Skip to content

Chapter 26: Insider Threats

Overview

Insider threats — malicious actions by employees, contractors, or business partners with authorized access — represent some of the most damaging and hardest-to-detect security incidents. Unlike external attackers who must bypass controls, insiders start with legitimate access, organizational knowledge, and trust. This chapter covers the taxonomy of insider threats, behavioral indicators, technical detection using UEBA, program design, and the legal and HR frameworks necessary to investigate and respond to insider incidents appropriately.

Learning Objectives

By the end of this chapter, students SHALL be able to:

  1. Classify insider threats by type, motivation, and capability
  2. Identify behavioral and technical indicators of insider threat activity
  3. Deploy User and Entity Behavior Analytics (UEBA) for insider threat detection
  4. Design an insider threat program balancing security with privacy and legal requirements
  5. Conduct an insider threat investigation following legal and HR protocols
  6. Implement technical controls that limit damage from insider actions

Prerequisites

  • Chapter 6 (Triage, Investigation & Enrichment)
  • Chapter 9 (Incident Response Lifecycle)
  • Basic understanding of DLP (Data Loss Prevention) concepts

Why This Matters

The 2023 Verizon DBIR reports that insider threats account for 19% of all breaches. The average insider incident costs $15.4M (Ponemon Institute 2022). Edward Snowden extracted 1.5 million classified NSA documents using authorized access. A Boeing engineer stole 100,000+ files over 21 years. A Tesla employee stole proprietary Autopilot data. The US Army National Guard member who leaked classified documents to Discord. These are not just historical examples — insider threats are detected every day across every sector. Technical controls alone cannot stop an authorized user. Behavioral analysis, least privilege, and a culture of accountability are the true defenses.

26.1 Insider Threat Taxonomy

graph TD
    A[Insider Threats] --> B[Malicious\nInsiders]
    A --> C[Negligent\nInsiders]
    A --> D[Compromised\nInsiders]

    B --> B1[Malicious Employee\nData Theft / Sabotage]
    B --> B2[Disgruntled\nEmployee Revenge]
    B --> B3[Espionage Agent\nNation-State Plant]
    B --> B4[Fraud\nFinancial Gain]

    C --> C1[Lost/Stolen Device\nUnencrypted Data]
    C --> C2[Misuse of\nCloud Storage]
    C --> C3[Shadow IT\nUnapproved Tools]
    C --> C4[Misconfiguration\nAccidental Exposure]

    D --> D1[Phished Employee\nCredentials Stolen]
    D --> D2[Malware on\nPersonal Device]
    D --> D3[Coerced Employee\nExtortion]

    style B1 fill:#e63946,color:#fff
    style B3 fill:#780000,color:#fff
    style D1 fill:#f4a261,color:#000

26.2 Behavioral Indicators

The CERT Insider Threat Center has identified consistent behavioral patterns preceding malicious insider incidents. These are not individually conclusive — they must be correlated with technical indicators.

26.2.1 Pre-Employment and Onboarding Indicators

- Gaps in employment history not explained
- Previous incidents at other employers (background check)
- Excessive interest in security controls, monitoring, or access beyond role
- Signing NDAs or non-compete agreements but immediately accessing sensitive data
- Requesting unusual access levels for stated job duties

26.2.2 Behavioral Precursors to Malicious Insider Events

Category Indicator Risk Weight
Job stress Performance reviews, disciplinary action, passed over for promotion Medium
Financial stress Wage garnishments, bankruptcy filings, sudden luxury purchases High
Personal conflict Reports of interpersonal conflict, HR complaints filed Medium
Resignation signals Job hunting activity on LinkedIn, taking PTO/vacation before departure High
Behavioral changes Unusual hours, antisocial behavior, expressing resentment Medium
Policy violations Multiple policy violations, security exceptions requested High
Unusual interest Research on security tools, encryption, steganography High

26.2.3 Technical Behavioral Indicators

Data Staging Indicators:
├── Large volume of file access in short timeframe
├── Copying files to removable media
├── Uploading to personal cloud (Dropbox, Google Drive, OneDrive personal)
├── Emailing files to personal email address
├── Accessing files outside normal working hours
└── Accessing files unrelated to current job function

Credential Abuse Indicators:
├── Login from unusual geography/IP/time
├── Using another employee's credentials
├── Multiple failed login attempts followed by success
├── Escalating own privileges in directory
└── Accessing service accounts directly

Sabotage Indicators:
├── Accessing backup systems or deletion of files
├── Modifying configuration files of critical systems
├── Creating backdoors or unauthorized accounts
├── Bulk deletion of records
└── Accessing systems after termination

26.3 UEBA for Insider Threat Detection

User and Entity Behavior Analytics (UEBA) establishes behavioral baselines and detects anomalies using machine learning.

