This article explains how individual risk indicators contribute to the overall risk severity of a file event.
Focusing on events with higher risk severity helps you quickly identify the file activity and user behaviors that create the greatest exposure and exfiltration risk potential in your environment.
How it works
Incydr assigns a numerical risk score to specific aspects of a file event. Higher scores denote higher risk severity. Default scores are based on how likely the activity is to increase exfiltration or exposure risk, but you can change any score to better match your specific risk tolerance. For example, by default, Incydr assigns a risk score of 0 to video files (no risk). However, if you run a production studio where video files comprise some of your most important intellectual property, you would likely choose to increase the risk score for video files.
Icons provide a quick indication of a file event's overall risk severity, which is based on the following scoring ranges:
- 9+: Critical
- 7-8: High
- 4-6: Moderate
- 1-3: Low
- 0: No risk indicated
Risk settings are categorized into several key risk indicator types: User, Destination, and File risk indicators.
Within each category, there are additional sub-categories to group individual risk indicators.
For example, if a user uploads source code to Dropbox outside their normal hours, that file activity generates an event with three risk indicators, each with its own risk score. Default scores are listed in parentheses:
- A User risk indicator for the off hours file activity (+1)
- A Destination risk indicator for the Dropbox upload (+5)
- A File risk indicator for the heightened risk of source code file activity (+3)
The sum of these three risk indicator scores determines the overall risk severity for this file event.
This context-driven approach of evaluating the combination of user, destination (vector), and file attributes provides a more accurate risk assessment than simply classifying all upload activity as high risk. In this example, the combination of all three risk indicators produces a risk score of 9, which indicates a critical severity event that likely requires immediate follow-up action.
File events in locations on your list of trusted activity receive a risk score of 0, even if something that would be considered a risk indicator in a different context is present. For example, uploading a source code file to a trusted location like your corporate domain is not considered an exfiltration or exposure risk.
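As an added illustration (not Incydr's own code), the following Python models the additive scoring just described, using the three indicators from the example above and the Video default of 0; the tuple keys, function names and the trusted-location flag are assumptions.

```python
# Illustrative model of Incydr's additive risk scoring (added example; not
# Code42 code). Indicator keys are (category, indicator) tuples, an assumption.
from dataclasses import dataclass, field

# Default scores named in this article; any of them can be overridden in Risk settings.
DEFAULT_SCORES = {
    ("User", "Off hours"): 1,
    ("Destination", "Cloud storage uploads"): 5,
    ("File", "Source code"): 3,
    ("File", "Video"): 0,
}

# Severity ranges from the article: 9+ Critical, 7-8 High, 4-6 Moderate, 1-3 Low.
SEVERITY_BANDS = [(9, "Critical"), (7, "High"), (4, "Moderate"), (1, "Low")]

def severity(score: int) -> str:
    """Map a total risk score to its severity label; 0 means no risk indicated."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "No risk indicated"

@dataclass
class FileEvent:
    indicators: list = field(default_factory=list)  # (category, indicator) keys
    trusted_location: bool = False  # destination is on the trusted activity list

def score_event(event: FileEvent, scores: dict = DEFAULT_SCORES) -> tuple:
    """Return (total score, severity). Trusted activity always scores 0."""
    if event.trusted_location:
        return 0, severity(0)
    total = sum(scores[key] for key in event.indicators)
    return total, severity(total)

if __name__ == "__main__":
    # Constructed event from the article: source code uploaded to Dropbox off hours.
    upload = FileEvent([("User", "Off hours"),
                        ("Destination", "Cloud storage uploads"),
                        ("File", "Source code")])
    print(score_event(upload))  # (9, 'Critical')
    # The same activity against a trusted corporate domain scores 0.
    print(score_event(FileEvent(upload.indicators, trusted_location=True)))
    # A production studio raising the Video score from its default of 0 to 3.
    studio_scores = {**DEFAULT_SCORES, ("File", "Video"): 3}
    print(score_event(FileEvent([("File", "Video")]), studio_scores))  # (3, 'Low')
```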
To access risk settings:
- Sign in to the Code42 console. If you are already signed in, click the Incydr logo in the upper left. The Risk Exposure dashboard appears.
- Select Risk settings. Risk settings slide in from the right.
- Scroll to view the score for each risk indicator.
- To change a risk score, click the corresponding edit icon. The Insider Risk Admin or Insider Risk Analyst roles are required to change scores. The Insider Risk Read Only role can view risk settings, but not make changes.
- Select new values. Default values are marked with an asterisk (*).
- Click Save. Changes may take up to 60 minutes to take effect and only apply to future file activity. File events that occurred before the score changed retain the old value.
- All risk indicator scoring changes are tracked in the Audit Log.
- Use caution when selecting a score higher than 7, because it causes all events with that risk indicator to be high or critical severity.
- To help determine how file events may be affected by changing a score from 0 to a higher value, use Forensic Search to search for events with that risk indicator before changing the score. The results can help you understand how often the behavior occurs and how raising the score would affect the total score for events with multiple risk indicators.
User risk indicators
User risk indicators apply risk scores to file events based on user behavior automatically detected by Incydr, and based on inclusion in the Departing watchlist.
| Risk indicator type | Description |
| --- | --- |
| Watchlists | Applies to file events for users on the Departing watchlist. |
| | Applies to risky file activity automatically detected by Incydr, including: |
Destination risk indicators
Destination risk indicators apply risk scores to file events based on where a file is moved or uploaded.
| Risk indicator type | Description |
| --- | --- |
| External devices | Applies to file events on external devices, including file activity on removable media and files sent to other Apple devices via AirDrop. |
| Cloud data connections | Applies to files shared with: Also applies to files downloaded from corporate cloud tools to endpoints not monitored by Incydr. Requires configuration of data connections within Incydr. |
| Cloud storage uploads | Applies to files uploaded to cloud services via a web browser and, for some cloud services, via the installed desktop app. For example, Box, Dropbox, and Google Drive. |
| Code repository uploads | Applies to files uploaded via a web browser to code repositories. For example, Bitbucket and GitHub. |
| Email service uploads | Applies to files uploaded to web-based email services via a browser. For example, Gmail, Outlook, Comcast, and many others. |
| Messaging service uploads | Applies to files uploaded to messaging services. For example, Facebook Messenger, Microsoft Teams, and Slack. |
| Social media uploads | Applies to files uploaded via a web browser to social media websites. For example, Facebook, LinkedIn, and Twitter. |
| | Applies to files where destination information is not available. |
File risk indicators
File risk indicators apply risk scores to file events based on the type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. Other file categories include Source code, Spreadsheet, and Zip files. For a complete list of file categories and examples of the specific file types in each category, see Incydr file categories.
- File events with a total risk score of 0 are searchable in Forensic Search, but since no risk is identified, they do not appear on the Risk Exposure dashboard.
- Incydr began evaluating file events for risk severity on May 13, 2021. File events that occurred before that date have a Risk score of 0 and display a risk severity of Risk undefined.
File mismatch details
The file mismatch risk indicator highlights files with extensions that do not match the file contents, particularly when a high-value file is given a low-value extension. Detection focuses on high-risk file mismatches that may indicate a file with an unexpected extension was renamed, downloaded, or shared.
- For example, a ZIP file with a JPG extension is considered a file mismatch.
- See below for examples that are not considered a file mismatch.
Code42 analyzes files for mismatches when it detects activity involving the file, such as when it is moved to removable media or cloud sync folders, read by a browser or app, or shared publicly via direct link or with specific users outside your trusted domains. Code42 does not actively scan or monitor files for mismatches outside of those actions.
Not all mismatches are considered risky. The following types of mismatches do not trigger alerts or get a file mismatch risk indicator:
- Files where Code42 cannot read the file header and determine the true file type. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
- Files that have two high-value file extensions, such as a PPT file renamed to have a TXT extension.
- Files with closely related file types and file extensions. For example, the file’s contents indicate that it is a PNG file, but the file has a GIF extension.
- Mismatches generated by software applications to control the application used to open the file. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
- Files that generally don’t have extensions, such as application or system files.
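The exclusions above can be written as a small decision procedure. The following Python is an added example, not Code42's detector: the magic numbers, the high-value set and the related-type groups are assumptions chosen to reproduce the cases listed in this section (the application-generated Salesforce case is not modeled).

```python
# Illustrative check for the mismatch rules above (added example; not Code42's
# detector). Magic numbers, the high-value set and the related-type groups are
# assumptions chosen to reproduce the article's examples.
MAGIC_NUMBERS = [
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ppt"),  # OLE container, treated as PPT here
]
EXTENSION_ALIASES = {"jpeg": "jpg"}
# Assumed high-value types: a PPT renamed to .txt is two high-value types, not flagged.
HIGH_VALUE = {"ppt", "txt", "zip", "csv"}
# Assumed closely related families: PNG content with a .gif extension is not flagged.
RELATED_FAMILIES = [{"png", "gif", "jpg"}]

def detect_type(header: bytes):
    """Return the true type from the file header, or None when the header has
    no magic-number support (the file is then skipped, as the article states)."""
    for magic, kind in MAGIC_NUMBERS:
        if header.startswith(magic):
            return kind
    return None

def is_risky_mismatch(filename: str, header: bytes) -> bool:
    """True only for extension/content mismatches the article treats as risky."""
    name, dot, ext = filename.rpartition(".")
    if not dot or not name:
        return False                      # no extension: application/system-style file
    ext = EXTENSION_ALIASES.get(ext.lower(), ext.lower())
    actual = detect_type(header)
    if actual is None or actual == ext:
        return False                      # unreadable header, or no mismatch at all
    if ext in HIGH_VALUE and actual in HIGH_VALUE:
        return False                      # two high-value types (PPT saved as TXT)
    if any(ext in fam and actual in fam for fam in RELATED_FAMILIES):
        return False                      # closely related types (PNG as GIF)
    return True                           # e.g. ZIP content with a .jpg extension

if __name__ == "__main__":
    zip_header = b"PK\x03\x04" + b"\x14\x00" * 4   # constructed sample bytes
    print(is_risky_mismatch("holiday.jpg", zip_header))         # True
    print(is_risky_mismatch("logo.gif", b"\x89PNG\r\n\x1a\n"))  # False
```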
File extension mismatch alert rule
In addition to the file mismatch risk indicator, you can create an alert to notify you whenever a file mismatch occurs on exfiltrated files. For more information about how to create a file mismatch alert, see Create and manage alerts.
Off hours details
Not available for Incydr Basic and Incydr Professional product plans
The off hours risk indicator identifies file activity that occurred outside the hours an employee is typically active. Incydr monitors a user's file activity and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours).
The off hours risk indicator does not:
- Use a static or pre-populated schedule of “working” hours (for example, 9am-5pm). It is based on dynamic observation of each user's file activity.
- Measure keyboard and mouse activity or window focus.
- Track user “clock-ins” or “clock-outs” or otherwise measure or report on user productivity, focus, or attention.
It takes several weeks of data to start identifying patterns, so the off hours indicator does not appear right away for new users.
Because employees aren’t active at the exact same times every day, Incydr continually adjusts what is considered “off hours activity” based on the observed file activity patterns each day. However, in some cases, if the user’s activity is too variable (for example, consistently changing from overnight activity to daytime activity on back-to-back weeks), we may not be able to observe a strong enough pattern of activity to determine typical active or off hours. In these cases, the off hours risk indicator is not applied.