Module 16 — Check My Knowledge (20 questions)
1. How does insider threat investigation differ from external attacker investigation?
Three key differences: the user has legitimate access (no "unauthorised access" to detect), the evidence standard is higher (may support termination or prosecution), and HR/legal are involved from the start (not after containment). Additionally, the investigation must be conducted covertly — the subject cannot know they are being investigated.
No difference — same investigation process
Insider threat is easier to investigate
Only the detection rules differ
Legitimate access, higher evidence standard, HR/legal from the start, covert investigation. Fundamentally different from external attacker investigation.
2. HR asks you to "catch Marcus stealing data." How do you respond?
Reframe: "We will analyse Marcus' recent activity to determine whether any data transfer outside normal work patterns has occurred and preserve relevant evidence." Do not assume guilt. The investigation assesses whether exfiltration occurred — it does not presume the answer. Factual, proportionate framing that is legally defensible.
Agree — HR is the client
Refuse the investigation
Disable Marcus' account immediately
Reframe factually. Assess, do not assume. Proportionate and legally defensible.
3. Marcus' baseline is 8 files/day. The past week shows 45 files/day. Is this proof of exfiltration?
No. It is a significant anomaly that warrants investigation. There may be a legitimate explanation (project deadline, handover preparation). The specific files accessed and the transfer channels used (USB, personal email, cloud) determine whether this is exfiltration or legitimate work. Present the anomaly and details to HR and legal for assessment.
Yes — 5x deviation is conclusive
No — volume is never relevant
Only if a DLP alert fired
Anomaly, not proof. Files and channels determine intent. Present to HR and legal.
4. USB mounted at 22:00, 450 MB of CAD drawings copied. What does the timing indicate?
After-hours USB transfer of proprietary files is a strong exfiltration indicator. The timing suggests avoidance of observation. Combined with the resignation context and the bulk downloads earlier in the week: download → staging → after-hours USB transfer is consistent with deliberate data theft.
Working late is normal
USB is always suspicious
Timing is irrelevant
After-hours + USB + proprietary files + resignation = strong indicator. Pattern tells the story.
5. Why is covert evidence preservation (eDiscovery hold) preferred over litigation hold during an active investigation?
Both are invisible to the user. eDiscovery hold is scoped to a case and can target specific date ranges. Litigation hold preserves everything indefinitely. Either works for covert preservation — the key requirement is that neither notifies the user nor changes their access. eDiscovery hold is preferred for scoped investigations; litigation hold for comprehensive preservation.
Litigation hold notifies the user
eDiscovery is faster
Only litigation hold is legally valid
Both invisible. eDiscovery = scoped. Litigation = comprehensive. Both valid for covert investigation.
6. Your investigation finds evidence of exfiltration. Do you confront Marcus?
No. Present findings to HR and legal. They determine the response (continued monitoring, confrontation meeting, accelerated departure, law enforcement referral). Security does not confront employees — that is HR's role. Confronting directly could compromise evidence, create legal liability, and undermine the employment process.
Yes — he needs to explain
Yes — with his manager present
Wait until his last day
HR and legal decide. Security presents facts. Does not confront.
7. HR wants to revoke Marcus' access in 3 days. USB exfiltration continues. What do you recommend?
Block USB on Marcus' device via Intune profile with a cover story ("IT security policy rollout for engineering team"). This stops the active exfiltration channel without revealing the investigation. Present options and risks to HR — they decide. If HR rejects: accept the risk and continue monitoring. The decision is HR's, not security's.
Disable his account now
Let the exfiltration continue
Confront Marcus about the USB
USB block with cover story if HR approves. Continue monitoring if HR rejects. HR decides.
8. What is the DepartingEmployees watchlist and why is it operationally powerful?
A Sentinel watchlist containing UPNs of employees who have resigned or been given notice. Detection rules correlate this watchlist with activity baselines — applying a lower anomaly threshold (3x baseline vs 5x for general population) to departing employees. This turns the HR offboarding process into a detection signal. Any departing employee who deviates from their baseline triggers an alert. The watchlist is maintained by HR as part of the offboarding process.
A list of all employees
A list of suspended accounts
A list of blocked IPs
HR offboarding → detection signal. Lower threshold for departing employees. HR maintains the watchlist.
9. Which exfiltration channel has the lowest detectability in M365?
Physical photography of the screen with a personal phone. No M365 telemetry exists for this channel. Screen capture tools may appear in DeviceProcessEvents, but a phone camera leaves no digital trace. This is why preventive controls (DLP, USB blocking) and deterrent controls (acceptable use policy) are essential — because detection after the fact may be impossible for some channels.
USB file copy
Personal email with attachments
Cloud storage upload
Phone photography. No telemetry. This is why preventive and deterrent controls matter — some channels cannot be detected after the fact.
10. What information do you share with HR from the investigation?
Factual findings: file download volumes, file names, transfer channels, timestamps, and deviation from baseline. Do NOT share raw KQL queries, technical log details, or speculation about intent. Do NOT share with Marcus' manager unless HR decides to involve them.
Everything including raw logs
Only a yes/no answer
Share with Marcus' manager first
Factual findings only. No raw logs, no speculation. Not shared beyond security, HR, and legal.
