Insider Threats: Detection and Prevention of Internal Threats
An insider threat is the security risk that originates from within: employees, service providers and former employees with legitimate access who - through intent, carelessness or a compromised credential - expose the organization's data, systems and critical operations. It is the threat the security team detects latest and, proportionally, the most expensive: according to Ponemon Institute's Cost of Insider Threats Global Report 2023, the average annual cost of a poorly managed insider threat program reaches US$ 16.2 million per organization, with an average containment time of 86 days.
What an insider threat is and why it is different
An external attacker must overcome firewalls, EDR, multi-factor authentication and intrusion detection before reaching the asset they want. The insider is already on the other side of all these controls. They know the systems, know where the backups are, understand the approval processes and - in most cases - have permissions the SOC would consider normal for their role.
This does not mean insider threats are undetectable. It means detection needs a different layer of analysis: not what the user is doing, but whether what they are doing is consistent with what they have always done, with what their role requires and with what is happening around them in the same period.
MITRE ATT&CK documents dozens of techniques used by insiders, especially in the Collection (T1530, T1213), Exfiltration (T1048, T1052) and Defense Evasion (T1070) clusters. The difference from an external attacker is that the insider rarely needs to exploit technical vulnerabilities - they simply use the access they already have.
Three types of insider threat
The CERT Insider Threat Center at Carnegie Mellon University, a global reference on the subject since 2001, classifies insiders into three functional categories with distinct implications for detection and response:
| Type | Motivation | Behavioral signals | Priority control |
|---|---|---|---|
| Malicious | Financial gain, revenge, espionage, sabotage | Access to data outside their scope, large downloads before termination, creation of hidden accounts, exfiltration via personal channels | UEBA + DLP + access review + secure offboarding |
| Negligent | Carelessness, lack of training, convenience | Clicking on phishing, use of unauthorized devices, credential sharing, shadow IT, weak passwords | Continuous training + MFA + DLP + EDR |
| Compromised | Credential stolen by an external actor (stealer, phishing, social engineering) | Login at atypical times/locations, multiple resources accessed in an unusual sequence, behavior diverging from the historical baseline | UEBA + phishing-resistant MFA + PAM + session monitoring |
The negligent insider accounts for the largest share of incidents (about 62% of cases in the CERT/CMU dataset), but the malicious insider causes the deepest and most deliberate damage. The compromised insider is technically the hardest to detect because the behavior can be calibrated by the external attacker to mimic normal patterns.
Behavioral indicators: what the SOC should watch
Insider threat indicators fall into two planes: digital and non-digital. The SOC operates in the digital plane, but the HR team and direct managers need to report signals from the human plane so the correlation is complete.
High-risk digital indicators:
- Access to systems or files never visited in the last 90 days, especially outside business hours
- Download volume significantly above the personal baseline (e.g., 10x the weekly average)
- Use of removable storage devices on endpoints that never used USB
- Sending emails with attachments to personal accounts (Gmail, Hotmail) from corporate addresses
- Attempts to access privileged resources without a formal request in the ticketing system
- Installation of unauthorized compression, encryption or tunneling tools
- Unusual queries to the user directory (LDAP enumeration)
- Multiple authentication failures followed by success on a high-privilege account
Non-digital indicators relevant to correlation:
- Announced or negotiated departure - the highest-risk period for data exfiltration
- Recent disciplinary conflict with management or HR
- Documented financial difficulties (may indicate motivation to sell data)
- Physical access to restricted areas outside standard hours
Detection: the four technical layers
1. UEBA - User and Entity Behavior Analytics
UEBA is today the most effective control against insider threats because it operates on patterns, not on static rules. The engine collects logs from heterogeneous sources - Active Directory, VPN, SaaS applications, CASB, endpoints, databases - and builds behavior models per user, per role and per department. When a user deviates from their own baseline or from the peer group's baseline, the risk score rises.
Machine learning techniques common in UEBA include isolation forest for point anomaly detection, LSTM (recurrent neural networks) for access time series, and clustering (k-means or DBSCAN) to identify groups of atypical behavior. NIST SP 800-92 (Guide to Computer Security Log Management) and NIST SP 800-137 (Information Security Continuous Monitoring) provide the normative basis for this collection and analysis architecture.
2. DLP - Data Loss Prevention
DLP monitors and blocks data transfers through controlled channels: corporate email, uploads to web services, USB devices, printing, screen sharing. Its effectiveness depends directly on the quality of data classification - without knowing what is confidential, DLP generates false positives in a volume the team cannot triage.
