These are primarily my course notes from "Slacking on insider threat" by Magnet Forensics. Thank you, guys, for sharing! I will put a quote paragraph with a 💡 at the beginning whenever I have some ideas or thoughts along the way.
Slack is instant messaging with channels and file sharing. It also provides logs and eDiscovery.
It is cloud-based, collection alone is not enough (the raw collection is not in a reviewable format), your plan matters, and there is a lot of functionality.
- Workspaces
- Channels
- DMs
With certain settings, workspace users can override retention settings. It’s recommended to turn this feature off so that all logs are preserved.
Best practices:
- eDiscovery mechanism before the incident
- Have a plan for Review
- Know your Slack plan and understand the different export plans
- Check data retention settings
The basic shifts in security are towards cloud-based services and how much people are sharing; insider threats are becoming more dangerous because of this.
Slack Plan Exports
- Standard (public channel content only, including deleted data)
- Corporate (DMs + groups + private channels + links to files)
- eDiscovery and DLP (all of the above)
A workspace owner can apply for a corporate export if needed. Export on a monthly basis -> S3 bucket
Retention
- Message
  - Let members override settings
  - Delete messages/edits/deletes
  - Keep messages - don’t track edits or deletes
  - Keep all
- File
  - Keep for N days
  - Keep all
Audit API
eDiscovery API -> Audit API.
Only available for the Enterprise plan. RESTful API -> JSON. Can be incorporated into a SIEM. Actions monitored:
- Logins
- Exports (channels, files)
- Changing retention policies
- Users joining, leaving channels etc
- Channels created/deleted/privileges changed
- Guest behaviour
⚠️ Does not track message content. For this, use an eDiscovery solution. For inappropriately used info (credit cards, SSN etc.) -> DLP.
⚠️ Max 9999 events per request.
Threat Modelling
You can process it with some third-party or custom scripts.
- Insider threats
  - channel created (`public_channel_created` or `private_channel_created`)
  - user added to channel (`user_channel_join`)
  - file downloaded (`file_downloaded`)
  - user account reactivated (`user_reactivated`)
- External threats
  - guest added (`guest_created`)
  - guest added to channel (`guest_channel_join`)
  - file uploaded (`file_uploaded`)
  - user’s role changed to admin (`role_changed_to_admin`)
Logins and channel membership: `user_login` and `user_logout`, `user_channel_join` and `user_channel_leave`
Accounts:
- Account created (`user_created` or `guest_created`)
- Account deleted (`user_deactivated` or `guest_deactivated`)
- Reactivation (`user_reactivated` or `guest_reactivated`)
Links:
- Audit API logger https://github.com/eoghanmckee/slack-auditapi-logger
- Docs https://api.slack.com/admins/audit-logs
- Slack JSON viewer https://github.com/hfaran/slack-export-viewer
⚠️ The API tracks user actions, not message content!!! 9999 events per request max. Only for Enterprise users. No review of message or file content. Can’t prevent problems. Cannot categorize suspect activity. Limited support for events related to private messaging. Used as a part of investigating Slack, not the whole.
If the target of the inquiry is exporting data (messages, files) -> eDiscovery API
If there are concerns that the target has leaked some info -> DLP
Identifying Key Actors
- Log in/out times (`user_login`, `user_logout`)
- Join/leave channel (`user_channel_join` and `user_channel_leave`)
- Account management
  - Created (`user_created`, `guest_created`)
  - Deleted (`user_deactivated`, `guest_deactivated`)
  - Reactivation (`user_reactivated`, `guest_reactivated`)
Slack Investigative Framework
- Retrieve the audit data
- Identify key actors
- Identify communication methods
  - public channels
  - private channels
  - relevant files
  - individual and group chats
- Acquire content
- Audit events related to the identified communication methods
- Distinguish between legitimate and illegitimate behavior
  - creation of new or unusual private channels
  - adding new or unneeded people to restricted channels
  - downloading of files
  - unusual logons
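As an added example (not from the course or these notes), here is a small Python triage script that applies the threat model above to Audit Logs API entries and groups the indicator events per actor, which is what the "identify key actors" and "distinguish legitimate from illegitimate behavior" steps call for. The sample page is constructed, and the entry layout (entries[] with action/actor/entity, plus response_metadata.next_cursor) is an assumption based on the Audit Logs docs linked above.

```python
import json
from collections import defaultdict

# Event names are the ones listed in the notes' threat model.
INSIDER_ACTIONS = {"public_channel_created", "private_channel_created",
                   "user_channel_join", "file_downloaded", "user_reactivated"}
EXTERNAL_ACTIONS = {"guest_created", "guest_channel_join",
                    "file_uploaded", "role_changed_to_admin"}

# Constructed sample page (not real data). Layout assumed from the Audit Logs docs:
# entries[] with action/actor/entity, plus a cursor for the next page.
SAMPLE_RESPONSE = json.dumps({"entries": [
    {"date_create": 1700000000, "action": "user_login",
     "actor": {"type": "user", "user": {"id": "W001", "name": "alice"}},
     "entity": {"type": "user", "user": {"id": "W001", "name": "alice"}}},
    {"date_create": 1700000100, "action": "private_channel_created",
     "actor": {"type": "user", "user": {"id": "W001", "name": "alice"}},
     "entity": {"type": "channel", "channel": {"id": "C100", "name": "quiet-room"}}},
    {"date_create": 1700000200, "action": "file_downloaded",
     "actor": {"type": "user", "user": {"id": "W001", "name": "alice"}},
     "entity": {"type": "file", "file": {"id": "F900", "name": "q3-pricing.xlsx"}}},
    {"date_create": 1700000300, "action": "guest_created",
     "actor": {"type": "user", "user": {"id": "W002", "name": "bob"}},
     "entity": {"type": "user", "user": {"id": "W777", "name": "guest-x"}}},
], "response_metadata": {"next_cursor": ""}})

def parse_page(raw):
    """Return (entries, next_cursor) for one JSON page. The API caps events per
    request (the notes say 9999), so keep fetching while the cursor is non-empty."""
    page = json.loads(raw)
    return page.get("entries", []), page.get("response_metadata", {}).get("next_cursor", "")

def entity_label(entry):
    """Short 'type:name' label for the object the action was applied to."""
    ent = entry.get("entity", {})
    obj = ent.get(ent.get("type", ""), {})
    return f"{ent.get('type', '?')}:{obj.get('name') or obj.get('id', '?')}"

def triage(entries):
    """Bucket indicator events per actor so that the key actors surface first."""
    hits = defaultdict(lambda: {"insider": [], "external": []})
    for e in entries:
        action = e.get("action", "")
        bucket = ("insider" if action in INSIDER_ACTIONS
                  else "external" if action in EXTERNAL_ACTIONS else None)
        if bucket is None:
            continue  # e.g. user_login: timeline context only, not an indicator here
        actor = e.get("actor", {}).get("user", {}).get("name", "unknown")
        hits[actor][bucket].append((e["date_create"], action, entity_label(e)))
    return dict(hits)
```

Run `triage(parse_page(SAMPLE_RESPONSE)[0])` to get the per-actor buckets; in a real investigation you would feed it the pages you pulled from the API, then pivot into eDiscovery for the content of whatever it flags.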
Live Acquisitions vs Export
For a live acquisition you need user credentials to pull data, and credentials for each account in question. With an export you get a multi-user context.
💡 Exporting everything is too much. Start from the smallest amount of data and, if nothing is found there, widen the circle.
⚠️ Exports are available only for 10 days after they are initially downloaded, and they don’t include attachments. To download attachments you need the corresponding tokens that were generated when the export took place. However, if those have been revoked (after 10 days), oops, there is no way to download the files.