Subject chapter quiz
No grades. The point is to push your thinking.
An alert names one user. How many subjects should the analyst usually profile?
Modern identity is plural. Behind any named user are typically several non-human identities (service accounts, cloud roles, federated SSO) that share trust paths. The Subject phase profiles all of them, not just the one the alert named.
Which of the four dimensions is most often skipped, and why does that matter?
Hint: Think about the dimension that looks fine at first glance but rewards a second look.
Authorization is the dimension where 'the action maps to the role' obscures the deeper question of whether the role itself is right and whether the permissions combine in unsafe ways. Toxic pairings and recent role changes are common gaps.
A service account suddenly logs in interactively at 02:30. Which entity type pattern does this match?
Service accounts have predictable, non-interactive behavior by design. Interactive logins on a service account almost always mean the credential is being used in a way it was not intended for, and that is a high-confidence Subject signal.
What is the difference between insider risk and insider threat?
The distinction is about intent. Most insider risk is unintentional (mistakes, workarounds, policy violations). Insider threat is intentional. The methodology takes risk seriously as a category of its own and reserves the 'threat' designation for cases where evidence supports it. That distinction shapes escalation and how the rest of the organization is engaged.
The behavioral framework's most useful question is...
Hint: A trick question. The two are not mutually exclusive.
Per-entity baselining and peer-group baselining each catch different things. An entity drifting from its own history is one signal. An entire role drifting is another. The framework uses both, and when they disagree, that disagreement is informative.
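The two signals above (a service account that suddenly logs on interactively, and an entity or a whole peer group drifting from its baseline) can be made concrete in a few dozen lines. The following is an added example written for this quiz page; it is not code from the methodology the page describes. The account names, roles, logon events and thresholds are all constructed for illustration, and the field names on the Logon record are assumptions rather than any product's schema.

```python
"""Per-entity and peer-group baselining over constructed logon events.

Added illustration for the Subject chapter quiz; all data is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    subject: str     # account name (assumed field)
    role: str        # peer group, e.g. "svc" or "developer" (assumed field)
    logon_type: str  # "interactive" or "network" (assumed field)
    hour: int        # local hour 0-23 (assumed field)


# Constructed history: 30 days of typical behaviour.
# Service accounts only ever log on over the network at night;
# alice and bob work interactively, carol only uses network logons.
HISTORY = []
for _day in range(30):
    HISTORY.append(Logon("svc-backup", "svc", "network", 1))
    HISTORY.append(Logon("svc-etl", "svc", "network", 3))
    for dev in ("alice", "bob"):
        HISTORY.append(Logon(dev, "developer", "interactive", 9))
        HISTORY.append(Logon(dev, "developer", "network", 14))
    HISTORY.append(Logon("carol", "developer", "network", 9))
    HISTORY.append(Logon("carol", "developer", "network", 14))


def entity_baseline(history):
    """Map subject -> (observed logon types, observed hours) from its own history."""
    types, hours = defaultdict(set), defaultdict(set)
    for e in history:
        types[e.subject].add(e.logon_type)
        hours[e.subject].add(e.hour)
    return {s: (types[s], hours[s]) for s in types}


def peer_baseline(history):
    """Map role -> fraction of logons of each type across the whole peer group."""
    counts = defaultdict(Counter)
    for e in history:
        counts[e.role][e.logon_type] += 1
    return {role: {t: n / sum(c.values()) for t, n in c.items()}
            for role, c in counts.items()}


def score(event, ent_base, peer_base, rare=0.05):
    """Return the signals an event triggers; an empty list means it fits both baselines.

    'entity:' signals come from the subject's own history, 'peer:' signals from its
    role. One kind firing without the other is the informative disagreement case.
    """
    signals = []
    types, hours = ent_base.get(event.subject, (set(), set()))
    if event.logon_type not in types:
        signals.append("entity:new-logon-type")
    if event.hour not in hours:
        signals.append("entity:new-hour")
    peer_frac = peer_base.get(event.role, {}).get(event.logon_type, 0.0)
    if peer_frac < rare:  # constructed threshold: under 5% of the group's logons
        signals.append("peer:rare-logon-type")
    return signals


def role_drift(role, history, recent, threshold=0.25):
    """True when a whole peer group's recent logon-type mix has shifted from baseline."""
    base = peer_baseline(history).get(role, {})
    cur = peer_baseline(recent).get(role, {})
    kinds = set(base) | set(cur)
    if not kinds:
        return False
    shift = max(abs(base.get(t, 0.0) - cur.get(t, 0.0)) for t in kinds)
    return shift >= threshold  # constructed threshold


if __name__ == "__main__":
    ent, peer = entity_baseline(HISTORY), peer_baseline(HISTORY)
    # The quiz scenario: a service account logging on interactively at 02:30.
    print(score(Logon("svc-backup", "svc", "interactive", 2), ent, peer))
    # Carol drifts from her own history but still fits her peer group.
    print(score(Logon("carol", "developer", "interactive", 9), ent, peer))
    # The whole developer group suddenly working interactively at night.
    night = [Logon(d, "developer", "interactive", 2) for d in ("alice", "bob", "carol")] * 5
    print(role_drift("developer", HISTORY, night))
```

The service-account event fires on both baselines at once, which is why the page calls it a high-confidence signal. Carol's event fires only on her own baseline; the peer group says interactive logons are normal for developers, so the analyst learns something about Carol specifically rather than about the role. The role_drift check is the third case: every individual may look consistent with the group while the group as a whole has moved.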
The Insider Threat Matrix organizes insider tradecraft into five phases. Which sequence is correct?
The matrix moves from why (motivation) through what makes it possible (means), how the actor sets it up (preparation), to the harmful action itself (infringement), to the cleanup that follows (anti-forensics). Each phase is a different place to look for evidence.
The marketing team converted confidential documents into image files to share externally during a deadline. 3,200 customer records were exposed. What does Subject classify this as?
Hint: The vocabulary matters. Risk and threat are not interchangeable.
Insider risk is unintentional behavior that causes harm. The marketing team's workaround was about getting work done past a slow tool, not about stealing data. The methodology calls this risk so the response is process improvement (which produced 92% compliance lift) instead of enforcement (which would have produced friction without fixing the cause).
A binary on a developer's laptop disables its sandbox at runtime, makes encrypted outbound network calls, and matches signatures used by the Empire toolkit. Subject's most likely conclusion is...
A signature match alone is not Subject's verdict. The four dimensions plus access scope plus operational risk produce the picture. A signed, vendor-installed, peer-baselined binary running in a documented configuration on a developer workstation reads very differently from the same activity from an unsigned binary in a user-writable directory. Subject's job is to record that distinction defensibly, not to react to the signature alone.
Next up
Transition to Scope
Subject produced the entity map. Scope turns that map into a formal boundary for the investigation.