Module 16: Investigating Insider Threats

3-5 hours · Manage Incident Response (25-30%)

Modules 11-14 investigated attacks by external threat actors — someone outside the organisation who stole credentials, hijacked sessions, and committed fraud. This module investigates a fundamentally different scenario: an authorised user with legitimate access who is stealing data.

Insider threat investigation is harder than external-attacker investigation in every dimension. The user has legitimate access to the data they are exfiltrating, so there is no “unauthorised access” alert to trigger on. The evidence standards are higher because the outcome may be termination or prosecution of an employee rather than containment of an anonymous attacker. HR and legal counsel must be involved from the start, not after the investigation is complete. And the investigation must be conducted confidentially: the subject cannot know they are being investigated until a decision is made.

This module teaches the complete insider threat investigation lifecycle using M365 and Defender for Endpoint telemetry.

What you will build during this module

Insider Threat Investigation Playbook. Decision tree from initial indicator (UEBA anomaly, HR referral, or DLP alert) through activity reconstruction, evidence preservation, HR/legal coordination, and outcome determination.

5 Insider Threat Detection Rules. KQL analytics rules covering: bulk file download exceeding baseline, file transfer to personal cloud storage, USB device file copy, email forwarding to personal address, and departing employee anomalous activity (watchlist-correlated).

Evidence Preservation Checklist. Steps for preserving digital evidence to employment law standards: litigation hold, eDiscovery search, chain of custody documentation, and screenshot capture.

HR/Legal Coordination Guide. When to involve HR and legal, what information to share at each stage, confidentiality requirements, and the handover process from security investigation to HR disciplinary action.

Prerequisites

Complete Modules 1 (Defender XDR), 2 (Defender for Endpoint, for device telemetry), 6 (KQL), 8 (UEBA), 10 (detections), and 11 (threat hunting). Modules 10 and 11 provide the behavioural analytics foundation this module depends on.

MITRE ATT&CK techniques covered

T1567 (Exfiltration Over Web Service), T1048 (Exfiltration Over Alternative Protocol), T1052 (Exfiltration Over Physical Medium), T1114.003 (Email Collection: Email Forwarding Rule), T1530 (Data from Cloud Storage).

Compliance mapping

NIST CSF: DE.AE-2 (Anomalous activity detected), RS.AN-1 (Investigations conducted), RS.AN-2 (Impact understood). ISO 27001: A.5.9 (Inventory of information), A.6.1 (Screening), A.6.5 (Responsibilities after termination). SOC 2: CC6.1 (Logical access controls), CC6.8 (Prevent unauthorized data removal), CC7.3 (Evaluate security events).

How this module is structured

15.1 — Insider Threat Fundamentals. How insider threats differ from external attacks, the insider threat indicator model, and the investigation constraints (confidentiality, evidence standards, HR/legal involvement).

15.2 — Incident Briefing: INC-2026-0401-005. The scenario: HR reports that a senior engineer has submitted their resignation. The engineer has access to proprietary design documents. UEBA shows anomalous file download activity over the past 2 weeks.

15.3 — Activity Reconstruction. Using CloudAppEvents, DeviceFileEvents, and DeviceNetworkEvents to build a complete timeline of the user’s data access and transfer activity.

15.4 — Identifying Exfiltration Channels. Personal cloud storage, USB devices, email forwarding, print, and screen capture. Each channel has different telemetry sources and different detection capabilities.

15.5 — Evidence Preservation. Litigation hold, eDiscovery, chain of custody, and forensic imaging considerations. Evidence standards that external-attacker investigations do not require.

15.6 — HR and Legal Coordination. The interaction model between security, HR, and legal throughout the investigation. What to share, when, and with whom.

15.7 — Containment Without Tipping Off. Reducing the insider’s access without alerting them that they are under investigation. The operational challenge unique to insider threat.

15.8 — Detection Engineering. 5 deployable KQL analytics rules for insider threat detection.

15.9 — Module Assessment. 20 scenario-based questions testing insider threat investigation decisions.