The architecture recommended by NIST SP 800-53 Rev. 5 (controls SI-3, SI-4 and SI-12) combines endpoint DLP (installed agent) with network DLP (inline or ICAP) and content inspection at email gateways and CASB for SaaS coverage.
3. Privileged Access Monitoring (PAM)
Privileged Access Management records and audits every session of users with administrative access - whether to a server, database, firewall or SCADA system. The session is recorded (video replay), commands are logged and, optionally, the session can be automatically terminated if prohibited commands are detected (e.g., DROP TABLE in production without an approved change ticket).
PAM also implements the just-in-time (JIT) model: the user requests privileged access, the system grants it for a limited time (e.g., 2 hours), and the access is automatically revoked when it ends. This eliminates the risk of permanently open privileged accounts - the main entry point for privilege escalation by both malicious insiders and attackers with compromised credentials.
4. SIEM with correlation of insider indicators
The SIEM (Security Information and Event Management) aggregates all logs and applies correlation rules to identify sequences of events that, in isolation, seem normal but together indicate insider activity. Example correlation rule: user accessed HR_confidential at 11 PM + downloaded 2 GB + tried to send an email with a .zip file to an external domain, all within a 40-minute window. Each separate event could be ignored; the full chain triggers a P1 alert.
Prevention: structural controls
Least privilege and segregation of duties
The principle of least privilege determines that each user has access only to what they need to perform their role, nothing more. In practice, most organizations accumulate permissions over time - an employee changes departments, inherits the old access and accumulates new ones. Periodic access reviews, required by NIST SP 800-53 (AC-2) and ISO 27001 (A.9.2.5), correct this accumulation quarterly or semi-annually.
Segregation of duties (SoD) prevents a single person from controlling an entire high-risk process - for example, no one who can approve payments should also be able to register vendors. This control is especially relevant for preventing internal financial fraud.
Secure offboarding
According to CERT/CMU, 25% of documented malicious incidents involve former employees who retained active access after termination - whether due to a failure in the revocation process or backdoors created beforehand. Secure offboarding needs to be a process executed on the same day as the termination, before the person leaves the building or ends the remote session, covering: revocation of accounts (AD, VPN, SSO, SaaS, API tokens), device recovery, rotation of shared secrets and monitoring of access attempts for 30 days after departure.
Culture and reporting channels
Insider threat programs that work combine technology with culture. This means: clearly communicating to employees that monitoring exists and what its scope is (a requirement of the LGPD and the CLT); creating anonymous reporting channels so colleagues can report suspicious behavior without fear of retaliation; and integrating the HR, legal and management teams into the response chain, not just the SOC.
LGPD and the legal limits of monitoring
Monitoring employees' digital behavior is legally permitted in Brazil, provided the conditions of the LGPD (Law 13.709/2018) and labor legislation are met. The minimum requirements are:
- Documented legal basis: monitoring of corporate equipment falls under the employer's legitimate interest (art. 7, IX of the LGPD) for information security and fraud prevention purposes.
- Transparency: the monitoring policy must be communicated to the employee before it begins, ideally in the employment contract or a signed internal policy.
- Proportionality: collect only the data necessary for the stated purpose; do not intercept the content of personal communications (e.g., personal WhatsApp, personal Gmail).
- Security of the collected data: monitoring logs are personal data and require adequate access controls, a defined retention period and secure disposal.
- Registration in the RoPA: the monitoring activity must be recorded in the Record of Processing Activities, required by art. 37 of the LGPD for mid-sized and large controllers.
The ANPD (National Data Protection Authority) has not yet issued specific guidance on employee monitoring in the context of information security. Until it does, it is recommended to adopt the guidelines of the European Data Protection Board (EDPB) as a best-practice benchmark - in particular, Guidelines 5/2022 on the use of technology in the workplace.
Insider threat incident response
Response to an insider incident follows the structure of NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide), with adaptations for the legal and HR context:
- Detection and triage: the UEBA/SIEM alert is validated by the SOC analyst to eliminate false positives before any action.
- Silent containment: unlike external attacks, in insider threats premature containment can destroy evidence and alert the suspect. The initial strategy is usually increased monitoring without immediate blocking.
- Evidence preservation: logs, PAM session captures and access metadata are collected with a chain of custody for use in disciplinary or legal proceedings.