11. The investigation finds normal activity — no anomalies. Is this a failure?
No. "No anomalies detected" is a valid and valuable finding. It means the precautionary investigation did not find evidence of exfiltration. Report to HR: "Analysis of Marcus' M365 and endpoint activity over the past 30 days shows no deviation from baseline and no evidence of data transfer to personal channels." Investigation closed. This is a positive outcome — not a failure.
Yes — the investigation should always find something
Expand the investigation to find something
The investigation methods were wrong
"No anomalies" is a valid finding. Positive outcome. Report and close.
12. Under UK GDPR, is covert monitoring of a departing employee lawful?
It can be, if proportionate and justified. The lawful basis is legitimate interest (protecting organisational IP). The ICO's Employment Practices Code acknowledges covert monitoring may be justified for suspected criminal activity or serious misconduct. Data theft of proprietary IP qualifies. Confirm with legal counsel before proceeding. Document the legal basis and the proportionality assessment.
Never — all monitoring must be overt
Always — employers can monitor anything
Only with the employee's consent
Lawful if proportionate and justified. Legitimate interest basis. Confirm with legal. Document.
13. What artifacts should you have after completing this module?
Four artifacts: (1) Insider threat investigation playbook — from HR referral through activity reconstruction, exfiltration channel analysis, evidence preservation, and HR/legal handover. (2) 5 detection rules — bulk download baseline, cloud storage, USB, personal email, departing employee watchlist. (3) Evidence preservation checklist — litigation hold, eDiscovery, chain of custody. (4) HR/legal coordination guide — what to share, when, with whom.
A certificate
Study notes
A list of queries
4 deployable artifacts: playbook, detection rules, evidence checklist, HR/legal guide.
14. The complete M11-M15 detection rule library contains:
29 rules. M11: 8 AiTM. M12: 6 BEC. M13: 5 token replay. M14: 5 consent phishing. M15: 5 insider threat. Together they cover the complete M365 threat landscape: external credential theft, financial fraud, session persistence, application persistence, and insider data theft.
8 rules
15 rules
50 rules
29 rules: 8+6+5+5+5. Complete M365 threat coverage from external attacks through insider threat.
15. How does M15 connect to the M11-14 narrative?
M11-14 investigated external attacks. M15 investigates internal threats. Together they cover the complete threat landscape. Marcus Chen was a Northgate Engineering employee throughout Modules 11-14 — he saw the AiTM incident, the BEC attempt, and the containment response. His decision to exfiltrate data on departure is a separate threat vector that requires fundamentally different investigation skills: covert analysis, HR coordination, evidence preservation to employment law standards, and containment that preserves unawareness.
M15 is unrelated to M11-14
M15 replaces M11-14
Only the Northgate Engineering setting connects them
External + internal = complete threat coverage. Same environment, different threat type, fundamentally different investigation skills.
16. Rule 5 uses a lower anomaly threshold (3x) for departing employees vs 5x for general population. Why?
Higher risk profile during notice period. A departing employee who downloads 3x their normal volume has a higher probability of exfiltrating than a tenured employee with the same deviation. The risk context (resignation + competitor move) justifies increased sensitivity. The watchlist correlation provides the context that lowers the threshold.
Departing employees always exfiltrate
5x is too high for anyone
The thresholds should be equal
Higher risk during notice period justifies lower threshold. Watchlist provides the risk context.
17. What is the complete artifact inventory across Modules 11-15?
5 investigation playbooks (AiTM, BEC, Token, OAuth, Insider). 29 detection rules. 5 hardening/response checklists. 5 deployment/governance guides (including IR template, financial fraud checklist, CAE guide, governance guide, HR/legal guide). All deployable and production-ready. This is the BYOT artifact repository the homepage promises.
A collection of notes
8 detection rules
One playbook
5 playbooks + 29 rules + 5 checklists + 5 guides. The complete BYOT artifact repository.
18. You are not law enforcement. What is your role in an insider threat investigation?
Determine whether data exfiltration occurred and preserve the evidence. Present factual findings to HR and legal. Do not determine guilt, impose consequences, or confront the employee. Your investigation report is a factual account of technical findings — not an accusation. HR and legal make the decisions.
Determine guilt and recommend termination
Confront the employee with evidence
Report directly to the police
Assess and preserve. Present facts. HR and legal decide. You are the technical investigator, not the decision-maker.
19. Chain of custody documentation must include:
Who collected the evidence, when (date/time in UTC), how (tool or method used), where it is stored, and a hash verification (SHA-256) of the exported file. Every piece of evidence must be traceable from collection to presentation. Gaps in the chain of custody can invalidate evidence at an employment tribunal or in court.
Just the file name and date
Only needed for criminal cases
Chain of custody is not relevant to digital evidence
Who, when, how, where, hash. Every piece traceable. Gaps invalidate evidence.
20. What is the complete operational cycle demonstrated across Modules 11-15?
M11: Detect → Investigate → Contain → Eradicate → Report → Harden → Detect (external attacker, credential theft). M12: Financial fraud investigation + law enforcement + banking coordination. M13: Token persistence investigation + CAE/token protection deployment. M14: Application persistence investigation + OAuth governance. M15: Insider threat investigation + HR/legal coordination + covert containment. Together: the complete SOC operational capability for M365 environments — every major investigation type, every persistence mechanism, every stakeholder coordination model.
Detect → Contain → Close
Only M11 demonstrates the full cycle
Each module is standalone
Complete SOC operational capability. Every investigation type. Every persistence mechanism. Every stakeholder model. M365 coverage from external attack through insider threat.