What is Insider Threat?

January 23, 2017  |  Joe Gray

As the name implies, this post should be an excellent starting point for its subject, in this case insider threat. While I make every effort to be thorough and hit every aspect, there are times that I inadvertently omit things or skip them due to scope, time, length or applicability. Email any questions you have about this or any other topic to blog@advancedpersistentsecurity.net

This post aims to inform you about insider threat from both a personal and a commercial perspective, meaning that it can be applied in both settings. Disclaimer: I am in no way, shape, or form, past or present, compensated to endorse any solutions or software mentioned throughout this blog post.


This is a time when organizations are spending more than ever before on information security solutions. Often, these solutions are effective in protecting much of an organization's assets. The one element for which there is no truly comprehensive protective solution is the human element. As social engineering evolves and grows in application and popularity, people are being exploited more frequently to enable successful attacks that would otherwise be unthinkable.

Department of Homeland Security

Insider threat, per the US Department of Homeland Security and Carnegie-Mellon University CERT (Computer Emergency Response Team), is a "current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems."

Director, National Intelligence

The Director of National Intelligence, via the National Counterintelligence and Security Center (NCSC), defines it as follows: "An insider threat arises when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States. Malicious insiders can inflict incalculable damage. They enable the enemy to plant boots behind our lines and can compromise our nation's most important endeavors."

We are seeing more attacks and incidents being associated with various forms of insider threat:

  • One theory of the Ashley Madison data breach is that an insider enabled the "Impact Team" breach or readily handed the data over.
  • With limited knowledge and insight, some believe that the Bank of Bangladesh SWIFT attacks were insider threat.
  • Seemingly without supporting information, some attribute the Yahoo data breaches to insider threat.

What is Not Insider Threat

There is a level of ambiguity in terms of what constitutes insider threat. Some entities state that all actions involving users are insider threat. I tend to disagree with this broad generalization. If I am able to crack a password or find a password on a dump site, that is NOT insider threat. Cracking a password is the result of a poorly implemented security policy that allows weak passwords. (Note: this assumes that social engineering or Open Source Intelligence (OSINT) was not used to come up with a selected password list.) Likewise, finding a password on a dump site is not insider threat, but an outcome of otherwise poor security.

While the scenario above does not entirely encompass what is not insider threat, it provides an example of the analysis and thought process used in classifying an incident as insider threat.

Insider Threat Types

I break insider threats into two types: Active (Intentional) and Passive (Unintentional). The distinction lies in the motivation of the threat: is the person willingly malicious, or merely ignorant because of the organization's poor security program? A user who intentionally poses an insider threat is different from one who poses a threat unintentionally.

Active Insider Threat (Intentional)

This is the type of threat associated with someone internally doing something deliberate that causes harm. The motivations for this could be:

  • Social
  • Financial (either poor finances or greed)
  • Anger
  • Sadness
  • Fraud
  • Theft
  • Activism/Hacktivism
  • Sabotage

The scope of the insider threat hinges upon their access, the design of the organization's computing assets, and their motivation. A disgruntled employee acting in anger or sadness may just delete files or corrupt an asset, such as a server. Fraud or theft could involve removing files and releasing them publicly, thus doxing the organization. Sabotage would see a competitor enlist someone to get a job with the organization (or "flip" an existing internal employee).

Much of the psychology behind insider threat relates to the same six principles of persuasion from Dr. Cialdini that are used in social engineering:

  1. Urgency/Scarcity
  2. Authority
  3. Social Proof
  4. Likability
  5. Reciprocity
  6. Commitment and Consistency

These are applied more frequently in passive insider threat.

Passive Insider Threat (Unintentional)

Unlike active insider threats, passive insider threat deals with users who are ill-informed or have a poor security posture. These are the people and users who fall victim to social engineering. The attacker will use the principles of persuasion to get the internal user to do one of two things: perform an action or provide information. The vector can be phishing, vishing, smishing, or pretexting. More on mitigating passive insider threat follows below.

Insider Threat: Examples

Prompted by the cases of Chelsea (Bradley) Manning and Edward Snowden, amongst others, the Department of Defense and Intelligence Community are continuously ramping up their detection and prevention capabilities.


While serving in the Army in Iraq, Manning (then Bradley) had access to classified documents as an Intelligence Specialist then leaked them to WikiLeaks, confiding in Adrian Lamo. Lamo felt that this endangered human life and, through a friend, notified Army Counterintelligence and Manning was subsequently apprehended. Many believe that Manning's motivation was based on the Army's denial of his gender reassignment surgery. This was during the “Don't Ask, Don't Tell” period.


Edward Snowden leaked NSA documents, and while the debate of insider threat versus whistleblower is controversial, the methods by which he obtained and published the documents are almost textbook insider threat.

Snowden leaked (by some estimations) 1.7 million documents from the United States NSA and its equivalents in Great Britain and Australia. As stated above, this is controversial and not the topic of this post, but reports state that Snowden abused his position's privileged access to reach the files. This is an example of improper segregation of duties and poor application of the principle of least privilege.

Insider Threat Mitigation

Mitigating insider threats is tricky. A key determining factor in protecting against insider threat is understanding the motive. Protecting against passive threat is relatively simple, since the root cause is a lapse in awareness and training. An effective employee training program geared to people at various levels (technical, non-technical, management/C-level) is a fairly inexpensive way to reduce this type of threat. The same principles used against active insider threat (discussed next) will further mitigate passive insider threat.

Protecting against active insider threat is trickier than passive. These insiders are specifically looking to inflict harm. Detection is key, beyond prevention. Training on what an insider threat is, how to identify one, and whom to report to is a double-edged sword: non-malicious users are trained, but insider threats are alerted to what their peers are looking for. User Behavior Analytics (UBA) is an up-and-coming class of solution that observes user activity and flags it against predefined criteria as implemented by the organization.
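As an added illustration of the UBA approach described above (example code written for this page, not from the original post or any product), the following flags, over constructed file-access log lines, users whose daily count of distinct files read jumps well past their own earlier baseline, or who read files off-hours. The log format, the 3x ratio and the 07:00-19:00 business window are assumptions standing in for an organization's own criteria.

```python
"""Added example, not from the original post: a minimal User Behavior
Analytics (UBA) style check over constructed file-access log lines. The
flag criteria are assumed, organization-defined ones, as the text describes."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "<ISO time> <user> <action> <path>"
SAMPLE_LOG = """\
2017-01-16T09:05:00 alice READ /share/finance/q4.xlsx
2017-01-16T10:12:00 alice READ /share/finance/q3.xlsx
2017-01-17T09:30:00 alice READ /share/finance/q4.xlsx
2017-01-17T11:02:00 alice READ /share/finance/budget.docx
2017-01-18T09:15:00 alice READ /share/finance/q4.xlsx
2017-01-18T09:16:00 alice READ /share/finance/q3.xlsx
2017-01-18T09:17:00 alice READ /share/finance/budget.docx
2017-01-18T09:18:00 alice READ /share/finance/payroll.xlsx
2017-01-18T09:19:00 alice READ /share/finance/vendors.xlsx
2017-01-18T09:20:00 alice READ /share/finance/contracts.docx
2017-01-18T09:21:00 alice READ /share/finance/forecast.xlsx
2017-01-17T23:40:00 bob READ /share/eng/design.pdf
"""

def parse_log(text):
    """Return a list of (timestamp, user, path); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[3]))
    return events

def flag_anomalies(events, ratio=3.0, start_hour=7, end_hour=19):
    """Return sorted (user, day, reason) tuples: 'bulk access' when a day's distinct
    files exceed ratio x the user's largest earlier day; 'off-hours access' otherwise."""
    per_day = defaultdict(set)  # (user, date) -> distinct paths read that day
    flags = set()
    for ts, user, path in events:
        per_day[(user, ts.date())].add(path)
        if not start_hour <= ts.hour < end_hour:
            flags.add((user, ts.date().isoformat(), "off-hours access"))
    for user in {u for u, _ in per_day}:
        days = sorted(d for u, d in per_day if u == user)
        for i, day in enumerate(days[1:], 1):  # the first day only seeds the baseline
            baseline = max(len(per_day[(user, d)]) for d in days[:i])
            if len(per_day[(user, day)]) > ratio * baseline:
                flags.add((user, day.isoformat(), "bulk access"))
    return sorted(flags)
```

On the sample log this flags alice's sweep of the finance share on 2017-01-18 and bob's late-night read on 2017-01-17; both are leads for an analyst to review, not verdicts.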

Applying sound "Cyber Hygiene" or "Security Hygiene" further reduces the possible impact of insider threat. Examples are:

  • Complex (strong) passwords
  • Principle of least privilege
  • Background checks
  • Controlled use of administrative credentials
  • Prevention of execution of software in the user space (C:\Users), including AppData, Documents, Downloads, and Desktop
  • A robust Incident Response program
  • Application whitelisting
  • Malware protection
  • File Integrity Monitoring


In conclusion, insider threat is a complex problem. While there are several ways to mitigate insider threat, the only way to eliminate it is to eliminate all people. This is unreasonable as it would also include all code written by people. The key is having a good detection and response program and ongoing training. Only then will people be empowered to report what they see in the proverbial trenches.
