Insider threats – Mens Rea of The Enemy Within

You already have an insider threat actor... sorry

One of the biggest threats to any organisation continues to be malicious actors who work within your teams. What drives someone to turn on their own, and what goes through their minds when caught?

Every organisation has experienced one; if you haven’t, I’m afraid to say you will. We will go into some of the things you can do to try to understand and deal with them.


Before I started working in information security, I spent nearly a decade as an investigator in law enforcement, during which time I investigated everything from shoplifting to murders.

A number of those investigations also involved people who had committed crimes against their employers; these were often computer crimes and various types of fraud. Investigating these has given me an insight into their mindset and the thought process leading them to commit the offence, as well as their actions afterwards.

Who are they?

The threat of malicious insiders is clear and has been defined as one of the major threats to an organisation for some time; much of the reasoning behind this boils down to one thing: trust.

Organisations need to trust their employees, sometimes in very sensitive areas, but even in a non-sensitive position an insider threat can do a great deal of damage (reputational damage). They have knowledge of the strengths and weaknesses of your organisation and likely know how to circumvent obvious security to achieve their objectives.

Company size can also affect the chance of it happening; people feel less “guilty” and more confident about attacking larger organisations because of insurance and because they feel far more removed from the intimacy of those they may be crossing.

So why do they do it? The simplest answer is that they are human: sometimes we do stupid things and sometimes we do malicious things, but that doesn’t really help us understand the deeper meaning.

From my experience there are three types of malicious insiders:

The Planted

I have investigated many individuals who have infiltrated companies with the pure intention of stealing from or damaging a company, usually as part of an organised crime group or possibly as a political activist. In my experience they were planted into companies to steal and then leave; these often don’t get discovered until it’s too late, and capturing them can be difficult when they have had a decent head start.

The Opportunists

An example of this is when I investigated a work experience student who created a VPN tunnel to exfiltrate some intellectual property; it wasn’t a particularly sophisticated plan, but the ones that work are often the basics. They didn’t join with the plan to steal anything but quickly realised data was left poorly protected and decided to take advantage.

The Pressured

In my experience many of these were people heavily in debt who felt they had no other options. They are generally quite poor at covering evidence, as they have had less time or desire to come up with effective plans, and they are also not usually experienced in criminality, so they make “rookie” mistakes. However, it could also include people who have been pushed into action by social or political pressure.

A simple example of this can be found below, whereby an employee of a fire service stole cash from a firefighting charity because he needed to pay his divorce legal bills. This is clearly a straightforward cash theft, but it does show that finances are enough to push trusted employees to commit crimes, even against charities.

How do I stop this happening?

A tricky one; however, some basics go a long way. For example, common information security practices such as job rotation, mandatory holiday and the principle of least privilege all help. Companies will already have ideas on whether security clearances are necessary, so I won’t go into that.

Employee support services also go a long way; they may prevent some people from making mistakes or feeling that they have no other options. Giving people alternative ways to escape their problems is a strong deterrent.

It’s also important to think about what technical alerting you can put in place. It’s not about spying on people; it’s about putting the right processes and checks in place to ensure the areas of most sensitivity are covered. I won’t go into much around data loss prevention solutions, but these are again invaluable in helping stem the risk of theft or leaks.

Finally, an overlooked aspect is fully understanding your estate; there may be privileged activities taking place which are not common knowledge in the organisation. Be sure you know what is going on and what privileges employees have.

The endgame

Predicting and detecting insider threats is obviously the preferred outcome: finding them before they cause loss or damage. However, at some point someone will slip through the net, and you need to ensure you are prepared to cut the risk of someone tampering with evidence or causing further damage remotely.

Don’t assume the police (if they are involved) will sort everything; they won’t always complete actions such as searches or device seizures as fast as the organisation wants or needs, so you need to ensure you understand what devices could be outstanding and what access routes are possible.

Finally, trust me, it is common for insider threat actors to ask work colleagues to complete actions for them, especially if the colleagues are unaware of the situation. Ensure the suspect’s resources are monitored for activity from anyone; ideally lock them down, but don’t rely just on locking the gate.

Caught in the act

From experience, not everyone goes quietly, and don’t expect them to do what they are told; many will try to cover their tracks and destroy evidence even after being arrested, and I have seen attempts even while in custody.

Speaking with the peers they worked with can help; they may have seen or noticed behaviour they dismissed but which could indicate what might be driving the malicious actor.

Build up an understanding of their network of associates at work. It sounds dramatic, but at the early stages you will likely not know how many are involved and how deep the rot runs.
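Two of the points above, monitoring a suspect’s resources for activity from anyone rather than relying on a locked account, and building up a picture of who at work is acting around them, can be turned into a simple check over audit logs. The following is an added example, not code from the original post; the usernames, share paths and event format are constructed for illustration.

```python
"""Added example: watch a suspect insider's account and resources for activity
by anyone, and summarise which colleagues touched them (not the post's code)."""
from collections import Counter

# Constructed sample audit events: (timestamp, actor, action, resource, owner).
# Usernames and resource paths are hypothetical.
SAMPLE_EVENTS = [
    ("2024-05-01T09:02:11", "jsmith", "login", "vpn", "jsmith"),
    ("2024-05-01T09:15:40", "alee", "download", "share://finance/q1", "jsmith"),
    ("2024-05-01T10:01:03", "alee", "read", "share://hr/policies", "hr"),
    ("2024-05-01T10:30:55", "jsmith", "delete", "mailbox://jsmith", "jsmith"),
    ("2024-05-01T11:12:19", "bkhan", "read", "share://finance/q1", "jsmith"),
]


def watchlist_alerts(events, suspect, locked=False):
    """Return one alert per event that involves the suspect, whether the suspect
    acted directly or someone else acted on a resource the suspect owns.
    When the account is supposed to be locked, direct activity is escalated
    because it means the lockdown failed or was bypassed."""
    alerts = []
    for ts, actor, action, resource, owner in events:
        if actor == suspect:
            severity = "critical" if locked else "high"
            reason = "locked account still active" if locked else "suspect activity"
        elif owner == suspect:
            # Locking the gate does not stop a colleague acting on the suspect's behalf.
            severity = "high"
            reason = f"third party {actor} acted on suspect's resource"
        else:
            continue  # unrelated to the suspect
        alerts.append({"time": ts, "actor": actor, "action": action,
                       "resource": resource, "severity": severity, "reason": reason})
    return alerts


def associates(events, suspect):
    """Count other users who acted on the suspect's resources: a starting point
    for the network of associates to review (innocent requests included)."""
    return Counter(actor for _, actor, _, _, owner in events
                   if owner == suspect and actor != suspect)


if __name__ == "__main__":
    for alert in watchlist_alerts(SAMPLE_EVENTS, "jsmith", locked=True):
        print(alert["severity"], alert["time"], alert["reason"])
    print("associates:", dict(associates(SAMPLE_EVENTS, "jsmith")))
```

Every user in the associates list still needs the conversation with peers described above; the log only says who touched the resources, not whether they knew why.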

Final thought

Understanding what is driving an insider can help you predict their next actions and any attempts to cover their tracks; it can also help you defend better should someone else try something similar in the future. It’s not always easy to tell what drives them and whether they had malicious intentions, especially so early on in any investigation, and you may never find out why someone acted as they did. Ask yourself questions about them: what do you know and what don’t you know? Make a list if it helps, but answering questions about their mindset and intent might just help you prevent further loss, or at least recognise some of the warning signals.

Ultimately this is a familiar issue, just as when defending against external threats: you can’t protect against everything, so you need to work out your most vulnerable areas and employees and do what you can to protect them.
