
Insider Threat Matrix™
  • ID: DT125
  • Created: 21st May 2025
  • Updated: 21st May 2025
  • Contributor: Ryan Bellows

Threat Intelligence Feeds for Insider Threat Indicators

Leverage threat intelligence feeds that include insider-specific indicators—such as behavioral markers, tactics used by recruited insiders, anonymized exfiltration infrastructure, and social engineering methods—to enrich detection of internal threats. Unlike traditional TI feeds that focus on malware or external IPs, insider-focused feeds highlight tactics used to manipulate access, stage data, or coordinate with external actors.


Detection Methods:

Integrate insider-focused threat intelligence sources into SIEM, EDR, or UEBA platforms. These may include:

  • Indicators of misuse of collaboration tools (e.g., OneDrive, Slack, GitHub).
  • VPN or proxy services associated with known data exfiltration actors.
  • Identified techniques for bypassing DLP, such as steganography, encryption layering, or screen scraping.
  • Known burner email domains, decentralized file drop sites, or illicit data markets.


  • Use TI feeds that profile known insider operations—such as previously identified contractors or developers tied to state programs (e.g., North Korean contractor aliases).
  • Cross-reference internal behavior (e.g., file staging, privilege escalation, unusual scripting patterns) with threat actor TTPs derived from known insider incidents.
  • Monitor for command-line syntax, file naming conventions, or tools that match profiles of past insider incidents (e.g., private rsync use, exfil via private Git repos).


Indicators:

  • Use of anonymization tools or services commonly flagged in insider TI feeds.
  • Behavioral sequences (e.g., mass SharePoint access followed by personal cloud login) matching known insider TTPs.
  • Internal tool usage (e.g., PowerShell download cradle, credential harvesting) found in TI reports of insider toolkits.
  • Unusual outbound traffic to infrastructure linked to past insider activity or hybrid APT/insider collaboration cases.
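The enrichment and sequence matching described under Detection Methods and Indicators, as an added example that is not ITM's own code; the feed values, log events, read threshold and 30-minute window are constructed assumptions, not real indicators:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed insider-focused TI feed (placeholder values, not real indicators).
TI_FEED = {
    "anonymizer_hosts": {"203.0.113.77"},      # RFC 5737 documentation address
    "exfil_infra": {"drop.example.invalid"},
    "burner_domains": {"burner.example.invalid"},
    "personal_cloud": {"drive.example.invalid"},
}

# Constructed events: (ISO timestamp, user, event type, value), as a SIEM would hold them.
EVENTS = [
    ("2025-05-21T09:00:00", "alice", "sharepoint_read", "Finance/Q1.xlsx"),
    ("2025-05-21T09:02:00", "alice", "sharepoint_read", "Finance/Q2.xlsx"),
    ("2025-05-21T09:03:00", "alice", "sharepoint_read", "Finance/Q3.xlsx"),
    ("2025-05-21T09:20:00", "alice", "web_login", "drive.example.invalid"),
    ("2025-05-21T10:00:00", "bob", "sharepoint_read", "HR/handbook.pdf"),
    ("2025-05-21T11:00:00", "bob", "net_connect", "203.0.113.77"),
    ("2025-05-21T11:05:00", "carol", "email_sent", "x@burner.example.invalid"),
]

def enrich(event, feed=TI_FEED):
    """Return the feed categories whose indicators match this single event."""
    _, _, kind, value = event
    checks = {
        "net_connect": ("anonymizer_hosts", "exfil_infra"),
        "web_login": ("personal_cloud",),
        "email_sent": ("burner_domains",),
    }
    if kind == "email_sent":
        value = value.rsplit("@", 1)[-1]   # compare the recipient's domain only
    return [cat for cat in checks.get(kind, ()) if value in feed[cat]]

def detect_staging_sequence(events, feed=TI_FEED, threshold=3, window=timedelta(minutes=30)):
    """Flag a user whose SharePoint reads reach `threshold` inside `window`
    and are followed, within that window, by a login to a personal cloud service."""
    reads = defaultdict(list)
    alerts = []
    for ts, user, kind, value in sorted(events):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if kind == "sharepoint_read":
            reads[user].append(t)
        elif kind == "web_login" and value in feed["personal_cloud"]:
            recent = [r for r in reads[user] if t - r <= window]
            if len(recent) >= threshold:
                alerts.append((user, ts, len(recent)))
    return alerts
```

Tune the threshold and window to the organization's own SharePoint baseline before alerting on it, since bulk reads alone are routine for some roles.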


Examples of Insider-Focused TI Sources:

Sections

ID Name Description
MT017 Espionage

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

PR033 Joiner

The subject enters the organization with a pre-formed intent to exploit their position, gain access to sensitive data, or otherwise contravene internal policies. Unlike most new hires (who align with organizational values and security expectations), joiner-motivated subjects present a latent threat from day one, often embedding their intent within the onboarding process, role selection, or early-stage access decisions.


Joiner motivation may stem from pre-existing agendas including espionage, competitive intelligence, ideology, or personal financial gain. The subject may deliberately target roles that offer visibility into proprietary systems, customer data, intellectual property, or internal governance. Their background may be curated to pass pre-employment screening, and they may arrive with pre-established exfiltration methods or operational security tactics designed to avoid detection.


Risk is highest during the early tenure period, when access is granted but behavioral baselines are not yet established. These subjects often exploit onboarding leniency, trust-building phases, and provisioning delays, taking advantage of initial low scrutiny to stage preparatory actions or initiate incremental infringement.


Investigators should treat joiner cases with heightened sensitivity. Detection may implicate upstream controls such as hiring processes, third-party screening providers, or internal referral pathways. Missteps in attribution may also generate legal or reputational risk, particularly if the subject was placed in a position of elevated trust.

MT017.001 Nation-State Alignment

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.


Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.


Example Scenarios:


  • A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
  • A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.

MT005.002 Corporate Espionage

A third-party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit.

MT005.001 Speculative Corporate Espionage

A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third-party private organization.