How to Defend Against Malicious Insider Attacks


We’d love to believe that all employees act in good faith and show undying loyalty to their companies. Sadly, the truth is some employees do have malicious intent.

Malicious insider attacks are typically carried out by an employee who has been offered a large sum of money from a competitor in exchange for stealing company secrets. The targeted data is often stored in Google Workspace, Microsoft 365, or another SaaS enterprise platform accessible to employees.

A former Apple engineer recently reached a plea agreement after he was arrested for stealing intellectual property he reportedly planned to sell to a competitor. While malicious insiders don’t receive a ton of press, they have been, for example, deemed a “significant risk” to Australia’s defense system.

How Most Malicious Insiders Obtain Guarded Company Information

Verizon’s 2022 Data Breach Investigations Report shows that the most common way to carry out a malicious insider attack is through privilege abuse. This term refers to the misuse of privileges associated with a user’s account, whether that misuse is deliberate or accidental. The motive for a malicious insider attack is most commonly financial (78%), followed by a grudge (9%) and espionage (8%), which round out the top three.

An external hacker’s typical attack lifecycle begins with reconnaissance and, if that succeeds, usually continues with initial access and persistence techniques. In the case of a malicious insider, those tactics aren’t necessary because the threat actor likely already has the knowledge and level of access needed to pull off the attack. This limits an organization’s detection abilities, because nothing may look out of the norm.

Most malicious insider attacks become visible later in their progression. Those signs aren’t always obvious. Let’s dig into some typical indicators that may let you know you’re dealing with a malicious insider and how to identify them within your SaaS environment.

The Suspicious Patterns and Activities to Watch For

Malicious insiders rarely show signs up front. Perhaps there’s a particularly disgruntled employee you might have a hunch about, but otherwise it’s hard to know who might be interested in extracting your most sensitive data.

Anyone with administrative privileges is a potential risk. But, of course, you don’t expect all of them to be malicious insiders. The true malicious actors are persistent, escalate privileges, and sometimes employ defense evasion tactics as they operate, making them harder to catch.

The creation of a new unauthorized account that has a high level of privileges should raise red flags. Maybe this is a normal action if you’re onboarding a new administrator. If not, it could be a sign of an insider attack. Likewise, if a suspended account becomes unsuspended and then starts sharing, exporting, or downloading data, your suspicions should be raised.

Sustained exfiltration is another potential indicator. Attackers will often try to export or download data in smaller batches in an attempt to avoid detection, but a large number of files moving over a sustained period of time (or all at once) should also be investigated as a potential threat.

Determining if Activities Qualify as Threat Indicators

When any of the above indicators are combined, your security team should look into the situation to determine whether the data movement is malicious or serves a legitimate business purpose.

The good news is there are insider threat programs to help organizations detect and identify individuals who may become insider threats by categorizing potential risk indicators. And when you pair threat detection with security posture management capabilities like continuous monitoring, you can actually prevent an incident from happening.

These insider threat programs use a variety of rules to determine which events to flag. Examples of these rules include:

  • Sustained data exfiltration detection: When data is repeatedly downloaded from your systems over a given time period, it can indicate long-term data exfiltration. Flagging these scenarios gives you the ability to see what data is being downloaded, how much has been downloaded, and how long a user has been doing so.
  • Email forwarded to external email address: Legitimate business reasons to send an email outside your organization are certainly valid. But it’s still a scenario where you want to know exactly who’s receiving those messages.
  • Resource shared externally: Similar to emails going outside your organization, any resource that’s been shared outside your environment can be flagged so you understand who is on the receiving end.
  • Custom rules: Recognizing that cookie-cutter rules may not be enough for some organizations is key for any insider threat program. Creating custom rules on the fly can, for example, enable you to monitor unique business processes. Or you can monitor for specific activities from groups or individual employees that meet certain criteria, such as users or groups gaining access to privileged data.
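To make the rule types above and the indicators described earlier (an unsuspended account that immediately starts downloading, small batches that add up to sustained exfiltration) concrete, here is an added example detector that is not part of the original post or of any vendor product. It runs over a constructed set of SaaS audit events; the event schema, the `example.com` internal domain, the thresholds and the user names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumed internal mail domain (hypothetical)

# Constructed sample SaaS audit events, one record per user action (not real logs).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "action": "download", "bytes": 5_000_000},
    {"ts": "2024-03-02T09:10:00", "user": "alice", "action": "download", "bytes": 6_000_000},
    {"ts": "2024-03-03T09:20:00", "user": "alice", "action": "download", "bytes": 7_000_000},
    {"ts": "2024-03-04T09:30:00", "user": "alice", "action": "download", "bytes": 8_000_000},
    {"ts": "2024-03-02T11:00:00", "user": "bob", "action": "email_forward", "to": "bob@partner.example"},
    {"ts": "2024-03-02T12:00:00", "user": "carol", "action": "share", "with": "dave@example.com"},
    {"ts": "2024-03-02T12:05:00", "user": "carol", "action": "share", "with": "x@gmail.example"},
    {"ts": "2024-03-05T08:00:00", "user": "admin", "action": "unsuspend", "target": "erin"},
    {"ts": "2024-03-05T08:30:00", "user": "erin", "action": "download", "bytes": 20_000_000},
]

def is_external(addr):
    """True when a recipient or collaborator is outside the organization's domain."""
    return not addr.lower().endswith("@" + ORG_DOMAIN)

def detect(events, window_days=7, min_days=3, min_bytes=20_000_000):
    """Return (rule, user, detail) findings for the indicators described in the post."""
    findings = []
    downloads = defaultdict(list)   # user -> [(timestamp, bytes)]
    unsuspended = {}                # account -> time it was re-enabled
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "download":
            downloads[e["user"]].append((ts, e["bytes"]))
            # Re-enabled account that immediately starts pulling data.
            if e["user"] in unsuspended and ts - unsuspended[e["user"]] <= timedelta(days=1):
                findings.append(("unsuspend_then_download", e["user"], e["bytes"]))
        elif e["action"] == "email_forward" and is_external(e["to"]):
            findings.append(("external_forward", e["user"], e["to"]))
        elif e["action"] == "share" and is_external(e["with"]):
            findings.append(("external_share", e["user"], e["with"]))
        elif e["action"] == "unsuspend":
            unsuspended[e["target"]] = ts
    # Sustained exfiltration: small daily batches that add up over a sliding window.
    for user, dl in downloads.items():
        for i, (start, _) in enumerate(dl):
            in_win = [(t, b) for t, b in dl[i:] if t - start <= timedelta(days=window_days)]
            total = sum(b for _, b in in_win)
            if len({t.date() for t, _ in in_win}) >= min_days and total >= min_bytes:
                findings.append(("sustained_exfil", user, total))
                break
    return findings
```

Calling `detect(EVENTS)` flags bob's external forward, carol's external share, erin's download right after being unsuspended, and alice's four modest daily downloads that together exceed the window threshold, while carol's share to an internal address is left alone.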

AppOmni takes a holistic approach to SaaS security with both proactive and real-time measures to continuously monitor all SaaS activity and provide alerts on potential malicious threats. Our platform continuously monitors SaaS activity and event logs, normalizes data, and delivers alerts with actionable context that reduce remediation time. Security teams can integrate AppOmni with SIEM, SOAR, and UEBA solutions to operationalize SaaS activity monitoring and quickly respond to threats.

Learn more about how you can use AppOmni to monitor your SaaS activities for potential malicious threats and take immediate action with guided remediation steps.
