What Is an Insider Threat? Understand the Problem and Discover 4 Defensive Strategies

What is an insider threat?

An insider threat is a malicious activity against an organization that comes from users with legitimate access to an organization’s network, applications or databases. These users can be current employees, former employees, or third parties like partners, contractors, or temporary workers with access to the organization’s physical or digital assets. They can even come in the form of compromised service accounts. While the term is most commonly used to describe illicit or malicious activity, it can also refer to users who unintentionally cause harm to the business.

Why do insiders go bad? The motivation for malicious insiders vary — most often, compromises and data exfiltrations are financially motivated. However, incidents can also result from espionage, retaliation or grudge towards the employee, or just carelessness in poor security hygiene, or an unlocked or stolen access. Insider threats are more common in some industries — such as healthcare, the financial sector and government institutions — but they can compromise the information security of any company.

Recommended Reading: Security Big Data Analytics: Past, Present and Future.

Types of insider threats

Malicious Insider

An employee or contractor who knowingly looks to steal information or disrupt operations. This may be an opportunist looking for ways to steal information that they can sell or which can help them in their career, or a disgruntled employee looking for ways to hurt an organization, punish or embarrass their employer. An example of a malicious insider are the various Apple engineers who were charged with data theft for stealing driverless car secrets for a China-based company.

Negligent Insider

An employee who does not follow proper IT procedures. For example, someone who leaves their computer without logging out, or an administrator who did not change a default password or failed to apply a security patch. An example of a negligent insider is the data analyst who, without authorization, took home a hard drive with personal data from 26.5 million U.S. military veterans, that was stolen in a home burglary.

Compromised Insider

A common example is an employee whose computer has been infected with malware. This typically happens via phishing scams or by clicking on links that cause malware downloads. Compromised insider machines can be used as a “home base” for cybercriminals, from which they can scan file shares, escalate privileges, infect other systems, and more. As is the case of the recent Twitter breach where attackers used a phone spear phishing attack to gain access to employee credentials and their internal network. The attackers managed to gain information about Twitter’s processes and target employees with access to account support tools to hack high-profile accounts and spread a cryptocurrency scam that earned $120,000.

Tips from the expert

Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

In my experience, here are tips that can help you effectively manage and mitigate insider threats:

Integrate threat intelligence with SIEM
Enrich your SIEM with real-time threat intelligence feeds. This allows you to correlate insider activities, such as abnormal file access or data transfers, with known malicious patterns, helping to identify insider threats quicker.

Implement fine-grained access controls
Enforce the principle of least privilege by restricting access based on roles and responsibilities. Use automated tools to adjust permissions as employees switch roles or leave, ensuring access is never more than what’s necessary.

Monitor abnormal user behavior with UEBA
User and Entity Behavior Analytics (UEBA) can detect deviations from baseline behavior, such as unusual login times or accessing unauthorized resources. This is critical for detecting subtle insider threats before they escalate.

Leverage data loss prevention (DLP) for sensitive data
Deploy DLP tools to track and restrict the movement of sensitive data across your network, especially to external devices like USBs. This can prevent unauthorized exfiltration of intellectual property by malicious insiders.

Use multifactor authentication (MFA) on high-risk accounts
Secure sensitive systems and privileged accounts with MFA. This adds a layer of protection against compromised insiders whose credentials have been stolen or phished.

Conduct regular phishing simulations
Train employees to recognize phishing attempts through simulated phishing attacks. Regular simulations and follow-up training reduce the risk of employees being compromised by phishing, one of the most common insider threat vectors.

Insider Threats Take the Lead: Why Organizations Are Falling Behind

According to the report from Exabeam, From Human to Hybrid: How AI and the Analytics Gap Are Fueling Insider Risk, insider risks have now surpassed external threats as the leading concern for security teams. In our survey, 64% of cybersecurity professionals identified malicious or compromised insiders as a greater danger than outside attackers, compared to 36% who pointed to external actors. 

Within that 64%, 42% saw malicious insiders as the primary concern, and 22% cited compromised insiders. Over half (53%) reported insider incidents had increased in the past year, and 54% expect them to rise further in the next 12 months.

