Ekran System Blog

News, opinions, and industry insights

4 Cyber Security Insider Threat Indicators To Pay Attention To


Probably, everyone can agree that stopping insider threats is not an easy task.  Various insider threat indicators help you to know where the potential threat is coming from, but this is only half of the battle.

Insider Threat Indicators

Before we fully dive into this topic, it is worth noting that you need much more than simply watching human behavior to identify insider threat. Reliable detection also requires a specific tools that will allow you to gather full data on user activities. However, fully discounting behavioral indicators is also a mistake, as they allow to detect users that pose increased risks of being malicious insiders, and better prepare for a potential attack by turning your attention to them.


In this article we will cover such behavioral signs and indicators, and also touch on effective insider threat detection. So, without further ado, let us look at the people, that pose the most risk to any organization.


What is an insider


First things first, we need to define who insiders actually are. In the simplest way, insider can be defined as a person belonging to a particular group or an organization. More often than not, said person can have legitimate access to a secure data, putting them into ideal position to threaten its safety.


However, not every insider has the same level of access, and thus not every one of them presents the same level of threat. Various sources, such as 2016 Insider Threat Spotlight Report, give us the information on most dangerous type of insiders include:


  • Privilege users – these are people with unrestricted access to sensitive data, most often system and database administrators, as well as upper management. While usually being the most trusted employees in an organization, they also pose the most threat.
  • Third party providers and contractors – usually, you have little control over cyber security on the third party provider end. While you may audit their security controls as a part of your selection process, this still does not guarantee a complete safety. It is best to protect your remote connections from potential malicious insiders or compromised accounts.
  • Remote workers – by connecting to your corporate infrastructure using personal, often poorly protected devices, they put your data under the threat of malicious attack and inadvertent leakage. For example, often such data can be easily accessed by family members and other associates
  • Regular employees – with limited access to sensitive data, employees rarely conduct full fledged insider attacks. However, they can often leak data or compromise your corporate infrastructure inadvertently, either by mistake or by becoming a victim of phishing.


As we can see, not every dangerous insider is a malicious one. There is also a big threat of inadvertent mistakes, committed, most often, by employees and subcontractors. Every company can fall victim to this and trying to reduce the likelihood of employee mistake is extremely hard.


Your best bet in this situation is to educate your employees on best cyber security practices and put policies in place that will limit the possibility and help mitigate damage in case of a mistake. For more details on this you can refer to our article on how to prevent user error.


And when it comes to malicious insiders, there are numerous things that can help you actually deter and detect attacks, not the least of which is actually user behavior evaluation.  Next, let’s take a more detailed look into an insider threat indicator ontology. 


Goals of malicious insiders


Malicious insiders can target a variety of assets, depending on their motivation, usually focusing on data that can be either easily sold on black market (such personal information of clients or employees), or can be crucial to company operations (such as marketing, financial information, or intellectual property). Frequent targets of malicious insiders include databases, file servers, endpoints, specific applications, mobile devices, as well as network and cloud storages.


The most frequent goals of malicious insiders include data theft, fraud, sabotage and espionage. In his book Beyond Fear, famous security expert Bruce Schneiner discusses several types of malicious insiders and their motivation:


  • Opportunist – insiders that didn’t plan any malicious actions beforehand, but decided to attack when an opportunity presented itself. Financial difficulties and a history of previous problematic behavior can be catalysts for such an attack. Opportunists can usually be easily deterred by the basic security measures, such as access control and user action monitoring. 
  • Calculated attacker – these types of insiders are usually much harder to deter. They plan their actions beforehand and usually target very specific data. It can be extremely hard to detect such attacks even after they happened.
  • Emotional attacker – these are disgruntled employees (for example, the one that received termination notice) attacking spontaneously out of revenge. They rarely wait for the right opportunity or have detailed plans and sometimes even want to get caught in order to bring attention to their issues.
  • Terrorist and digital activist – these insider attacks are usually pre-planned and often instead of stealing data, simply try to do as much damage as possible (for example, by compromising corporate network infrastructure and taking it out from within). They can’t usually be deterred by regular security and can even think of it as an additional challenge that validates their beliefs.


Apart from the four types above, Bruce Schneiner also mentions friends and relationships as another type of malicious insiders that can commit fraud or data theft by accessing computers of their friends or family without knowing it. This type of insiders is worth considering when dealing with subcontractors and remote workers.


4 Common behavioral indicators of malicious insider


Detecting malicious insider attack can be extremely difficult, particularly when you are dealing with calculated attacker or disgruntled former employee that knows all ins and outs of your company. One way to detect such an attack is to pay attention to various suspicious behavior indicators.


Of course, behavioral tells that indicate a potential insider threat can vary depending on the personality and motivation of malicious insider, but there are certain common things you need to watch out for:


1. Disgruntled employee


As mentioned above, when employees are not satisfied with their job or perceives a wrongdoing on part of the company, they are much more likely to conduct insider attack.


There are many signs of disgruntled employees, the most obvious of them are frequent conflicts with workers and supervisors. Declined performance and general tardiness (such as being late to work, doing more mistakes than usual, constantly missing deadlines, etc.) are also can be indicators of an unhappy employee. Employees, that exhibit such behavior, needs to be closely monitored.


Apart from that, employees that received notice of termination also pose additional risks and should be monitored regardless of their behavior up until they leave the work, at which point their access to corporate infrastructure should be immediately revoked.


