Insider Threat Indicators: Finding the Enemy Within

Insider Threat Indicators: Finding the Enemy Within

November 26, 2019

Cynthia Gonzalez

Learn what is an insider threat, what are the indicators to detect an insider threat and what tools can provide you with protection against insider threats.

The value of sensitive data and information to organizations is higher than ever. Many organizations allocate numerous resources to their cyber defensive measures and form a security operations center (SOC) to protect themselves against cyber attacks.

While cyber attacks are a threat to companies, they are not as common and in some cases, not as dangerous, as insider threats which are also much harder to detect.

In this article, we provide you with information about insider threats, including what is an insider threat, the indicators that can help you detect insider threats and the best tools to provide protection against such threats.

In this post:

What Is an Insider Threat?

An insider threat is malicious activity aimed at organizations and carried out by people who are employed by the organization. The suspects in these scenarios, typically, employees or contractors are people with access to the organization’s network =, including databases and applications.

Types of Insider Threats
There are several ways that an individual employed by the company becomes an insider threat:

  • Malicious insider (Turncloak)—an individual who abuses their access and credentials to carry out activities with malicious intent, typically in the form of stealing information for financial and personal gain.
  • Careless insider (Pawn)—someone who unknowingly or mistakenly creates vulnerabilities and exposes the system or network to outside threats. This is the most common insider threat since it can happen to anyone without intention by clicking on a misleading link or forgetting a flash drive that contains sensitive information.
  • Compromised insider (Imposter)—an outsider who achieved insider access by posing as a user with legitimate access such as an employee, contractor or partner. This is also known as corporate espionage.

Examples of Insider Threat Indicators

Any form of irregular behavior at the system or network level that indicates suspicious activity would constitute an insider threat. There are numerous insider threat indicators and knowing how to recognize the signals and keeping track of employees is a major part of insider threat prevention. Examples include:

  • Poor performance reviews—when performance reviews of an employee suddenly start to drop, it might be a sign of a disgruntled employee. On the one hand, the lower performance could be the result of the employee losing interest in their work or loyalty to the company. On the other hand, a disgruntled employee may take offense from poor performance reviews and could attempt to “get back” at the company and abuse their access to hinder its operations.
  • Policy disagreements—employees who vocally express their disagreements with company policies may become insider threats. This typically occurs when they decide to take action to encourage the company to make the change in policies they desire.
  • Displeased employees—employees who are frequently arguing and getting into conflicts with co-workers and supervisors can “take out” their frustration in forms that may cause damage to the organization. More ways to detect disgruntled employees are declined performance, more mistakes than usual, missing deadlines and constantly arriving late to the office.
  • Financial distress—employees under duress from financial causes are constantly under pressure. They are easily exploitable by outsiders and are potentially trying to sell valuable data to outside parties in an attempt to manage their debts or steal information or belongings from other employees for extortion.
  • Suspicious financial gain—employees who start to make expensive purchases like new expensive cars that seem above what they should afford with their pay grade can be a cause for concern. They should be watched carefully to make sure they are not trading company information for a profit.
  • Odd working hours—employees who sign into the network outside of working hours at suspicious times such as the middle of the night, could be attempting to conceal malicious intent.
  • Unusual international travel—employees who suddenly start to take multiple trips to other countries and/or cities may be engaging in corporate espionage. These employees are often referred to as moles because they might be secretly employed by other organizations, industrial or governmental, to steal information from other companies.
  • Leaving the company—anyone who leaves the company is a potential risk for an insider threat. It is a good practice to look at past network activities of such individuals and ensure they have not abused their access in any form.
  • Overly enthusiastic employees—employees who are overly enthusiastic could be acting under a secret agenda and will try to prove their value to expand their access to data in an attempt to abuse it.

Insider Threat Detection Solutions

This form of threat is more elusive and harder to detect and prevent than traditional outsider threats. An unauthorized party who tries to gain access to the company’s network maymight raise many flags. However, a former employee who sells the same information the attacker tried to access will raise none. This is why many insider threats are not detected before they carry out their malicious intent.

The most common insider threats are not motivated by malicious intent and the damage they cause is unintentional. To deal with these kinds of threats, certain security solutions and policies have to be applied. For example, increasing visibility into user access and activities is a good practice for detecting and defending against insider threats.

Using UEBA to Detect Insider Threat Indicators
User and entity behavior analytics (UEBA) tracks, collects and analyzes data gathered from computer and user activities. UEBA uses several techniques to distinguish between normal and suspicious behaviors.

To enable them to perform this task, UEBA solutions require a learning period. After UEBA learns the normal patterns of behavior, it can flag suspicious activities that do not fit these guidelines. UEBA solutions can detect suspicious activities that might indicate insider threats, such as irregular online behavior, unusual access activities, credential abuse and large uploads or downloads of data.

The most critical function of UEBA is the ability to detect suspicious activities that might be the result of malicious intent and flag the individuals who perform them as insider threats before they can cause significant damage.

Using SOAR to Detect Insider Threat Indicators
Security orchestration, automation, and response (SOAR) tools are cybersecurity solutions designed to allow organizations to collect data and alerts on security threats generated by multiple sources.

Many organizations use SOAR solutions within their security operations center (SOC) to augment other security tools like security information and event management (SIEM). A SOC can use the automated functions of SOAR to deal with threats more quickly and efficiently in addition to reducing staff workloads and standardizing security incident response processes.

SOAR assists the SOC analysts in decision-making and groups all the information together. SOAR can detect suspicious activities such as multiple users created in your system and let the analysts in the SOC decide how to act against these users. Additionally, SOAR provides SOC analysts with playbooks they can use to run automated workflows and performs various actions to contain and mitigate threats. These capabilities reduce the potential to cause critical damage.


Protecting your business against insider threats is as important as traditional cybersecurity practices that focus on external threats. However, insider threats are often much harder to detect than threats from outside the organization that cannot be blocked by antivirus and firewalls. By looking for insider threat indicators, you can stay ahead, and respond to one of the biggest threats facing your organization.

In terms of threat solutions, Exabeam offers security tools, such as SOAR and UEBA, which can recognize suspicious employee behavior that might indicate malicious intent. Read more about Exabeam’s solutions to see how you can develop a better security strategy and protect your environments and systems from a range of internal and external threats.

Want to learn more about Insider Threats?
Have a look at these articles:

Recent UEBA Articles

Insider Threat Examples: 3 Famous Cases and 4 Preventive Measures

Read More

An Outcome-based Approach to Use Cases: Solving for Lateral Movement

Read More

What Is an Insider Threat? Understand the Problem and Discover 4 Defensive Strategies

Read More

Using Advanced Analytics to Detect and Stop Threats [White Paper]

Read More

Understanding Insider Threat Detection Tools

Read More

Recent Information Security Articles

7 Detection Tips for the Log4j2 Vulnerability

Read More

Exabeam/KPMG Joint Special Session After Report

Read More

New CISO? 5 Things to Achieve In Your First 90 Days

Read More

5 Security Questions to Consider this Holiday Season

Read More

Our Customers Have Spoken: Exabeam named a 2021 Gartner Peer Insights™ Customers’ Choice for SIEM

Read More