16.7 Containment Without Tipping Off

3-5 hours · Module 16

Containment Without Tipping Off

In external-attacker containment (M12.7), speed is everything: revoke tokens, reset the password, block the IP. Nothing is lost by being obvious, because the attacker already knows they are an attacker.

In insider threat, the subject is an employee who sits in the office. Revoking their access abruptly tells them they are under investigation, and it hands them a reason to destroy evidence or accelerate the exfiltration before HR can act. The containment must reduce the risk of further exfiltration without alerting Marcus.


Covert containment actions

Action 1: Reduce SharePoint permissions silently. Remove Marcus from SharePoint sites he does not need for his current work. This is defensible as “normal offboarding preparation” if questioned — departing employees routinely have access reduced during their notice period.

Blast radius: Marcus loses access to specific SharePoint sites. He may notice if he tries to access them — but reduced access during notice period is normal. Per-site scope.

Action 2: Enable DLP monitoring on the user. If not already enabled, create a Purview DLP policy scoped to Marcus that monitors (but does not block) file transfers to USB, personal cloud, and personal email. Run it in simulation mode with policy tips and user notifications switched off: a block, a warning dialog or a policy tip in Outlook or SharePoint would reveal the policy. The USB and device channels require LAPTOP-NGE027 to be onboarded to Endpoint DLP (the same onboarding as Defender for Endpoint); the mail, SharePoint, OneDrive and Teams channels need nothing on the device. This generates alerts without preventing Marcus’ normal work.

Blast radius: Monitoring only — no disruption to Marcus’ workflow. As long as policy tips and notifications stay off, nothing he sees changes, so he cannot tell that DLP is watching his activity. Per-user monitoring.

Action 3: Block USB on the device (if justified). If the investigation has confirmed USB exfiltration: deploy a device configuration profile via Intune that blocks removable storage on LAPTOP-NGE027. This must be coordinated with HR — if Marcus complains about USB not working, HR needs to have a cover story (“IT is rolling out a new USB security policy across the engineering team”). Make the assignment match the story: a profile assigned to a single device is visible to anyone with Intune read access, so target a small pilot group of engineering devices that includes LAPTOP-NGE027 rather than the one machine.

Blast radius: Marcus cannot use USB storage. This is noticeable and may prompt questions. Only deploy if: the exfiltration risk justifies the detection risk, and HR has approved the action. Per-device.

Rollback: Remove the device configuration profile. USB access restored immediately.

Action 4: Full access revocation (coordinated with HR). When HR is ready to act (meeting scheduled with Marcus), security executes full access revocation at the start of the meeting: disable the account, revoke tokens, initiate remote wipe of the device (if the device contains company data).

This is the “hard contain” — only executed at the moment HR informs Marcus. Not before.


DLP monitoring configuration

The DLP monitoring policy (Action 2) is the most valuable covert containment tool. Here is how to configure it:

Create a user-scoped DLP policy: Navigate to Purview Compliance → Data Loss Prevention → Policies → Create. Scope: specific users → m.chen@northgateeng.com. Locations: Exchange email, SharePoint sites, OneDrive, Teams chat, Devices (note that SharePoint is scoped by site, not by user, so list the sites Marcus still holds rather than all sites). Rules: monitor (alert only, do not block) when: files containing sensitive information types are shared externally, files are uploaded to cloud storage services, files are copied to USB, or files are sent as email attachments to non-corporate addresses. Mode: simulation (test) with notifications off, and no policy tips or user notifications on any rule.

Blast radius: Alert-only mode generates DLP incidents in the Purview compliance dashboard. Marcus sees no warning, no block, no indication that DLP is monitoring his activity. His workflow is completely unaffected. Per-user, zero user-facing impact.

Cost impact: Purview DLP, including Endpoint DLP, is covered by Microsoft 365 E5 (or E5 Compliance). No additional licence cost.

Rollback: Disable or delete the DLP policy. Monitoring stops immediately.

What the DLP alerts tell you: Each alert is a potential exfiltration event with: timestamp, channel (email/SharePoint/USB/cloud), file name, destination (external email address or cloud service URL), and the sensitive information types detected. These alerts build the evidence timeline in real time — complementing the historical analysis from subsections 16.3-16.4.
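The same Action 2 policy built from Security & Compliance PowerShell instead of the portal, as an added example that is not part of the course material. Assumptions: the ExchangeOnlineManagement module is installed; the operator account ir-analyst@northgateeng.com (invented) holds Compliance Administrator; sg-ir-monitored is a mail-enabled security group, hidden from address lists, whose only member is the subject (the Exchange location accepts only All and is narrowed by a sender-group filter); the sensitive information type is a placeholder for whatever classifier the investigation uses; the EndpointDlpRestrictions setting names follow the module documentation and should be confirmed against the installed version; and LAPTOP-NGE027 is already onboarded to Endpoint DLP.

```powershell
# Added example; not code from the course page. Creates the covert, alert-only DLP policy
# from Security & Compliance PowerShell. See the lead-in for what is assumed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "ir-analyst@northgateeng.com"   # assumed operator account

$Subject    = "m.chen@northgateeng.com"
$PolicyName = "Data handling review (Engineering)"   # assumed; bland on purpose in case it is ever seen

# TestWithoutNotifications is simulation mode with policy tips and user e-mails suppressed.
# That single setting is what keeps the policy invisible: TestWithNotifications, or Enable
# with -NotifyUser on a rule, would put policy tips in front of the subject.
# SharePoint is deliberately omitted: it scopes by site, not user, so "All" would alert on
# everyone. Add the specific sites from the Action 1 review if they are needed.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "IR case: covert monitoring; HR reference on file" `
    -ExchangeLocation All `
    -ExchangeSenderMemberOf "sg-ir-monitored" `
    -OneDriveLocation All `
    -OneDriveSharedBy $Subject `
    -TeamsLocation $Subject `
    -EndpointDlpLocation $Subject `
    -Mode TestWithoutNotifications

# Placeholder sensitive information type (assumed). Substitute the custom SIT or trainable
# classifier that identifies Northgate engineering documents.
$Sit = @{ Name = "Credit Card Number"; minCount = "1" }

# Rule 1: sensitive content leaving the organisation by mail, OneDrive sharing or Teams.
# No -NotifyUser and no -BlockAccess: the only action is the alert.
New-DlpComplianceRule -Name "$PolicyName - external egress" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $Sit `
    -AccessScope NotInOrganization `
    -GenerateAlert "SiteAdmin" `
    -ReportSeverityLevel High

# Rule 2: endpoint egress on the onboarded device. Audit records the event and raises the
# alert; Block or Warn would show a dialog to the subject and burn the investigation.
New-DlpComplianceRule -Name "$PolicyName - endpoint egress" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $Sit `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Audit" },
        @{ Setting = "CloudEgress";    Value = "Audit" },
        @{ Setting = "Print";          Value = "Audit" }
    ) `
    -GenerateAlert "SiteAdmin" `
    -ReportSeverityLevel High

# Verify mode and scope before leaving it running: Mode must read TestWithoutNotifications
# and every location must name only the subject or the monitoring group.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, ExchangeSenderMemberOf, OneDriveSharedBy, TeamsLocation, EndpointDlpLocation
```

If your tenant surfaces simulation-mode matches only in Activity explorer and the case needs entries in the DLP alerts dashboard, switch the policy to -Mode Enable: because neither rule sets -NotifyUser or -BlockAccess, it stays equally invisible to the subject. Rollback is Remove-DlpCompliancePolicy -Identity $PolicyName, or Set-DlpCompliancePolicy -Mode Disable if the configuration should be kept for the record.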


Livestream monitoring during active investigation

While the historical analysis proceeds, set up a Livestream to catch exfiltration in real time:

// Livestream: monitor for active exfiltration by the suspect.
// Sentinel's CloudAppEvents table carries TimeGenerated; in Defender XDR advanced hunting
// the same column is Timestamp. Display names are not unique, so once the subject's
// AccountObjectId is known, filter on that instead of AccountDisplayName.
CloudAppEvents
| where AccountDisplayName == "Marcus Chen"
| where ActionType in ("FileDownloaded", "FileSyncDownloadedFull",
    "FileCopied", "FileUploaded")
// SourceFileName lives in the raw Office 365 audit record, not in a typed column
| extend FileName = tostring(parse_json(RawEventData).SourceFileName)
| project TimeGenerated, ActionType, FileName, Application, IPAddress

If Marcus starts downloading files while you are analysing his history, the Livestream catches it immediately — providing real-time evidence and potentially accelerating the HR decision.


The hard contain procedure

When HR schedules the meeting with Marcus (the moment they inform him of the investigation findings or the termination decision), security executes full access revocation synchronised with the meeting start:

T-5 minutes (before the meeting starts):

  • Prepare the disable command: Update-MgUser -UserId "m.chen@northgateeng.com" -AccountEnabled:$false (Microsoft Graph PowerShell; the AzureAD module and its Set-AzureADUser are retired)
  • Prepare token revocation: Revoke-MgUserSignInSession -UserId "m.chen@northgateeng.com" (this invalidates refresh tokens and browser sessions; access tokens already issued to clients without Continuous Access Evaluation keep working until they expire, typically within the hour, so the disable must come first)
  • Prepare Intune remote wipe command (if device contains company data)
  • Confirm with HR: “Ready to execute on your signal.”

T-0 (HR confirms meeting has begun):

  • Disable the account
  • Revoke all tokens
  • Initiate remote wipe (if approved)
  • Block USB (if not already blocked)
  • Verify: SigninLogs | where UserPrincipalName == "m.chen@northgateeng.com" | where TimeGenerated > ago(10m) → any sign-in attempt should fail with ResultType 50057 (user account disabled). SigninLogs ingestion lags by several minutes, so an empty result is not yet a pass; confirm AccountEnabled is false directly with Get-MgUser as well

Post-meeting:

  • Remove Marcus from all SharePoint sites and Teams
  • Transfer OneDrive ownership to his manager (for business continuity)
  • Remove from distribution groups and shared mailboxes
  • Retain mailbox on litigation hold for evidence preservation

Subsection artifact: The covert containment action sequence and the hard contain synchronisation procedure. These are unique to insider threat — no other module requires containment that preserves the subject’s unawareness and then executes full revocation on a coordinated signal.



The access revocation playbook (coordinated with HR)

When HR is ready to act, security executes the full access revocation. This must be tightly coordinated — execute at the moment HR begins the meeting with the subject.

T-0 (HR meeting starts):

  • HR contacts security: “The meeting has started. Execute revocation.”
  • Disable the account: Update-MgUser -UserId "[USER]" -AccountEnabled:$false
  • Revoke all tokens: Revoke-MgUserSignInSession -UserId "[USER]" (refresh tokens and sessions only; already-issued access tokens on non-CAE clients persist until expiry)

T+5 minutes:

  • Verify: SigninLogs | where UserPrincipalName == "[USER]" | where TimeGenerated > ago(10m) — all sign-ins should fail (ResultType 50057). Allow for sign-in log latency of several minutes, and confirm AccountEnabled is false via Get-MgUser rather than relying on the log alone
  • Initiate remote wipe if the device will not be collected in person: Intune → Devices → [device] → Wipe

T+30 minutes:

  • Verify wipe status (if initiated)
  • Remove the subject from all SharePoint sites and Teams channels
  • Remove the subject from all distribution groups and shared mailboxes
  • Revoke any OAuth application consents granted by the subject

T+1 hour:

  • Confirm with HR: device collected (if in-person) or wipe confirmed (if remote)
  • Confirm litigation hold is active on mailbox and OneDrive
  • Investigation status: evidence preserved, access revoked, monitoring active
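The T-5 / T-0 / T+5 sequence from the hard contain procedure and the access revocation playbook above as one staged script, added here as an example and not part of the course material. It uses the Microsoft Graph PowerShell SDK (the retired AzureAD module is not used). Assumptions: the Microsoft.Graph modules are installed; the operator holds User Administrator and Intune Administrator; the UPN and device name are this module's case identifiers; $Wipe is left false unless HR has approved a remote wipe.

```powershell
# Added example; not code from the course page. Stages the hard contain at T-5 and executes
# it on HR's signal. See the lead-in for assumptions.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.DeviceManagement.Actions
Import-Module Microsoft.Graph.Reports

# Least-privilege delegated scopes for disable, revoke, wipe and sign-in log verification.
$Scopes = @(
    "User.Read.All",
    "User.EnableDisableAccount.All",
    "User.RevokeSessions.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "AuditLog.Read.All",
    "Directory.Read.All"
)
Connect-MgGraph -Scopes $Scopes

$Upn        = "m.chen@northgateeng.com"
$DeviceName = "LAPTOP-NGE027"
$Wipe       = $false   # $true only with HR approval and only if the device will not be collected

# T-5: resolve every identifier now so that T-0 is two calls with no lookup left to fail.
$user   = Get-MgUser -UserId $Upn -Property Id,AccountEnabled,UserPrincipalName
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
if (-not $user) { throw "User $Upn not found; abort before the HR signal" }
if ($Wipe -and -not $device) { throw "Device $DeviceName is not in Intune; cannot wipe" }
Write-Host "Staged: user=$($user.Id) enabled=$($user.AccountEnabled) device=$($device.Id) wipe=$Wipe"
Read-Host "Waiting for HR 'go' (press Enter on the signal)" | Out-Null

# T-0: disable first so no new tokens can be issued, then invalidate refresh tokens and
# browser sessions. Access tokens already held by non-CAE clients survive until expiry.
$T0 = [DateTime]::UtcNow
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
if ($Wipe) {
    Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id `
        -KeepEnrollmentData:$false -KeepUserData:$false
}
Write-Host "T-0 executed at $($T0.ToString('u'))"

# T+5: AccountEnabled must read false, and every sign-in after T0 must fail with 50057.
# Sign-in log entries lag by several minutes, so an empty result is not yet a pass.
Start-Sleep -Seconds 300
$state    = Get-MgUser -UserId $user.Id -Property AccountEnabled
$since    = $T0.ToString("yyyy-MM-ddTHH:mm:ssZ")
$attempts = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All
$attempts | Select-Object CreatedDateTime, AppDisplayName, IPAddress, @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } } | Format-Table -AutoSize
if ($state.AccountEnabled) { throw "Account still enabled: re-run Update-MgUser and escalate" }
$ok = $attempts | Where-Object { $_.Status.ErrorCode -eq 0 }
if ($ok) { Write-Warning "$(@($ok).Count) successful sign-in(s) after T-0; treat as an active breach" }
else     { Write-Host "Verified: account disabled, no successful sign-ins since $since" }
```

The script is what the dry run with HR should rehearse: up to the Read-Host line it is safe to execute against the live tenant at any time, and everything after it is the three actions the playbook names. Keep the console transcript (Start-Transcript before running) as part of the evidence record.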

Post-revocation monitoring (48 hours): Continue monitoring for: sign-in attempts from the subject (indicating they are trying to access the account with cached credentials or from another device), any activity from the subject’s former device (indicating the wipe did not complete), and any email forwarding or delegate access that was not discovered during investigation (catching persistence mechanisms missed in the analysis).
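The 48-hour sweep described above, as an added example that is not part of the course material: it walks the three things the paragraph says to watch (sign-in attempts, forwarding and delegate access, and OAuth consents) using Exchange Online PowerShell and the Graph SDK and collects findings as a list. Assumptions: the ExchangeOnlineManagement and Microsoft.Graph modules are installed; ir-analyst@northgateeng.com (invented) holds Exchange Administrator and the Graph roles needed; the Remove-MgOauth2PermissionGrant line stays commented until the grant has been recorded as evidence.

```powershell
# Added example; not code from the course page. Post-revocation persistence sweep.
# See the lead-in for assumptions.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-ExchangeOnline -UserPrincipalName "ir-analyst@northgateeng.com"   # assumed operator account
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Application.Read.All","DelegatedPermissionGrant.ReadWrite.All"

$Upn      = "m.chen@northgateeng.com"
$Since    = ([DateTime]::UtcNow.AddHours(-48)).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Sign-in attempts since revocation. A success is an emergency; failures are the subject,
#    or a client still holding cached credentials, trying to get back in.
$signins = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since" -All
foreach ($s in $signins) {
    $tag = if ($s.Status.ErrorCode -eq 0) { "SUCCESS" } else { "fail $($s.Status.ErrorCode)" }
    $Findings.Add("signin $($s.CreatedDateTime) $($s.AppDisplayName) $($s.IPAddress) $tag")
}

# 2. Mailbox-level forwarding and the litigation hold the playbook requires.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    $Findings.Add("mailbox forwarding -> $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) deliverAndForward=$($mbx.DeliverToMailboxAndForward)")
}
if (-not $mbx.LitigationHoldEnabled) { $Findings.Add("litigation hold NOT enabled on mailbox") }

# 3. Inbox rules that forward, redirect or delete. These run server-side and keep working
#    after the account is disabled, which is why they are the classic persistence mechanism.
Get-InboxRule -Mailbox $Upn | ForEach-Object {
    if ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage) {
        $Findings.Add("inbox rule '$($_.Name)' enabled=$($_.Enabled) fwd=$($_.ForwardTo)$($_.ForwardAsAttachmentTo)$($_.RedirectTo) delete=$($_.DeleteMessage)")
    }
}

# 4. Delegates: explicit FullAccess and SendAs grants to anyone other than the owner.
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -ne "NT AUTHORITY\SELF" -and -not $_.IsInherited -and -not $_.Deny } |
    ForEach-Object { $Findings.Add("FullAccess delegate: $($_.User) ($($_.AccessRights -join ','))") }
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" } |
    ForEach-Object { $Findings.Add("SendAs delegate: $($_.Trustee)") }

# 5. OAuth consents the subject granted. They survive the disable and come back to life if
#    the account is ever re-enabled (for example for eDiscovery), so record, then remove.
Get-MgUserOauth2PermissionGrant -UserId $Upn -All | ForEach-Object {
    $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $Findings.Add("oauth grant '$($app.DisplayName)' scope='$($_.Scope)' grantId=$($_.Id)")
    # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id   # uncomment after evidence capture
}

if ($Findings.Count -eq 0) { "No persistence indicators for $Upn since $Since" } else { $Findings }
```

Run it at T+1 hour and again at the end of the 48-hour window; diffing the two outputs shows anything that appeared after revocation, which is the signal the paragraph is asking for.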

The timing coordination between HR and security is critical. If security revokes access before HR starts the meeting: the subject discovers their account is locked and may not attend the meeting (or may attend with hostile preparation). If security revokes too late after the meeting starts: the subject may attempt to exfiltrate additional data during the meeting window.

Practice this coordination. Before the first real execution, dry-run the timing with HR: “When you say ‘go,’ I execute these 3 commands. Confirmation in 5 minutes.” The dry run ensures both teams understand the sequence and can execute under pressure.

Check your understanding

1. HR is not ready to confront Marcus for 3 more days. USB exfiltration has been confirmed. What do you do?

  • Coordinate with HR: recommend blocking USB on the device with a cover story
  • Disable Marcus' account immediately
  • Do nothing — let the exfiltration continue
  • Confront Marcus about the USB

Answer: Coordinate with HR: recommend blocking USB on the device with a cover story ("IT security policy rollout for the engineering team"). This stops the active exfiltration channel without revealing the investigation. If HR approves: deploy the Intune profile. If HR rejects (too risky — Marcus might suspect): accept the risk and continue monitoring. The decision is HR's — security presents the options and the risk of each.