
Insider threat indicators

Insider threats are a particularly difficult type of cybersecurity challenge, because insider threat indicators can be hard to catch. Since insiders are authorized users who have been legitimately granted certain access privileges, they are inherently trusted. Knowing what insider threat indicators are is crucial to identifying and stopping individuals who are doing harm to an organization intentionally or accidentally.

What is an insider threat?

An insider threat is a security compromise that originates from within an organization. When insider threat indicators go unnoticed, damage is caused by malicious, negligent, or unintentional acts by insiders who have authorized access privileges and knowledge of an organization’s processes and procedures.

Failure to heed insider threat indicators can compromise the confidentiality, integrity, and availability of an organization’s vital resources, such as data, equipment, facilities, finances, networks, operations, personnel, and systems.

Understand insider threat indicators by knowing who and what is considered an insider

“An insider is any person who has or has authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.

Examples of an insider may include:

  • A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.
  • A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
  • A person to whom the organization has supplied a computer and / or network access.
  • A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
  • A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.
  • A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.
  • In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.”

Source: CISA (Cybersecurity & Infrastructure Security Agency), a Division of the U.S. Department of Homeland Security

Insider threat indicators provide warnings about a number of potential risks to an organization, including:

  1. Corruption
  2. Degradation of an organization’s resources or capabilities
  3. Espionage (e.g., corporate, criminal, or nation-state)
  4. Sabotage
  5. Terrorism (e.g., state, religious, or political)
  6. Unauthorized access and disclosure of information
  7. Workplace violence

Types of insider threats

Insider threat indicators, when followed, can identify the various types of insider threats. These fall into two main categories—intentional and unintentional.

Malicious insiders

A malicious insider, also known as an intentional insider threat, is an internal actor who takes advantage of their access privileges and knowledge of the organization to deliberately commit or facilitate misdeeds, such as data theft or leakage, disrupting operations, fraud, revenge, sabotage, spying, or stealing money or other assets. Among the many motivations for malicious insiders’ acts are a desire for financial gain or vengeance.

Intentional insiders who use their positions and access to commit malicious acts include:

  1. Collusive insiders—one or more insiders collaborate with someone or a group outside of the organization
  2. Third-parties—trusted third parties (e.g., contractors or vendors) who have insider access
  3. Lone wolves—individuals inside an organization who act alone

Negligent insiders

An unintentional insider threat, also referred to as a negligent insider threat, is caused by an insider who inadvertently compromises an organization with no intention of committing malicious acts.

Although unintentional insider threat actors have no ill intent, they can pose a more significant risk than malicious insiders.

Studies have shown that unintentional insiders are responsible for far more compromises than intentional insiders. While much is made of the malicious insider, detecting insider threat indicators should also focus on the various types of unintentional insiders and their mistakes, including:

  • Accidental insiders who make honest mistakes such as:
      • Being manipulated into opening an attachment in a phishing email that contains a virus
      • Improperly disposing of sensitive documents
      • Mistyping an email address and accidentally sending sensitive information to an unauthorized recipient
  • Careless insiders who do not pay attention to security procedures and unwittingly:
      • Allow someone to “piggyback” through a secure entrance point
      • Misplace or lose a portable storage device containing sensitive information
      • Ignore messages to install new updates and security patches or change their passwords
      • Store confidential information on their personal devices
  • Third-party insiders who are either careless or make honest mistakes that give a malicious actor access to an organization’s systems and resources

Compromised insiders

A legitimate user can become a compromised insider if their credentials are stolen and used by an outside threat actor. Credentials are typically stolen as part of a data breach, malware attack, or social engineering campaign (e.g., phishing). A compromised insider can also result from a user being coerced into sharing their access privileges through blackmail or other tactics.

Third-party collaborators

Third-party collaborators can be contractors, vendors, partners, part-time workers, or even customers who have been granted authorization to access an organization’s systems, data, or applications. Like employees, third-party collaborators can be deliberate or unwitting.

When driven by malicious intent, third-party collaborators can act independently or as part of a group to conduct malicious activities. When acting with others, third-party collaborators sometimes engage employees or other threat actors from outside the organization.

Insider threat indicators

Insider threat indicators are behavioral patterns or activities that identify a person or other entity as a potential security risk. The wide range of possible indicators is grouped into two categories—technical and behavioral.

Technical insider threat indicators

Regardless of the type of insider (e.g., malicious or accidental), technical insider threat indicators can provide clear alerts that inappropriate activities are occurring. Examples of technical insider threat indicators include the following.

Excessive data access or downloads

Abrupt increases in file downloads, printing, or data transfers can indicate malicious activity. This shows up as surges in network traffic while large downloads or volumes of data are copied. Unsanctioned software and hardware, such as USB drives, can also indicate an insider threat.

Unauthorized access to or use of confidential information

Occasionally an insider tries to access or use confidential information without authorization by accident, but in most cases such activity is a clear indication of an insider threat. These actions include searching for, viewing, copying, or sharing confidential information, including trade secrets, financial records, personal data, or proprietary research.

Changing file names or extensions

Another important indicator is a user changing the names of files that contain sensitive information. For example, a user may change a document’s file extension or name to disguise it (e.g., quarterly-sales-report.xls to website-edits.doc, or sales-report.xls to to-do.xls).

Increased privilege requests

Repeated requests for escalated privileges or permissions to access system resources that are not associated with the job function are an insider threat red flag. When individuals seek higher levels of access than their job requires, it may indicate that they are looking for or trying to access information, applications, or systems that they should not. It can also be an indicator of preparations to execute a malicious campaign, such as a ransomware attack or other malware attack. Escalated privileges can also be used to gain access to systems and set up backdoor entry points to be used later.

Anomalous network activity

Anomalous network activity includes unusual patterns or behaviors on the network that deviate from normal operations. Examples of anomalous network activity include large volumes of data being transferred at odd hours or to unfamiliar external locations, which can indicate data exfiltration. Frequent access attempts from unusual locations or devices can be a sign of credential theft or misuse. A significant spike in network traffic that regular business activities cannot explain can also be a sign of an insider’s malicious activity.
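The technical indicators above are all detectable from ordinary audit data. The following is an added example, not code from the original article: it scans constructed daily transfer summaries and file-rename events for three of the indicators just described, a per-user volume spike (measured against a median/MAD baseline so that a single mass download does not distort its own baseline), transfers to external destinations, and renames that disguise sensitive files. The record layouts, the `external:` destination prefix and the `SENSITIVE_KEYWORDS` list are assumptions made for the example.

```python
"""Scan constructed audit records for the technical indicators described above.

Added example (not code from the original article). It checks three things:
a per-user transfer-volume spike using a median/MAD baseline, transfers to
external destinations, and renames that disguise sensitive files. All records
below are constructed sample data, and their field layout is an assumption.
"""
import statistics
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed daily transfer summaries: (user, date, bytes_out, destination)
TRANSFER_LOG = [
    ("alice", "2025-01-06", 120_000_000, "internal"),
    ("alice", "2025-01-07", 95_000_000, "internal"),
    ("alice", "2025-01-08", 130_000_000, "internal"),
    ("alice", "2025-01-09", 110_000_000, "internal"),
    ("alice", "2025-01-10", 105_000_000, "internal"),
    ("alice", "2025-01-13", 4_800_000_000, "external:cloud-share.example"),
    ("bob", "2025-01-06", 20_000_000, "internal"),
    ("bob", "2025-01-07", 22_000_000, "internal"),
    ("bob", "2025-01-08", 19_000_000, "internal"),
    ("bob", "2025-01-09", 21_000_000, "internal"),
    ("bob", "2025-01-10", 20_000_000, "internal"),
]

# Constructed file rename events: (user, old_name, new_name)
RENAME_LOG = [
    ("alice", "quarterly-sales-report.xls", "website-edits.doc"),
    ("bob", "notes.txt", "notes-v2.txt"),
    ("carol", "sales-report.xls", "to-do.xls"),
    ("dave", "customer-list.csv", "customer-list-2025.csv"),
]

# Assumed keywords that mark a file name as sensitive in this organization
SENSITIVE_KEYWORDS = ("sales", "report", "salary", "customer", "secret")


def robust_spikes(log, threshold=5.0):
    """Rows whose daily volume is far above the user's own baseline.

    Baseline is the median of the user's daily volumes and spread is the
    median absolute deviation (MAD). Both tolerate the outlier being in the
    sample, so one mass download does not pull the baseline up with it.
    """
    by_user = defaultdict(list)
    for user, _date, nbytes, _dest in log:
        by_user[user].append(nbytes)

    flagged = []
    for user, date, nbytes, dest in log:
        values = by_user[user]
        if len(values) < 3:
            continue  # too little history to judge
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        scale = mad if mad > 0 else 1.0  # all-identical history: any rise counts
        score = (nbytes - median) / scale
        if score > threshold:
            flagged.append((user, date, nbytes, dest, round(score, 1)))
    return flagged


def external_transfers(log):
    """Rows whose destination lies outside the organization."""
    return [row for row in log if row[3].startswith("external:")]


def sensitive_renames(log):
    """Renames that change a sensitive file's extension or strip the
    keyword that identified it, i.e. the disguise pattern in the text."""
    flagged = []
    for user, old, new in log:
        old_l, new_l = old.lower(), new.lower()
        hits = [k for k in SENSITIVE_KEYWORDS if k in old_l]
        if not hits:
            continue
        ext_changed = PurePosixPath(old_l).suffix != PurePosixPath(new_l).suffix
        keyword_dropped = any(k not in new_l for k in hits)
        if ext_changed or keyword_dropped:
            flagged.append((user, old, new))
    return flagged


def scan():
    """Collect all indicator hits into one report."""
    return {
        "volume_spikes": robust_spikes(TRANSFER_LOG),
        "external_transfers": external_transfers(TRANSFER_LOG),
        "sensitive_renames": sensitive_renames(RENAME_LOG),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Bob's steady traffic and Dave's versioned rename produce no hits; Alice's 4.8 GB day scores several hundred MADs above her median and is also the only external transfer, while both disguising renames are caught by the extension change or the dropped keyword.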

Behavioral indicators of insider threats

Both malicious and accidental insiders can be identified by being vigilant about behavioral insider threat indicators. Less quantitative than technical insider threat indicators, behavioral insider threat indicators still effectively surface potential risks. Behavioral insider risk indicators include the following.

Unusual work patterns

Unusual work patterns are a strong indicator of an insider threat. Often, a malicious insider will log into applications and networks at unusual times (e.g., after hours, over weekends, or while on vacation), work late when there is no clear reason to do so, or access systems or data outside their normal scope.
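Because "after hours" differs from one user to the next, the check has to be made against each user's own pattern. Here is an added example (not from the original article) that learns a per-user login window from past timestamps and then flags recent logins that fall outside that window, land on a weekend, or occur on a day the user is on approved leave. All timestamps and the leave calendar are constructed sample data.

```python
"""Flag logins that fall outside a user's own working pattern.

Added example (not from the original article). Each user's normal window is
learned from past login timestamps; a constructed leave calendar marks days on
which the user should not be logging in at all. All timestamps and the
user -> leave-days mapping are constructed sample data.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed baseline logins: (user, ISO-8601 timestamp). Alice works days,
# Bob works an evening shift, so "after hours" means different things for them.
HISTORY = [
    ("alice", "2025-01-06T08:02:00"), ("alice", "2025-01-06T17:40:00"),
    ("alice", "2025-01-07T08:30:00"), ("alice", "2025-01-08T09:10:00"),
    ("alice", "2025-01-09T17:55:00"), ("alice", "2025-01-10T08:15:00"),
    ("bob", "2025-01-06T13:05:00"), ("bob", "2025-01-07T22:10:00"),
    ("bob", "2025-01-08T14:00:00"), ("bob", "2025-01-09T21:45:00"),
]

# Constructed logins to evaluate against the baseline
RECENT = [
    ("alice", "2025-01-15T09:12:00"),  # ordinary weekday morning
    ("alice", "2025-01-16T02:47:00"),  # 02:47 on a Thursday
    ("alice", "2025-01-18T14:05:00"),  # Saturday
    ("alice", "2025-01-20T10:30:00"),  # Monday, but Alice is on leave
    ("bob", "2025-01-16T22:40:00"),    # late, but normal for Bob's shift
]

# Constructed leave calendar: user -> dates of approved absence
ON_LEAVE = {"alice": {date(2025, 1, 20)}}


def build_baseline(history, pad_hours=1):
    """Per-user (earliest_hour, latest_hour) login window, padded by pad_hours
    so that a slightly early start is not treated as anomalous."""
    hours = defaultdict(list)
    for user, ts in history:
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {
        user: (max(0, min(h) - pad_hours), min(23, max(h) + pad_hours))
        for user, h in hours.items()
    }


def unusual_logins(recent, baseline, on_leave):
    """Return (user, timestamp, reasons) for every login that breaks the
    user's window, lands on a weekend, or occurs during approved leave."""
    findings = []
    for user, ts in recent:
        when = datetime.fromisoformat(ts)
        reasons = []
        if when.date() in on_leave.get(user, set()):
            reasons.append("login while on approved leave")
        if when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            reasons.append("weekend login")
        lo, hi = baseline.get(user, (0, 23))  # unknown user: no window to compare against
        if not lo <= when.hour <= hi:
            reasons.append(f"outside usual hours {lo:02d}:00-{hi:02d}:59")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in unusual_logins(RECENT, build_baseline(HISTORY), ON_LEAVE):
        print(user, ts, "; ".join(reasons))
```

Bob's 22:40 login is not reported because it sits inside his own 12:00 to 23:59 window; the same timestamp for Alice would be. In practice the baseline should be rebuilt regularly from a rolling window so that a legitimate shift change does not generate alerts indefinitely.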

Disgruntled behavior

Actions associated with disgruntled employees can indicate either an active malicious insider or a potential one. Indicators include drastic changes in personality, arriving late and leaving early, initiating conflicts with managers and coworkers, exhibiting a decline in work performance and quality, and unexplained absences. 

Additional characteristics of a disgruntled employee are discussing resignation and potential new opportunities, displaying resentment, disappointment, or dissatisfaction toward management, coworkers, or the organization at large, and engineering situations to compromise managers or coworkers.

Policy violations

Active or potential malicious insiders attempt to circumvent or violate security controls and organizational policies. This includes disabling or attempting to evade security measures such as firewalls, antivirus software, or encryption to gain unauthorized access. Other indicators are installing unapproved software or applications on company devices and sending confidential information through personal email accounts or to unauthorized recipients.

Preventing insider threats

Insider threat prevention strategies

A number of strategies can be used to monitor and identify insider threat indicators. Following are several commonly used strategies.

Insider threat awareness and training

Conduct cybersecurity awareness training with a focus on insider threats regularly. Proven tactics for awareness and training include:

  • Presenting training sessions that cover the basics of recognizing and preventing insider threats
  • Running phishing simulation exercises to educate employees on recognizing and responding to phishing attempts, which are widely used to compromise insiders
  • Conducting regular reviews of security policies, especially those related to insider threats
  • Organizing interactive workshops where employees can see and engage in real-world insider threat scenarios

Security policies

Implementing robust data and network security measures is essential to any strong security posture and preventing insider threats. These should include:

  • Limiting users’ access to only the data and systems necessary for their job roles, employing the principle of least privilege to minimize unnecessary access
  • Enforcing strong authentication methods, such as the use of multi-factor authentication (MFA) to verify user identities and strong passwords to prevent security breaches through endpoints
  • Requiring that sensitive data be encrypted both in transit and at rest to protect it from unauthorized access
  • Establishing rules for continuous monitoring and auditing of network and data activities to detect unusual behavior
  • Developing and implementing a comprehensive incident response plan to rapidly respond to any indicators of an insider threat
  • Enforcing strict rules for how access is granted to third-party vendors and partners and auditing their use to ensure compliance

Zero trust

Following a zero trust approach to security is a highly effective strategy for preventing and minimizing the impact of insider threats. This model operates on the principle that no user or system, whether inside or outside the network, should be trusted by default. Several of the key elements of zero trust that help with insider threats are:

  • Verifying the identity and access rights of users before granting access to any resources
  • Enforcing the principle of least privilege access
  • Reviewing and adjusting access permissions regularly to ensure they remain appropriate
  • Dividing the network into smaller, isolated microsegments to limit the spread of potential threats
  • Continuously monitoring user activities and network traffic for unusual behavior
  • Employing data encryption to protect sensitive data both in transit and at rest
  • Using automated tools to respond to detected threats
  • Conducting frequent security audits to assess the effectiveness of zero trust policies
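Least privilege (in the security policies list above) and regular review of access permissions (in the zero trust list) both come down to the same periodic check: compare what each user actually holds with what their role needs. The following is an added example, not code from the original article, of such an access review. It reports entitlements in excess of the role, privileged entitlements held outside the role, separation-of-duties conflicts (a classic fraud control, not mentioned in the text), and accounts idle past a review threshold, then orders the resulting revocations by risk. The role definitions, entitlement names, conflict pairs and user records are all constructed sample data.

```python
"""Periodic access review: least privilege and separation of duties.

Added example (not from the original article). Role entitlement sets, the
separation-of-duties pairs and the user records are constructed sample data;
a real review would pull them from the identity provider and the applications.
"""

# Constructed role definitions: what each job function actually needs
ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write", "email"},
    "finance": {"ledger:read", "ledger:write", "payments:submit", "email"},
    "finance-approver": {"ledger:read", "payments:approve", "email"},
    "it-admin": {"directory:admin", "vpn:admin", "email"},
}

# Constructed separation-of-duties rules: no single person may hold both
SOD_CONFLICTS = [
    ("payments:submit", "payments:approve"),  # submit and approve own payments
    ("ledger:write", "audit:write"),          # change the books and the audit trail
]

# Entitlements that should never appear as excess, whatever the role
PRIVILEGED = {"directory:admin", "vpn:admin", "audit:write"}

# Constructed user records: role, entitlements actually granted, days since last login
USERS = {
    "alice": {"role": "sales",
              "granted": {"crm:read", "crm:write", "email", "ledger:read"}, "idle_days": 3},
    "bob": {"role": "finance",
            "granted": {"ledger:read", "ledger:write", "payments:submit",
                        "payments:approve", "email"}, "idle_days": 1},
    "carol": {"role": "sales",
              "granted": {"crm:read", "email", "directory:admin"}, "idle_days": 120},
    "dave": {"role": "finance-approver",
             "granted": {"ledger:read", "payments:approve", "email"}, "idle_days": 5},
}


def review_user(rec, role_entitlements=ROLE_ENTITLEMENTS, sod=SOD_CONFLICTS, stale_after=90):
    """Compare one user's granted entitlements with what the role requires."""
    required = role_entitlements[rec["role"]]
    granted = rec["granted"]
    excess = granted - required
    return {
        "excess": sorted(excess),
        "privileged_excess": sorted(excess & PRIVILEGED),
        "missing": sorted(required - granted),   # under-provisioning: a usability bug, not a risk
        "sod_conflicts": [pair for pair in sod if set(pair) <= granted],
        "stale": rec["idle_days"] >= stale_after,
    }


def review_access(users=USERS):
    """Run the review for every user."""
    return {user: review_user(rec) for user, rec in users.items()}


def revocation_plan(report):
    """Order revocations so privileged excess and SoD conflicts are handled first."""
    plan = []
    for user, f in report.items():
        for ent in f["privileged_excess"]:
            plan.append((0, user, ent, "privileged entitlement outside role"))
        for a, b in f["sod_conflicts"]:
            plan.append((1, user, f"{a} + {b}", "separation-of-duties conflict"))
        for ent in f["excess"]:
            if ent not in f["privileged_excess"]:
                plan.append((2, user, ent, "entitlement outside role"))
        if f["stale"]:
            plan.append((3, user, "*", "account idle beyond review threshold"))
    return sorted(plan)


if __name__ == "__main__":
    for priority, user, what, why in revocation_plan(review_access()):
        print(priority, user, what, why)
```

Carol's `directory:admin` on a sales role heads the plan; Bob's ability to both submit and approve payments follows, and Bob is also listed for the plain excess entitlement that causes it. Dave, whose grants match the role exactly, produces no findings.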

Tools and technologies for monitoring and mitigating insider threats

The following are specific tools and technologies that are commonly used to identify and stop insider threats.

User and entity behavior analytics (UEBA)

UEBA tools analyze the behavior of users and entities (e.g., devices) to detect anomalies that could indicate insider threats. They use machine learning algorithms to establish baselines of normal behavior and flag deviations.

Security information and event management (SIEM)

SIEM systems aggregate and analyze log data from across the network in real-time to identify suspicious activities, correlate events, and generate alerts for potential insider threats.

Data loss prevention (DLP)

Data loss prevention tools monitor and control the movement of sensitive data within and outside the organization, which can stop malicious insiders from unauthorized exfiltration using messaging tools (e.g., email and instant messaging) or file transfer tools.
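At their core, DLP rules are content inspection applied to data leaving the organization. The following added example, not code from the original article or from any DLP product, inspects constructed outbound e-mail messages for three conditions: a recipient outside the corporate domain, a classification marking in the body, and payment card numbers validated with the Luhn checksum so that arbitrary 16-digit identifiers are not flagged. Only sensitive content that is also leaving the domain is reported, since the same content sent to a colleague is normal business. The domain `example.com`, the marking text and all messages are constructed.

```python
"""Content inspection for outbound mail, in the style of a DLP rule.

Added example (not from the original article). Each constructed message is
checked for a destination outside the organization's domain, a classification
marking in the body, and payment card numbers validated with the Luhn check
so that random 16-digit strings are not flagged. The domain name, marking
text and messages are all constructed sample data.
"""
import re

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
MARKING = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # digits with optional separators

# Constructed outbound messages: (sender, recipient, body)
OUTBOUND = [
    ("alice@example.com", "bob@example.com",
     "Q3 numbers attached. CONFIDENTIAL: internal only."),
    ("alice@example.com", "alice.home@mail.example",
     "Saving the customer export, card on file 4111 1111 1111 1111."),
    ("carol@example.com", "vendor@partner.example",
     "Ticket 1234567890123456 is closed, thanks."),
    ("dave@example.com", "dave.personal@mail.example",
     "CONFIDENTIAL roadmap draft, read before Monday."),
]


def luhn_valid(digits):
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers(text):
    """Candidate card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def inspect(messages, internal_domain=INTERNAL_DOMAIN):
    """Return (sender, recipient, reasons) for messages that carry sensitive
    content to a recipient outside the organization."""
    findings = []
    for sender, recipient, body in messages:
        external = not recipient.lower().endswith("@" + internal_domain)
        reasons = []
        cards = card_numbers(body)
        if cards:
            reasons.append(f"{len(cards)} payment card number(s)")
        if MARKING.search(body):
            reasons.append("classification marking in body")
        # Sensitive content to a colleague is normal business; the same
        # content leaving the domain is what the rule exists to catch.
        if external and reasons:
            findings.append((sender, recipient, reasons))
    return findings


if __name__ == "__main__":
    for sender, recipient, reasons in inspect(OUTBOUND):
        print(f"{sender} -> {recipient}: {', '.join(reasons)}")
```

The ticket number in Carol's message has the right shape but fails the Luhn check and is ignored, while Alice's card number and Dave's marked draft are reported because both leave the domain. Production rules add many more detectors (national identifiers, source code, document fingerprints) but follow the same structure.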

Endpoint detection and response (EDR)

Endpoint detection and response tools monitor endpoints (e.g., computers and mobile devices) for suspicious activities indicative of malicious insiders, such as unauthorized access attempts, changes to system files (e.g., sharing or modifications), or abnormal network connections.

Network traffic analysis (NTA)

By monitoring and collecting data about network traffic, network traffic analysis tools can identify unusual patterns that may indicate insider threats. These tools use artificial intelligence (AI) and machine learning (ML) to identify patterns and detect anomalous activity, such as unusual data transfers, unauthorized communications, and other activities associated with insider threats.

File integrity monitoring (FIM)

File integrity monitoring tools help identify malicious insiders by tracking changes to files and systems to detect unauthorized modifications. They provide detailed information about when critical files were altered, accessed, or moved, as well as the user who made the changes.
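The mechanism behind file integrity monitoring is a cryptographic hash of every monitored file, recorded as a baseline and compared against a fresh snapshot. The following is an added example, not code from the original article or any FIM product: it builds a constructed directory, takes a SHA-256 baseline, makes several changes, and classifies the differences as added, removed, modified, or renamed (the same content reappearing under a new path, which is how the file-renaming indicator from earlier in the text shows up in FIM output). The directory layout, file names and contents are constructed. Attributing a change to a user, as the text describes, needs OS audit logging in addition to this hash comparison.

```python
"""File integrity monitoring by snapshot comparison.

Added example (not from the original article). It hashes every file under a
directory, then compares two snapshots to report files that were added,
removed, modified, or renamed (same content under a new path). The demo
directory, its file names and contents are constructed; attributing a change
to a user additionally needs OS audit logging, which this approach alone
does not provide.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Classify the differences between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}

    # A removed path whose digest reappears under a new path was renamed or
    # moved rather than deleted and recreated. A sensitive report renamed to
    # look harmless lands in this bucket.
    digest_of_removed = {before[p]: p for p in removed}
    renamed = sorted(
        (digest_of_removed[after[p]], p)
        for p in added
        if after[p] in digest_of_removed
    )
    renamed_old = {old for old, _ in renamed}
    renamed_new = {new for _, new in renamed}
    return {
        "added": sorted(added - renamed_new),
        "removed": sorted(removed - renamed_old),
        "modified": sorted(modified),
        "renamed": renamed,
    }


def demo():
    """Build a constructed directory, take a baseline, make changes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "reports").mkdir()
        (root / "reports" / "sales-report.xls").write_bytes(b"constructed report bytes")
        (root / "reports" / "readme.txt").write_text("constructed readme\n")
        baseline = snapshot(root)

        # Constructed changes: a hardening setting flipped, a sensitive report
        # renamed to look harmless, an unknown binary dropped, a file deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "reports" / "sales-report.xls").rename(root / "reports" / "to-do.xls")
        (root / "reports" / "helper.bin").write_bytes(b"\x00\x01\x02")
        (root / "reports" / "readme.txt").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The baseline itself must be stored where the monitored users cannot alter it (a separate host or an append-only store); a baseline kept on the same system can be rewritten along with the files it is meant to protect.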

Behavioral biometrics

Behavioral biometrics are commonly used for authentication, but they can also be used to track users’ behavior and identify unusual activity associated with malicious insiders. Examples of behavioral biometrics include typing patterns, mouse movements, and how a person handles their device (e.g., angles and strength of grip).

Threat detection platforms

Threat detection platforms combine multiple tools and techniques to provide a holistic view of insider threat risks by integrating data from various sources and applying advanced analytics.

What motivates malicious insiders?

Insider threats are motivated by various factors. Among the primary drivers of malicious insider threats are the following.

Financial gain

Insiders commonly seek to steal sensitive information, intellectual property, or money to sell to competitors or cybercriminals for financial profit.

Revenge

Disgruntled employees who feel wronged or unfairly treated or others with a grievance with an organization sometimes engage in malicious activities to harm the organization as a form of retaliation.

Ideological beliefs

In some cases, individuals motivated by political, religious, or social beliefs act against the organization to support a belief, cause, or movement they feel strongly about (e.g., Edward Snowden’s disclosure of millions of the National Security Agency’s classified documents to the media).

Coercion

Insiders may be coerced or blackmailed into conducting malicious activities against their will. This is often perpetrated by criminals who exploit an insider’s vulnerabilities.

Thrill or attention-seeking

Some insiders are driven by the desire to prove their technical skills or outsmart the organization’s security measures, seeking personal satisfaction or recognition.

External influence or recruitment

Employees are sometimes recruited and bribed by external entities, such as competitors or nation-state actors, to gather and share confidential information.

Job dissatisfaction

Employees who are unhappy with their jobs, management, or career progression have been known to engage in malicious activities out of frustration or to force change.

Opportunity

In some cases, malicious insiders are simply opportunistic, exploiting an unexpected chance to commit fraud or theft when they believe they can do so without being detected.

Personal issues

Financial difficulties, addiction, or other issues can push individuals to engage in malicious insider activities, such as collusion (i.e., with cybercriminals or malicious insiders), theft, or fraud.

What is a real-life example of an insider threat?

An informative example of an insider threat is the case of Edward Snowden, who worked for the Central Intelligence Agency (CIA) and National Security Agency (NSA) through subcontractors. The Snowden case illustrates the who, how, and why of an insider.

Snowden was motivated by anger related to his belief that the United States government’s surveillance programs were violating civil liberties and people’s privacy rights. His response was to expose these activities by stealing and leaking millions of classified documents to the media. He exploited his role as an IT contractor and SysAdmin, using legitimate credentials and accessing systems he had permission to access. From there, he was able to determine what information was available and where it was stored.

Once Snowden identified the target documents, he used technical workarounds to present himself as a trusted user, gaining unauthorized access to the systems where the documents resided. By masquerading as an authorized user, Snowden was able to evade anomaly detections. Snowden further circumvented security controls by encrypting the files he wanted to exfiltrate. Snowden also modified the log files of the systems to camouflage his breach and theft.

It is presumed that Snowden gained access to the classified documents by tricking users with higher permissions into sharing their credentials. With each subsequent escalation in privileges, Snowden was able to access more systems and files.

Avoiding complacency when it comes to insider threat indicators

For many people, it is difficult to believe that a coworker or partner would hurt an organization, but it happens every day. The stakes are high, too.

Compliance rules consider a breach a breach, whether it was intentional or unintentional. And with many data breaches resulting from unintentional insider missteps, staying vigilant about insider threat indicators is imperative.

Savvy organizations utilize the right technology and encourage team members to pay attention to particular activities and behaviors and look for possible risks. Using all available resources and staying alert to insider threat indicators is the best way to mitigate these risks.

What are the six categories of insider threats?

1. Careless workers who disobey, disregard, or evade security measures deliberately or accidentally. Threats from these insiders include using shadow IT, sharing files without security, using insecure wireless networks, failing to install software updates and patches, posting sensitive information to outside channels (e.g., social media), and sending sensitive data outside the organization (e.g., emailing or instant messaging).

2. Compromised insiders make up the majority of insider threats. These are authorized users who have had their credentials compromised. Common ways for this to happen are falling for phishing and social engineering scams, credential leaks, dictionary attacks, brute-force attacks, credential stuffing, man-in-the-middle attacks, password spraying attacks, and keyloggers.

3. Disgruntled workers can be current or former employees who are seeking to do damage to an organization for personal and financial gain, sabotage to further an agenda, or revenge. Often, these workers have access or retained access to systems, data, or applications.

4. Departing employees present a significant risk to organizations because they can take sensitive information with them when they leave. Those with elevated privileges can also establish backdoors to enable reentry for themselves or a third party after they leave.

5. Inside agents, also called moles, collaborators, or collusive threats, facilitate attacks by third parties. They provide access, often sharing their credentials. The motivations of inside agents include revenge, fraud, bribery, and blackmail.

6. Third-party insiders have authorized access to systems, data, and applications as part of their jobs. These insiders include part-time staff, contractors, vendors, service providers, partners, and even customers. Third-party insiders are often responsible for supply chain or value chain attacks.

What are the criteria for an insider threat?

To be considered an insider threat, an individual must have access to and knowledge of an organization's systems and assets that come from internal access and visibility. Insider threats are commonly thought to be employees but can also include contractors, partners, vendors, or other third parties with authorized access to an organization's network, systems, or data.

What are the consequences of an insider cybersecurity incident?

Like any cybersecurity breach, one perpetrated by an insider can result in loss of revenue, operational disruption, fines and penalties, legal actions, reputational damage, and loss of trust. Insider incidents often make these consequences worse, because an insider's understanding of the attack surface and assets from the inside lets their actions reach further than those of outside attackers. Insider threats are motivated primarily by malice and greed. They commonly seek to exfiltrate sensitive information or disrupt operations.

Date: January 2, 2025. Reading time: 17 minutes