26.3.1 UEBA Architecture

flowchart LR
    A[Data Sources] --> B[UEBA Engine]

    subgraph "Data Sources"
        L1[Active Directory\nLogon Events]
        L2[DLP\nFile Access/Copy]
        L3[Email Gateway\nSend/Receive]
        L4[Web Proxy\nURL Categories]
        L5[Badge/Physical\nAccess Logs]
        L6[Cloud Apps\nBox/O365/GDrive]
        L7[CASB\nShadow IT]
        L8[HR System\nJob Status/Tenure]
    end

    subgraph "UEBA Engine"
        B1[Baseline\nBuilding\n30-day warm-up]
        B2[Anomaly\nDetection ML]
        B3[Risk Scoring\nper User/Entity]
        B4[Alert\nCorrelation]
    end

    B --> C[Insider Threat\nInvestigator Queue]
    B --> D[SIEM Integration\nHigh-Risk Alerts]

    style C fill:#e63946,color:#fff

26.3.2 UEBA Use Cases

# Sample UEBA detection logic (pseudo-code)

class InsiderThreatDetector:

    def detect_data_exfiltration_precursors(self, user: str, events: list) -> float:
        risk_score = 0.0

        # Detect large volume file access (T1039)
        file_access_count = count(events, type="FILE_ACCESS", window="1_hour")
        baseline_hourly = self.baseline(user, "FILE_ACCESS_HOURLY")
        if file_access_count > baseline_hourly * 5:
            risk_score += 25.0

        # Detect access to sensitive directories outside role
        sensitive_access = [e for e in events if e.path in SENSITIVE_DIRS
                           and not user_has_role_access(user, e.path)]
        if sensitive_access:
            risk_score += 30.0

        # Detect personal cloud uploads (T1567.002)
        personal_cloud_events = [e for e in events
                                 if e.destination in PERSONAL_CLOUD_DOMAINS]
        if personal_cloud_events:
            risk_score += 40.0

        # Correlate with HR risk factors
        hr_risk = self.get_hr_risk_factors(user)
        if hr_risk.recent_pip or hr_risk.recent_termination_notice:
            risk_score *= 1.5

        return min(risk_score, 100.0)

26.3.3 UEBA Products

Product Vendor Key Differentiators
Varonis Varonis File system DLP + UEBA; data access governance
Microsoft Sentinel UEBA Microsoft Native O365/Azure integration; entity pages
Splunk UBA Splunk Integration with Splunk SIEM; kill chain detection
Securonix UEBA Securonix Threat chaining; behavior-based risk scoring
Exabeam Exabeam Session timeline reconstruction; analyst experience
ObserveIT (Proofpoint) Proofpoint Video/session recording for privileged users

26.4 Technical Controls

26.4.1 Data Loss Prevention (DLP)

# Microsoft Purview DLP Policy — Sensitive Data Protection
DLP Policy: "Prevent Exfiltration of Customer PII"
  Conditions:
    - Content contains: Credit card numbers (built-in SIT)
    - Content contains: Social Security Numbers
    - Content contains: Protected Health Information patterns

  Locations:
    - Exchange Online (email)
    - SharePoint Online (files)
    - OneDrive for Business (personal sync)
    - Teams (chat/files)
    - Endpoint (Windows devices)

  Actions:
    - Block: Upload to personal cloud storage
    - Block: Forward to external email
    - Allow with justification: Business reason required
    - Alert: Security team notification
    - Audit: All matching activities logged

  User Experience:
    - Policy tip shown to user explaining violation
    - Override permitted with documented justification
    - False positive reporting channel available

26.4.2 Privileged Access Management (PAM)

# CyberArk PAM — privileged session recording
# All privileged sessions (Admin, Root, SA accounts) recorded
# Keystrokes + screen video stored in vault
# Session can be terminated by security team in real time

# HashiCorp Vault — just-in-time credential issuance
vault write database/creds/readonly @payload.json
# Returns: temporary DB credentials valid for 1 hour
# No standing privileges — must re-request each time
# Full audit trail: who requested, what, when

# Principle of Least Privilege implementation:
# Role-based access control (RBAC) — not individual-based
# Regular access reviews (quarterly for privileged, annually for standard)
# Auto-revoke on job change / departure

26.4.3 Endpoint Controls

# Block USB storage on all endpoints (via GPO)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" `
  -Name "Start" -Value 4  # 4 = Disabled

# Allow specific approved USB devices by hardware ID
# Device Manager → Properties → Hardware IDs → Add to whitelist in GPO

# Windows Defender Application Control (WDAC) — prevent unauthorized execution
New-CIPolicy -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
ConvertFrom-CIPolicy .\policy.xml .\policy.bin
Set-RuleOption -FilePath .\policy.xml -Option 3 -Delete  # Remove audit mode

26.5 Insider Threat Program Design

26.5.1 Program Components

An insider threat program SHALL include:

GOVERNANCE:
├── Executive sponsor (CISO or equivalent)
├── Cross-functional team: Legal, HR, IT, Security, Management
├── Written program charter and policy
└── Regular review cadence (quarterly)

PREVENTION:
├── Pre-employment background checks
├── Security awareness training
├── Clear acceptable use policies
├── Termination procedures (access revocation within 1 hour)
└── Confidentiality agreements

