Identifying Potential Malicious Insiders

Not all insider threats are created equal; however, all of them can do equal amounts of damage to a company or organization. I have written on this topic before in relation to the F.B.I.’s IDLE program, which was started to help companies find malicious insiders. In this post, I want to focus more on the insiders themselves: their characteristics, their motivations, and their techniques.

Basically, there are three types of problematic insiders. The first, and maybe most common, is the naïve insider who can best be exemplified by the following behavior. “Wow! This beautiful Russian woman saw my profile and wants to meet me. All I have to do is open this attachment to find out more about her.”

The second type of destructive insider is the careless insider. “Yeah, I know I’m not supposed to use public Wi-Fi to log onto my company network, but what are the chances anything bad will really happen?”

And the third type of destructive insider is the type I will focus on in this post: the malicious insider. These are employees, former employees, business partners, or contractors who have access to a corporation’s or organization’s network. Their goals may vary, but whatever they do could cause serious damage.

First of all, here are a few statistics to keep in mind. Although more than a third of breaches are linked to insiders, 70% are not reported. Depending on which source is cited, these attacks cost a company between $513,000 and $11 million a year… and these are averages. Insider breaches are the most difficult to detect because insiders are familiar with the network and understand the cybersecurity protection that is being used. According to a Ponemon study, it took companies an average of 197 days to discover an insider attack and 69 days to stop it, so it would be good if companies had some idea of which employees needed the most monitoring.

Although all types of insider attacks are damaging, the malicious insider attack has the potential to do the most harm. Often, these insiders work in IT and are, therefore, more skilled in organizing their attacks. It is not unknown, for example, for IT administrators to set up fake accounts in case they get fired, so that they can use those accounts to launch an attack against the company. Malicious insiders can have access to company secrets, plans, databases, and network user login data. They may be able to organize an attack that stays hidden longer by manipulating the cybersecurity protection installed on a network. They can even manipulate logs to show that nothing unusual is occurring.

Most malicious insiders are male. This may largely be due to the fact that most IT employees are male. However, women should not be discounted. Imagine if they were. Malicious outsiders could then use them to launch and orchestrate an attack.

Although even the most trusted employee could become a malicious insider, most of the time, malicious insiders have behavior patterns that give them away. They may already be considered problem employees for one reason or another. According to the CERT Guide to Insider Threats, they may have conflicts with other workers or management, refuse to follow rules, criticize the company or management to other employees, and have problems with anger management. Background checks may find that these potential malicious insiders have a history of arrests, conflicts with management, or misuse of travel time or travel expenses. They may even have been previously charged with or convicted of hacking. Such findings are certainly worth taking into consideration when hiring someone for the IT department.

Disgruntled insiders are normally not as interested in stealing information as in getting revenge. Disgruntled IT workers will try to sabotage the company network. They are in a position to do this because they are familiar with the network. Most often, these workers expect to be fired and construct the revenge scenario while they are still at the company. Later, after they are dismissed, they can implement their plan remotely. Being fired is not the only precipitating factor, however. Any action by the company that may not meet an employee’s expectations (such as not getting a raise or promotion) can be enough to trigger the desire for revenge.

The second type of malicious insider is more interested in intellectual property theft. Such theft is most commonly committed by scientists, engineers, programmers, and salespeople. They may try to sell the information to competitors or foreign governments or use it to begin their own businesses. If they are connected to a foreign government, they are committing the theft because that is what they have been assigned to do from the time they were hired.

Some employees simply need money. Lower level employees can make money by working with malicious outsiders to get information that the outsider can parlay into cash. Individual hackers or hacker teams may seek out cash-strapped employees. At other times, the employees themselves may have a job which puts them in a position to defraud the company. They may have access to money and simply can’t resist the chance to take it.

Here is a graph breaking down the 700 insider crimes that CERT had in its database at the time of its report.

[Figure: threat graph]


For the purposes of this post, I am more concerned with insider sabotage and intellectual property theft/espionage as this is where the most damage to a company will come from.

Insider Sabotage

Keep in mind that we are speaking of IT people who want to get revenge by disrupting the company network. To this end, some employees have simply refused to give up key passwords for certain network components, forcing the company to spend large amounts of time and effort to regain control of these components. This could force the company to shut down the network while it is being retooled. Worse, the disgruntled employee could set up kill switches that shut down these components if anyone tries to reset the passwords. It should be clear from this that companies should make sure that passwords do not fall under the control of any one individual in order to thwart such attacks.
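One way to keep a break-glass credential out of any single person's control is a threshold split: the credential is divided into n shares held by different custodians, and any k of them can reconstruct it while fewer than k learn nothing. The following is an added example (not code from the original post) implementing Shamir's scheme over a prime field; the password, the custodian count and the threshold are constructed values.

```python
"""Split a break-glass credential so that no single custodian holds it.

Added example, not from the original post. Shamir secret sharing over
the prime field GF(2**127 - 1): split_secret() hands out n shares and
recover_secret() rebuilds the secret from any k of them.
"""
import secrets

# Mersenne prime 2**127 - 1; a secret must encode to an integer below it
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    # Horner evaluation of sum(coeffs[i] * x**i) mod PRIME
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n shares (x, y); any k of them reconstruct the secret."""
    value = int.from_bytes(secret, "big")
    if not (1 <= k <= n) or value >= PRIME:
        raise ValueError("bad threshold or secret too long for the field")
    # The constant term is the secret; the other k-1 coefficients are random,
    # so a polynomial of degree k-1 is fixed only by k or more points.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0 using exactly the shares given."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A reconstruction from too few shares yields an unrelated field element
    # that may not fit in `length` bytes; widen so the mismatch is visible.
    width = max(length, (total.bit_length() + 7) // 8)
    return total.to_bytes(width, "big")


if __name__ == "__main__":
    pw = b"br34k-gl4ss-pw"  # constructed break-glass password
    shares = split_secret(pw, k=3, n=5)
    print("3 of 5 shares recover:", recover_secret(shares[:3], len(pw)) == pw)
```

Operationally the shares go to custodians in different reporting lines (for example two IT administrators, a security lead and two managers), so that a single departing administrator can neither withhold the credential nor use it alone.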

IT insiders could insert malware into the system and make it undetectable by disabling certain cybersecurity protocols. The malware could be set up to be triggered remotely and cause all sorts of damage from deleting key files, launching a ransomware attack, or covertly exfiltrating files. Often, the attacker doesn’t even need malware to access the company network because they could set up a false profile with administrative rights. The company may have deleted the disgruntled employee’s account as soon as they were fired but be totally unaware of the fake accounts. To prevent such attacks, companies need to frequently monitor all users that have administrative rights. In addition, companies need to investigate whether a particular employee can be linked to any network problems that occur. While a malicious user is setting up a revenge attack, they may inadvertently cause problems within the company network. Such temporary problems should not be discounted without some investigation. If an employee was found to be at fault, that employee should be closely monitored, especially if they have a history of poor performance or match other malicious insider indicators.
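A concrete form of the "monitor all users with administrative rights" advice is to reconcile the directory's privileged accounts against the HR roster on a schedule, so that an admin account with no active owner, or one created by someone who has since left, surfaces automatically. The code below is an added example, not from the original post; the HR roster, the directory dump and the account names are constructed, and the field layout stands in for whatever your identity provider exports.

```python
"""Reconcile privileged accounts against the HR roster.

Added example, not from the original post. HR_ROSTER stands in for the
HR system's list of people and their status, DIRECTORY for an export of
accounts from the identity provider; both are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str      # HR employee id the account is tied to ("" if none)
    is_admin: bool
    created_by: str    # username that created the account
    created_on: date


# Constructed HR roster: employee id -> (name, employment status)
HR_ROSTER = {
    "E100": ("alice", "active"),
    "E200": ("bob", "terminated"),  # dismissed; account should be gone
    "E300": ("carol", "active"),
}

# Constructed directory export
DIRECTORY = [
    Account("alice", "E100", True, "it-provisioning", date(2019, 1, 10)),
    Account("bob", "E200", True, "it-provisioning", date(2018, 6, 2)),
    Account("carol", "E300", False, "it-provisioning", date(2020, 3, 15)),
    # Admin account with no HR owner, created by bob shortly before he left
    Account("svc-backup2", "", True, "bob", date(2021, 11, 30)),
    Account("svc-monitor", "", False, "it-provisioning", date(2017, 5, 5)),
]


def find_suspect_admin_accounts(directory, hr_roster):
    """Return [(username, [reasons])] for admin accounts that have no active
    HR owner, or that were created by a person who is no longer active."""

    def owner_status(username):
        # Employment status of the person behind an account, or None when
        # the account is unowned (e.g. a provisioning service account).
        for acct in directory:
            if acct.username == username and acct.owner_id in hr_roster:
                return hr_roster[acct.owner_id][1]
        return None

    findings = []
    for acct in directory:
        if not acct.is_admin:
            continue
        reasons = []
        status = hr_roster.get(acct.owner_id, (None, None))[1]
        if status is None:
            reasons.append("no active HR owner")
        elif status != "active":
            reasons.append(f"owner status is {status}")
        creator_status = owner_status(acct.created_by)
        if creator_status is not None and creator_status != "active":
            reasons.append(
                f"created by {acct.created_by}, whose owner is {creator_status}")
        if reasons:
            findings.append((acct.username, reasons))
    return findings


if __name__ == "__main__":
    for username, reasons in find_suspect_admin_accounts(DIRECTORY, HR_ROSTER):
        print(username, "->", "; ".join(reasons))
```

Running it on the constructed data flags `bob` (owner terminated but account still privileged) and `svc-backup2` (unowned admin account created by bob); `svc-monitor` is unowned too but not privileged, so it is left for a separate, lower-priority review. Extending the check with the creator's termination date would let you highlight accounts created in the weeks before a departure.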

The CERT study found these indicators of malicious insider activity.


Any of these should trigger an investigation into potential network sabotage.

Insider Theft and Espionage

In many ways, insider theft and espionage are much harder to detect. They generally involve the movement of information or data through cyber channels or removable devices. Some malicious employees may need neither, as they have internalized the company’s most important data. That is to say, they have learned or memorized the information they need. So how can such bad employees be detected?

First of all, companies must be suspicious of any important source code that is downloaded or sent to an external address. Unless it is clear why an employee would do this (such as working at home), they should be questioned. Unusually large downloads should be investigated as should data sent to unknown IP addresses. Information sent to foreign servers should be looked into. If information is being accessed remotely from unknown addresses, be suspicious. An insider working for a foreign country may have planted malware in the network and that malware may be gathering and sending data. The bad news is that the attackers may know how to hide the exfiltration. The CERT report found that insiders who stole information felt that they were entitled to it since they were involved in its creation. Such people may access or keep designs, code, reports, or databases. The problem is that, when caught, many of these employees did not believe they had done anything wrong.
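The checks this paragraph recommends (unusually large transfers, data sent to unknown addresses, traffic to foreign servers) can be run over egress logs as a first-pass triage. The block below is an added example, not code from the original post: the log format, every log line, the country lookup and the size thresholds are constructed stand-ins for a real proxy or firewall export and a GeoIP database. It also sums each user's external transfers per day, so that a large amount sent in several smaller pieces is caught as well as one big download.

```python
"""Flag outbound transfers worth a closer look.

Added example, not from the original post. SAMPLE_LOG, GEO and the
thresholds are constructed; GEO stands in for a GeoIP lookup and
KNOWN_PARTNERS for the list of approved external destinations.
"""
from collections import defaultdict
import ipaddress

# Constructed egress log: timestamp user src_ip dst_ip bytes_out
SAMPLE_LOG = """\
2021-11-29T08:12:03 alice 10.0.1.15 10.0.9.20 52000
2021-11-29T09:45:17 bob 10.0.1.22 203.0.113.7 850000000
2021-11-29T10:02:44 carol 10.0.1.31 198.51.100.9 4000000
2021-11-29T22:15:09 carol 10.0.1.31 198.51.100.9 300000000
2021-11-29T22:17:50 carol 10.0.1.31 198.51.100.9 300000000
2021-11-29T23:01:12 dave 10.0.1.40 192.0.2.44 120000
"""

# Constructed stand-in for a GeoIP database (network -> country code)
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",  # placeholder foreign country
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
HOME_COUNTRY = "US"
KNOWN_PARTNERS = {ipaddress.ip_address("192.0.2.44")}  # approved destination
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

SINGLE_TRANSFER_LIMIT = 500_000_000  # 500 MB in one session (assumption)
DAILY_USER_LIMIT = 500_000_000       # 500 MB per user per day (assumption)


def country_of(ip):
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return None


def parse(line):
    ts, user, src, dst, nbytes = line.split()
    return ts, user, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def flag_transfers(log_text):
    """Return {user: set(reasons)} for external transfers that exceed the
    size limits, go to unapproved destinations, or leave the home country."""
    findings = defaultdict(set)
    daily = defaultdict(int)  # (user, day) -> bytes sent to external hosts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, dst, nbytes = parse(line)
        if dst in INTERNAL:
            continue  # internal copy; out of scope for egress review
        day = ts[:10]
        daily[(user, day)] += nbytes
        if nbytes > SINGLE_TRANSFER_LIMIT:
            findings[user].add("single transfer over limit")
        if dst not in KNOWN_PARTNERS:
            findings[user].add(f"unknown destination {dst}")
        cc = country_of(dst)
        if cc != HOME_COUNTRY:
            findings[user].add(f"destination country {cc or 'unresolved'}")
    for (user, day), total in daily.items():
        if total > DAILY_USER_LIMIT:
            findings[user].add(f"daily total {total} bytes on {day} over limit")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in sorted(flag_transfers(SAMPLE_LOG).items()):
        print(user, "->", "; ".join(sorted(reasons)))
```

On the constructed log, `bob` is flagged for a single oversized transfer to an unapproved host in another country, and `carol` for a daily total that crosses the limit even though no single transfer did; `alice` (internal copy) and `dave` (small transfer to an approved partner) are not. These are triage signals to start the questioning the paragraph describes, not proof of theft.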

The ignorance defense does not work in the following cases. The CERT report warns employers to be suspicious when:

  • an employee resigns to join a competitor,
  • an employee is a citizen of a foreign country,
  • an employee is looking for another job, or
  • an employee is starting their own business.

Contractors and Business Partners

Keep in mind that it’s not only your own employees that you have to worry about. Anyone with access to a corporate network is a potential malicious insider. Contractors have been used to launch attacks on many occasions and contractors themselves have been known to steal data and information. More worrying is that both contractors and business partners come with more endpoints to protect. Unless the company requires them to install strong endpoint protection, the company will become more vulnerable with every new endpoint that is allowed to access its network.


Good cybersecurity protection begins with hiring good people. Thorough background checks can go a long way towards identifying potential insiders. An individual with high qualifications but a questionable work history can be hired, but must be closely monitored. Monitoring both the network and employee behavior is important. It is especially important to frequently monitor individuals with administrative rights because that is where the biggest problems will begin.

Those involved with new product development or special products may need more monitoring than most employees since they are in a position to do the company significant harm if they should decide to monetize what they have access to. Close monitoring is even more important for foreign nationals on these teams. Of course, it is important to give highly qualified foreign nationals a chance to help your company and most are probably not malicious. However, any foreign national from a potentially hostile state needs to be monitored more closely. Your company’s future has no place for political correctness. At least this is what the statistics show.

It is not unknown for insiders to completely destroy a company. Taking precautions may be time consuming; however, considering the alternative, it’s worth the effort.





