#NITAM: Preventing the Recruitment of Insider Threat Actors

Increasingly, organizations must be aware of cyber-threats from within their network perimeters as well as those looking to penetrate defenses from the outside. There is a growing trend of threat actors exploiting existing employees for their knowledge of and access to an organization’s data. These employees are most commonly known as insider threats.

This risk has significantly heightened since the COVID-19 crisis and the shift to hybrid working. Luke Walker, senior threat intelligence analyst at Searchlight Security, explained: “Remote work makes insider threat more of a risk by increasing both the chance of employees deliberately undermining the security of the company, or being tricked into doing so.

“Working from home makes people feel as if they are not being watched as closely; therefore, employees with a grudge are more likely to take an opportunity to either steal company data themselves or hand it over to cyber-criminals. For most employees, logging onto their company’s infrastructure from home is easy, they just enter their credentials into the virtual platform. Unfortunately, it is just as easy for them to hand over their credentials to a threat actor to do exactly the same thing.”

This year’s National Insider Threat Awareness Month, led by the US National Counterintelligence and Security Center (NCSC) and National Insider Threat Task Force (NITTF), focuses on preventing employees from stepping on this path, using the theme ‘Critical Thinking in Digital Spaces.’ This campaign is designed to “help individuals become less susceptible to various types of risks, to include social engineering, solicitation by adversaries, (foreign and domestic) and information designed to malign.”

In this article, Infosecurity explores how malicious cyber actors target employees and what organizations can do to mitigate this threat.

How Are Employees Targeted?

Firstly, it is important to emphasize that most insider threat employees are not maliciously motivated by aims such as harming their employers. Speaking to Infosecurity for the September 2022 edition of the Intosecurity podcast, Lisa Forte, partner at Red Goat Cyber Security, noted that “in almost all the cases, the US-CERT found that the insider was struggling in some way before they committed the attack, such as financially.”

Therefore, cyber threat groups often seek to entice employees with financial inducements, either through direct contact, such as communicating via social media, or by advertising these offers on the dark web and legitimate channels. “Cyber-criminals approach employees privately or even advertise that they are looking for employees in particular organizations. The ransomware group Lapsus$, for example, infamously posted a recruitment call on its Telegram channel for insiders in telecoms companies, software and gaming corporations, call centers and server hosts,” said Searchlight Security’s Walker.

Javvad Malik, lead security awareness advocate at KnowBe4, concurred, noting: “In times of economic uncertainty, many employees are lured by offers of money.”

Sometimes, staff are unwittingly tricked into becoming insider threat actors. Walker explained: “Working remotely, many people don’t know their colleagues as well as they would in the office, and those in large companies, in particular, are at risk of being compromised by a cyber-criminal masquerading as another member of staff. For example, Twitter’s incident in 2020 – where notable accounts were hijacked by a cryptocurrency scam – was executed by tricking an employee into handing over credentials using a (voice phishing) vishing attack.”

On other occasions, employees can be lured or even emotionally blackmailed into playing this part by being hoodwinked into believing they are in a romantic relationship. John Bambenek, principal threat hunter at Netenrich, commented: “Romance scams turned extortion is a popular tactic. People succumb to criminals seducing them virtually, usually, there is some sexting going on, and then the evidence is used against them.”

In terms of the types of employees targeted, Forte emphasized that there is “no common demographic profile of the perpetrators.” The only consistent characteristic is the ability to access sensitive information. “For theft to occur, you have to have access to things that are worth stealing like intellectual property or research and development,” she pointed out.

Actions Organizations Can Take

Identifying and preventing insider threats is a significant challenge for organizations, as it involves employees who have legitimate access to their systems and data. Nevertheless, there are a number of actions that can be taken to mitigate this risk.

An important area is access management: limiting the systems employees are able to access as much as possible and continuously monitoring this space, for example when roles and responsibilities change. “Organizations should be implementing basic security hygiene controls to ensure employees are only able to access data and systems that are necessary for their roles and responsibilities (i.e. the ‘need to know’ principle), networks are segregated to prevent unauthorized access and checks and controls are periodically performed to ensure security policies are being enforced,” commented Michael DeBolt, chief intelligence officer at Intel471.

With cyber threat actors increasingly communicating with target employees via legitimate social media platforms and the dark web, it is also vital that organizations have a mechanism for monitoring such channels to anticipate possible threats.

“All organizations should monitor marketplaces, forums, and social media channels for chatter about their company, cyber-criminals looking for insider knowledge, or disgruntled employees making unsavory comments – which could indicate an imminent attack. This monitoring has to extend to the dark web, as this is where cyber-criminals typically conduct their reconnaissance on organizations, believing they are out of the reach of law enforcement and cybersecurity teams,” said Walker.

As previously highlighted, many insider threat actors are not maliciously motivated and are tempted into taking such steps due to issues like financial troubles and stress. Therefore, looking after the well-being of employees, such as by developing employee assistance programs, is an important preventative measure. Lisa Forte stated: “If you have an employee who’s struggling financially, or in other interpersonal issues, you have ways of helping that person before it gets to a point where it can damage your organization.”

Last but not least is education – ensuring staff are fully aware of the tactics cyber-criminals may use to induce them into becoming insider threat agents and the potential consequences of doing so. Jamie Akhtar, CEO and co-founder of CyberSmart, said: “Your people need to know how to spot threats and which online behaviours are harmful. This should be coupled with clear cybersecurity policies so your staff know exactly what’s expected of them and what to do should the worst happen.”


Insider threats cover a broad spectrum, from maliciously motivated employees aiming to sabotage their employers to those experiencing personal troubles who are tempted by financial offers from cybercrime groups. Organizations must be aware of these different threats and take multifaceted actions to reduce the risk of these incidents occurring. In particular, there must be a greater focus on the human element, identifying and mitigating the different motivations at play before cyber-criminals can exploit them.