DETECTION:
├── UEBA/behavioral analytics
├── DLP monitoring
├── Privileged access monitoring and session recording
├── Anomalous access alerting
└── HR-to-Security communication process (notify security of HR events)

RESPONSE:
├── Documented investigation procedures
├── Legal hold process
├── Chain of custody for digital evidence
├── Coordination with Law Enforcement (when appropriate)
└── Post-incident review

CULTURE:
├── Ethics hotline / anonymous reporting
├── No retaliation policy
├── Positive security culture — security as support, not police
└── Exit interview process

26.5.2 Termination Procedures — Critical Controls

SAME-DAY TERMINATION CHECKLIST:
□ Disable all Active Directory accounts (BEFORE notifying employee)
□ Revoke VPN and remote access certificates
□ Disable badge access immediately
□ Disable email (or set to forward-only with monitoring)
□ Revoke cloud application access (O365, Salesforce, GitHub, AWS)
□ Change shared account passwords employee had access to
□ Disable MFA tokens
□ Retrieve company devices (laptop, phone, badge)
□ Review recent data access: last 30 days of DLP/file access logs
□ Review email send/receive: look for exfiltration before termination
□ Preserve email and file system for 90 days (litigation hold)
□ Notify key colleagues/clients as appropriate

JURISDICTION-SPECIFIC REQUIREMENTS:

United States:
├── Fourth Amendment applies to government employees
├── ECPA: Electronic Communications Privacy Act — limits monitoring
├── State laws vary significantly (California CCPA, Illinois BIPA)
├── Labor law: Monitoring must be disclosed in employment agreements
└── Union agreements may restrict monitoring

European Union:
├── GDPR Article 88: Employee data processing for employment purposes
├── Works council approval may be required (Germany: Betriebsrat)
├── Data minimization: Collect only what's necessary for the purpose
└── Privacy Impact Assessment required for systematic monitoring

Required HR Steps Before Investigation:
1. Documented reasonable suspicion
2. Legal and HR approval before accessing employee communications
3. Chain of custody documentation from first evidence collection
4. Employee rights notification (varies by jurisdiction)

26.6.2 Evidence Collection

# Digital forensics for insider threat — key evidence sources
# 1. Preserve before investigation (legal hold)

# Windows Event Logs — last 90 days minimum
wevtutil epl Security C:\Evidence\Security.evtx
wevtutil epl System C:\Evidence\System.evtx

# File system activity — last access times
# Note: NTFS last access time update may be disabled
# Enable before investigation: fsutil behavior set disablelastaccess 0

# DLP logs — all file operations for target user
# Pull from DLP console: filter by user, date range, sensitive data categories

# Email — complete mailbox export
# Exchange: New-MailboxExportRequest -Mailbox user@corp.com -FilePath \\server\evidence\mailbox.pst
# Include: Sent, Deleted Items, Recoverable Items (holds deleted messages 14 days by default)

# Cloud app activity
# Microsoft 365: Unified Audit Log (purview.microsoft.com)
# Google Workspace: Admin SDK Reports API
# Salesforce: Login History, Field History Tracking

26.7 Benchmark Controls

Control ID Title Requirement
Nexus SecOps-IT-01 Insider Threat Program Documented program with cross-functional team; reviewed annually
Nexus SecOps-IT-02 UEBA Deployment UEBA monitoring for all privileged users; risk scoring implemented
Nexus SecOps-IT-03 DLP Coverage DLP policy covering email, cloud storage, and endpoint for sensitive data categories
Nexus SecOps-IT-04 Privileged Session Recording All privileged (admin) sessions recorded in PAM solution
Nexus SecOps-IT-05 Access Revocation Same-day (within 1 hour) access revocation procedure for terminations
Nexus SecOps-IT-06 Data Access Governance Regular access reviews; access aligned to current role at all times

Exam Prep & Certifications

Relevant Certifications

The topics in this chapter align with the following certifications:

  • GIAC GCTI — Domains: Cyber Threat Intelligence, Insider Threat Analysis
  • GIAC GCIH — Domains: Incident Handling, Insider Threat Detection
  • CISSP — Domains: Security and Risk Management, Security Operations

View full Certifications Roadmap →

Key Terms

DLP (Data Loss Prevention) — Technology that monitors, detects, and blocks the unauthorized transmission of sensitive data across network, email, and endpoint channels.

Least Privilege — The principle of granting users and systems only the minimum permissions required to perform their defined functions.

PAM (Privileged Access Management) — Technology and processes for controlling, monitoring, and auditing privileged access to systems — particularly admin and root accounts.

UEBA (User and Entity Behavior Analytics) — Security analytics that applies machine learning to establish behavioral baselines for users and systems, detecting anomalies that may indicate insider threats or compromised accounts.

Velocity-of-Access Anomaly — A UEBA detection where a user accesses significantly more files, systems, or data than their normal baseline in a given time window — common indicator of data staging before exfiltration.