Insider Threat: One pattern, four scenarios, thirteen countermeasures

Published: Oct 23, 2017
Author: John Grim

As many of you know, we released our sophomore publication of the Data Breach Digest in February 2017. Building on the success of the 2016 report, we wanted to go beyond the investigator perspective on data breaches—so, for the 2017 Data Breach Digest, we provided a stakeholder perspective. After all, data breaches are complex affairs, requiring various stakeholders with specific roles, responsibilities and authorities to tackle the response effort.

In our most recent update to the 2017 Data Breach Digest—“The Insider Threat: Protecting the Keys to the Kingdom”—we focus on stakeholder involvement, including human resources, legal counsel, corporate communications, law enforcement, as well as internal and external digital forensics investigators. Over the years, we've found these to be the typical stakeholders involved in insider-threat-related cybersecurity incidents.

Although insider threat cases may not be typically the largest or even the most technical of data breaches, they are complex in and of themselves. This complexity stems from insider threat actors operating from a position of privilege and trust. Their objectives are to steal or compromise data, corrupt or destroy data, disrupt business operations, or cause embarrassment to an organization. Their motivations include financial gain, espionage, grudges, ideology, fun and convenience. Moreover, given their position within an organization, they can be very difficult to detect—and when discovered, the investigation can be a delicate matter.

Insider threat scenarios

As presented in "The Insider Threat: Protecting the Keys to the Kingdom," threat action varieties most attributable to human factors include Social (human assets are compromised), Misuse (insiders are threat actors), and Error (people making mistakes).

According to our incident and breach corpus, over the previous three years (2014 – 2016), 60% of all data breaches involved one or more of these three human elements. While most, if not all, of the scenarios in the Data Breach Digest involve some form of the Human Element, four scenarios over the previous two editions focus primarily on the insider threat.

  • Disgruntled Employee—the Absolute Zero. An employee resented his organization's restructuring. The employee collected confidential files for his new job. He got caught. The investigation confirmed this and found he had left his employer with "mass delete" commands set to kick off long after he was gone.
  • USB Infection—the Hot Tamale. A contracting company announced unilateral pay cuts for its employees. A mysterious outsider offered a janitor "bonus pay" if he’d plug a USB flash drive into various systems. The janitor did, malware was introduced, an investigation occurred, and the janitor received a 100% pay cut.
  • Insider Threat—the Rotten Apple. A middle manager was aware of company buyout details exceeding his level of authorization. How did he know these details? Turns out, he had socially engineered his system administrator buddy for credentials, accessed the CEO’s email account, and helped himself to all kinds of sensitive company details.
  • Rogue Connection—the Imperfect Stranger. A company’s customers complained about not being able to access their web accounts. An investigation initially found the organization’s IP address space blocked due to malicious C2 server activity. It turned out the Bring Your Own Devices (BYOD) network segment was infected by malware from a remote employee’s laptop.

Historically, our data corpus tells us that breach discovery lags behind the initial compromise, sometimes by days, weeks, or even longer. For the Insider and Privilege Misuse incident pattern, breach discovery is more likely to take months or even years to detect. This breach discovery lag is attributable to the difficulty in detecting the insider threat, especially those with privileged accounts who are conducting their nefarious activities stealthily.

Disgruntled employees, such as the one presented in the Absolute Zero scenario, are some of the most difficult threat actors against which to defend. Employees hiding their true feelings or acting secretly, as in the Hot Tamale and Rotten Apple scenarios, are sometimes even harder to counter due to the difficulty in detecting their malicious behavior. Finally, as shown in the Imperfect Stranger scenario, there are those employees who inadvertently—due to their actions—compromise or destroy data, or disrupt business operations.

Leveraging lessons about insider threats

Using the lessons learned from these four scenarios—combined with our experience in investigating countless other data breaches over the years—we formulated thirteen insider threat countermeasures. We clustered these countermeasures into three groupings: detection and validation, response and investigation, and prevention and mitigation. Read the entire "Insider Threat: Protecting the Keys to the Kingdom" report for full details.

Detection and validation

  1. Report suspicious insider activity—train and sensitize employees to recognize the signs of suspicious behavior, and report it.
  2. Log and monitor user accounts—use a Security Incident and Event Monitoring (SIEM) solution, or a User Behavior Analytics (UBA) solution to monitor, detect, and log suspicious account activities.
  3. Inventory and monitor sensitive data—track your assets and know where sensitive data is. Monitor systems for data loss.

Response and investigation

  1. Activate the insider threat playbook—notify key stakeholders, determine evidence sources, and identify witnesses and subjects.
  2. Assemble the incident response team—work closely with HR, legal counsel, and a digital forensics firm.
  3. Collect and preserve evidence—leverage established evidence handling tools, procedures, and documentation.
  4. Contain and eradicate the threat—conduct activities such as blocking traffic, rebuilding systems, disabling accounts, and removing malware.
  5. Conduct personnel interviews—interview witnesses and suspects to determine the nature of suspicious activity; involve HR and legal counsel.

Prevention and mitigation

  1. Start a personnel security program—vet employees through background checks and screening interviews; enforce least privilege, duty separation, and duty rotation for sensitive jobs.
  2. Deter insider threat activities—implement effective security policies and procedures. Provide ongoing training to remind employees of these.
  3. Maintain physical security—limit access to physical facilities and sensitive areas. Use security cameras, employee badges, and audit trails.
  4. Harden the digital environment—restrict access to sensitive systems. Encrypt network traffic and digital media. Remove unneeded apps and patch necessary apps.
  5. Prepare for organization changes—brace for negative impact, maintain a strict "need-to-know", and establish termination protocols.

Using these countermeasures can help to keep your organization out of the headlines, and save you from sending out data breach notifications to customers, employees, and regulators. In the unfortunate event you do get that call, remember the Verizon Threat Research Advisory Center (VTRAC) Investigative Response Team is here to help you respond to and investigate these situations.

Data Breach Reporting Resources

Insider Threat: Protecting the Keys to the Kingdom

Download the "Insider Threat: Protecting the Keys to the Kingdom," an update to the 2016 and 2017 Data Breach Digests:


2017 Data Breach Investigations Report

Get the 2017 DBIR, our foremost publication on cybersecurity, and one of the industry’s most respected sources of information:

2017 Data Breach Digest

Read the 2017 DBD for the story of Verizon’s most intriguing cybercrime investigations:

Vocabulary for Event Recording and Incident Sharing (VERIS) Resources

Check out the VERIS Community Database, as well as these other VERIS-related resources:


VERIS Framework:

VERIS Schema:

VERIS Community Database:

John Grim, the primary author of the Verizon Data Breach Digest, has over fifteen (15) years of experience in conducting digital forensic investigations within the government and civilian security sectors. Currently, John serves as a part of the Verizon Threat Research Advisory Center (VTRAC) and leads a team of highly skilled technical digital investigators. In this capacity, John responds to cybersecurity incidents, conducts on-site data breach containment and eradication activities, performs digital forensic examinations, leads pro-active data breach response preparedness training and tabletop exercises, and conducts e-discovery and litigation support for customers around the world.