- Involvement of HR and legal: before confronting or blocking the employee, legal reviews the body of evidence and defines the appropriate procedure (warning, dismissal for cause, notification to the Public Prosecutor's Office).
- Active containment and remediation: access revocation, credential rotation, damage assessment and notification of affected parties in accordance with LGPD requirements (art. 48 - notification to the ANPD within 2 business days for incidents with relevant risk).
- Lessons learned: review of the detection process, adjustment of UEBA/SIEM rules and policy updates.
References
- CERT Insider Threat Center / Carnegie Mellon University. Common Sense Guide to Mitigating Insider Threats, 10th edition, 2022.
- NIST SP 800-53 Rev. 5 - Security and Privacy Controls for Information Systems and Organizations (controls AC-2, SI-3, SI-4, SI-12).
- NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide.
- NIST SP 800-92 - Guide to Computer Security Log Management.
- MITRE ATT&CK - techniques T1530, T1213, T1048, T1052, T1070 and detection DS0002.
- Ponemon Institute. 2023 Cost of Insider Threats Global Report.
- EDPB - Guidelines 05/2022 on the use of tracking technologies.
- Law 13.709/2018 (LGPD) - arts. 7, 37 and 48.
Frequently asked questions
What is an insider threat and why is it more dangerous than external attacks?
An insider threat is any security risk originating from a person with legitimate access to the organization's systems - employees, service providers or former employees with active credentials. The danger is greater because the insider has already bypassed the perimeter controls: they know the critical assets, know where the sensitive data is and have permissions that let them act without raising immediate alerts. CERT/Carnegie Mellon notes that the average time to detect an internal incident is 85 days, versus about 20 days for external attacks using compromised credentials.
What are the three main types of insider threat?
The CERT Insider Threat Center classifies insiders as: (1) Malicious - acts with deliberate intent to cause harm or steal data; accounts for about 26% of cases. (2) Negligent - has no malicious intent but causes incidents through carelessness (phishing, shadow IT, weak passwords); responsible for about 62% of incidents according to Ponemon (2023). (3) Compromised - the employee did not act in bad faith, but an external actor obtained their credentials and operates disguised as a legitimate user.
How does UEBA detect an insider's anomalous behavior?
UEBA builds a baseline of each user's normal behavior over weeks and calculates a risk score when the user deviates from their own baseline: access to never-visited resources, login at atypical times, abnormally high download volume, or lateral privilege escalation. UEBA does not trigger on a fixed rule - it contextualizes: a 10 GB download may be normal for a data engineer and anomalous for a legal analyst.
Is DLP enough to prevent leaks caused by insiders?
No. DLP intercepts transfers through known channels, but it does not detect exfiltration through unmonitored channels (photographing the screen, personal VM, tunneling), nor access without transfer (viewing secrets). DLP needs to operate together with UEBA, PAM and data classification to close the gaps. NIST SP 800-53 Rev. 5 recommends this layered approach.
Can the company monitor employees' digital behavior without violating the LGPD?
Yes, with an adequate legal basis and proportionality. Monitoring of corporate equipment falls under legitimate interest (art. 7, IX of the LGPD) for information security purposes, provided there is: a documented policy communicated to the employee; a legitimate purpose; data minimization; and registration in the RoPA. Intercepting the content of the employee's personal communications is not permitted.
What should happen in the offboarding process to eliminate insider risk?
Secure offboarding requires a checklist executed on the same day as the termination: immediate revocation of all accounts (AD, VPN, SSO, SaaS, API tokens); device recovery; rotation of shared secrets the employee knew; and an alert to the SOC to monitor post-termination access attempts for 30 days. CERT/CMU documents that 25% of malicious incidents involve former employees with active access after termination.
Behavioral insider detection with Decripte's SOC
Decripte operates a 24x7 SOC specialized in behavioral detection of internal threats for companies of 1 to more than 100,000 employees. Our platform correlates signals from UEBA, DLP, PAM and SIEM in a single dashboard, with human triage by certified analysts and response playbooks adapted to the Brazilian legal context - including LGPD compliance and support for producing evidence for disciplinary and legal proceedings.
Companies that want to understand their current exposure to insider threats can start with a free threat assessment through the platform. For organizations with enterprise requirements, the Threat Management plan includes continuous monitoring, periodic access reviews and incident response with a defined SLA.