2. Unusually enthusiastic employees


Sometimes employee will express unusual enthusiasm over additional work. This may include staying late at work without any specific requests, repeatedly volunteering for extra work, working at odd hours, trying to perform work outside the scope of their normal duties, etc.


All of these actions can be considered an attempt on part of employee to expand their access to sensitive data. While not necessary malicious, such actions are a great indication that you should keep an eye on the employee and make sure that they aren’t copying or otherwise tempering with sensitive data inside your company.


3. Unusually frequent trips and vacations


Sometimes employee will start to take trips to other cities of even countries. Such trips may be a good indicator for industrial espionage. Employee may work on a competing company, or even government agency, and transfer them your sensitive data.


Another indication of a potential threat is when employee expresses questionable national loyalty. This may not only mean that they are working with government agents or companies of other nations, but that they in general are more likely to stay loyal to the company and may take an opportunity to steal or compromise data when it presents itself.


Apart from that, frequent travel can also indicatea change to financial circumstances, which is in an of itself is a good indicator of a potential insider threat.


4. Unexplained changes to financial circumstances


If employee unexpectedly pays their debt or conducts expensive purchases without any obvious additional income sources, it can be a great indicator that they may profit from your sensitive data on the side.


There are several scenarios for this: they may be approached by competition and coerced into conducting industrial espionage (financially insecure employees are vulnerable, so you need to watch out for this); they may copy and sell your data for profit; they may start a competing business and use your data, such as client list, in order to take away your market share.


Overall, any unexpected and quick changes to financial circumstances are a case of concern and should be taken as a serious indicator for close monitoring over employee in question. If you want to learn more on behavioral indicators related to insider threats, refer to this PDF version of an Insider threat awareness course on a Sandia website.


It also worth noting that money is not the only way to coerce employees, even loyal ones, into industrial espionage. Sometimes competing companies and foreign states can engage in blackmail or threats. Damaging information, such as, for example, previous drug addiction or problems with the law can be effectively used against an employee if it falls into the wrong hands. One way to limit this is to use background checks in order to make sure that there is no undisclosed information that can be used for blackmail.


Apart from insider threat indicators helpful for predicting insider attacks, users behavior can also help you detect an attack in action. There are certain tells that indicate that users are gathering data without authorization. They include:


  • Unauthorized download or copying of sensitive data, particularly, when conducted by employees that received a notice of termination
  • Taking and keeping critical sensitive information in home
  • Operating unauthorized equipment (such as cameras, recording devices, mass storages, internet access points, etc.)
  • Asking other employees for their credentials
  • Accessing data that has little to no relation to present role at the company


Such behavior patterns should be considered as red flags and should be taken extremely seriously. In order to limit the damage from the potential insider attack, you should exercise thorough access control and make sure to prohibit mass storages and other unauthorized devices.


Ekran System – insider threat detection tool to reliably protect your data


Up to this point we discussed various behavior patterns that can serve as an indicator of a potential insider threat. However, we want to reiterate the point we made in the beginning – such indicators should not be used as a sole, or even main tool for detecting insider threats.


Instead, they are best used as a complimentary source of information combined with user action monitoring – your primary tool for insider threat detection. The only way to reliably know when an incident is taking place is to actually have a complete insight into what an insider is doing. And the only that provides such insight is user action monitoring solutions, such as Ekran System.


Ekran System conducts full video recordings of user screen, including all mouse movements, allowing you to literally see the same thing your employees are seeing. Insider attacks are often indistinguishable from regular employee routine, and not always indicated by their behavior. Having a complete video recording at hand allows you to circumvent such limitation.


Apart from that, Ekran System also records a wide variety of additional data. This includes names of executed applications, titles of active windows, visited URLs, clipboard content, entered keystrokes, connected USB devices, entered commands and running scripts for Linux sessions, etc. All of this data is coupled with a video, allowing for easy searching and producing a complete extensive picture of everything that’s happened during a user session.


Ekran System can record any user session regardless of the level of privilege, applications or network protocols used. Recording agent is designed to minimize performance impact, while compressed data has minimum load on the network and, likewise, has relatively small space requirements for storage.


Ekran System also aids in incident detection by providing robust alerting functionality (including predefined and custom made alerts), as well as powerful search feature. Any potential incident can be quickly detected and reviewed as necessary. If the session is still ongoing, it can be viewed in real time and user can be manually blocked, if necessary. Ekran System also can automatically block any connected USB devices, preventing the use of unauthorized mass storages.


Apart from session recording and incident response capabilities, Ekran System also provides additional protection in the form of several access control features. Secondary authentication allows to clearly distinguish between users of shared accounts, while one-time passwords and two-factor authentication functionality allow to reliably protect from credential theft and unauthorized logins.


Another major advantage of Ekran System is its flexible and affordable licensing, making the solution cost-effective for deployment of any size. Support for a free database is an additional boon for smaller companies, allowing them to save costs on additional third-party licenses.




Insider threat detection is tough, there is no ifs, ands, or buts about it. However, every company is vulnerable, and when insider attack eventually happens, effective detection and quick response can save company a ton of money in remediation costs and reputation damage. Therefore, it is always best to be ready now, than to be sorry later.


In order to make insider threat detection work, you need to know about potential behavioral tells, that will point you in the direction of a potential perpetrator. However, such indicators are not a panacea, and should be used in tandem with other measures, such as regular background checks and user action monitoring solutions, such as Ekran System.


Only by combining all the tools at hand you will be able to get truly impressive results when it comes to insider threat detection.