
TIPS #27: The Wolf in Sheep’s Clothing

Shane Shook

April 22, 2025

  • Blog Post
  • TIPS

Issue: Malicious insiders have target objectives, organization-specific process knowledge, and clear motives, posing a serious threat. They often evade security postures that are more oriented to external threats.  

A malicious insider is a person who seeks to use their access to harm an organization. As CISA notes, malicious insiders aim to “disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to information and technology systems.” Malicious insiders may be employees or third-party contractors, consultants, or partners with access to company systems. They may act alone or collude with an external threat actor voluntarily via recruitment or due to coercion. 

Malicious Insider Means, Motives, and Opportunities 

Malicious insiders may leverage their organizational knowledge and access to steal or modify sensitive data, sabotage digital or physical IT infrastructure, or commit espionage, money laundering, or fraud: 

  • Means: Varied, and include misuse of authorized access to company systems, dark web services (Initial Access Brokers, etc.), social engineering, malware, and subversion. 
  • Motive: Personal grievance due to perceived lack of recognition or a specific incident like termination; personal gain (often financial); or fear of coercion including extortion or physical threats. 
  • Opportunity: Access to inadequately secured company systems and resources, employees who are not trained to recognize insider threats, and organizations without adequate governance.  

For example, a company employee may secretly work for a competitor, performing corporate espionage and stealing intellectual property:  

  • The means are misuse of authorized access. 
  • The motive is personal gain. 
  • The opportunity is access to company recruitment, onboarding, and day-to-day functional/operating systems such as HR, Finance, and Sales, which are not adequately monitored, secured, and governed. 

External Threats Steal the Spotlight 

In many organizations, security tools including EDR, IAM, NDR, and DLP are more oriented to observing, detecting, and responding to external threats than internal ones. This leaves them at risk from malicious insiders: all eyes are looking outward without considering what’s happening inside the network. Without strong internal data handling, access, and monitoring controls, contextualized to the individual business process, purpose, and risk timing, malicious insiders have opportunities to commit crimes without detection. 
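The kind of inward-looking monitoring this paragraph calls for can be illustrated with a small baseline check over file-server access logs. The example below is added here and is not code from the original post or from any vendor named on this page; the log format (`timestamp user READ path bytes`), the working-hours window, and the thresholds are assumptions, and the log lines are constructed inline. Each user is scored only against their own history, so a routinely heavy user is not flagged for being heavy, while a user who suddenly pulls many more distinct files than usual (and after hours) is.

```python
"""Flag (user, day) pairs whose distinct-file reads are far above that user's own baseline.

Added example, not from the original post. Log format, thresholds and the
sample data below are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    path: str
    nbytes: int


def parse_log(text):
    """Parse 'ISO-timestamp user READ path bytes' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, path, nbytes = line.split()
        if action != "READ":
            continue
        events.append(AccessEvent(datetime.fromisoformat(ts), user, path, int(nbytes)))
    return events


def daily_profile(events):
    """Map (user, date) -> (distinct files read, total bytes, off-hours reads)."""
    files, nbytes, offhours = defaultdict(set), defaultdict(int), defaultdict(int)
    for ev in events:
        key = (ev.user, ev.ts.date())
        files[key].add(ev.path)
        nbytes[key] += ev.nbytes
        if ev.ts.hour < 7 or ev.ts.hour >= 20:  # assumed working window 07:00-20:00
            offhours[key] += 1
    return {k: (len(files[k]), nbytes[k], offhours[k]) for k in files}


def find_bulk_access(events, min_baseline_days=3, sigma=3.0, min_files=20):
    """Alert on days where a user's distinct-file count exceeds their own
    baseline mean + sigma * stdev (stdev floored at 1 so a flat baseline
    still has a band) and also exceeds an absolute floor of min_files."""
    by_user = defaultdict(dict)
    for (user, day), stats in daily_profile(events).items():
        by_user[user][day] = stats
    alerts = []
    for user, days in by_user.items():
        for day, (nfiles, total, off) in days.items():
            baseline = [s[0] for d, s in days.items() if d != day]
            if len(baseline) < min_baseline_days:
                continue
            mu, sd = mean(baseline), pstdev(baseline)
            if nfiles >= min_files and nfiles > mu + sigma * max(sd, 1.0):
                alerts.append({"user": user, "day": day.isoformat(), "files": nfiles,
                               "bytes": total, "off_hours_reads": off,
                               "baseline_mean": round(mu, 1)})
    return alerts


def build_sample_log():
    """Constructed sample: alice reads 2-3 files a day for two weeks, then
    pulls 40 distinct files late one night; bob is a steady heavy user."""
    lines = []
    for d in range(1, 15):
        for i in range(2 + d % 2):
            lines.append(f"2025-04-{d:02d}T09:{10*i:02d}:00 alice READ /eng/specs/doc{i}.pdf 204800")
        for i in range(25):
            lines.append(f"2025-04-{d:02d}T10:{i:02d}:00 bob READ /finance/report{i}.xlsx 10240")
    for i in range(40):
        lines.append(f"2025-04-15T23:{i:02d}:00 alice READ /eng/specs/design{i}.pdf 512000")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in find_bulk_access(parse_log(build_sample_log())):
        print(alert)
```

Run as-is it reports only alice's 2025-04-15 activity (40 files, all after hours, against a baseline of 2.5 files per day); bob's 25 files per day never fire because the comparison is against his own history. In practice the per-user baseline would be combined with the business context the paragraph mentions, for example whether the user is in a notice period or whether the paths belong to a project they are assigned to.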

Adding to the challenge, AI is fueling mass data collection and elevating malicious insider threats. Internal AI tools like Retrieval Augmented Generation (RAG)-based copilots often lack proper data security and privacy controls, increasing the risk of insider data theft and sabotage of processes depending on AI output. Malicious insiders may subvert these systems by poisoning or otherwise manipulating internal AI models to meet their objectives, as researchers at UT Austin (supervised by Symmetry Systems CEO and Co-Founder Dr. Mohit Tiwari) discovered in 2024. As agentic AI enters the picture, there are also new security and observability challenges which intersect with insider threats.  

Impact: Malicious insider threats slip past defenses and cause long-term damage.  

Malicious insiders can do serious harm given their high level of access and familiarity with company systems, strong motivation, and specific objectives. Insider IP theft, operational disruptions, and data breaches cause financial losses, regulatory and legal ramifications, and reputational damage. Subversive insider threats may go unnoticed for years, compounding the effects.  

Case Study: Bad Leaver 

Take the high-profile case of former Uber executive, Google engineer, and Waymo co-founder Anthony Levandowski. In 2016, Levandowski was leaving Google to found self-driving car company Otto (acquired by Uber later that year) when he stole confidential trade secrets related to Google’s self-driving car program (now known as Waymo) to benefit himself and his new company (motive). He downloaded thousands of files from an internal password-protected server using his employee access (means) without Google’s initial awareness (opportunity).  

Google began investigating Levandowski after Uber’s acquisition of Otto and learned about the data theft. Waymo eventually filed a civil suit against Uber, which agreed to pay Waymo $245 million in company equity and not to use Waymo’s technology schematics. Levandowski faced separate federal charges and in 2020 pled guilty to one count of trade secret theft.  

Other high-profile cases of malicious insiders include: 

  • Employee Self-Interest: The 2008 case of MF Global trader Evan Dooley, who placed unauthorized commodities trades using the company’s order entry system from his own account on a personal device, costing the company over $141 million and a stock price decrease of over 90%. 
  • Bad Leaver and Team Coercion: The 2015 case of UCSD researcher Dr. Paul Aisen, who conspired with competitor university USC to steal Alzheimer’s research program assets and bring them to USC using Aisen’s insider access, in addition to attempting to coerce other UCSD researchers.   

Action: Adapt your cybersecurity posture to mitigate malicious insider risks and quickly respond to insider threats.  

Most organizations are still oriented towards “endpoint-first” detections. Today’s disparate IT(C) systems require an evolution to an “identity-first” security posture that reflects threat actor Tactics, Techniques, and Procedures (TTPs) of credential abuse through available services. 

1. Identity Security 

Malicious insiders abuse trust, credentials, and access to accomplish their objectives. 1Kosmos helps companies secure access with zero trust strategies including advanced biometric MFA, passwordless authentication, and tools that facilitate least privilege principles. 

Mitigating malicious insider risks also requires strong asset management practices, active directory (AD) risk reduction, and risk-aligned access controls. SPHERE identifies and eliminates over-privileged access to protect critical data.  

“Organizations need to prioritize good identity hygiene by regularly reviewing and cleaning up their AD groups. This ongoing process includes removing inactive or irrelevant members, consolidating duplicated groups, and flattening heavily nested structures. By doing so, they can prevent data leaks, reduce their attack surface, and streamline access management processes. Security teams can simplify reporting by automating the remediation process and resolving any access control challenges, thus securing critical data, privileged accounts, on-prem messaging, and other protected assets.”

Rita Gurevich, Founder and CEO, SPHERE
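The group-hygiene review described in the quote above (stale members, duplicated groups, deeply nested or circular nesting) can be expressed as a few checks over a directory export. The example below is added here and is not SPHERE's code or any real directory's data: the group and user records are a constructed snapshot in the shape a script might receive from an AD export, and the 90-day idle limit and maximum nesting depth of 2 are assumed thresholds.

```python
"""Audit a constructed directory snapshot for the AD group-hygiene issues
named in the quote: stale members, duplicated groups, deep or cyclic nesting.

Added example, not from the original post or from SPHERE. The snapshot,
thresholds and the field names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 4, 22)  # assumed audit date

# Constructed snapshot: user -> last interactive logon (None = never logged on)
USERS = {
    "alice": date(2025, 4, 20), "bob": date(2024, 9, 1), "carol": date(2025, 4, 1),
    "dave": None, "erin": date(2025, 4, 21), "frank": date(2025, 4, 10),
}

# Constructed snapshot: group -> direct user members and directly nested groups
GROUPS = {
    "Finance-Data-RW": {"users": [], "groups": ["Finance-Staff"]},
    "Finance-Staff": {"users": ["alice", "bob"], "groups": ["Finance-Leads"]},
    "Finance-Leads": {"users": ["carol"], "groups": ["Finance-Execs"]},
    "Finance-Execs": {"users": ["erin"], "groups": []},
    "Legacy-Finance": {"users": ["alice", "bob"], "groups": ["Finance-Leads"]},  # same as Finance-Staff
    "HR-Readers": {"users": ["dave"], "groups": []},
    "Loop-A": {"users": [], "groups": ["Loop-B"]},
    "Loop-B": {"users": ["frank"], "groups": ["Loop-A"]},  # circular nesting
}


def effective_members(name, groups, _seen=None):
    """Resolve nested membership to the flat set of users; cycle-safe."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    users = set(groups[name]["users"])
    for child in groups[name]["groups"]:
        users |= effective_members(child, groups, seen)
    return users


def nesting_depth(name, groups, _path=()):
    """Longest group-in-group chain below `name`; returns (depth, cyclic)."""
    if name in _path:
        return 0, True
    depth, cyclic = 0, False
    for child in groups[name]["groups"]:
        d, c = nesting_depth(child, groups, _path + (name,))
        depth, cyclic = max(depth, d + 1), cyclic or c
    return depth, cyclic


def duplicate_groups(groups):
    """Groups whose direct membership (users and nested groups) is identical."""
    by_membership = defaultdict(list)
    for name, g in groups.items():
        by_membership[(frozenset(g["users"]), frozenset(g["groups"]))].append(name)
    return sorted(sorted(names) for names in by_membership.values() if len(names) > 1)


def stale_members(groups, users, as_of, max_idle_days=90):
    """(group, user, idle_days) for direct members idle too long or never logged on."""
    out = []
    for gname, g in groups.items():
        for u in g["users"]:
            last = users.get(u)
            idle = None if last is None else (as_of - last).days
            if idle is None or idle > max_idle_days:
                out.append((gname, u, idle))
    return sorted(out)


def audit(groups, users, as_of, max_depth=2, max_idle_days=90):
    """Combine the checks into one report a reviewer can act on."""
    deep, cyclic = [], []
    for name in groups:
        depth, cyc = nesting_depth(name, groups)
        if cyc:
            cyclic.append(name)
        elif depth > max_depth:
            deep.append((name, depth))
    return {"deeply_nested": sorted(deep), "cyclic": sorted(cyclic),
            "duplicates": duplicate_groups(groups),
            "stale": stale_members(groups, users, as_of, max_idle_days)}


if __name__ == "__main__":
    for finding, items in audit(GROUPS, USERS, AS_OF).items():
        print(finding, items)
```

On the constructed snapshot the report flags `Finance-Data-RW` (three levels of nesting), the `Loop-A`/`Loop-B` cycle, `Legacy-Finance` as a duplicate of `Finance-Staff`, and `bob` and `dave` as stale members. The same functions would run unchanged over real data once `USERS` and `GROUPS` are filled from a directory export; resolving effective membership before deciding who really reaches a resource is the step that makes the least-privilege review meaningful.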

2. Data Security 

It’s essential to develop and maintain strong data security policies and practices that protect against malicious insider activities. Symmetry Systems’ data security posture management (DSPM) platform gives you full visibility into data, its location, who can access it, and how it’s being used- protecting against insider threats.  

3. Vendor and Partner Risk Management 

Your security program should be aligned to assess and manage third party risks from vendors and partners. Hyperproof centralizes vendor and partner risk management within broader GRC objectives, giving you tools to conduct vendor due diligence and assessments, contract reviews, and risk remediation.  

4. Securing AI Integrations 

As discussed, AI models can amplify malicious insider activities and present a target for misuse and abuse. To secure your AI integrations, start by reviewing OWASP’s AI Security and Privacy Guide and AI Exchange for an overview of AI security and privacy best practices.  

Next, monitor and test AI models and integrations to mitigate insider risks. Bishop Fox assesses AI integrations from training to production, testing user experience, guardrails, content filtering controls, and model behavior. 

“The malicious insider threat vector is particularly relevant when companies use RAG-based AI systems like copilots. Individuals with minimal data access can potentially poison data to influence AI system outputs. This shows the limitations of many current security models and underscores the need for comprehensive data security posture management.”

Dr. Mohit Tiwari, Co-Founder and CEO, Symmetry Systems

5. Incident Response 

Malicious insider threats can leave behind long-lasting damage, from the moment of the compromise to months and years later. Surefire Cyber helps companies create, assess, and implement comprehensive incident response plans to respond to and recover from incidents. 

“Insider threats aren’t just a technology problem; they’re issues of visibility, trust, and culture. You can’t defend what you can’t see. Any organization concerned about insider threats needs a strong mix of identity controls, continuous monitoring with behavioral analytics, and a culture of accountability. Technology like zero trust and tight access controls are critical, but without accountability, even the best tools can’t stop trusted insiders from becoming your biggest risk.”

Billy Gouveia, Founder and CEO, Surefire Cyber

6. Posture Management 

An active, well-aligned cybersecurity posture lowers the risk of malicious insider incidents and mitigates impacts. SolCyber helps you facilitate complete security posture management with a range of active and passive managed security services.