Delegated Access via Managed Service Providers

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

Establish and maintain processes where all policy violations, including those perceived as minor or low-impact, are addressed consistently, proportionately, and promptly. By reinforcing that even small infractions matter, organizations deter boundary testing behaviors and reduce the risk of escalation into more serious incidents.

Implementation Approaches

• Develop clear disciplinary guidelines that outline expected consequences for different categories of violations, ensuring minor infractions are not overlooked.
• Empower first-line supervisors and managers with authority and tools to address minor violations at the earliest opportunity through corrective conversations, formal warnings, or minor sanctions as appropriate.
• Track policy violations centrally, including minor incidents, to identify repeat offenders or emerging behavioral patterns across time.
• Communicate the rationale for enforcement to the workforce, framing minor violation enforcement as a measure to protect operational integrity rather than bureaucratic punishment.
• Conduct periodic reviews of enforcement actions to ensure consistency across departments, teams, and levels of seniority, minimizing perceptions of favoritism or uneven discipline.

Operational Principles

• Proportionality: Responses to minor violations should be appropriate to the severity but still reinforce the boundary.
• Visibility: Enforcement actions should be visible enough to deter others, without unnecessarily shaming or alienating individuals.
• Predictability: Personnel should understand that violations will predictably result in consequences, eliminating ambiguity or assumptions of tolerance.
• Escalation Readiness: Organizations should be prepared to escalate interventions for individuals who demonstrate patterns of repeated minor violations.

A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.

Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.

This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.

Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.

Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.

Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.

Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.

Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.

In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.

Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses.

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

Threat intelligence feeds that include indicators of insider tactics—rather than just malware or phishing IoCs—can inform policy decisions, access design, and targeted monitoring. These feeds allow organizations to anticipate adversarial interest in recruiting, coercing, or planting insiders, and to mitigate the tools and behaviors those insiders are likely to use.

Prevention Measures:

Subscribe to threat intelligence services that provide curated insider threat profiles, including:

• Recruitment patterns used by foreign intelligence services.
• Behavioral precursors to sabotage, data theft, or access misuse.
• Indicators from anonymized insider case disclosures (e.g., DFIR reports, industry reporting, national CERTs).

Use these feeds to inform:

• DLP tuning based on exfiltration paths observed in real incidents.
• Risk-based access policies that factor in job function, department, or geographic anomaly exposure.
• Targeted internal education on known techniques (e.g., false flag account creation, side-channel messaging, Git repo exfiltration).

Examples of Insider-Focused TI Sources:

• CERT Insider Threat Center
• Mandiant reports on insider-aligned TTPs
• Verizon DBIR insider incident breakdowns
• Public sector alerts (e.g., FBI on DPRK IT workers or contractor placement)
• Industry-specific ISACs with insider incident advisories

Network Access Control (NAC) manages and regulates devices accessing a organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.
 

NAC performs the following functions:

• Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
• Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
• Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
• Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
• Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

Key Prevention Measures:

Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.

• Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
• Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
• Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
• Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

Benefits:

PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.

Regulation Awareness Training equips staff with the knowledge and understanding required to comply with legal, regulatory, and policy obligations relevant to their roles. This includes, but is not limited to, export controls, international sanctions, anti-bribery laws, conflict-of-interest rules, antitrust regulations, and data protection requirements.

The training should be customized according to the specific risks of different roles within the organization, ensuring that employees in high-risk areas—such as legal, procurement, sales, finance, engineering, and senior management—receive in-depth education on how to recognize and avoid behaviors that could lead to regulatory violations. Scenarios that could result in inadvertent or intentional breaches should be addressed, alongside practical advice on how to report concerns and escalate issues.

To accommodate varying learning styles and operational needs, Regulation Awareness Training can be delivered through multiple formats:

• eLearning Modules: For general staff, to provide flexible, scalable training on compliance topics, which can be completed at the employee's convenience.
• Instructor-led Sessions: For higher-risk roles or senior management, where more interactive, in-depth training may be necessary to address complex regulatory requirements and nuanced decision-making.
• Scenario-based Workshops: To reinforce learning with real-world examples and role-playing exercises that help employees internalize regulatory concepts.

By fostering a culture of compliance and accountability, Regulation Awareness Training helps minimize the risk of breaches, whether intentional or accidental, and strengthens the organization’s ability to identify, prevent, and respond to regulatory infringements.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.

Implementation Approaches

• Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
• Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
• Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
• Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
• Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.

Operational Principles

• Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
• Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
• Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
• Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.

Monitor AWS CloudTrail logs to detect unauthorized creation, modification, or deletion of compute, storage, network, or management resources. Unauthorized resource activity may indicate insider preparation for data exfiltration, illicit compute use, or unauthorized persistent access.

Where to Configure/Access

• AWS CloudTrail Console: https://console.aws.amazon.com/cloudtrail/
• AWS CloudWatch Logs Console (for log streaming and alerting): https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups

Detection Methods

Monitor CloudTrail API event types such as:

• RunInstances (EC2 instance creation)
• CreateVolume (EBS volumes)
• CreateBucket (S3 buckets)
• CreateFunction / UpdateFunctionCode (Lambda functions)
• CreateCluster (ECS/EKS clusters)

Configure event selectors to capture management events across all regions.

