Detecting the insider before the damage is done

June 3, 2025

As we discussed in the previous article, there are several types of insiders—some act with clear intent, while others unknowingly open the door to external attackers. In either case, the challenge in detecting them lies in distinguishing which behaviours come from the attacker and which from the legitimate user, since it's not possible to tell who’s who at a glance.

A notable case appeared in a May 2022 Yahoo report, when a data scientist stole the organisation’s intellectual property—more than 500,000 pages of research. He used this information to stand out in his new job, at a direct competitor of Yahoo.

The insider—whether negligent or malicious—represents one of the greatest challenges in cybersecurity.

Forensic techniques in the investigation helped confirm the data scientist’s intent and actions, showing that the documents had been transferred using his credentials to one of his personal devices, registered under the company’s BYOD policy.

Undoubtedly, a company like Yahoo takes Cyber Security seriously. However, intent in a user’s behaviour is extremely difficult to identify and control—especially when organisational tools and policies are not designed with a proactive cybersecurity approach in mind.

A common question from our clients is: 'What can we do to detect an insider before they carry out a malicious action?' The answer isn’t simple or universal—it depends on the organisation and its security policies. However, here are some controls that can help build a perimeter to prevent and detect these types of threats in time.

Traditional tools like firewalls, IPS or antimalware are not enough against insiders—especially those who know internal systems inside out.

One of the first things to consider is that traditional malicious activity detection tools—like firewalls, IPS, WAFs or antimalware—are not designed to detect internal attackers. This is mainly because these systems “trust” that the user is who they claim to be, but do not analyse whether the behaviour is “normal.”

Understanding the types of insiders

With this in mind, it's important to understand the risks associated with each of the three types of insiders.

  • Actions performed by a compromised insider or impersonated insider often display unusual behaviours or differ from the legitimate user’s, because someone is impersonating them and trying to explore the organisation.
  • The negligent insider leaves doors open, allowing attackers in—not to impersonate their profile, but to use that entry point to explore systems and networks.
  • The malicious insider is by far the hardest to detect and contain. They know the organisation, will avoid incriminating behaviour, and have time on their side.

The malicious insider is, without a doubt, the most difficult to detect and contain.

Given this context, there are measures that can help detect an internal attacker early by analysing factors such as:

  • Access to systems and assets. When an engineering employee attempts to access the finance server, it's highly suspicious—even if no malicious action is taken. Behaviour analytics capabilities in EDR or MDR systems can flag these anomalies.
  • Changes in user behaviour. For instance, activity spikes—whether during unusual hours or in the number of logins and processes executed in a short timeframe. Threat hunting teams play a key role in detecting these patterns by investigating processes and services on endpoints.
  • Data movement. Often, we focus on outbound or inbound data transfers over the network, but insiders may move data to removable media or even corporate cloud storage. Policy controls are critical, but detecting behavioural changes via pattern analytics is what makes the difference—this is where properly configured XDR and MDR tools are essential.
  • External devices. These are usually used by compromised insiders, but sometimes negligent insiders allow attackers to connect devices to the corporate network or to their own computers, exposing company data. In such cases, technical controls like UBA are essential to detect suspicious behaviour across devices and networks.
  • Failed login attempts. One of the clearest signs of an attacker is when they try to escalate privileges, causing a spike in failed logins from a user on a machine. This may be the insider’s only big mistake before any malicious activity takes place. To detect this effectively, authentication logs are vital—monitored via SIEM alerts or behaviour anomalies detected by UEBA.
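As an added illustration of the last two factors (activity at unusual hours and a spike in failed logins from one user on one machine), the following detector is not from the article or any vendor tool: it runs over constructed authentication log lines and assumes a simple `timestamp host=… user=… result=…` format, a five-failure threshold inside a two-minute window, and a 07:00–20:00 working day.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article): one login event per line.
SAMPLE_LOG = """\
2025-06-03T09:02:11 host=eng-ws07 user=alice result=OK
2025-06-03T09:05:40 host=eng-ws07 user=alice result=OK
2025-06-03T22:41:03 host=fin-srv01 user=bob result=FAIL
2025-06-03T22:41:09 host=fin-srv01 user=bob result=FAIL
2025-06-03T22:41:15 host=fin-srv01 user=bob result=FAIL
2025-06-03T22:41:22 host=fin-srv01 user=bob result=FAIL
2025-06-03T22:41:30 host=fin-srv01 user=bob result=FAIL
2025-06-03T22:42:01 host=fin-srv01 user=bob result=OK
2025-06-03T14:10:00 host=eng-ws03 user=carol result=FAIL
2025-06-03T16:30:00 host=eng-ws03 user=carol result=OK
"""

def parse(line):
    """Turn one log line into a dict with a datetime under 'ts' (assumed format)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return (user, host, count, first_ts) for each user/host pair whose
    failures reach `threshold` inside a sliding `window`; one alert per pair."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e["result"] == "FAIL":
            buckets[(e["user"], e["host"])].append(e["ts"])
    alerts = []
    for (user, host), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, host, end - start + 1, times[start]))
                break
    return alerts

def off_hours_logins(log_text, start_hour=7, end_hour=20):
    """Successful logins outside the assumed working day; a success right after
    a failure burst (bob on fin-srv01 above) is the pattern worth triaging first."""
    return [(e["user"], e["host"], e["ts"]) for e in map(parse, log_text.splitlines())
            if e["result"] == "OK" and not (start_hour <= e["ts"].hour < end_hour)]
```

A single failure (carol) never fires, and the thresholds and working-day window are the baseline a UEBA would learn per user rather than fixed values.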

Detecting an insider before a malicious act is committed requires a contextual, behaviour-based approach, supported by advanced detection tools. Monitoring access or traffic isn’t enough—you need to understand actions, intentions and deviations from normal patterns.

Investing in observability, behavioural analytics, and tools like UEBA, EDR or XDR—properly configured—is now essential to prevent one of the hardest types of attack to detect: the one that comes from within.

Understanding the different types of insiders and the risks they pose is essential for developing proactive defence strategies.