Detection capabilities remain underdeveloped. Only 44% of organizations are using user and entity behavior analytics (UEBA), which are critical for detecting abnormal activity. Although 88% say they have an insider threat program, many are informal, underfunded, or lack visibility across systems. Leadership alignment is also a gap: 74% of security professionals believe executives underestimate insider risk.

Generative AI is accelerating the problem. 76% of organizations have seen unauthorized use of GenAI tools by employees. AI-enhanced phishing and social engineering (27%) and unauthorized GenAI usage (22%) rank among the top insider threat vectors, alongside privilege misuse (18%). 

Security leaders acknowledge the need for better behavioral insight, but face technical and organizational roadblocks. Privacy resistance (20%), lack of visibility (16%), and fragmented tools (10%) create blind spots in detection efforts.

Learn more by downloading Exabeam’s research report “From Human to Hybrid: How AI and the Analytics Gap Are Fueling Insider Risk.”

How to find insider threats

Organizations can spot or predict insider threats by observing user behavior in the workplace and online. Being proactive may allow organizations to catch potentially malicious insiders before they exfiltrate proprietary information or disrupt operations.

What behaviors can your organization use to identify insider threats?

Employee or contractor behavioral traits, and organizational events, that should be heeded to reduce the risk of insider threats.

What suspicious security events can indicate a possible insider threat? 

Behaviors that suggest malicious or compromised insiders.

Examples of Insider Threats 

Yahoo

In May 2022, Yahoo was hit by an insider threat attack. Qian Sang, a research scientist at the company, received a job offer from a competitor called The Trade Desk. Minutes later, Sang downloaded about 570,000 pages of Yahoo’s intellectual property to his personal devices, including information about Yahoo’s AdLearn product. 

It took Yahoo several weeks to realize that Sang had stolen company data, including a competitive analysis of The Trade Desk. Yahoo sent Sang a cease-and-desist letter and brought three charges against him, including intellectual property data theft, claiming that Sang’s actions divested Yahoo’s exclusive control of its trade secrets.

Microsoft 

In 2022, Microsoft experienced a data leak due to employee negligence. Cyber security firm spiderSilk discovered the leak – several Microsoft employees exposed their login credentials to the company’s GitHub infrastructure. This information could allow access to Azure servers and possibly other internal Microsoft systems. 

Microsoft refused to divulge which systems these credentials protected. An internal investigation determined no one attempted to access the sensitive data, and the company took action to prevent this from occurring again. However, if this mistake exposed EU customer information, Microsoft could have faced a GDPR fine of as much as €20 million.

Proofpoint 

What happened to Proofpoint proves that no one is immune to cyberattacks, including cybersecurity firms. In July 2021, Samuel Boone, an ex-employee, stole Proofpoint’s confidential sales enablement data right before starting working at Abnormal Security, a competitor. 

Unfortunately, Proofpoint’s data loss prevention (DLP) solution could not prevent the employee from downloading high-value documents to a USB drive. It took Proofpoint several months to discover that Boone had taken these files. By that time, Boone could have achieved significant headway in sales at Abnormal Security. Proofpoint sued Boone in federal court for unlawfully sharing battlecards that could give him and his new employer an unfair advantage.

Twitter 

In July 2020, hackers compromised several high-profile Twitter accounts by launching a phone-based spearphishing campaign targeting Twitter employees. The campaign lured them in through a Bitcoin scam. 

The attackers started by looking for information about internal processes and systems. Once they found the right employees to target, the attackers accessed account support tools that enabled them to break into 130 Twitter accounts. 

This scam had a relatively minor financial impact on Twitter, and the victims received their money back. However, this incident exposed Twitter’s significant role in the information market and the company’s vulnerability to attacks.

Four ways to prepare against insider threats

There are many things an organization can do to combat insider threats. Here are the four main areas to focus on.

1. Train your employees

Conduct regular anti-phishing training. The most effective technique is for the organization to send phishing emails to its users and focus training on those users who do not recognize the email as a phishing attempt. This will help reduce the number of employees and contractors who may become compromised insiders.

