16.1 Insider Threat Fundamentals
Every module so far investigated an external attacker — someone who bypassed authentication, stole credentials, or tricked a user into granting access. The attacker had no legitimate reason to be in the environment. Detection focused on finding anomalous access patterns.
Insider threat is different in every dimension.
Why insider threat is harder
The user has legitimate access. A senior engineer downloading design documents is normal behaviour — until they do it at 11pm the night before their resignation takes effect. There is no “unauthorised access” to detect. The detection challenge is distinguishing normal work from data theft using the same account, the same device, and the same applications.
The evidence standard is higher. An external-attacker investigation results in containment and hardening. An insider threat investigation may result in termination, civil litigation, or criminal prosecution. The evidence must be: complete (no gaps in the timeline), preserved (chain of custody maintained), and defensible (methodology can withstand legal scrutiny). A Sentinel bookmark is sufficient evidence for an AiTM containment decision. It is not sufficient evidence for a wrongful termination defence.
Confidentiality is mandatory. The subject of the investigation cannot know they are being investigated. If they discover the investigation, they may: accelerate exfiltration (grab everything they can before access is revoked), destroy evidence (delete files, clear browser history, wipe USB drives), or take legal action claiming harassment or unfair treatment. The investigation must be conducted through log analysis and monitoring — not by asking the user about their activity.
HR and legal are involved from the start. External-attacker investigations involve HR and legal after containment — for reporting and lessons learned. Insider threat investigations involve HR and legal from the initial indicator — because every action taken during the investigation has employment law implications.
The insider threat indicator model
Insider threat investigations typically start from one of three sources:
HR referral. HR reports a risk indicator: the employee submitted their resignation, is on a performance improvement plan, was passed over for promotion, or has expressed dissatisfaction. HR requests that security monitor for data exfiltration. This is the most common trigger.
DLP alert. A Data Loss Prevention policy fires: the user emailed a file containing sensitive data to a personal address, uploaded a file to a personal cloud storage service, or attempted to copy a file classified as “Confidential” to a USB device.
UEBA anomaly. User and Entity Behaviour Analytics detects a deviation from the user’s baseline: significantly higher file download volume, access to repositories they do not normally access, or activity during unusual hours.
Each trigger provides different initial evidence and different investigation starting points. The HR referral provides context (why the user might be exfiltrating) but no technical evidence. The DLP alert provides specific technical evidence (what was exfiltrated) but no context. The UEBA anomaly provides a pattern (something changed) but neither specific evidence nor context.
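As an added example that is not part of the module, the following Python checks the three UEBA deviations named above (download volume, repositories the user does not normally touch, activity at unusual hours) against a per-user baseline window. The audit records, field names and the user label "marcus" are constructed for illustration and do not reflect any real audit schema; an empty result is the "no deviation from baseline" outcome.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not real data): 30 days of steady daytime downloads from
# one site, then on day 31 a burst at 23:10 from a site never seen in the baseline.
BASE_DAY = datetime(2024, 3, 1)
EVENTS = []
for d in range(30):                      # baseline: 3 downloads a day at 10:00
    for i in range(3):
        EVENTS.append({"user": "marcus", "time": BASE_DAY + timedelta(days=d, hours=10, minutes=i),
                       "site": "sites/Engineering", "file": f"design-{d}-{i}.pdf"})
for i in range(15):                      # day 31: 15 downloads starting 23:10
    EVENTS.append({"user": "marcus", "time": BASE_DAY + timedelta(days=30, hours=23, minutes=10 + i),
                   "site": "sites/Finance-Models", "file": f"model-{i}.xlsx"})


def ueba_findings(events, user, baseline_days=30, volume_factor=5.0, work_hours=(8, 18)):
    """Compare the user's most recent day with the preceding `baseline_days`.

    Returns a list of finding strings; an empty list means no deviation from baseline.
    """
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: e["time"])
    if not mine:
        return []
    last_day = mine[-1]["time"].date()
    cutoff = last_day - timedelta(days=baseline_days)
    baseline = [e for e in mine if cutoff <= e["time"].date() < last_day]
    recent = [e for e in mine if e["time"].date() == last_day]
    findings = []
    # 1. Volume: latest day vs mean daily count over the whole window (idle days count as 0).
    per_day = Counter(e["time"].date() for e in baseline)
    mean_daily = sum(per_day.values()) / baseline_days if per_day else 0
    if mean_daily and len(recent) >= volume_factor * mean_daily:
        findings.append(f"volume: {len(recent)} downloads vs baseline mean "
                        f"{mean_daily:.1f}/day ({len(recent) / mean_daily:.1f}x)")
    # 2. Novel repositories: sites absent from the baseline window.
    novel = sorted({e["site"] for e in recent} - {e["site"] for e in baseline})
    if novel:
        findings.append(f"novel repositories: {', '.join(novel)}")
    # 3. Unusual hours: activity outside the working window when the baseline has none.
    start, end = work_hours
    off = [e for e in recent if not start <= e["time"].hour < end]
    base_off = [e for e in baseline if not start <= e["time"].hour < end]
    if off and not base_off:
        findings.append(f"off-hours: {len(off)} downloads outside {start:02d}:00-{end:02d}:00, none in baseline")
    return findings


if __name__ == "__main__":
    for finding in ueba_findings(EVENTS, "marcus"):
        print(finding)
```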
Insider threat categories
Departing employee data theft. The most common category. An employee who is leaving takes company data — client lists, product designs, source code, financial models — to use at their next employer or to start a competing business. The exfiltration typically occurs in the 2-4 weeks between resignation and last day.
Disgruntled employee sabotage. An employee who feels wronged (disciplinary action, denied promotion, pay dispute) deliberately damages systems, deletes data, or disrupts operations. Less common than data theft but higher immediate impact.
Inadvertent insider. An employee who accidentally exposes data — forwarding a sensitive email to the wrong recipient, uploading a confidential file to a public cloud folder, or losing a USB drive. Not malicious, but the data exposure is the same. The investigation determines whether the act was intentional or accidental — which determines the response (security awareness retraining vs disciplinary action).
Collaborating insider. An employee working with an external threat actor — providing credentials, disabling security controls, or installing malware. Rare but the most damaging. The investigation must identify both the insider and the external collaborator.
This module focuses on departing employee data theft — the category SOC teams encounter most frequently and the scenario in the incident briefing.
Subsection artifact: The insider threat indicator model (3 trigger types) and category taxonomy (4 types). These are the opening sections of your insider threat investigation playbook.
The insider threat investigation mindset
Investigating an insider requires a fundamentally different mindset from investigating an external attacker.
Assume innocence until the evidence says otherwise. External attacker investigations start from a confirmed malicious event (phishing email, token replay, inbox rule). Insider investigations often start from a risk indicator (resignation, competitor move) with no confirmed malicious activity. The investigation must be open to the finding that the employee is doing nothing wrong — and that finding is documented and reported with the same rigour as a finding of exfiltration.
Your role is investigator, not prosecutor. You gather evidence. You present facts. You do not determine guilt. You do not recommend punishment. You do not tell HR what to do. The distinction matters because your investigation report may be reviewed by employment lawyers, the employee’s solicitor, or an employment tribunal. If the report contains conclusions (“Marcus stole data”) rather than facts (“Marcus downloaded 67 files and transferred them to USB”), it undermines the legal process and potentially the organisation’s position.
Proportionality in every action. Every query you run, every hold you place, every access restriction you implement must be proportionate to the risk. Placing a litigation hold on an employee’s mailbox because they mentioned updating their LinkedIn is disproportionate. Placing a hold after they resigned to join a competitor and their file download volume increased 5x is proportionate. Document the proportionality reasoning for every investigation action.
The null finding is a success. If the investigation finds no evidence of exfiltration, that is a valid, valuable outcome. It means the precautionary investigation confirmed the employee is not stealing data. Report it clearly: “Analysis of [subject’s] M365 and endpoint activity over the past 30 days shows no deviation from baseline and no evidence of data transfer to personal channels. No further investigation recommended.” Close the investigation cleanly.
Check your understanding
1. How does the evidence standard for insider threat differ from external attacker investigation?
2. The user discovers they are being investigated. What are the risks?