Insider Threat
Severity: high (insider-threat)
Authorised individuals (employees, contractors, or partners) misuse legitimate access to exfiltrate data, sabotage systems, or commit fraud — either intentionally or through negligence. Distinct from credential theft because the actor already holds valid permissions, which makes detection dependent on behavioural rather than authentication signals.
STRIDE categories
Information Disclosure, Tampering, Repudiation
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1078 | Valid Accounts | Defense Evasion |
| T1530 | Data from Cloud Storage | Collection |
| T1485 | Data Destruction | Impact |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
Common Weakness Enumeration
Mitigating controls
- ctrl-insider-1: Enforce least-privilege and just-in-time access with mandatory approval workflows for sensitive actions
- ctrl-insider-2: Deploy User and Entity Behaviour Analytics (UEBA) to detect anomalous access patterns
- ctrl-insider-3: Apply separation of duties for high-risk operations (production data access, financial transactions, key management)
- ctrl-insider-4: Run a joiner-mover-leaver process that promptly revokes access on role change or departure
- ctrl-insider-5: Use tamper-evident audit logging shipped to a system the actor cannot modify
- ctrl-insider-6: Apply DLP on email, file sharing, and removable media to detect bulk data egress
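The description above notes that insider detection must rest on behavioural rather than authentication signals, and ctrl-insider-2 calls for behaviour analytics. The following is an added illustration of that idea, not code from the original page: every event comes from a successfully authenticated account, and a user is flagged only because their daily download volume deviates from their own historical baseline or the activity falls outside assumed business hours. The event records, user names, thresholds and business-hours window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access events (not real telemetry): (ISO timestamp, user, files_downloaded).
# Every user authenticated successfully, so only behaviour can separate them.
EVENTS = [
    ("2024-03-04T10:12:00", "alice", 12), ("2024-03-05T09:40:00", "alice", 10),
    ("2024-03-06T11:05:00", "alice", 14), ("2024-03-07T10:30:00", "alice", 11),
    ("2024-03-08T13:15:00", "alice", 13), ("2024-03-11T02:20:00", "alice", 480),
    ("2024-03-04T09:00:00", "bob", 30), ("2024-03-05T10:10:00", "bob", 28),
    ("2024-03-06T15:00:00", "bob", 33), ("2024-03-07T09:45:00", "bob", 31),
    ("2024-03-08T16:30:00", "bob", 29), ("2024-03-11T11:00:00", "bob", 35),
]
BUSINESS_HOURS = range(8, 19)  # assumed normal working window, 08:00-18:59

def daily_totals(events):
    """Sum downloads per (user, date) so a burst spread over a day is one number."""
    totals = defaultdict(int)
    for ts, user, n in events:
        totals[(user, ts[:10])] += n
    return totals

def score_user_day(events, user, day, z_threshold=3.0):
    """Return the reasons a user's activity on `day` deviates from their own baseline.
    The baseline is that user's daily totals on every other day in the data."""
    totals = daily_totals(events)
    history = [v for (u, d), v in totals.items() if u == user and d != day]
    today = totals.get((user, day), 0)
    reasons = []
    if len(history) >= 3:  # need a few days before a z-score means anything
        mu, sigma = mean(history), pstdev(history) or 1.0  # flat baseline -> avoid divide-by-zero
        z = (today - mu) / sigma
        if z > z_threshold:
            reasons.append(f"volume z={z:.1f} ({today} files vs baseline mean {mu:.0f})")
    off_hours = [ts for ts, u, _ in events if u == user and ts[:10] == day
                 and datetime.fromisoformat(ts).hour not in BUSINESS_HOURS]
    if off_hours:
        reasons.append(f"{len(off_hours)} off-hours event(s)")
    return reasons

def review_day(events, day):
    """Map each user active on `day` to their anomaly reasons (empty list = unremarkable)."""
    users = {u for ts, u, _ in events if ts[:10] == day}
    return {u: score_user_day(events, u, day) for u in sorted(users)}

if __name__ == "__main__":
    for user, reasons in review_day(EVENTS, "2024-03-11").items():
        print(user, "FLAG" if reasons else "ok", "; ".join(reasons))
```

On the constructed data alice is flagged on 2024-03-11 for both volume and off-hours activity while bob, whose 35 downloads sit within his own normal range, is not; a real deployment would feed such scores into the review and just-in-time approval workflows the other controls describe rather than block automatically.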