Insider threats are risks from people within an organization who use their authorized access or organizational knowledge to cause damage. According to the Cybersecurity and Infrastructure Security Agency (CISA), an insider is any person who has or had authorized access or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. 

That’s a lot of potential people who can unleash chaos on your attack surface. But it's not always a case of a pissed off employee trying to sabotage the company on their way out. More often than not, it's completely unintentional and accidental. 

Here’s how insider threats are categorized:

1. The malicious insider

A malicious insider intentionally misuses their authorized access to steal data, disrupt business operations, or otherwise harm the organization. Their motives can range from financial gain, like selling company secrets, to settling a score for perceived wrongdoing. The bottom line is they know the rules of the game the organization plays by, and they’re willing to break them for personal gain. 

2. The compromised insider

A compromised insider is an employee whose credentials have been stolen by an external attacker, often through phishing scams, malware, or stolen credentials. The attacker then uses these credentials to access accounts, systems, and networks as a legitimate user in the organization. The scammed employee has no idea their account is being used for malicious activities, making this type of threat especially sneaky and tough to spot with traditional security measures. 

3. The negligent insider

Negligent insiders aren’t trying to cause harm, but following security policies isn’t always at the top of their to-do list. Their ignorance, mishaps, and mistakes, like clicking on sketchy phishing links, reusing weak passwords across multiple accounts, or connecting to different public wifi networks every time they leave the house, cause security blunders. They’re not trying to stir up a data breach, but unfortunately, their habits can have the same devastating consequences as a malicious attack. 

Let’s break down a classic example of a malicious insider threat. Imagine a sales executive who has been with a company for a few years. She has heaps of organizational knowledge and full access to all the databases with customer information. But she’s hopping to a new job at a top competitor in just a few weeks. In her last week, she logs into the company's CRM like normal, but this time she downloads the entire customer list and stores it on a thumb drive, complete with contact details and sales history. She plans to bring this list directly to the competitor on her first day for an easy competitive edge. 

The employee had legitimate access to the data as part of her job, but she intentionally misused that access for personal gain, regardless of the potential damage she might bring to the company. 

Threat hunting is a proactive approach that combines intelligence, data logs, and alerts to create and define hypotheses. By testing the hypotheses, defenders find unknown threats, security gaps, and potential zero-day vulnerabilities. 

In other words, instead of waiting for an alarm to go off, threat hunters assume that attackers (in some cases, insider threats) are already inside the network and actively look for signs of shady activity.

Here’s another way to think about threat hunting:

• Traditional security is like having a burglar alarm on your house. It only goes off after someone has broken in. 

• Threat hunting is like having a security guard who patrols the property, checks for unlocked windows, and looks for footprints in the garden. 

Threat hunting vibes are all about being proactive, not reactive.

Let’s say a threat hunter is looking for signs of malicious Remote Monitoring and Management (RMM) installation. RMMs are legitimate tools used by threat actors to gain remote access to endpoints. The threat hunters start with a hypothesis, like "An attacker is installing malicious RMM software on endpoints in targeted environments to gain persistence."

Here’s how they test the hypothesis:

1. Trigger: Something like an alert, abnormal network behavior, or threat intelligence kicks off the hunt. 

2. Investigation: This involves investigation and analysis of data from tools like Managed Security Information and Event Management (SIEM) and Managed Endpoint Detection and Response (EDR). Analytics and machine learning tools help with pattern recognition and anomaly detection. 

3. Resolution: Get rid of the problem and kick out the threat actor! Patch vulnerabilities, update security policies, or remove malicious artifacts. 

In this case, the 24/7 Huntress SOC found overwhelming evidence that an attacker tricked a victim into downloading renamed malicious RMM installers disguised as legitimate-looking government documents—a compromised insider. This activity happened over several months. Our SOC analysts used the IoCs on the compromised host to pivot and investigate additional endpoints, quickly spotting evenmore instances of nasty RMMs on different hosts and ultimately kicking the threat actor to the curb. 

Example of a Huntress SOC threat hunt for malicious RMMs

Threat hunting is a proactive way to spot this type of activity, whether insiders are malicious or unwitting, and shut down the attackers who hide in the noise.  

Threat hunting isn't a one-size-fits-all activity. It’s broken down into three categories, each with a different starting point.

1. Intelligence-Driven Hunting

This type of hunt is based on specific threat intelligence, like an alert from a government agency about a new malware strain, a security vendor report about new threat actor tactics, or SIEM or EDR alerts. The threat hunter uses the intelligence to look for specific indicators of compromise (IOCs) within their own environment.

Check out this example of intelligence-driven threat hunting from our SOC:

2. Hypothesis-Driven Hunting

The hunter uses their knowledge of attacker techniques and their own company's environment to form a hypothesis about a potential threat. For example, they might hypothesize, "An attacker is using PowerShell to run malicious scripts that are disguised as normal administrative tasks." They then actively search for evidence to prove or disprove that hypothesis. This is where a deep understanding of insider threat behavior comes in handy.

3. Anomaly-Driven Hunting (Analytics)

This approach uses machine learning and data analytics to spot outliers and anomalies in user and system behavior. The idea is to establish a baseline of what "normal" looks like for your network. Then, the system automatically flags any activity that strays significantly from that baseline. For example, if an employee who normally works a normal Monday-to-Friday schedule during the day suddenly starts accessing sensitive files at 3 am over the weekend, that's an anomaly worth investigating. This is a powerful tool for insider threat monitoring.

More resources to learn more about proactive threat hunting:

• Information to Insights: Intrusion Analysis Methodology

• Utilizing ASNs for Hunting & Response

• Brute Force or Something More? Ransomware Initial Access Brokers Exposed

Building an insider threat hunting program is a journey, but you can start with a few key steps:

• Know Your Environment: Understanding what "normal" looks like in your network helps you spot the anomalies that signal insider threats
  
  

• Use threat intelligence: Bring in data from threat intelligence feeds to deepen your understanding of current threat landscapes
  
  

• Encourage continuous learning: Threat landscapes never stop changing—regular training and knowledge updates for your threat hunting team are key

Insider threats are here whether you’re prepared or not. By building a security strategy with proactive threat hunting, you can turn the tables on would-be attackers and protect your organization from the inside out.