Set metric filters and alarms for suspicious activity through CloudWatch.

Indicators

• Unapproved resources provisioned without matching Infrastructure as Code deployments.
• Resources created manually via console or CLI outside approved automation frameworks.
• Resources missing mandatory organizational tags (e.g., project ID, owner).

Monitor Azure Activity Logs and Azure Resource Graph for detection of unauthorized creation, modification, or deletion of resources in Azure subscriptions. Unapproved deployments may signal insider staging, misuse of compute, or persistence attempts.

Where to Configure/Access

• Azure Activity Logs (via Azure Portal): https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activitylog
• Azure Resource Graph Explorer: https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ResourceGraph/queries

Detection Methods

Monitor for critical resource operation event types:

• Microsoft.Compute/virtualMachines/write (VM creation)
• Microsoft.Storage/storageAccounts/write (Storage)
• Microsoft.KeyVault/vaults/write (Key Vaults)
• Microsoft.Authorization/roleAssignments/write (Role Assignments)

Deploy Azure Monitor or Sentinel queries for operational drift and unauthorized resource creation.

Indicators

VMs or services deployed outside managed resource groups.

Use of non-standard SKU types (e.g., GPU-enabled VMs).

Resources missing mandatory tags such as cost center or compliance level.

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

Service Principal Names (SPNs) are unique identifiers used by the Kerberos authentication protocol to associate a service instance with a specific account in Active Directory. In the Kerberos authentication process, a client—which could be any user, computer, or service—requests access to a particular service, such as email, file shares, or database servers. To authenticate and gain access to that service, the client must obtain a service ticket from the Ticket Granting Service (TGS).

The client first requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), which is part of the Kerberos infrastructure. Once the client has a TGT, it can use it to request a service ticket from the TGS for a specific service identified by its SPN. The service ticket contains the hashed credentials of the service account associated with that SPN, allowing the client to authenticate to the service securely.

In a Kerberoasting attack, an adversary—who is often a domain-joined user—requests service tickets for service accounts with weak or guessable passwords. These tickets can then be captured and cracked offline to reveal the service account’s password. This process is typically initiated by an attacker who targets SPNs associated with high-privilege accounts.

A Honey SPN is a decoy SPN created with no legitimate use, designed specifically to attract malicious actors. By monitoring for TGS requests for these fake SPNs, defenders can detect when attackers are probing for service tickets associated with non-existent or intentionally misleading accounts. These unauthorized requests serve as an early detection mechanism, allowing defenders to identify enumeration attempts and potential attack activities before credential abuse occurs.

Event ID: 4769 – Kerberos Service Ticket Request (Security Log)
This event is logged whenever a client requests a service ticket from the TGS. It provides details of the SPN being requested, allowing defenders to track requests for honey SPNs and identify potential Kerberoasting activity.

In cyber deception, a "honey user" (or "honey account") is a decoy user account designed to detect and monitor malicious activities. These accounts attract attackers by appearing legitimate or using common account names, but any interaction with them is highly suspicious and flagged for investigation. Honey users can be deployed in various forms, such as Active Directory users, local system accounts, web application users, and cloud users.

A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

Monitor Google Cloud Audit Logs to detect unauthorized creation or modification of compute, storage, and IAM resources. Subjects creating GCP resources without authorization may be staging infrastructure for exfiltration or persistent insider access.

Where to Configure/Access

• Google Cloud Logging (Audit Logs): https://console.cloud.google.com/logs
• Admin Activity Logs Documentation: https://cloud.google.com/logging/docs/audit

Detection Methods

Monitor Admin Activity logs for key methods:

• compute.instances.insert (VMs)
• storage.buckets.create (Buckets)
• compute.disks.insert (Persistent disks)
• iam.serviceAccounts.create (Service Accounts)

Use Log-Based Metrics and Cloud Monitoring alerting for policy violations.

Monitor project and folder-level activity for resource creation.

Indicators

• VMs or services created in unauthorized folders or projects.
• New service accounts with high privileges.
• Missing mandatory labels (environment, owner, compliance status).

Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.

Monitor Oracle Cloud Infrastructure (OCI) Audit Logs to detect unauthorized system or service creation. Unauthorized provisioning in OCI can indicate insider threat activity aimed at illicit compute use, data staging, or security control bypass.

Where to Configure/Access

• OCI Audit Console: https://cloud.oracle.com/audit
• OCI Audit Documentation: https://docs.oracle.com/en-us/iaas/Content/Audit/Concepts/auditoverview.htm

Detection Methods

Analyze Audit Events such as:

• LaunchInstance (Compute instance creation)
• CreateBucket (Object Storage creation)
• CreateVolume (Block Volume creation)
• CreateVcn (Virtual Network creation)

Configure Object Storage log exports and integrate with SIEM tools (e.g., Splunk, QRadar) for real-time detection.

Indicators

• Compute or storage resources created in unauthorized compartments.
• VCNs created without associated security lists or network ACLs.
• Instances launched using high-compute shapes without approved business justification.