Organizations should also train employees to spot risky behavior among their peers and report it to HR or IT security. An anonymous tip about a disgruntled employee may head off a malicious insider threat.

2. Coordinate IT security and HR

There is no shortage of stories about IT security teams that were blindsided by layoffs. Coordination between the CISO and the head of HR can help prepare IT security. Simply putting affected employees on a watchlist and monitoring their behavior can thwart many threats. Likewise, HR may advise IT security about certain employees that were passed over for a promotion or not given a raise. Tuning data loss prevention (DLP) tools with active thought and input from HR may also give an early warning sign of both self-harm and disgruntlement in terms of the establishment.

3. Build a threat hunting team

Many companies have dedicated threat hunting teams. Rather than reacting to incidents after they are discovered, threat hunting takes a proactive approach. Dedicated individuals on the IT security team look for telltale signs, such as those listed above, to heed off theft or disruption before it occurs.

4. Employ user behavioral analytics

User Behavior Analytics (UBA), also known as User and Entity Behavior Analytics (UEBA), is the tracking, collecting, and analyzing of user and machine data to detect threats within an organization. Using various analytical techniques, UEBA delineates anomalous from normal behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. UEBA can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, UEBA can often spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.

Understanding the insider threat kill chain

If you want to understand insider threats in more detail, in this section we explain how insider threats grow and evolve – attacker motivations, methods of compromise, and how insider threats use privilege escalation to do more damage.

Insider threat motivations

More often than not, the ultimate goal of an insider threat is financial gain. Whether this is a malicious insider who has accepted cash for trade secrets, a negligent user who sends a wire-transfer to a fraudulent bank account after receiving a spoofed email from an “executive,” or a compromised insider whose credentials are stolen and used by attackers to exfiltrate and sell personally identifiable information (PII) of their patients. But there are many motivators for insider threats: sabotage, fraud, espionage, reputation damage or professional gain. Insider threats are not limited to exfiltrating or stealing information, any action taken by an “insider” that could negatively impact an organization falls into the insider threat category.

Insider threats are caused by malicious, negligent, and compromised individuals whose motivations are quite different.

How are employees compromised

There are several means by which an employee can become a compromised insider:

• Phishing – a cybercrime in which a target individual is contacted via email or text message by someone posing as a legitimate institution in order to lure the individual into providing sensitive data, such as personally identifiable information (PII), banking and credit card details, and passwords. Some phishing schemes may also try to entice a target to click on a link that triggers a malware download.
• Malware infection – a cybercrime when a machine is infected with malicious software – malware – infiltrates your computer. The goal of the malware in the case of a compromised insider is to steal sensitive information or user credentials. A Malware infection can be initiated by clicking on a link, downloading a file, or plugging in an infected USB, among other ways.
• Credential theft – a cybercrime aimed at stealing the username and password – the credentials – of a targeted individual. Credential theft can be done in a variety of ways. Phishing and malware infection, mentioned above, are common. Some criminals may engage in social engineering, which is the use of deception to manipulate individuals into divulging their credentials. A bogus call from the IT helpdesk, where the user is asked by the attacker to confirm their username and password, is a common technique.
• Pass-the-hash – a more advanced form of credential theft where the hashed – encrypted or digested – authentication credential is intercepted from one computer and used to gain access to other computers on the network. A pass-the-hash attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plain text password, especially during RDP sessions.

Insider threats and privilege escalation

Insiders can carry out their plans via abuse of access rights. The attacker may try what is known as privilege escalation, which is taking advantage of system or application flaws to gain access to resources they do not have permission to access.

In some cases, abuse of access rights takes the form of someone with privileged access abusing their power. In a historic case from 2008, a system administrator working for the San Francisco city government blocked access to the city’s network and refused to surrender the admin passwords. The worker was disgruntled, and his job was in jeopardy, it was revealed.

These complex threats cannot be detected with traditional correlation rules because they are unknown threats. Instead, a security analyst would need to understand the user’s normal activity to be able to identify abnormal and potentially malicious activity.