The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization. Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:
- A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
- A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.
A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements. Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations. This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs. Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.
A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers). Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.
An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns. Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values. Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual. Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.
An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied. Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation. In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations. Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses.
Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.

Mental Health and Personal Struggles
Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.

Negative Statements or Discontent with the Company
Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
Response: Immediate referral to investigators for further investigation, including tracking whether such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).

Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)
Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior, particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.

Hearsay and Indirect Reports
Trigger Event: Anonymous or informal reports, such as rumors or gossip circulating in the workplace, that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.

Implementation Considerations
Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.
Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.
Threat intelligence feeds that include indicators of insider tactics, rather than just malware or phishing IoCs, can inform policy decisions, access design, and targeted monitoring. These feeds allow organizations to anticipate adversarial interest in recruiting, coercing, or planting insiders, and to mitigate the tools and behaviors those insiders are likely to use.

Prevention Measures:
Subscribe to threat intelligence services that provide curated insider threat profiles, including:
- Recruitment patterns used by foreign intelligence services.
- Behavioral precursors to sabotage, data theft, or access misuse.
- Indicators from anonymized insider case disclosures (e.g., DFIR reports, industry reporting, national CERTs).

Use these feeds to inform:
- DLP tuning based on exfiltration paths observed in real incidents.
- Risk-based access policies that factor in job function, department, or geographic anomaly exposure.
- Targeted internal education on known techniques (e.g., false flag account creation, side-channel messaging, Git repo exfiltration).

Examples of Insider-Focused TI Sources:
- CERT Insider Threat Center
- Mandiant reports on insider-aligned TTPs
- Verizon DBIR insider incident breakdowns
- Public sector alerts (e.g., FBI on DPRK IT workers or contractor placement)
- Industry-specific ISACs with insider incident advisories
Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.
Using Group Policy on Windows it is possible to block execute, read, and write operations on removable disks, such as SD cards or USB mass storage devices.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set each of them to Enabled:
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
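Setting the policy is only half the control; a practitioner also wants to confirm it is actually applied on each endpoint. The following Python script is an added example (not part of the Insider Threat Matrix page) that audits the effective state of the three settings named above. It assumes, as Microsoft documents for these policies, that Group Policy writes them to the machine hive under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} as the REG_DWORD values Deny_Execute, Deny_Read and Deny_Write, with 1 meaning Enabled. The evaluation logic is separated from the registry read so it can be unit-tested on any platform and reused against a fleet-wide registry export.

```python
r"""Compliance check for the removable-disk Group Policy settings.

Added example, not from the Insider Threat Matrix page. It assumes, as
Microsoft documents for these policies, that the three settings live under
HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\
{53f56307-b6bf-11d0-94f2-00a0c91efb8b} as REG_DWORD values Deny_Execute,
Deny_Read and Deny_Write, with 1 meaning Enabled."""
import sys

POLICY_KEY = (r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
              r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
EXPECTED = {"Deny_Execute": 1, "Deny_Read": 1, "Deny_Write": 1}


def evaluate_policy(values):
    """values: {value_name: int} as read from the policy key; a missing name
    means that policy is Not Configured. Returns a verdict plus the gaps."""
    gaps = []
    for name, want in EXPECTED.items():
        have = values.get(name)
        if have is None:
            gaps.append(f"{name}: not configured")
        elif have != want:
            gaps.append(f"{name}: set to {have}, expected {want}")
    return {"compliant": not gaps, "gaps": gaps}


def read_local_policy():
    """Read the policy values from the local machine hive (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry read requires Windows")
    import winreg  # standard library on Windows builds of Python
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in EXPECTED:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # this policy is Not Configured
    except FileNotFoundError:
        pass  # key absent: none of the three policies is configured
    return values


if __name__ == "__main__":
    verdict = evaluate_policy(read_local_policy())
    print("compliant" if verdict["compliant"] else "\n".join(verdict["gaps"]))
```

Run it with a standard user token on a domain-joined workstation after `gpupdate /force`; a "not configured" gap on a machine that should be in scope usually means the GPO is linked to the wrong OU or filtered out by security filtering, which is worth surfacing before relying on the control.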
A subject’s publicly accessible online presence may be examined prior to, or during, their association with the organization through the application of Open Source Intelligence (OSINT) techniques. This form of screening involves the systematic analysis of publicly available digital content—such as social media profiles, posts, comments, blogs, forums, and shared media—to assess potential risks associated with an individual. Social media screening is typically conducted to identify indicators of reputational risk, conflicting motives, or behavioral patterns that may suggest the potential for insider threat activity. Content of concern may include public expressions of hostility toward the organization, affiliation with extremist or high-risk groups, or engagement with topics unrelated to the subject's role that could indicate potential misuse of access. Trusted service providers specializing in OSINT and digital risk intelligence may be engaged to perform this screening on behalf of the organization. These providers use automated tools and analyst-driven review processes to ensure consistent, legally compliant, and policy-aligned assessments of online behavior. When implemented as part of pre-employment screening or ongoing risk monitoring, social media screening can serve as a proactive measure to detect insider threat indicators early. To be effective and ethical, such programs must follow applicable privacy laws, data protection regulations, and internal governance standards. When responsibly executed, social media screening enhances the organization's ability to identify individuals who may present an elevated risk to information security, personnel safety, or corporate reputation.
An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint. Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed. An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).
System logs
An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity. The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat). Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software. Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.
System logs
An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Behaviour Analytics agents are only deployed on endpoints where a human user is expected to conduct the activity. The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established. A User Behaviour Analytics platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be used to automatically identify activity that is predicted to be an anomaly, with the aim of surfacing user behavior that is undesirable, risky, or malicious. Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.
System logs
Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.
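The detection described above is usually called an "impossible travel" rule. The Python below is an added example of that logic, not code from the Insider Threat Matrix or any SIEM. It takes authentication events already enriched with geolocation (the events here are constructed), computes the great-circle distance between each pair of consecutive logins by the same user, and flags any pair whose implied speed exceeds a ceiling. The 900 km/h ceiling is an assumed value, roughly airliner cruising speed; tune it to the organisation's travel patterns and VPN egress geography, since a corporate VPN exit can make a user appear to jump countries.

```python
"""Impossible-travel detection over authentication events.

Added example for the detection described above; not code from the
Insider Threat Matrix. Events are constructed inline. Real inputs would be
IdP or VPN authentication logs already enriched with geolocation. The
900 km/h speed ceiling is an assumed value (roughly airliner speed)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0          # assumed ceiling for legitimate travel
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = (sin(dphi / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive logins by the same user whose implied speed exceeds
    max_kmh. Each event: user, ts (aware datetime), lat, lon, city."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same-second logins from two different places imply infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["city"],
                                 "to": cur["city"], "km": round(km, 1),
                                 "hours": round(hours, 2),
                                 "kmh": round(speed, 1)})
    return findings


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: alice cannot reach Sydney from London in two hours;
# bob's London-to-Paris hop over three hours is plausible.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": _ts("2024-05-01T09:00:00"), "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "alice", "ts": _ts("2024-05-01T11:00:00"), "lat": -33.8688, "lon": 151.2093, "city": "Sydney"},
    {"user": "bob", "ts": _ts("2024-05-01T08:00:00"), "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "bob", "ts": _ts("2024-05-01T11:00:00"), "lat": 48.8566, "lon": 2.3522, "city": "Paris"},
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

In production the main sources of false positives are shared VPN egress points, mobile carrier NAT ranges geolocating far from the device, and IPv6 transition services; keep an allow-list of corporate egress ranges and compare against the user's own history before escalating.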
System logs
Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic. NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred. Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.
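The following Python is an added example of the kind of analysis the paragraph describes, not code from the Insider Threat Matrix or from any NetFlow collector. It parses a simplified flow export (constructed here, using documentation IP ranges only) and applies three checks a defender typically runs over flow metadata: a long-lived outbound session to a single external host with substantial bytes sent, a client-initiated flow that sends far more than it receives, and aggregated DNS byte volume to an external resolver that is far beyond what name resolution needs. The internal address ranges and all thresholds are assumptions to be tuned per environment.

```python
"""NetFlow-style analysis for tunnelling and upload-heavy sessions.

Added example, not from the Insider Threat Matrix page. The flow export
below is constructed (documentation IP ranges only); field names follow a
simplified NetFlow v5/v9 export, with bytes_out meaning bytes sent by src.
Thresholds and internal ranges are assumptions to tune per environment."""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed organisation-internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow export. proto 6 = TCP, 17 = UDP.
FLOW_CSV = """src,dst,proto,dport,bytes_out,bytes_in,duration_s
10.0.0.5,203.0.113.10,6,443,120000,900000,120
10.0.0.5,203.0.113.9,6,443,48000000,2000000,28800
10.0.0.7,10.0.0.53,17,53,2400,5200,1
10.0.0.9,198.51.100.4,17,53,910000,60000,3600
10.0.0.9,198.51.100.4,17,53,150000,9000,600
10.0.0.7,203.0.113.10,6,443,30000,240000,60
"""


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for k in ("proto", "dport", "bytes_out", "bytes_in", "duration_s"):
            row[k] = int(row[k])
        flows.append(row)
    return flows


def analyze_flows(flows, long_s=4 * 3600, min_out=1_000_000,
                  upload_ratio=5.0, dns_out_bytes=200_000):
    """Return one finding dict (src, dst, reason) per matched check."""
    findings = []
    dns_out = defaultdict(int)  # (src, resolver) -> total DNS bytes sent
    for f in flows:
        if not is_external(f["dst"]):
            continue
        src, dst = f["src"], f["dst"]
        # Persistent outbound session to one host: typical of a tunnel.
        if f["duration_s"] >= long_s and f["bytes_out"] >= min_out:
            findings.append({"src": src, "dst": dst,
                             "reason": "long-lived outbound session"})
        # Far more sent than received on a client-initiated connection.
        if (f["bytes_out"] >= min_out and f["bytes_in"] > 0
                and f["bytes_out"] / f["bytes_in"] >= upload_ratio):
            findings.append({"src": src, "dst": dst,
                             "reason": "upload-heavy flow"})
        if f["proto"] == 17 and f["dport"] == 53:
            dns_out[(src, dst)] += f["bytes_out"]
    # DNS volume far beyond name resolution needs: DNS tunnelling indicator.
    for (src, dst), total in dns_out.items():
        if total >= dns_out_bytes:
            findings.append({"src": src, "dst": dst,
                             "reason": f"DNS volume {total} bytes to external resolver"})
    return findings


if __name__ == "__main__":
    for finding in analyze_flows(parse_flows(FLOW_CSV)):
        print(finding)
```

The DNS check aggregates across flows deliberately: tunnelling tools split their traffic into many short flows that individually look unremarkable, so per-flow thresholds miss them. Expect legitimate hits from backup agents and video conferencing on the long-lived and upload-heavy checks; those are best handled by an allow-list of known destinations rather than by raising the thresholds.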
Network traffic
Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.
Multiple sources
Leverage threat intelligence feeds that include insider-specific indicators, such as behavioral markers, tactics used by recruited insiders, anonymized exfiltration infrastructure, and social engineering methods, to enrich detection of internal threats. Unlike traditional TI feeds that focus on malware or external IPs, insider-focused feeds highlight tactics used to manipulate access, stage data, or coordinate with external actors.

Detection Methods:
Integrate insider-focused threat intelligence sources into SIEM, EDR, or UEBA platforms. These may include:
- Indicators of misuse of collaboration tools (e.g., OneDrive, Slack, GitHub).
- VPN or proxy services associated with known data exfiltration actors.
- Identified techniques for bypassing DLP, such as steganography, encryption layering, or screen scraping.
- Known burner email domains, decentralized file drop sites, or illicit data markets.

Use TI feeds that profile known insider operations, such as previously identified contractors or developers tied to state programs (e.g., North Korean contractor aliases).
Cross-reference internal behavior (e.g., file staging, privilege escalation, unusual scripting patterns) with threat actor TTPs derived from known insider incidents.
Monitor for command-line syntax, file naming conventions, or tools that match profiles of past insider incidents (e.g., private rsync use, exfil via private Git repos).

Indicators:
- Use of anonymization tools or services commonly flagged in insider TI feeds.
- Behavioral sequences (e.g., mass SharePoint access followed by personal cloud login) matching known insider TTPs.
- Internal tool usage (e.g., PowerShell download cradle, credential harvesting) found in TI reports of insider toolkits.
- Unusual outbound traffic to infrastructure linked to past insider activity or hybrid APT/insider collaboration cases.

Examples of Insider-Focused TI Sources:
- CERT Insider Threat Center publications
- Mandiant reports on insider-aligned TTPs
- Verizon DBIR insider incident breakdowns
- Public sector alerts (e.g., FBI on DPRK IT workers or contractor placement)
- Industry-specific ISACs with insider incident advisories
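Both the prevention entry on threat intelligence feeds and the detection above come down to the same mechanics: ingest a feed, normalise internal events, and correlate the two. The Python below is an added example of that correlation, not code from the Insider Threat Matrix or any TI vendor or SIEM. The feed content (burner domains, anonymiser process names, one behavioural sequence rule) and the normalised SIEM events are all constructed placeholders; the sequence rule implements the "mass SharePoint access followed by personal cloud login" pattern listed under Indicators, bounded by a 60-minute window that is an assumed value.

```python
"""Correlating normalised SIEM events with an insider-focused TI feed.

Added example for the TI prevention and detection entries; not code from
the Insider Threat Matrix or any TI vendor. Feed contents and events are
constructed placeholders. Atomic indicators (domains, process names) match
single events; sequence rules match ordered pairs of events by one user
inside a time window."""
from datetime import datetime, timedelta

TI_FEED = {
    # Drop/burner mail domains reported in insider cases (constructed).
    "burner_domains": {"dropmail.example", "burner-relay.example"},
    # Anonymiser client process names from insider toolkits (constructed).
    "anonymizer_processes": {"anonproxy.exe", "hidepipe"},
    # Behavioural sequences matching known insider TTPs (window assumed).
    "sequences": [
        {"name": "bulk SharePoint access followed by personal cloud login",
         "first": "sharepoint_bulk_access", "then": "personal_cloud_login",
         "within": timedelta(minutes=60)},
    ],
}


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed, already-normalised events as a SIEM would present them.
EVENTS = [
    {"ts": _ts("2024-05-02T09:14:00"), "user": "dana", "type": "email_sent",
     "recipient_domain": "dropmail.example"},
    {"ts": _ts("2024-05-02T10:02:00"), "user": "eli", "type": "process_start",
     "process": "AnonProxy.exe"},
    {"ts": _ts("2024-05-02T13:00:00"), "user": "dana",
     "type": "sharepoint_bulk_access", "count": 412},
    {"ts": _ts("2024-05-02T13:35:00"), "user": "dana",
     "type": "personal_cloud_login", "service": "personal-drive.example"},
    {"ts": _ts("2024-05-02T15:00:00"), "user": "eli",
     "type": "sharepoint_bulk_access", "count": 300},
    {"ts": _ts("2024-05-03T09:00:00"), "user": "eli",       # 18 h later: outside window
     "type": "personal_cloud_login", "service": "personal-drive.example"},
]


def correlate(events, feed):
    """Return one finding per indicator match; events need not be sorted."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for e in events:
        dom = e.get("recipient_domain", "").lower()
        if dom in feed["burner_domains"]:
            findings.append({"user": e["user"], "indicator": "burner_domain",
                             "detail": dom, "ts": e["ts"]})
        proc = e.get("process", "").lower()
        if proc in feed["anonymizer_processes"]:
            findings.append({"user": e["user"], "indicator": "anonymizer_process",
                             "detail": proc, "ts": e["ts"]})
    for rule in feed["sequences"]:
        for i, first in enumerate(events):
            if first["type"] != rule["first"]:
                continue
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > rule["within"]:
                    break  # time-ordered: nothing further can match this window
                if later["user"] == first["user"] and later["type"] == rule["then"]:
                    findings.append({"user": first["user"], "indicator": "sequence",
                                     "detail": rule["name"], "ts": later["ts"]})
                    break
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, TI_FEED):
        print(finding)
```

Sequence rules are where insider-focused feeds add the most value over a plain IoC list: an individual SharePoint sync or a personal cloud login is routine, and it is the ordering and timing that matches a known TTP. Keep the window per rule rather than global, since the feeds describe different dwell times for different techniques.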
System logs
Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.
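The UBA entries above describe a baselining period followed by anomaly scoring. The Python below is an added example that shows the mechanics with a plain statistical baseline (per-user mean and standard deviation of distinct resources accessed per day, plus an off-hours check) in place of the ML model a commercial platform would train; it is not code from the Insider Threat Matrix or any UBA product. The 14-day history is constructed, and the z-score threshold of 3 and the 07:00-19:00 working window are assumed values.

```python
"""Baseline-and-deviation scoring in the style of a UBA platform.

Added example for the UBA entries above; not code from any UBA product.
A mean/standard-deviation baseline stands in for the trained model. The
per-user history is constructed; the z threshold and 07:00-19:00 working
window are assumptions."""
from datetime import datetime
from statistics import mean, pstdev

WORK_START, WORK_END = 7, 19  # assumed local working hours (24 h clock)


def build_baseline(history):
    """history: {user: [distinct resources accessed per day, ...]}
    -> {user: (mean, std)}; std is floored at 1.0 so a perfectly flat
    history still produces finite scores."""
    return {u: (mean(c), max(pstdev(c), 1.0)) for u, c in history.items()}


def is_off_hours(ts):
    """Weekend, or outside the working window on a weekday."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def score_day(baseline, user, count, access_times, z_threshold=3.0):
    """Score one user-day: distance of today's resource count from the
    user's own norm, plus any accesses outside working hours."""
    mu, sd = baseline[user]
    z = (count - mu) / sd
    anomalies = []
    if z >= z_threshold:
        anomalies.append(f"resource_count z={z:.1f} (baseline {mu:.1f} sd {sd:.1f})")
    off = [t.isoformat() for t in access_times if is_off_hours(t)]
    if off:
        anomalies.append(f"off_hours_access {off}")
    return {"user": user, "z": round(z, 2), "anomalies": anomalies}


# Constructed 14-day history of distinct resources accessed per day.
HISTORY = {"maya": [22, 25, 19, 28, 24, 21, 26, 23, 20, 27, 24, 22, 25, 23]}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # A Saturday 02:30 session touching 140 resources versus a normal Monday.
    print(score_day(baseline, "maya", 140, [datetime(2024, 5, 4, 2, 30)]))
    print(score_day(baseline, "maya", 26, [datetime(2024, 5, 6, 10, 0)]))
```

Two design points carry over to real deployments: score each user against their own baseline rather than a population average (a database administrator's normal day would be an anomaly for most staff), and re-baseline after role changes, or the first week in a new team will be flagged continuously.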
Multiple sources
Depending on the type of VPN appliance or service used, VPN logs can provide detailed records of user activity. These logs typically include information such as user IDs, device types, IP addresses, and connection timestamps. By analyzing VPN logs, security teams can identify deviations from normal usage patterns, such as connections from unusual geographic locations, access during odd hours, or unusually large data transfers. Anomalies in VPN usage can serve as early indicators of suspicious behavior, potentially signaling attempts at data exfiltration or other unauthorized activities. Alerts triggered by these irregularities allow for further investigation to assess potential threats.
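The Python below is an added example of turning VPN session records into the alerts the paragraph describes; it is not code from the Insider Threat Matrix or any VPN vendor. Because every appliance logs in its own format, the sample uses a generic key=value syslog line (constructed here) and isolates the parser so only that part changes per vendor. Three of the deviations named above are checked: a country the user has never connected from, a device type not previously seen for the user, and a session whose client upload exceeds an assumed 500 MB ceiling. The per-user history is a constructed stand-in for what would normally be derived from prior weeks of the same logs.

```python
"""Parsing VPN session logs and flagging deviations from a user's norm.

Added example, not from the Insider Threat Matrix or any VPN vendor. Log
lines are constructed in a generic key=value syslog style; bytes_out means
bytes sent by the client. The per-user history and the 500 MB upload
ceiling are assumptions."""
import re

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+session-end\s+(?P<kv>.+)$")
LARGE_UPLOAD = 500 * 1024 * 1024  # assumed per-session ceiling in bytes

# Constructed log excerpt; the last line shows the parser skipping noise.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z vpn01 session-end user=jlee device=laptop src=203.0.113.45 country=US bytes_in=120000 bytes_out=2400000 duration=3600
2024-05-06T23:41:09Z vpn01 session-end user=jlee device=laptop src=198.51.100.77 country=RO bytes_in=90000 bytes_out=1288490188 duration=5400
2024-05-07T09:15:00Z vpn02 session-end user=mkim device=mobile src=203.0.113.8 country=KR bytes_in=40000 bytes_out=30000 duration=900
vpn01 heartbeat ok
"""

# Constructed per-user history built from previous weeks of sessions.
HISTORY = {"jlee": {"countries": {"US"}, "devices": {"laptop"}},
           "mkim": {"countries": {"KR"}, "devices": {"laptop"}}}


def parse_line(line):
    """One session-end line -> dict, or None for lines of other kinds."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for pair in m.group("kv").split():
        k, _, v = pair.partition("=")
        rec[k] = v
    for k in ("bytes_in", "bytes_out", "duration"):
        rec[k] = int(rec.get(k, 0))
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def flag_sessions(records, history, large_upload=LARGE_UPLOAD):
    """Return flagged sessions with the list of reasons for each."""
    findings = []
    for r in records:
        known = history.get(r["user"], {"countries": set(), "devices": set()})
        reasons = []
        if r["country"] not in known["countries"]:
            reasons.append(f"new country {r['country']}")
        if r["device"] not in known["devices"]:
            reasons.append(f"new device type {r['device']}")
        if r["bytes_out"] >= large_upload:
            reasons.append(f"large upload {r['bytes_out']} bytes")
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"],
                             "src": r["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_sessions(parse_log(SAMPLE_LOG), HISTORY):
        print(finding)
```

A user with no history at all (the `history.get` default) is flagged on every session, which is the right default for a new account: the first connections from a freshly onboarded subject are exactly the ones an analyst should look at. Combine the "new country" reason with an impossible-travel check on the same log before escalating, since the two together are far stronger than either alone.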
System logs
This technique is part of the ForScie Insider Threat Matrix, a community-driven knowledge base for insider threat intelligence.