T1078

Insider Threat

How to distinguish compromised insiders from malicious insiders, what UEBA detects, and the data leakage patterns analysts look for in logs and endpoint telemetry.

What Insider Threats Are and the Two Categories

An insider threat is a security risk originating from within the organization — someone with legitimate access who uses that access to harm the organization, intentionally or otherwise. MITRE ATT&CK maps the use of valid accounts for unauthorized purposes to T1078 (Valid Accounts), and insider threat investigations often involve this technique plus T1530 (Data from Cloud Storage), T1048 (Exfiltration Over Alternative Protocol), and T1052 (Exfiltration Over Physical Medium).

Dismissing insider threats as “just a people problem, not a security problem” is a mistake — insider incidents are among the most damaging and hardest to detect because every action is authorized until it is not.

Compromised Insider

The compromised insider is the more common type: an external attacker has stolen the user's credentials or taken over their device and is operating with the user's legitimate access. The user may not even know they are being used.

Indicators:

  • Account used from unusual location. Login from an IP in a different country than the user’s known location — especially if the user’s device is still showing activity on the internal network.
  • After-hours access. Logins and data access at times the user does not normally work.
  • New device enrollment. New MFA device, new browser fingerprint, new device profile enrolled to the user’s account.
  • Password changes initiated by attacker. If the attacker has access, they may change the password to lock out the legitimate user.
  • Impossible travel. Login from New York and a second login from London within 30 minutes — physically impossible. The first login may have been the attacker logging in from a VPN node.
  • Phishing preceding the anomaly. The compromised user had a phishing alert or reported a suspicious email in the preceding days.

Detection approach: Baseline the user’s normal behavior — typical login times, typical source IPs (HQ, home VPN, etc.), typical file access patterns. Deviations trigger alerts.
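The impossible-travel and unusual-location indicators above reduce to one computation: how fast would the user have had to move between two consecutive sign-ins? The following is an added Python example, not code from the original article or from any vendor product. It groups sign-ins per user, computes the great-circle distance between consecutive ones, and flags pairs whose implied speed is not physically possible. The sign-ins, TEST-NET addresses, coordinates, the 1,000 km/h ceiling, the 50 km jitter floor and the corporate VPN egress list are all constructed assumptions; a real deployment would feed it GeoIP-enriched 4624, VPN or cloud sign-in events.

```python
"""Impossible-travel detection over sign-in records.

Added example for this page; not code from the original article or from any
vendor product. Each sign-in carries the coarse geolocation a GeoIP lookup
would attach to its source IP. Consecutive sign-ins by the same user are
compared and flagged when the implied ground speed could not be real. The
sign-ins, IPs and coordinates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # about airliner cruise speed; an assumption to tune
MIN_DISTANCE_KM = 50.0       # ignore GeoIP jitter inside one metro area (assumption)

# Corporate VPN egress addresses (constructed, TEST-NET range). A user whose
# hop appears at the VPN concentrator's location has not "travelled" there.
CORPORATE_VPN_EGRESS = {"203.0.113.10"}


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    src_ip: str
    lat: float
    lon: float
    place: str


@dataclass(frozen=True)
class Finding:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH,
                             vpn_egress=CORPORATE_VPN_EGRESS):
    """Return a Finding for each consecutive same-user pair faster than max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.when):
        if s.src_ip in vpn_egress:
            continue  # geolocates to the concentrator, not to the user
        by_user.setdefault(s.user, []).append(s)

    findings = []
    for user, events in by_user.items():
        for a, b in zip(events, events[1:]):
            distance = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if distance < MIN_DISTANCE_KM:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            # Two distant locations at the same instant is the extreme case:
            # treat zero elapsed time as infinite speed instead of dividing by it.
            speed = float("inf") if hours == 0 else distance / hours
            if speed > max_kmh:
                findings.append(Finding(user, a, b, round(distance, 1), round(speed, 1)))
    return findings


def _utc(hour, minute):
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice is the New York -> London pair from the indicator
# list; bob commutes within the Northeast; carol changes IP inside London;
# dave's first hop is the corporate VPN egress and is excluded.
SAMPLE_SIGNINS = [
    SignIn("alice", _utc(9, 0), "198.51.100.23", 40.7128, -74.0060, "New York"),
    SignIn("alice", _utc(9, 25), "198.51.100.77", 51.5074, -0.1278, "London"),
    SignIn("bob", _utc(9, 0), "198.51.100.40", 40.7128, -74.0060, "New York"),
    SignIn("bob", _utc(13, 0), "198.51.100.41", 42.3601, -71.0589, "Boston"),
    SignIn("carol", _utc(8, 0), "198.51.100.50", 51.5074, -0.1278, "London"),
    SignIn("carol", _utc(8, 5), "198.51.100.51", 51.5200, -0.1000, "London"),
    SignIn("dave", _utc(9, 0), "203.0.113.10", 32.7767, -96.7970, "Dallas (VPN egress)"),
    SignIn("dave", _utc(9, 10), "198.51.100.60", 47.6062, -122.3321, "Seattle"),
]

if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f"{f.user}: {f.first.place} -> {f.second.place}, "
              f"{f.distance_km} km in {f.second.when - f.first.when}, {f.speed_kmh} km/h")
```

Only alice is reported: New York to London is roughly 5,570 km, and 25 minutes gives an implied speed above 13,000 km/h. The two caveats a practitioner hits in production are both handled: the corporate VPN egress is excluded so a user hopping on and off the VPN is not flagged, and a distance floor absorbs GeoIP jitter within one city. The remaining false-positive source, commercial VPNs and mobile carrier NAT, needs an allowlist of known provider ranges that this example does not include.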

Malicious Insider

The malicious insider is acting intentionally — a disgruntled employee, a departing employee taking data to a competitor, or a contractor exfiltrating data for personal gain.

Indicators:

  • Mass file access/downloads. A user downloading hundreds of documents or accessing files they have never touched before. This is the strongest single indicator.
  • USB mass storage usage. Large data transfers to USB drives (monitored by DLP on Windows and macOS).
  • Printing sensitive documents. A user printing hundreds of pages of confidential documents.
  • Email forwarding to personal address. Setting up auto-forwarding of corporate email to a personal Gmail account.
  • Data uploads to personal cloud storage. Accessing Google Drive, Dropbox, or OneDrive for personal accounts (not the corporate OneDrive).
  • Last-day activity spike. A departing employee downloading everything they can in their final days.
  • Access to data outside role. A finance person accessing source code repositories or an engineer accessing HR records.
  • HR context indicators. The user has submitted a resignation, been placed on a performance improvement plan (PIP), or had a performance incident. Physical and behavioral indicators: late-night badge access, unusual coworker interactions.

Detection approach: Role-Based Access Control (RBAC) review alerts when a user accesses data outside their job function. Data Loss Prevention (DLP) monitors for bulk file operations.


UEBA — What It Detects

User and Entity Behavior Analytics (UEBA) builds a baseline of normal behavior per user and per entity (host, service account) and alerts on deviations from it. It is one of the most effective tools for insider threat detection because it does not depend on a known-bad signature.

What UEBA Baselines

  • Login times and days of week. When does the user normally work? 9-5 weekday? Occasional weekend?
  • Login locations and devices. Which IP ranges, which VPN gateways, which devices?
  • File access patterns. Which file shares, which cloud resources, how many files per session?
  • Email patterns. Volume, recipients, attachment size, external vs. internal ratio.
  • Application usage. Which apps, how frequently, what times of day.
  • Network traffic volume. How much outbound traffic does the user’s machine generate?

What Triggers a UEBA Alert

Behavior | UEBA Score Impact | Investigation Priority
User downloads 500 files from HR share in 10 minutes | Critical spike | High: probable exfiltration
User logs in from a new IP in a different country | Medium deviation | High: possible credential compromise
User enables auto-forwarding of all email to personal address | Critical behavior | High: data exfiltration setup
User accesses share drive they have never accessed in 18 months | Medium deviation | Medium: investigate context
User VPNs in at 3 AM, downloads 10 files, leaves | Anomalous timing + anomalous volume | High: combine indicators
User prints 200 pages of confidential documents | Critical behavior | High: physical exfiltration
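The table's last-but-one row is the important one: 10 files and a 3 AM logon are each weak on their own, and it is the combination that earns High priority. The following is an added Python example, not code from the original article or from any UEBA product, showing how such a baseline and combined score can be built. It summarizes 30 days of constructed per-user daily activity into a baseline (earliest and latest logon hour, mean and standard deviation of daily file volume, shares touched), then scores a review day against it. The users, share names, volumes, and the thresholds (z-score of 3, half the day's logons off-hours, 100 files for a strong volume signal, point-to-priority mapping) are illustrative assumptions.

```python
"""UEBA-style per-user baselining and combined-indicator scoring.

Added example for this page; not code from the original article or from any
UEBA product. Thresholds and sample data are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DayActivity:
    user: str
    login_hours: tuple   # hour of day (0-23) of each logon
    files_read: int      # files read from file shares that day
    shares: frozenset    # share names touched that day


@dataclass(frozen=True)
class Baseline:
    earliest_hour: int
    latest_hour: int
    mean_files: float
    stdev_files: float
    shares: frozenset


def build_baselines(history):
    """Summarise each user's history into a Baseline."""
    per_user = defaultdict(list)
    for rec in history:
        per_user[rec.user].append(rec)
    baselines = {}
    for user, recs in per_user.items():
        hours = [h for r in recs for h in r.login_hours]
        files = [r.files_read for r in recs]
        baselines[user] = Baseline(
            earliest_hour=min(hours),
            latest_hour=max(hours),
            mean_files=mean(files),
            # Floor the deviation so a perfectly flat history does not turn
            # every small change into an infinite z-score.
            stdev_files=max(pstdev(files), 1.0),
            shares=frozenset(s for r in recs for s in r.shares),
        )
    return baselines


def score_day(rec, base):
    """Score one day against the user's baseline; returns (priority, indicators).

    A weak indicator is worth 1 point, a bulk-volume spike 2.
    1 point -> Medium, 2 -> High, 3 or more -> Critical.
    """
    indicators, points = [], 0

    z = (rec.files_read - base.mean_files) / base.stdev_files
    if z >= 3:
        indicators.append(f"file volume {rec.files_read} (z={z:.1f})")
        points += 2 if rec.files_read >= 100 else 1

    if rec.login_hours:
        off_hours = [h for h in rec.login_hours
                     if not base.earliest_hour <= h <= base.latest_hour]
        if len(off_hours) / len(rec.login_hours) >= 0.5:
            indicators.append(f"after-hours logon at {sorted(off_hours)}")
            points += 1

    new_shares = rec.shares - base.shares
    if new_shares:
        indicators.append(f"never-before-seen share(s) {sorted(new_shares)}")
        points += 1

    priority = ("Critical" if points >= 3 else "High" if points == 2
                else "Medium" if points == 1 else "None")
    return priority, indicators


def _history(user, hours, volumes, share):
    """30 constructed days; volumes cycle so the baseline has a known spread."""
    return [DayActivity(user, hours, volumes[d % len(volumes)], frozenset({share}))
            for d in range(30)]


# Constructed history and review-day records.
FINANCE, HR = r"\\fs01\finance", r"\\fs01\hr"
HISTORY = (_history("alice", (9, 13), (4, 5, 6), FINANCE)
           + _history("bob", (8, 12, 17), (40, 50, 60), FINANCE)
           + _history("carol", (9, 17), (10, 12, 14), FINANCE))
REVIEW_DAY = [
    DayActivity("alice", (3,), 10, frozenset({FINANCE})),      # 3 AM logon, 10 files
    DayActivity("bob", (10,), 500, frozenset({FINANCE, HR})),  # 500 files, new HR share
    DayActivity("carol", (10,), 12, frozenset({FINANCE})),     # ordinary day
]


def review(history=HISTORY, today=REVIEW_DAY):
    baselines = build_baselines(history)
    return {rec.user: score_day(rec, baselines[rec.user]) for rec in today}


if __name__ == "__main__":
    for user, (priority, why) in review().items():
        print(f"{user}: {priority} {why}")
```

alice scores High from two weak indicators (10 files is five standard deviations above her flat baseline, and 3 AM is outside her 9 to 13 window), bob scores Critical from a bulk spike plus a share he has never touched, and carol produces nothing. The standard-deviation floor matters: without it, any user with identical daily counts would alert on a change of one file.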

Detection Workflow — Insider Triage

Step 1: Identify the Category

Is the user compromised or malicious? Start by asking:

  • Is the user reachable? If they’re on PTO or unreachable, assume compromised account. Reset credentials immediately.
  • Does the user report unusual activity? “I got a notification about a login from a country I’ve never visited” = compromised.
  • Is there a recent phishing or compromise event associated with this user? Check the recent incident log.
  • Is there a work-related reason for this behavior? Ex: IT admin downloading 500 files to migrate a file server = legitimate. Same behavior from sales = not.

Step 2: Check Activity Baseline

Compare current activity to the user’s historical baseline:

  • Timing: Is this during their normal work hours?
  • Volume: How does today’s activity compare to the past 30 days’ average?
  • Data type: Is the accessed data consistent with their job role?
  • Destination: Are files going to a known business partner or an unknown external service?

Step 3: Correlate Log Sources

Question | Which Source to Check
Who logged in and from where? | Windows Event ID 4624 (logon), VPN logs, CloudTrail ConsoleLogin
Failed logon attempts? | Windows Event ID 4625; a surge of failures indicates password guessing or spraying, either before a takeover or launched from an already compromised host
What files were accessed? | Windows Event ID 5140 (network share accessed) and 5145 (share object access, includes the file path), 4663 (object access on folders with a SACL); CloudTrail S3 data events GetObject/PutObject, which are off by default and must be enabled
What data left the network? | Proxy logs, firewall connection logs, DLP alerts, Sysmon Event ID 3 (network connection)
What commands were run? | Windows Event ID 4688 (process creation; enable command-line auditing to see arguments), PowerShell 4103/4104 (module and script block logging)
Was email auto-forwarding set up? | Exchange admin audit log and Microsoft 365 Unified Audit Log: Set-Mailbox with ForwardingSmtpAddress or DeliverToMailboxAndForward; New-InboxRule or Set-InboxRule with ForwardTo, RedirectTo or ForwardAsAttachmentTo
Was data written to USB? | DLP alerts; Windows Event ID 4656/4663 with the Removable Storage audit subcategory enabled
Was a new scheduled task created? | Windows Event ID 4698 (scheduled task created)
Was there a change in group membership? | Windows Event ID 4732 (member added to security-enabled local group), 4728 (global group), 4756 (universal group)

SPL query — detect mass file access anomaly. Field names are those extracted by the Splunk Add-on for Windows; 5145 is used because it carries the file path that 5140 lacks. Each user's hourly distinct-file count is compared against that user's own mean and standard deviation over the search window, with an absolute floor so low-volume users do not alert on tiny changes:

index=windows sourcetype=WinEventLog:Security EventCode=5145 earliest=-30d
| bin _time span=1h
| stats dc(Relative_Target_Name) as files_touched by _time, Account_Name, Share_Name, Source_Address
| eventstats avg(files_touched) as avg_files, stdev(files_touched) as stdev_files by Account_Name
| where files_touched > (avg_files + 3*stdev_files) AND files_touched > 50
| eval severity = if(files_touched > 100, "CRITICAL - probable exfiltration", "HIGH - investigation needed")
| sort - files_touched
| table _time, Account_Name, Share_Name, Source_Address, files_touched, avg_files, severity

SPL query — detect after-hours interactive or RDP logons. The lookup user_baseline_lookup is assumed to map Account_Name to numeric work_start and work_end hours (for example 9 and 17); users with no baseline row are skipped rather than flagged, and computer accounts (names ending in $) are excluded:

index=windows sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) Account_Name!="*$" earliest=-24h
| eval hour = tonumber(strftime(_time, "%H"))
| lookup user_baseline_lookup Account_Name OUTPUT work_start, work_end
| where isnotnull(work_start) AND (hour < work_start OR hour >= work_end)
| stats values(Logon_Type) as LogonTypes, values(Workstation_Name) as Workstations, dc(hour) as hours_active, count by Account_Name
| where count > 3

SPL query — detect USB mass storage write spike. This requires the Removable Storage audit subcategory to be enabled. The access masks selected are writes only: 0x2 is WriteData/AddFile, 0x6 is WriteData|AppendData, and 0x10000000 is GENERIC_ALL; read-only access to removable media is not flagged:

index=windows sourcetype=WinEventLog:Security (EventCode=4656 OR EventCode=4663) TaskCategory="Removable Storage"
| search Access_Mask="0x2" OR Access_Mask="0x6" OR Access_Mask="0x10000000"
| bin _time span=1h
| stats count, dc(Object_Name) as distinct_files by _time, Account_Name, ComputerName
| eventstats avg(count) as avg_count, stdev(count) as stdev_count by Account_Name
| where count > (avg_count + 2*stdev_count)
| eval severity = if(distinct_files > 20, "HIGH", "MEDIUM")
| table _time, Account_Name, ComputerName, count, distinct_files, avg_count, severity

SPL query — detect mailbox forwarding and inbox-rule forwarding setup. The regex assumes the parameter layout of the Unified Audit Log (Name/Value pairs, SMTP addresses optionally prefixed with smtp:); replace yourdomain.com with the organization's accepted domains. Events that only toggle DeliverToMailboxAndForward carry no address and are kept for review:

index=o365 sourcetype=MSExchange:AdminAudit (Operation="Set-Mailbox" OR Operation="New-InboxRule" OR Operation="Set-InboxRule")
| search Parameters="*ForwardingSmtpAddress*" OR Parameters="*DeliverToMailboxAndForward*" OR Parameters="*ForwardTo*" OR Parameters="*RedirectTo*" OR Parameters="*ForwardAsAttachmentTo*"
| rex field=_raw "(?:ForwardingSmtpAddress|ForwardTo|RedirectTo|ForwardAsAttachmentTo)\W+(?:Value\W+)?(?:smtp:)?(?<forwarding_address>[^\s\",}\]]+)"
| eval forwarding_domain = lower(replace(forwarding_address, "^.*@", ""))
| where isnull(forwarding_address) OR (like(forwarding_address, "%@%") AND forwarding_domain != "yourdomain.com")
| stats values(Operation) as Operations, values(forwarding_address) as ExternalAddress, min(CreationTime) as TimeDetected by UserWhoModified, MailboxOwner

Step 4: Determine Severity

Severity | Criteria | Action
Critical | Mass data exfiltration in progress, or confirmed credential compromise with active malicious activity | Isolate the user's machine, disable the account, escalate to the IT security lead and legal
High | Bulk data downloads, unusual cloud API calls, or email auto-forwarding configured | Investigate within the hour. Interview the user. If unreachable, disable the account preemptively.
Medium | Single anomalous login from a new location, unusual after-hours access | Investigate within 24 hours. Check for other anomalies. Reset the password if the anomalous login came from an untrusted location.
Low | Minor policy violation (accessing non-sensitive resources outside role) | Document, inform the manager, review in the quarterly risk assessment

Insider Threat Response — What to Do

Immediate (within 15 minutes)

  • Determine if the user is compromised or malicious
  • If compromised: revoke tokens, force MFA re-registration, reset password, isolate machine
  • If malicious: disable account immediately, preserve logs, escalate to legal before confronting
  • Capture a forensic snapshot of the affected system (EDR triage collection or disk image, memory capture if possible) before any remediation that would alter it

Within 1 hour

  • Review the scope of accessed data — which files, which systems, how much
  • Search for post-access activity: outbound data transfers, new admin accounts, scheduled tasks
  • Check if the compromised account was used to access other systems (ServiceNow, Jira, code repos)
  • Review shared mailboxes, distribution lists, and delegated access granted by the user

Within 24 hours

  • Determine the data exposure impact — was PII, financial data, or intellectual property accessed?
  • Engage legal counsel for malicious insider cases — documentation for potential termination or prosecution
  • Interview the user (or the user’s manager) to understand context
  • Update DLP rules and UEBA baselines based on this incident
  • Document the incident timeline and lessons learned

Preventative Controls

Control | What It Prevents | Implementation
Least privilege access | Limits blast radius: the malicious insider can only reach what their role needs | RBAC, JIT (Just-In-Time) access, periodic access reviews
DLP (Data Loss Prevention) | Blocks bulk file transfers to USB, email, cloud storage | Microsoft Purview DLP, Symantec DLP, or cloud-native DLP
UEBA | Detects anomalous behavior before data leaves | Exabeam, Splunk UBA, Microsoft Sentinel UEBA
Separation of duties | Prevents single-person critical actions | Require two approvals for data access changes, financial transactions, and system admin actions
Background checks | Reduces malicious insider risk pre-hire | Pre-employment and periodic screening for high-risk roles
Offboarding automation | Removes access immediately on termination | SCIM provisioning, identity management system (Okta, Microsoft Entra ID)
User activity monitoring | Records user actions for forensic investigation | Screen recording (with consent), keystroke logging (with consent), file audit
MFA enforcement | Makes stolen credentials insufficient on their own | Require MFA for all cloud access, VPN, and admin accounts
Data classification | Labels sensitive data so DLP rules can block access by unauthorized roles | Microsoft Purview Information Protection, Boldon James
