, ChatGPT, Claude, and Gemini. |
| Cloud storage uploads | Applies to files uploaded to cloud services via a web browser, and for some cloud services, via the installed desktop app. For example, Box, Dropbox, and Google Drive. |
| Email domains | Applies to files uploaded to web-based email services via a browser and files shared with an email address from a cloud service. For example, Gmail, Outlook, Comcast, and many others. |
| External devices | Applies to file events on external devices, including file activity on removable media and files sent to other Apple devices via AirDrop. |
| File conversion tool uploads | Applies to files uploaded to web-based file conversion tools. For example, CloudConvert and TinyPNG. |
| File transfer tool uploads | Applies to files uploaded to file transfer tools. For example, curl, Filezilla, and SFTP. |
| Messaging uploads | Applies to files uploaded to messaging services. For example, Facebook Messenger, Microsoft Teams, and Slack. |
| PDF manager uploads | Applies to files uploaded to web-based tools for creating and managing PDFs. For example, Adobe Acrobat and SmallPDF. |
| Productivity tool uploads | Applies to files uploaded to web-based productivity tools. For example, Evernote, Google Keep, and Trello. |
| Social media uploads | Applies to files uploaded via a web browser to social media websites. For example, Facebook, LinkedIn, and Twitter. |
| Source code repository uploads | Applies to files uploaded via a web browser to code repositories. For example, Bitbucket and GitHub. |
| Web hosting uploads | Applies to files uploaded to web-hosting services. For example, Google Sites and WordPress. |
| Other uploads | Other destination applies to files where: Unknown destination applies to files where destination information is not available. On Macs, this may indicate Incydr does not have the required permissions to collect the destination details. |
| Custom destination risk indicators | Enables you to define specific domain destinations that represent risk in your environment. Applies to files sent to these destinations via: |
Source risk indicators
Source risk indicators apply to file events based on where the file was acquired from. For example, if a file is downloaded to an endpoint from an HR source (such as ADP or Workday), future exfiltration events from that endpoint for the file apply a risk indicator based on the HR source.
| Item | Description |
|---|---|
| Business intelligence sources | Applies to files acquired from business intelligence tools. For example, Splunk and Tableau. |
| Cloud storage sources | Applies to files acquired from cloud storage services. For example, Google Drive and OneDrive. |
| Coding tool sources | Applies to files acquired from coding tool sources. For example, Jenkins. |
| Contract management sources | Applies to files acquired from contract management systems. For example, Acrobat Sign and IronClad. |
| CRM sources | Applies to files acquired from CRM tools. For example, Salesforce and Zendesk. |
| Email sources | Applies to files acquired from email sources. For example, Gmail and Outlook. |
| External sharing | Applies to files shared with: Also applies to files downloaded from corporate cloud tools to endpoints not monitored by Incydr. Requires configuration of data connections within Incydr. |
| Financial service sources | Applies to files acquired from financial services. For example, Intacct and Shareworks. |
| Healthcare & Insurance sources | Applies to files acquired from healthcare and insurance systems. For example, Epic and Oracle Cerner - EMR. |
| HR sources | Applies to files acquired from HR tools. For example, ADP and Workday. |
| Marketing sources | Applies to files acquired from marketing tools. For example, Marketo. |
| Messaging sources | Applies to files acquired from messaging services. For example, Microsoft Teams and Slack. |
| Productivity tool sources | Applies to files acquired from productivity tools. For example, Jira and ServiceNow. |
| Source code repository sources | Applies to files acquired from source code repositories. For example, Bitbucket and GitHub. |
| Trusted sources | Applies to files acquired from domains or URL paths on your list of trusted activity. |
| Custom source risk indicators | Applies to files acquired from a source you specify. Sources can include URLs, source code repositories, and network storage. |
Determining risk for multiple sources
In some cases, a file event may have more than one source risk indicator (for example, if the same file is downloaded from two different locations):
- Only the source risk indicator with the highest score is applied.
- If the scores are the same, the first source risk indicator observed is applied.
- All sources are visible in the File acquired from event details.
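As an added illustration (example code written for this article, not Incydr's implementation) of the three rules above, the function below takes every place a file was observed to be acquired from and selects the one source indicator that contributes to the score: the highest score wins, and on a tie the earliest observation wins, while the full list stays available for the event details. The observation timestamps, indicator names, and scores in the sample history are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SourceObservation:
    """One place the file was seen to be acquired from (constructed sample data)."""
    indicator: str      # source risk indicator name, e.g. "HR sources"
    detail: str         # what the event details would show, e.g. a domain
    observed_at: str    # ISO 8601 timestamp of the acquisition
    score: int          # score configured for that indicator


def _when(obs):
    return datetime.fromisoformat(obs.observed_at)


def applied_source_indicator(observations):
    """Pick the one source indicator that counts toward the PRISM score.

    Rule from the article: highest score wins; on a tie, the first observed.
    Sorting by time first makes max() return the earliest of equal scores,
    because max() keeps the first maximal element it encounters.
    """
    if not observations:
        return None
    by_time = sorted(observations, key=_when)
    return max(by_time, key=lambda obs: obs.score)


def file_acquired_from(observations):
    """All sources, oldest first, as listed under File acquired from."""
    return [obs.detail for obs in sorted(observations, key=_when)]


# Constructed history: the same file downloaded from three places over three days.
SAMPLE_HISTORY = [
    SourceObservation("Cloud storage sources", "drive.google.com", "2024-08-02T14:40:00", 3),
    SourceObservation("HR sources", "workday.com", "2024-08-01T09:15:00", 3),
    SourceObservation("Trusted sources", "intranet.example.com", "2024-08-03T08:05:00", 0),
]


if __name__ == "__main__":
    chosen = applied_source_indicator(SAMPLE_HISTORY)
    print(chosen.indicator, chosen.detail)      # HR sources workday.com (tie, observed first)
    print(file_acquired_from(SAMPLE_HISTORY))   # all three, oldest first
```

If the cloud storage indicator were raised to 5 in Risk settings, the same history would resolve to drive.google.com instead, which is exactly the kind of change the Forensic Search check described under Changing scores helps you anticipate.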
File risk indicators
File risk indicators apply to file events based on properties of the file.
| Item | Description |
|---|---|
| Classification and sensitivity labels | Applies to files containing classification tags sourced from Microsoft Information Protection (MIP) or filenames with specific keywords. |
| Credentials and tokens | Applies to events where sensitive credentials or tokens are identified in exfiltrated files. For example, SAML tokens and AWS session keys. Requires content inspection add-on. |
| File categories | Applies to file events based on the type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. Other file categories include Screen capture, Source code, Spreadsheet, and Zip. For a complete list of file categories and examples of the specific file types in each category, see Incydr file categories. |
| Filename keywords | Applies to events where the name of the file indicates it likely contains resume, password, or other corporate or internal data. |
| Personally identifiable information (PII) | Applies to events where personally identifiable information is identified in exfiltrated files. For example, credit card and social security numbers. Requires content inspection add-on. |
| Custom classification and sensitivity labels | Applies to files containing classification tags you define. Sourced from Microsoft Information Protection (MIP). |
| Custom file content keywords | Applies to events where a content pattern you specify is identified in exfiltrated files. Custom file content risk indicators support both plain text and regular expression (regex) pattern matching. Requires content inspection add-on. |
| Custom filename keywords | Applies to files based on filename and extension patterns you define. |
Other considerations
- File events with a PRISM score of 0 are searchable in Forensic Search, but since no risk is identified, they do not appear on the Exfiltration dashboard.
File mismatch details
The file mismatch risk indicator highlights files with extensions that do not match the file contents, particularly when a high-value file is given a low-value extension. Detection focuses on high-risk file mismatches that may indicate a file with an unexpected extension was renamed, downloaded, or shared.
- For example, a ZIP file with a JPG extension is considered a file mismatch.
- See below for examples that are not considered a file mismatch.
Incydr analyzes files for mismatches when it detects activity involving the file, such as when it is moved to removable media or cloud sync folders, read by a browser or app, or shared publicly via direct link or with specific users outside your trusted domains. Incydr does not actively scan or monitor files for mismatches outside of those actions.
Not all mismatches are considered risky. The following types of mismatches do not trigger alerts or get a file mismatch risk indicator:
- Files where Incydr cannot read the file header and determine the true file type. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
- Files that have two high-value file extensions, such as a PPT file renamed to have a TXT extension.
- Files with closely related file types and file extensions. For example, the file’s contents indicate that it is a PNG file, but the file has a GIF extension.
- Mismatches generated by software applications to control the application used to open the file. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
- Files that generally don’t have extensions, such as application or system files.
To reduce noise, User profiles only show file mismatches for exfiltrated files. However, you can find all file mismatches in Forensic Search, even if the file was not exfiltrated.
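The detector below is an added example, written for this article and not Incydr's own code, that applies the mismatch rules described above to constructed sample events: it infers the content type from real magic numbers, compares it with what the extension claims, and flags only a high-value type hidden behind a low-value extension. It deliberately reproduces the exclusions listed above (unreadable header, two high-value types, closely related types, no extension) and only evaluates events whose action is one of the triggering activities. The split into high- and low-value tiers, the action names, and the sample file headers are assumptions; the page does not enumerate the tiers, and application-generated renames such as the Salesforce CSV case cannot be told apart from the bytes alone, so they are not modeled.

```python
import os

# Real file signatures used to infer the content type from the leading bytes.
MAGIC_NUMBERS = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy Office (.ppt/.doc/.xls)
)

# What the extension claims the content is. Plain text has no magic number.
EXTENSION_TYPES = {
    "png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg",
    "pdf": "pdf", "zip": "zip", "ppt": "ole", "doc": "ole", "xls": "ole",
    "txt": "text", "csv": "text",
}

# Closely related types (e.g. PNG content under a GIF extension) are not a mismatch.
FAMILY = {"png": "image", "gif": "image", "jpeg": "image",
          "pdf": "document", "ole": "document", "text": "document", "zip": "archive"}

# ASSUMPTION: which types count as high- and low-value. The article gives the
# distinction by example (ZIP under JPG is flagged, PPT under TXT is not).
HIGH_VALUE = {"zip", "ole", "pdf", "text"}
LOW_VALUE = {"png", "gif", "jpeg"}

# Activity on which mismatches are evaluated, per the article (action names constructed).
TRIGGER_ACTIONS = {"removable_media", "cloud_sync_folder", "browser_read", "app_read", "public_share"}


def sniff_type(header):
    """Return the content type implied by the header bytes, or None if unknown."""
    for signature, kind in MAGIC_NUMBERS:
        if header.startswith(signature):
            return kind
    return None


def extension_of(filename):
    ext = os.path.splitext(filename)[1][1:].lower()
    return ext or None


def classify_mismatch(filename, header):
    """Return (is_risky_mismatch, reason) for one file, applying the exclusions."""
    ext = extension_of(filename)
    if ext is None:
        return False, "no extension (application or system file)"
    actual = sniff_type(header)
    if actual is None:
        return False, "file type not determinable from header"
    claimed = EXTENSION_TYPES.get(ext)
    if claimed is None:
        return False, f"extension .{ext} not in the type table"
    if claimed == actual:
        return False, "extension matches content"
    if actual in HIGH_VALUE and claimed in HIGH_VALUE:
        return False, "two high-value types (e.g. PPT saved as TXT)"
    if FAMILY[claimed] == FAMILY[actual]:
        return False, "closely related types (e.g. PNG saved as GIF)"
    if actual in HIGH_VALUE and claimed in LOW_VALUE:
        return True, f"{actual} content behind a .{ext} extension"
    return False, "low-value content under a different extension"


def scan_events(events):
    """Evaluate only events whose action triggers analysis; return flagged filenames."""
    flagged = []
    for event in events:
        if event["action"] not in TRIGGER_ACTIONS:
            continue
        risky, _ = classify_mismatch(event["filename"], event["header"])
        if risky:
            flagged.append(event["filename"])
    return flagged


# Constructed sample events; headers are only the leading bytes of each file.
SAMPLE_EVENTS = [
    {"filename": "vacation.jpg", "header": b"PK\x03\x04\x14\x00", "action": "removable_media"},
    {"filename": "logo.gif", "header": b"\x89PNG\r\n\x1a\n", "action": "cloud_sync_folder"},
    {"filename": "notes.txt", "header": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "action": "browser_read"},
    {"filename": "libcrypto", "header": b"\x7fELF\x02", "action": "public_share"},
    {"filename": "scan.jpg", "header": b"\x00\x00\x00\x00", "action": "public_share"},
    {"filename": "q3-plan.jpg", "header": b"%PDF-1.7", "action": "file_open"},  # not a trigger
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))   # ['vacation.jpg']
    for event in SAMPLE_EVENTS:
        print(event["filename"], classify_mismatch(event["filename"], event["header"]))
```

Calling `classify_mismatch` directly on a file you found in Forensic Search shows which rule excused it, which is useful when a mismatch you expected to see never produced a risk indicator.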
File extension mismatch alert rule
In addition to the file mismatch risk indicator, you can create an alert to notify you whenever a file mismatch occurs on exfiltrated files. For more information about how to create a file mismatch alert, see Create and manage alerts.