Youattest Logo

Insider Threat Part 2: How Insiders Assemble & Recent Examples

Protecting against the insider is often protecting people against themselves. At at higher level, it’s protecting an organization (company) from their own employees and contractors.

In our first blog we discussed the type of insiders and why they “cheat” (or rather, what motivates them).

Today, we’ll explain how they assemble and provide some recent examples. Future blogs will discuss what we can do to reduce the exposure from insiders and the risk of financial consequences.

To start, there are four types of insider personas (we briefly named them in the last episode):

  • The goof
  • The pawn
  • The collaborator
  • The lone wolf

Looking at these personas, they are mostly self-explanatory, but there are some nuanced differences. The lone wolf is the classic example of a thief only out for themselves. They operate in the shadows, cover their tracks, and rarely discuss their escapades. The good news is that they can be caught with good technology and non-technical controls. The challenge is finding – or catching them – in the act.

The second group encompasses both the goof and the pawn. While these are technically different, their impact is similar – unaware of their impact (risk) of helping a malignant third party. Goofs do it purely by accident, whereas pawns are manipulated into helping. In the world of insider threats, goofs are normally innocent of malicious intent, whereas pawns might actually be held liable for facilitating a crime.

Finally, collaborators. These are the most dangerous to organizations, as they have a stake in stealing, doing harm to perfectly running businesses, and, in the recent publicized case at Twitter, raising hundreds of thousands in illicit Bitcoin.

The wildcard: consultants

All of this is made more difficult by a contingent workforce. Now more than ever, organizations need flexibility over managing fixed costs, and the way to do that is through working with third parties. Whether temporary (single project) or semi-permanent (outsourcing), managing and monitoring access of trusted third parties is difficult. This is often why organizations utilize VDI (virtual desktop infrastructure) to prevent data from “leaving” the organization.

Side-note: with work from home / work from anywhere, this problem is compounded, with long phone support wait times and underwhelming alternatives like chatbots and live chat (again, with long wait times).

Why are we talking about these?

Each of the personas requires a unique way to accomplish their (malicious) tasks.

In the world of identity management and governance, you must know what is allowed at that specific point in time. Remove access too soon, and you’ll impact productivity (both in the employee and the helpdesk, if this isn’t a sunk cost). Same goes for restrictive access which blocks one’s ability to do their job.

The other end of the spectrum is not removing access. This is where the insider threat comes into play – for those who are merely bored or “playing around”, reviewing healthcare data (HIPAA violation), student data (FERPA), or customer data can be perfidious.

Recent examples

To illustrate how and why each are perilous, we can look at how they were (impacted – leveraged) in attacks.

There continues to be a flurry of misuse of credentials. The cornerstone case is Twitter, but, as we’ve seen with Steve Wozniak’s lawsuit against Google (YouTube), there are a wide variety of Bitcoin scams around the internet.

The most dangerous – and perilous – examples are of IP theft. With a race towards a COVID-19 vaccine, China has been in the news for attempting to hack into life sciences companies. Has this been successful? It is unsure at this time.

But there are many examples of Chinese insiders that have been successful. This is often the case in high technology, aerospace, defense, and life sciences. One Monsanto employee was indicted in 2019:, and another for stealing secrets from Avago and Skyworks, his former employer:

Finally, insiders are notorious for selling equities prior to crashes. In 2020, two senators (who often have equity interests in organizations they are aware of or support), sold shares in companies prior to the March stock market crash:

In a more publicized and specific example, three now-former executive sold shares in Equifax a month before the hack was disclosed:

What could have prevented it?

Yet again, the enabler for misuse was improper credentials at that specific time.

In speaking with a security leader, he noted the challenge with granting and managing permissions. A shining example is Salesforce – who knows what type of access someone needs? The security team – no. The Salesforce administrator – no. The IT helpdesk – nope.

So who is the authority on Salesforce access rights? The employee’s direct manager.

But this is difficult to scale.

That’s why YouAttest’s forthcoming workflow allows access approvals in the same easy-to-use interface as the auditing tool.

YouAttest automates the creation and review of these access reviews. To learn more about YouAttest, please register for our next webinar, Insider Threat and Access Reviews. Or write us @