How to Detect an Insider Threat

Most threat intelligence tools focus on the analysis of network, computer and application data while giving scant attention to the actions of authorized persons who could misuse their privileged access.

Compromised account

Infected host

Account misuse

Data staging

Low and slow attack

Unauthorized print job

Fileless malware

Zero-day attack

For secure cyber defense against an insider threat, you have to keep an eye on anomalous behavioral and digital activity.

Behavioral Indicators

There are a few different indicators of an insider threat that should be looked out for, including:

  • A dissatisfied or disgruntled employee, contractor, vendor or partner.
  • Attempts to circumvent security.
  • Regularly working off-hours.
  • Displays resentment toward co-workers.
  • Routine violation of organizational policies.
  • Contemplating resignation or discussing new opportunities.

Digital Indicators

  • Signing into enterprise applications and networks at unusual times. For instance, an employee who, without prompting, signs into the network at 3am may be cause for concern.
  • Surge in volume of network traffic. If someone is trying to copy large quantities of data across the network, you will see unusual spikes in network traffic.
  • Accessing resources that they usually don’t or that they are not permitted to.
  • Accessing data that is not relevant for their job function.
  • Repeated requests for access to system resources not relevant for their job function.
  • Using unauthorized devices such as USB drives.
  • Network crawling and deliberate search for sensitive information.
  • Emailing sensitive information outside the organization.

Up next:

How to Protect Against Insider Attacks