PASSED | security / insider_threat_data_exfiltration

Insider Threat — Systematic Data Exfiltration by Departing Employee

A senior database administrator who submitted their resignation 2 weeks ago is systematically exfiltrating customer data. The DBA is running bulk SELECT queries during off-hours, compressing the results, and uploading them to a personal cloud storage account via HTTPS. DLP sensors detect the anomalous data transfer patterns.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | UNKNOWN | UNKNOWN |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 47 linked |
Cascade Escalation | Yes | Yes |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API | |

Scenario Conditions

DBA with production database access. Resignation submitted 14 days ago. Bulk queries during 1AM-4AM window. Data compressed and uploaded to personal Google Drive. 47GB of customer PII exported over 5 nights. DLP alert triggered on volume anomaly. No data classification labels on PII tables.

Injected Error Messages (3)

Symantec DLP: high-confidence insider threat detected — user 'jsmith_dba' (notice period: departing in 14 days) transferring large encrypted archives to drive.google.com, 5 incidents over 5 consecutive nights between 01:00-04:00 UTC, total data volume: 47GB, content inspection: encrypted ZIP files containing CSV exports matching customer PII patterns (SSN, credit card, email, address), DLP policy 'PII Bulk Transfer' triggered 23 times
Oracle Audit Vault anomaly — DBA account 'jsmith_dba' executing bulk SELECT * queries on tables: CUSTOMERS, ORDERS, PAYMENT_METHODS, CREDIT_APPLICATIONS during off-hours (01:00-04:00), query pattern: 'SELECT * FROM customers WHERE rownum BETWEEN X AND X+1000000', 47 million rows extracted over 5 sessions, data export via sqlplus spool to /tmp/export_*.csv, files compressed with 'gzip -9' and deleted after transfer, normal DBA activity baseline: zero bulk exports
Netskope CASB: unauthorized cloud upload by privileged user — user 'jsmith@acmecorp.com' uploading files to personal Google Drive (not corporate tenant), 5 upload sessions totaling 47GB, file names: 'backup_customers_20260324.gz', 'backup_payments_20260325.gz', uploading from corporate VPN IP, activity outside normal working hours, user is on HR departing employees watchlist, data residency violation: customer PII leaving corporate boundary
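The three injected alerts above only become one incident once they are joined on the user, the time window, and the HR notice-period status. The following is an added example of that correlation logic, not code from the scenario page or from the Corax product: it replays constructed DB-audit, host, and CASB events modelled on the alerts (five nights, 47 GB to a personal Google Drive) plus a benign control user, and assigns a severity from which indicators fired. The thresholds, the working-hours window, the watchlist dates and all event data are assumptions for illustration.

```python
"""Added example (not from the original page or the Corax product): correlate
constructed DB-audit, host, and CASB events into one insider-exfiltration
finding. Thresholds, hours window, watchlist and events are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed detection thresholds (not from the page).
BULK_ROWS = 100_000            # rows in one session that count as a bulk export
WORK_HOURS = range(7, 19)      # 07:00-18:59 UTC treated as normal working hours
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "onedrive.live.com"}

# Constructed HR watchlist: user -> resignation date (14-day notice period).
WATCHLIST = {"jsmith_dba": datetime(2026, 3, 16, tzinfo=timezone.utc)}


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events modelled on the injected alerts: 5 nights, 47 GB total.
EVENTS = []
for night in range(5):
    day = 24 + night
    base = _t(f"2026-03-{day:02d}T01:30:00")
    EVENTS += [
        {"src": "db_audit", "user": "jsmith_dba", "ts": base,
         "table": "CUSTOMERS", "rows": 9_400_000},
        {"src": "host", "user": "jsmith_dba", "ts": base + timedelta(minutes=40),
         "cmd": f"gzip -9 /tmp/export_{day}.csv"},
        {"src": "casb", "user": "jsmith_dba", "ts": base + timedelta(minutes=90),
         "dest": "drive.google.com", "tenant": "personal", "bytes": 9_400_000_000},
    ]
# Benign control: routine in-hours query and an upload to the corporate tenant.
EVENTS += [
    {"src": "db_audit", "user": "mchen_dba", "ts": _t("2026-03-26T10:15:00"),
     "table": "ORDERS", "rows": 250},
    {"src": "casb", "user": "mchen_dba", "ts": _t("2026-03-26T10:30:00"),
     "dest": "drive.google.com", "tenant": "corporate", "bytes": 2_000_000},
]


def is_off_hours(ts):
    return ts.hour not in WORK_HOURS


def is_departing(user, ts, notice_days=14):
    """True if the user is inside their notice period at time ts."""
    resigned = WATCHLIST.get(user)
    return resigned is not None and resigned <= ts <= resigned + timedelta(days=notice_days)


def assess(indicators):
    """Severity from the three core signals: all three -> CRITICAL, two -> HIGH."""
    core = ("bulk_export", "personal_cloud_upload", "departing")
    hits = sum(indicators[k] for k in core)
    if hits == 3:
        return "CRITICAL"
    if hits == 2:
        return "HIGH"
    if indicators["bulk_export"] or indicators["personal_cloud_upload"]:
        return "MEDIUM"
    return None


def correlate(events):
    """Group events per user; return {user: finding} for users that score a severity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        ind = {
            "bulk_export": any(e["src"] == "db_audit" and e["rows"] >= BULK_ROWS for e in evs),
            "off_hours": any(is_off_hours(e["ts"]) for e in evs),
            "personal_cloud_upload": any(e["src"] == "casb" and e["dest"] in PERSONAL_CLOUD
                                         and e["tenant"] == "personal" for e in evs),
            "staging_cleanup": any(e["src"] == "host" and "gzip" in e["cmd"] for e in evs),
            "departing": any(is_departing(user, e["ts"]) for e in evs),
        }
        sev = assess(ind)
        if sev is None:
            continue
        uploads = [e for e in evs if e["src"] == "casb" and e["tenant"] == "personal"]
        findings[user] = {
            "severity": sev,
            "indicators": ind,
            "nights": len({e["ts"].date() for e in uploads}),
            "gb_out": round(sum(e["bytes"] for e in uploads) / 1e9, 1),
            "linked_events": len(evs),
        }
    return findings


if __name__ == "__main__":
    for user, f in correlate(EVENTS).items():
        print(user, f["severity"], f["nights"], "nights,", f["gb_out"], "GB,",
              f["linked_events"], "linked events")
```

The CASB upload events are what carry the volume and night count, because those are the only records showing data actually leaving the corporate boundary; the audit and host events raise the severity but do not by themselves prove exfiltration. The control user never reaches a finding: the same destination domain uploaded under the corporate tenant, in hours, with no bulk query, scores nothing.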

Neural Engine Root Cause Analysis

This is not a technical system failure but a security incident: the DLP Gateway has detected a high-confidence insider threat. User 'jsmith_dba' (departing in 14 days) has systematically exfiltrated 47GB of customer PII to a personal Google Drive as encrypted archives over 5 consecutive nights during off-hours (01:00-04:00 UTC). The finding is corroborated by Oracle Audit Vault (bulk SELECT * exports spooled to /tmp, compressed, and deleted after transfer, against a baseline of zero bulk exports) and by Netskope CASB (uploads from the corporate VPN to a non-corporate tenant by a user on the HR departing watchlist). The DLP system functioned correctly in detecting the transfers and raising 23 'PII Bulk Transfer' policy violations, but the CASB record shows the uploads completed, so this must be handled as a successful exfiltration rather than a blocked attempt. The gateway's 'down' status likely indicates it has entered a protective lockdown mode due to the severity and persistence of the threat.

Remediation Plan

1. Immediately escalate to the Security Operations Center and the Legal/HR teams
2. Disable the user account 'jsmith_dba' and revoke all access credentials (database, VPN, SaaS), terminating any active sessions
3. Preserve all logs and evidence (Symantec DLP, Oracle Audit Vault, Netskope CASB, VPN, and the DBA host) for forensic investigation
4. Conduct an emergency access review for all database administrators
5. Reset the DLP Gateway to operational mode after the security team confirms threat containment
6. Monitor every remaining access path (VPN, SaaS, email, physical) for the rest of the user's notice period
7. Review and strengthen data access controls for departing employees, including classification labels on the PII tables that currently have none
Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjx3la05j0obqej88qx0td