What to Do When You Catch an Insider Threat


Insider threat actor captured in a server room.

Not all cybersecurity threats come from the outside. Insider threat attacks, enabled by the privileged permissions we give to trusted employees, can be hard to catch and devastating. Recently, one of my clients experienced an insider threat incident that highlights both the unique challenges of insider threat and the importance of being prepared for this type of incident.

The Incident

It started with a simple notification email. An employee received an alert from JIRA that file permissions had been changed on one of their documents. The change granted edit rights to a colleague they didn’t recognize as needing access. Thankfully, instead of ignoring it, the employee flagged the issue to their manager.

The manager escalated the report to the IT manager, who quickly began an investigation. What they found was concerning:

  • The user who received the new permissions had just put in their two weeks’ notice.
  • They were leaving the company on poor terms, having even threatened to take a vendor with them.
  • Their company OneDrive account had been completely wiped.

Fortunately, the client had robust backups in place. They were able to restore everything from OneDrive and, more importantly, review what had been deleted. It turned out that the employee hadn’t just tampered with one file. They had downloaded large amounts of company intellectual property (IP) to their personal systems.

The Response

The client’s incident response (IR) process kicked into action immediately. They took the following concrete actions: 

  • Opened an IR ticket to document the incident in detail.
  • Notified legal counsel and cyber insurance to determine any legal obligations and leverage cyber policy incident support.
  • Cut off all access to company systems for the departing employee.
  • Seized the company laptop for forensic review.
  • Confirmed data exfiltration to a personal cloud storage account through OneDrive log reviews.

After confronting the employee, the company terminated them on the spot. To avoid legal action, the former employee agreed to cooperate in verifying that all company data had been removed from personal devices.

That cleanup process included:

  • Running a script to locate company files.
  • Inspecting logs for data remnants.
  • Recording a live video call to visually confirm deletion of files on the employee’s laptop.
  • Walking through external drives, deleting files, and performing multiple full (not quick) reformats.
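The cleanup step "running a script to locate company files" deserves a concrete shape. The block below is an added example, not the client's script: it builds a SHA-256 manifest from the company's own restored OneDrive copy (the assumption being that the restore is the trusted reference), then sweeps a second directory tree for exact copies, catching renamed files, and for a hypothetical plain-text classification marker, catching edited copies that lost their original hash. The marker string, paths and fixture files are all constructed for the example; real Office documents are zip containers, so a byte-level marker scan only works on plain-text formats, and an exact-hash sweep reports the presence of known files, never their absence elsewhere.

```python
"""Locate copies of known company files on another machine (added example).

Two checks: exact SHA-256 match against a manifest built from the company's
restored OneDrive copy, and a content-marker scan for edited copies. The
marker and the sample trees are constructed for this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path

MARKER = b"CONFIDENTIAL - Example Corp"   # hypothetical classification tag stamped into company text files
CHUNK = 1 << 20                            # 1 MiB read size for hashing


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(company_root):
    """Map SHA-256 -> path relative to the company's restored copy, for every file in it."""
    root = Path(company_root)
    return {sha256_file(p): str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


def file_has_marker(path, marker=MARKER):
    """True if the marker appears in the first 4 MiB; only meaningful for plain-text formats."""
    with open(path, "rb") as f:
        return marker in f.read(4 * CHUNK)


def scan_device(device_root, manifest, marker=MARKER):
    """Walk a device tree; return exact hash matches (renamed copies) and marker hits (edited copies)."""
    found = {"exact": [], "marker": []}
    for dirpath, _, filenames in os.walk(device_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue   # unreadable file: skip rather than abort the whole sweep
            if digest in manifest:
                found["exact"].append((path, manifest[digest]))
            elif file_has_marker(path, marker):
                found["marker"].append(path)
    return found


def build_sample(tmp):
    """Constructed fixture: a 'company' tree and a 'personal laptop' tree holding a renamed
    exact copy, an edited copy that still carries the marker, and an unrelated file."""
    company = Path(tmp) / "company_onedrive"
    device = Path(tmp) / "personal_laptop"
    (company / "Projects").mkdir(parents=True)
    (device / "Downloads").mkdir(parents=True)
    roadmap = b"Roadmap 2024\n" + MARKER + b"\nQ1: ship widget\n"
    (company / "Projects" / "roadmap.txt").write_bytes(roadmap)
    (company / "Projects" / "pricing.txt").write_bytes(b"Price list\n" + MARKER + b"\nwidget: 100\n")
    (device / "Downloads" / "rm.txt").write_bytes(roadmap)                   # renamed exact copy
    (device / "Downloads" / "pricing-edited.txt").write_bytes(
        b"Price list\n" + MARKER + b"\nwidget: 90\n")                        # edited: hash differs, marker survives
    (device / "Downloads" / "holiday.txt").write_bytes(b"packing list\n")   # unrelated personal file
    return str(company), str(device)


def run_sweep(tmp=None):
    """Build the fixture in a temp directory and sweep the 'device' against the 'company' manifest."""
    tmp = tmp or tempfile.mkdtemp()
    company, device = build_sample(tmp)
    return scan_device(device, build_manifest(company))


if __name__ == "__main__":
    result = run_sweep()
    for path, original in result["exact"]:
        print(f"EXACT  {path}  (copy of {original})")
    for path in result["marker"]:
        print(f"MARKER {path}  (edited company document)")
```

In a real sweep the manifest is generated on the company side and only the hash list travels to the cleanup session, so no company content has to be copied to the device being checked; the output is the list that gets deleted on the recorded video call.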

While the client can’t know for certain whether data exists on an undisclosed drive, they did everything reasonable to ensure the data was secured. Thankfully, because the organization doesn’t host or retain customer data, no external notifications were required.

Lessons Learned

Every incident should end with a post-mortem. For this client, the review led to several important decisions:

Enhancing monitoring: Automating alerts in Microsoft Sentinel

This incident was caught as early as it was only because of a JIRA notification. Automated alerts in Microsoft Sentinel flag the kind of behavior this departing employee exhibited, such as mass downloads, permission changes, or large-scale deletions, in near real time. That lets the IT team investigate quickly, before the activity causes lasting damage.
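Both the OneDrive log review that confirmed the exfiltration and the Sentinel alerting described above come down to the same logic: count a user's downloads, deletions and permission changes inside a time window and alert when a threshold is crossed. The block below is an added example, not the client's Sentinel rule, written in Python over constructed records in the shape of the Office 365 Unified Audit Log AuditData JSON (CreationTime, UserId, Operation, ObjectId). The operation names are real OneDrive/SharePoint audit operations; the thresholds, the one-hour window and the "watchlist" rule (a tenth of the normal threshold for employees who have given notice, and a single permission change is enough) are assumptions to tune per tenant, and the sample log is made up.

```python
"""Spot mass download / deletion / permission-change bursts in Office 365 audit records.

Added example: a sliding-window detector over constructed Unified Audit Log
records. The record shape mirrors AuditData JSON, but the sample is made up.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Map raw OneDrive/SharePoint audit operations onto the three behaviours the post calls out.
OPERATION_CLASS = {
    "FileDownloaded": "download",
    "FileSyncDownloadedFull": "download",
    "FileDeleted": "delete",
    "FileRecycled": "delete",
    "FileDeletedFirstStageRecycleBin": "delete",
    "SharingSet": "share",
    "AddedToSecureLink": "share",
    "SharingInvitationCreated": "share",
}

# Events of one class by one user inside the window before an alert fires.
# Assumed starting points to tune per tenant, not vendor defaults.
DEFAULT_THRESHOLDS = {"download": 50, "delete": 100, "share": 5}


def parse_audit_records(lines):
    """Parse JSON-lines audit records into (timestamp, user, operation, object) tuples sorted by time."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["CreationTime"].replace("Z", ""))
        out.append((ts, rec["UserId"].lower(), rec["Operation"], rec.get("ObjectId", "")))
    out.sort(key=lambda r: r[0])
    return out


def detect_bursts(records, thresholds=DEFAULT_THRESHOLDS, window=timedelta(hours=1), watchlist=frozenset()):
    """Sliding-window count per (user, behaviour class); one alert per pair when the limit is reached.

    Watchlisted users (e.g. those who have given notice) trip at a tenth of the normal
    threshold, with a floor of one event, so a single permission change by them alerts.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, user, op, obj in records:
        cls = OPERATION_CLASS.get(op)
        if cls is None:
            continue
        key = (user, cls)
        dq = windows[key]
        dq.append(ts)
        while ts - dq[0] > window:      # drop events that fell out of the window
            dq.popleft()
        limit = thresholds[cls]
        if user in watchlist:
            limit = max(1, limit // 10)
        if len(dq) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "behaviour": cls, "count": len(dq),
                           "window_start": dq[0], "window_end": ts, "last_object": obj})
    return alerts


def build_sample_log():
    """Constructed sample: a departing user re-shares a colleague's file, pulls 60 files
    and deletes 150 within the hour; a colleague downloads three files normally."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    site = "https://example-my.sharepoint.com/personal"

    def ev(ts, user, op, obj):
        return json.dumps({"CreationTime": ts.isoformat(), "UserId": user,
                           "Operation": op, "Workload": "OneDrive", "ObjectId": obj})

    lines = [ev(base, "departing@example.com", "SharingSet", f"{site}/colleague/Documents/roadmap.docx")]
    lines += [ev(base + timedelta(minutes=5, seconds=30 * i), "departing@example.com",
                 "FileDownloaded", f"{site}/departing/Documents/ip-{i}.docx") for i in range(60)]
    lines += [ev(base + timedelta(minutes=60, seconds=10 * i), "departing@example.com",
                 "FileDeleted", f"{site}/departing/Documents/ip-{i}.docx") for i in range(150)]
    lines += [ev(base + timedelta(minutes=15 * i), "colleague@example.com",
                 "FileDownloaded", f"{site}/colleague/Documents/notes.docx") for i in range(3)]
    return lines


if __name__ == "__main__":
    records = parse_audit_records(build_sample_log())
    for a in detect_bursts(records, watchlist={"departing@example.com"}):
        print(f"{a['window_end']:%H:%M} {a['user']} {a['behaviour']} x{a['count']} (last: {a['last_object']})")
```

The same counting translates directly into a scheduled Sentinel analytics rule: summarize the OfficeActivity table by UserId and Operation in one-hour bins and alert above the threshold, with the HR-supplied list of departing employees kept as a watchlist so their thresholds drop the day they give notice.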

Implementing stronger data loss prevention (DLP) – upgrading Microsoft protections. 

Modern DLP tools help detect and block attempts to move sensitive files to unauthorized devices or cloud services. These can prevent, or at least significantly hamper, an insider threat actor's attempts to exfiltrate your data.

Restricting external email and cloud use: Blocking access to personal Gmail, Dropbox, and other unmanaged services.

Allowing personal email and file-sharing platforms creates easy exfiltration paths for company data. Restricting these services keeps information within monitored, company-approved channels.

Updating data handling policies: Clarifying expectations around data use and retention.

Policy updates make it clear that employees cannot download, delete, or move company data outside official systems. With training and enforcement behind it, the policy leaves no excuse for an employee to be moving data out, even accidentally.

Tightening offboarding procedures: Immediately revoking access when employees resign under negative circumstances.

Waiting even a day to revoke access gives departing employees time to cause harm. Immediate removal of access closes that window and is a straightforward step to protect company assets.

Best Practices for Managing Insider Threats

From this incident, several broader lessons apply to nearly every organization:

  1. Have backups you can trust. Without reliable OneDrive backups, this incident could have resulted in catastrophic loss of data.
  2. Train employees to speak up. The incident was only caught because someone reported a suspicious permission change.
  3. Legal and HR must be involved early. Insider threats are not just technical, they’re also legal and human issues.
  4. Plan for offboarding. Immediately revoking access for employees who resign under strained conditions is a best practice.
  5. Use user behavior analytics (UBA). Monitoring for abnormal data downloads or unusual access patterns can provide early warning before major damage occurs.
  6. Develop a clear incident response playbook for insider threats. Most organizations focus on external attacks, but insider threats require a different approach, especially when employee cooperation is necessary.
  7. Periodically test your DLP controls. It’s not enough to buy the tools; you need to validate that they stop unauthorized transfers in real scenarios.

Final Thoughts

Catching an insider threat is never pleasant. Insider threat incidents are difficult to manage, but swift action by the right people makes the difference. In my client’s case, careful validation of data deletion allowed them to contain the incident and avoid serious disruption. 


Samantha Pyrcz
As the Manager of Cybersecurity Analysts, Samantha helps with training, guidance, and enablement of the analyst team. Samantha has been employed at Fractional CISO since 2019 and previously worked as a cybersecurity analyst herself. She has worked at Hewlett Packard Enterprise’s Global Security department and Centene Corporation’s Cybersecurity Incident Response Team (CSIRT). Samantha is a Certified Information Systems Security Professional (CISSP). She has a bachelor’s degree from Western Governors University in Cybersecurity and Information Assurance.
