3.4: Insider Threats

Risk arising inside the org boundary (employees, contractors, partners, service accounts):

  • Malicious — intentional theft/sabotage (IP, customer data, fraud, sabotage).
  • Negligent — mistakes/policy violations (misdirected emails, public links, weak sharing).
  • Compromised — legitimate accounts/devices controlled by external actors (phished SSO, OAuth abuse, session hijack).

Also consider collusive (insider + outsider) and third-party/vendor insiders with privileged access.

Typical insider kill chain

  1. Trigger (grievance, financial stress, imminent departure)
  2. Recon (what exists, where it lives, who has access)
  3. Staging (local copies, archives, screenshots, exports)
  4. Exfiltration (email, cloud sync, removable media, print, covert channels)
  5. Anti-forensics (delete logs, clear browser history, rename data)
  6. Monetize/Leak (sell to competitor, publish, extort)

Motivations & behaviors

  • Motivations: financial gain, revenge, ideological, career advancement, coercion/blackmail; negligence stems from haste or poor security understanding.

  • Behavioral patterns:

    • Data hoarding: sudden bulk access to repositories (source code, research, client lists) outside normal role.
    • Exfil routes: personal cloud (Drive/Dropbox/Box), personal email, webmail, messaging apps, paste sites, Git for IP, unsanctioned OAuth apps.
    • Physical: tailgating, badge sharing, printing spikes, photographs/screenshots of screens, BYOD storage.
    • Privilege misuse: using break-glass creds, abusing service accounts, creating backdoor accounts.
    • Anti-forensics: mailbox rule changes, log deletion, wiping endpoints, disabling EDR.

Common targets: Finance/ERP, HR/PII, CRM exports, data warehouses, source repos (Git), designs, models (ML), keys/tokens, backup vaults. High-risk cohorts: departing employees/contractors, privileged admins, researchers/engineers with broad repo access, sales ops with export rights.


Detections & signals (UEBA-focused)

Identity & Access

  • Role misalignment: access to systems outside job function; sudden addition to powerful groups.
  • Volume anomalies: 10× normal reads/exports; large one-time share creations.
  • Session risk: unusual device/browser, impossible travel, atypical ASN/ISP.
  • OAuth/app grants: new high-scope app consents (read/write all mail/drive), legacy protocols enabled.

Useful telemetry

  • IdP: sign-in logs, conditional access results, token minting, consent events (e.g., Azure AD, Okta).
  • SaaS: audit logs (M365, Google Workspace, Box, GitHub), sharing/permission changes, export/download events.

Endpoint & Data

  • Staging indicators: creation of large .zip/.7z/.rar archives; bulk file copies to %USERPROFILE%\Downloads / ~/Downloads.
  • Exfil tools: unapproved sync clients; CLI tools hitting cloud APIs; clipboard/screen capture utilities.
  • Removable media: USB insert + high write throughput; mounting external drives; phone tethering used as storage.
  • Printer activity: sudden spikes; printing sensitive doc types (PII, contracts, code).

Useful telemetry

  • EDR: process lineage (excel.exe → powershell.exe → 7z.exe), file ops, removable media, screen capture APIs.
  • FIM/DLP: content classification hits, exact data match (EDM), vector DB fingerprints for IP.

Network & Egress

  • New destinations: first-time connections to personal cloud domains; TOR/VPN use from corp endpoints.
  • Throughput anomalies: large egress outside business hours; long-lived TLS sessions to storage providers.
  • Covert: DNS tunneling patterns (high entropy subdomains), steganographic exfil via images/paste sites.

Useful telemetry

  • Proxy/firewall: URL categories, TLS SNI, JA3/JA3S fingerprints, upload volume per host.
  • DNS logs: query volume, subdomain entropy, NXDomain spikes.
  • CASB: unsanctioned app discovery, shadow IT scoring.

Preventive controls

Access & Identity

  • Least privilege by design: RBAC/ABAC; minimize standing privileges; JIT/PIM for admin roles.
  • JML rigor: Joiner–Mover–Leaver automation with immediate de-provisioning on exit; timed access expiration.
  • Segregation of Duties (SoD): 4-eyes for sensitive actions; dual control on key vaults and prod data exports.
  • Strong auth: MFA (phish-resistant where possible), session protection, device posture checks.

Data-centric controls

  • Classification & labeling: automatic sensitivity labels (DLP/ML), watermarks.
  • DLP (endpoint + network + SaaS): exact data match (EDM), document fingerprints, vector similarity for IP, OCR for screenshots.
  • Egress governance: proxy allowlists, CASB with sanction/unsanction controls, block personal webmail uploads, throttle uploads.
  • USB & peripherals: block by default or allow hardware-ID allowlists; encrypt portable media; log all transfers.
  • IRM/DRM: persistent encryption + policy (no print/screen/forward) for crown jewels.

Platform & Ops

  • Immutable logs & evidence safety: WORM/retention locks (e.g., S3 Object Lock), centralized logging.
  • EDR hardening: tamper protection, kernel-level device control, screen capture detection.
  • VDI for high-risk data: no copy/paste/print; server-side rendering.
  • Source control controls: branch protections, code owners, secret scanning, repo-level DLP, egress scanning on git clone.
  • Clear AUP & privacy-aware monitoring with user notice and consent where applicable.
  • Security training tailored to roles (engineers, sales ops, finance).
  • Whistleblower & ethics channels to surface issues early.
  • Labor law & privacy: coordinate with Legal/HR; minimize data collection; role-based views of sensitive telemetry.

Response (coordinated with HR/Legal/SecOps)

  1. Triage & containment

    • JIT revoke or suspend accounts; isolate endpoint via EDR; disable OAuth grants; preserve mailbox.
    • If compromised: reset creds, revoke tokens/sessions, invalidate device trust.
  2. Preserve evidence

    • Snapshot VMs, collect volatile data (where policy allows), acquire disk images via authorized forensics, export SaaS/IdP audit logs, lock logs immutably.
    • Maintain chain of custody.
  3. Investigate

    • Timeline: access → staging → exfil → anti-forensics.
    • Quantify scope: what data, how much, where sent, onward sharing.
    • Distinguish malicious vs negligent vs compromised (changes legal path).
  4. Remediate

    • Remove persistence (mail rules, tokens, SSH keys, API keys).
    • Rotate credentials and secrets (human + service accounts).
    • Notify stakeholders/customers/regulators as required; start takedowns (paste sites, cloud links).
  5. Eradicate & recover

    • Rebuild affected hosts; restore integrity of controls (DLP, CASB, EDR).
    • Re-educate user if negligent; proceed with HR/legal if malicious.
  6. Lessons learned

    • Tighten access boundaries; add detections for missed precursors; update training & playbooks; feed indicators to SIEM.

Concrete detections (examples)

Microsoft 365 / Entra ID (KQL)

// Excessive downloads from SharePoint/OneDrive by one user in 24h vs that user's own 14-day daily average
let window = 24h;
let threshold = 10.0; // multiple of the user's baseline daily count
let downloads = OfficeActivity
| where TimeGenerated > ago(window)
| where Operation in ("FileDownloaded", "FilePreviewed")
| summarize recent_count = count() by UserId;
let baseline = OfficeActivity
| where TimeGenerated between (ago(14d) .. ago(window)) // exclude the window being scored
| where Operation in ("FileDownloaded", "FilePreviewed")
| summarize daily_count = count() by UserId, bin(TimeGenerated, 1d) // one row per user-day
| summarize avg_count = avg(daily_count) by UserId;
downloads
| join kind=inner baseline on UserId // inner join drops users with no history; use leftouter to catch first-time bulk downloaders
| where toreal(recent_count) > threshold * toreal(avg_count)
| project UserId, recent_count, avg_count

Exchange Online — new forwarding rules

// Inbox-rule events are Exchange mailbox audit records in OfficeActivity, not the Entra ID AuditLogs table
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| extend Params = tostring(Parameters)
| where Params has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| project TimeGenerated, UserId, ClientIP, Operation, Params

Splunk — large outbound uploads to personal cloud

index=proxy sourcetype=bluecoat:proxysg earliest=-24h
    cs_host IN ("drive.google.com","dropbox.com","box.com","wetransfer.com")
    (cs_method=POST OR cs_bytes>104857600)
| stats sum(cs_bytes) AS upload_bytes BY cs_username, cs_host, src_ip
| where upload_bytes > 1073741824

(cs_bytes is the client-to-server direction, i.e. the upload; sc_bytes would measure downloads. 1073741824 bytes is 1 GB over the 24h window.)

Windows endpoint — archive creation before exfil (Sysmon)

index=sysmon EventCode=1 earliest=-24h
    (Image="*7z.exe" OR Image="*winrar.exe" OR Image="*zip.exe")
| stats count BY User, CommandLine, ParentImage, host
| sort - count

DNS exfil — high entropy subdomains

index=dns sourcetype=infoblox:dns earliest=-1h
| rex field=qname "^(?<subdomain>.+)\.[^.]+\.[^.]+$"
| eval sub_len=len(replace(subdomain,"\.",""))
| lookup ut_shannon_lookup word AS subdomain OUTPUT ut_shannon AS entropy
| where entropy > 4.0 AND sub_len > 30
| table _time, qname, sub_len, entropy

(ut_shannon comes from the URL Toolbox app, as Splunk has no built-in entropy function; sub_len counts the characters left of the registered domain, dots excluded.)
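The same high-entropy-subdomain check as a stand-alone script, added here as an example (not code from the original page), with the corroboration step the query lacks: a source only alerts after several suspicious queries to one domain. The thresholds are the page's 4.0 bits/char and 30 characters; the log records, host addresses and example.net names are constructed.

```python
import math
from collections import defaultdict

# Thresholds taken from the Splunk query above: entropy > 4.0 bits/char, subdomain > 30 chars.
ENTROPY_THRESHOLD = 4.0
MIN_SUBDOMAIN_LEN = 30
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def subdomain_part(qname: str, registered_labels: int = 2) -> str:
    """Labels left of the registered domain, dots stripped. Assumes a two-label
    registered domain (example.net); suffixes such as co.uk need a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-registered_labels])

def is_suspicious(qname: str) -> bool:
    sub = subdomain_part(qname)
    return len(sub) > MIN_SUBDOMAIN_LEN and shannon_entropy(sub) > ENTROPY_THRESHOLD

def flag_tunnel_candidates(records, min_hits: int = 5) -> dict:
    """records: iterable of (src_ip, qname) -> {(src_ip, registered_domain): hits} for sources
    with at least min_hits suspicious queries to one domain (a single odd name does not alert)."""
    hits = defaultdict(int)
    for src, qname in records:
        if is_suspicious(qname):
            domain = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[(src, domain)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

def constructed_sample():
    """Constructed log sample: ordinary corporate lookups plus five tunnel-shaped queries
    from one host, each carrying a 36-char stand-in for an encoded data chunk."""
    records = [("10.0.0.7", "www.example.com"), ("10.0.0.7", "mail.corp.example.com"),
               ("10.0.0.5", "sso.corp.example.com")]
    for i in range(5):
        chunk = ALPHABET[i:] + ALPHABET[:i]
        records.append(("10.0.0.5", f"{chunk}.t.example.net"))
    return records

if __name__ == "__main__":
    print(flag_tunnel_candidates(constructed_sample()))  # {('10.0.0.5', 'example.net'): 5}
```

Because 16 hex symbols carry at most log2(16) = 4 bits per character, a strict > 4.0 threshold cannot flag hex-only encoders; lower it or compare against a per-domain baseline when those are in scope.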

Tune thresholds by peer group and seasonality; combine multiple weak signals into a risk score.


UEBA design tips (risk scoring)

  • Features: data volume (z-score), new resource novelty, time-of-day deviation, device trust changes, OAuth consent events, USB writes, print volume, screen-capture API calls, VPN/IP reputation shifts, HR signals (role change, performance warnings) where legally permissible.
  • Context: role, org unit, tenure, manager, current projects, normal repo sets.
  • Scoring: decay over time; cap risk from single dimension to reduce bias; require multi-signal corroboration before high-severity alerts.
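A minimal scorer that applies these rules (z-scored features, a cap per dimension, decay over time, and multi-signal corroboration before high severity), which also serves the note above that weak signals should be combined into a risk score. Added example, not code from the page; the feature names, point weights, cap, half-life, severity gates and baselines are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical tunables: cap per dimension (limits single-signal bias), decay half-life, gates.
DIMENSION_CAP = 40.0
HALF_LIFE = timedelta(days=7)
HIGH_SEVERITY, MIN_CORROBORATING = 60.0, 2  # high needs >= 2 distinct dimensions firing

@dataclass
class Signal:
    feature: str        # e.g. "download_volume", "usb_write_mb", "oauth_consents"
    value: float
    observed_at: datetime

def zscore(value, baseline):
    """Standard deviations above the user's (or peer group's) baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma

def decayed(points, observed_at, now):  # a signal loses half its weight every HALF_LIFE
    return points * 0.5 ** (max(now - observed_at, timedelta(0)) / HALF_LIFE)

def score_user(signals, baselines, now):
    """Return (total_score, fired_dimensions, severity) for one user."""
    per_dim = {}
    for s in signals:
        z = zscore(s.value, baselines[s.feature])
        if z < 2.0:  # within normal variation, contributes nothing
            continue
        pts = decayed(min(z * 10.0, DIMENSION_CAP), s.observed_at, now)
        per_dim[s.feature] = min(per_dim.get(s.feature, 0.0) + pts, DIMENSION_CAP)
    total, fired = sum(per_dim.values()), sorted(per_dim)
    if total >= HIGH_SEVERITY and len(fired) >= MIN_CORROBORATING:
        severity = "high"
    elif total >= HIGH_SEVERITY / 2:
        severity = "medium"
    else:
        severity = "low"
    return total, fired, severity

def constructed_scenario(usb_age_days=0):
    """Constructed sample: a user's downloads spike today; a first-ever USB write is usb_age_days old."""
    now = datetime(2024, 1, 15, 9, 0)
    baselines = {"download_volume": [20, 25, 30, 22, 28], "usb_write_mb": [0, 0, 0, 0, 0]}
    signals = [Signal("download_volume", 300, now),
               Signal("usb_write_mb", 512, now - timedelta(days=usb_age_days))]
    return score_user(signals, baselines, now)
```

With the USB write two weeks old its 40 points decay to 10, so the same two signals drop from high to medium, which is the intended effect of decay plus corroboration.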

MITRE ATT&CK techniques commonly seen in insider cases

  • T1078 Valid Accounts (compromised/abused).
  • T1114 Email Collection; T1600 Exfil via Transfer from Device.
  • T1005 Data from Local System; T1025 Data from Removable Media.
  • T1074 Data Staged; T1560 Archive Collected Data.
  • T1567 Exfiltration over Web Services; T1048 Exfil over Alternative Protocol.
  • T1070 Indicator Removal (clear logs); T1036 Masquerading.

KPIs & governance

  • MTTD/MTTR for insider incidents.
  • % of high-risk users with no standing admin privileges.
  • JML SLA adherence (deprovision within hours).
  • DLP coverage: % endpoints + SaaS apps under policy.
  • False-positive rate on UEBA alerts; analyst time per alert.
  • Retention: audit logs WORM-protected for regulatory periods.

Edge cases & false positives

  • Data scientists/engineers legitimately moving large datasets.
  • Quarterly finance exports; onboarding migrations; incident response bulk collections.
  • Mitigate with peer grouping, approval workflows, temporary access windows, and annotating benign events to train models.

Quick checklists

Before an incident

  • JML automation; PIM/JIT for admins
  • DLP+CASB on endpoints and SaaS
  • Immutable logging (centralized + WORM)
  • USB policy (blocked or allowlist)
  • Source code protections (branch rules, token scanning)
  • Clear AUP + training + monitoring notices

During an incident

  • Isolate account/device; revoke sessions/tokens/OAuth
  • Snapshot & collect logs; chain of custody
  • Quantify data scope; notify stakeholders
  • Coordinate with HR/Legal; document decisions

After an incident

  • Rotate secrets/keys; remove persistence
  • Update detections/policies; close access gaps
  • Communicate lessons learned; refine training