Insider Threat Indicators: Warning Signs of Potential Insider Attacks


Key Takeaways:

  • Behavioral and technical signals, like unusual access or data downloads, often reveal insider threats early.

  • Prevention, least privilege, and clear reporting paths reduce insider risk across your organization.

  • Huntress provides visibility and detection tools to spot anomalies before they become serious threats.

An insider threat doesn't always mean Hollywood-level cyber heists. It can be the disgruntled employee making their exit with a thumb drive full of customer data. An employee who misconfigured a file share. Or an employee who clicked on a convincing phishing email. 

According to Deloitte, 73% of organizations experienced at least one insider threat incident in the past year, and the average organization now spends $17.4 million USD annually on containment and response. 

The point is that potential insider threat indicators don't always come with a mugshot and jail time. They're less about the capture and more about pattern analysis: identifying suspicious behavior early, before it develops into something dangerous, and determining whether that behavior was malicious, coerced, or just a really good employee making a series of bad decisions.

And while not every indicator needs to lead to an internal witch hunt, there are common patterns that should alert you to potentially malicious activity in your environment. Let's talk about common insider threat indicators and how to manage them without creeping your employees out. Understanding the common indicators of insider threats helps you separate genuine security concerns from everyday anomalies.


Behavioral clues that something's off

The first category of potential insider threat indicators involves human behavior. Humans are creatures of habit, and when those habits suddenly change, it's something to note. These behavioral indicators of insider threat form the foundation of what security teams should monitor, especially given that theft of personally identifiable information (76%) and theft of intellectual property (59%) are among the most common insider incidents.

Policy workarounds and rule bending

Ever have an employee who's suddenly started creating workarounds for security policies? This could look like an employee who received access to a system that they don't normally need for their work role. 

This isn't always an insider threat with nefarious intent—it can sometimes just be people working as fast as possible without security or compliance considerations. But it's a yellow flag worth keeping an eye on, especially if it's coupled with other indicators of malicious or misguided behavior.

Unusual file hoarding

Picture a sales representative downloading the entire product roadmap when their work focuses on one product line. File hoarding of this kind is one of the more common insider threat indicators.

Off-hours access to sensitive resources

Working late, including a late-night VPN session, is not automatically suspicious. But if those late-night VPN sessions start to become a pattern, combined with accessing sensitive data that the person doesn't normally touch during the work day, now you've got a pattern worth investigating.

Softer insider-risk indicators: Beyond behavior and tech

Although technical and behavioral indicators tend to be the most prominent warning signs on security teams’ radars, there are some less overt insider risks. Psychological pressures, financial concerns, personal issues, or even influence exerted by external actors are some of the risk drivers that impact employee behavior and create conditions for insider threats. Recognizing these “softer” areas of risk before they become a problem can help your organization act before an insider threat manifests.




Technical signals your systems are screaming about

You don't have to spy on people to spot insider threat indicators. In fact, the best indicators often involve watching your security tools. Modern endpoint detection and response (EDR) tools can report anomalies that would be impossible to see just by watching your people.

Impossible travel and location anomalies

Geolocation anomalies, especially those that involve physically impossible travel, are one of the most straightforward insider threat indicators. A sign-in from one location followed shortly by another from somewhere too far away to reach in that time means someone compromised, shared, or used credentials that didn't belong to them.
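As an added illustration (not code from the article or from Huntress), the check below flags consecutive sign-ins by the same user whose implied travel speed exceeds what an airliner could cover; the sign-in events, their coordinates and the 900 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real data): user, UTC time, latitude, longitude.
EVENTS = [
    ("alice", "2024-03-04T08:02:00", 47.61, -122.33),  # Seattle
    ("alice", "2024-03-04T08:45:00", 47.60, -122.30),  # Seattle, a few km away
    ("alice", "2024-03-04T10:10:00", 52.52, 13.40),    # Berlin, 85 minutes later
    ("bob",   "2024-03-04T09:00:00", 40.71, -74.01),   # New York
    ("bob",   "2024-03-04T21:30:00", 51.51, -0.13),    # London, 12.5 hours later
]

MAX_PLAUSIBLE_KMH = 900  # assumed ceiling: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_time, to_time, km, kmh) for each pair of consecutive
    sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    # ISO-8601 strings sort chronologically, so (user, ts) groups and orders in one pass.
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    hits = []
    for user, logins in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two distant sign-ins in the same second are impossible too; avoid division by zero.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                hits.append((user, t1.isoformat(), t2.isoformat(), round(km), round(kmh)))
    return hits
```

Corporate VPN egress points and cloud proxies can make a legitimate user appear to jump continents, so confirm the source network before treating a hit as a compromised account.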

Mass downloads and data hoarding gone digital

When an employee suddenly begins downloading gigabytes of data, especially data they do not normally need access to, start gathering evidence. 

Disabled logging and security controls

This is a big one. If you observe someone with administrator access disabling logging, turning off security monitoring, or tampering with audit trails, you've likely got a very strong indicator of insider threat. There's rarely a legitimate reason for someone to disable the very controls that were designed to protect the organization's data.

Risky OAuth grants and third-party app permissions

Keep an eye out for employees granting broad permissions to third-party applications, especially suspicious-looking "productivity tools" that request full access to your email, contacts, and files. Maybe it's no big deal, but maybe that innocuous app is an exfiltration pipeline in disguise.

Inbox rule tampering

Attackers love to set up inbox rules that automatically forward emails or move messages to obscure folders. The idea is to maintain persistence and steal information while staying below the radar. Legitimate users rarely need complex rules that act on sensitive correspondence.




Data movement that tells a story

Okay, it's not the data itself talking to you, but sometimes the data is what shows you the narrative. Here are some unusual data movement patterns that insider threat detection tools can help you identify.

Personal cloud sync activity

Does work data suddenly start syncing to personal cloud accounts like Dropbox, Google Drive, or OneDrive? Transfers via these common cloud services are another method to look for. A small number of employees may be doing it innocently to access data on multiple devices. But a cloud sync is also how data leaves the organization.

USB spikes and removable media usage

Ohh, the venerable USB drive. Yes, that $5 technology from 2000 is still kicking, and it's still one of the most common and easiest methods for an insider to exfiltrate data.  

Encrypted archives in unusual places

When someone stores password-protected ZIP files or encrypted archives in temporary folders, personal directories, or near-deletion staging areas, it's usually because the individual is preparing data for movement, usually exfiltration. They bundle it up, slap on some encryption to sidestep your DLP tools, and stash it somewhere they think you're not watching.



Investigating without creating a dystopia

This is where a lot of organizations struggle. You want to detect insider threats, but you don't want to watch every employee to the point that your company becomes a dystopian nightmare. You can do both if you're thoughtful about how you monitor behavior.

Define clear thresholds

Define clear thresholds for what degree of behavior, in combination, should trigger different levels of response. A late-night login? Nothing more than a curiosity. A late-night login plus mass downloads plus a new OAuth grant for that suspicious third-party app? Start digging.
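To make the threshold idea concrete, here is an added example (not the article's or Huntress's code) that scores the distinct indicators seen for a user inside a 24-hour window and maps the total to a response tier; the indicator names, weights, tiers and sample events are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights per indicator; tune these to your environment.
WEIGHTS = {
    "off_hours_login": 1,
    "mass_download": 3,
    "new_oauth_grant": 3,
    "inbox_forward_rule": 3,
    "logging_disabled": 6,
}
# Response tiers by combined score, highest threshold first (assumed values).
TIERS = [(6, "investigate"), (3, "review"), (0, "curiosity")]
WINDOW = timedelta(hours=24)

# Constructed sample indicator events (not real telemetry): user, UTC time, indicator.
EVENTS = [
    ("carol", "2024-03-04T23:40:00", "off_hours_login"),   # one late login, nothing else
    ("dave",  "2024-03-04T23:05:00", "off_hours_login"),
    ("dave",  "2024-03-04T23:20:00", "mass_download"),
    ("dave",  "2024-03-05T00:15:00", "new_oauth_grant"),   # three signals in ~70 minutes
    ("erin",  "2024-03-01T10:00:00", "mass_download"),
    ("erin",  "2024-03-04T10:00:00", "new_oauth_grant"),   # three days apart: separate windows
]


def tier_for(score):
    """Map a combined score to the first tier whose threshold it meets."""
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "curiosity"


def correlate(events, window=WINDOW):
    """Per user, find the highest-scoring set of distinct indicators that fall
    inside one sliding window and return {user: (tier, score, indicators)}."""
    by_user = defaultdict(list)
    for user, ts, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))
    verdicts = {}
    for user, items in by_user.items():
        items.sort()
        best_score, best_kinds = 0, set()
        for i, (start, _) in enumerate(items):
            # Distinct indicators only: ten late logins are still one signal, not ten.
            kinds = {k for t, k in items[i:] if t - start <= window}
            score = sum(WEIGHTS.get(k, 0) for k in kinds)
            if score > best_score:
                best_score, best_kinds = score, kinds
        verdicts[user] = (tier_for(best_score), best_score, sorted(best_kinds))
    return verdicts
```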

Implement dual-review processes

Never allow one person to have unilateral control over what gets investigated. Insider threat detection should have at least a dual-review process.

Align with HR and Legal

Align with these teams in advance of an incident so you know how to work together, when to involve them, and what evidence you need for different types of incidents.

Document your playbooks

You need documented response playbooks for a fair and consistent response to insider threat indicators. Security or HR teams without clear guidelines will overreact or underreact based on the employee involved.


Prevention beats detection every time

So far, we've talked about detecting insider threats. But the best security is security that prevents insider threats from even being a concern in the first place. Build a culture that makes it more difficult for an insider to carry out an attack.

Embrace least privilege

Nobody should have access to more information than their job requires. Harden your environment so that employees have only the access they need, and therefore less to exfiltrate.

Conduct periodic access reviews

Conduct periodic access reviews so people's access matches their actual role, not their most recent job description. This is one of the best ways to root out stale or inappropriate access across your environment.

Create clear reporting paths

Make it as easy as possible for other employees to report potentially suspicious behavior. Sometimes your best detection tool is a coworker who spots something off and knows how to report it safely.



Stay ahead of insider threats with Huntress

Insider threat detection means having a view of your entire environment, from endpoints to cloud to identity. Huntress Managed Identity Threat Detection and Response (ITDR) provides that visibility, with identity-centric signals to detect anomalous behavior before it becomes a serious issue. Combine that with Huntress Managed SIEM for correlation and evidence collection, as well as our Managed Security Awareness Training, to create a stronger reporting culture.


The point of threat detection isn't necessarily to catch every single insider threat, but to create an environment where insider attacks are much more difficult to execute, and if they do occur, are easier to spot and faster to respond to. Get a demo today to see how Huntress gives your team the visibility and tools to stay ahead of insider threats.
