The insider threat is when legitimate users of a system do harm, whether by exfiltrating data or causing denial of service. Because they are legitimate users of the system, they are very difficult to catch.
DETECTING: Your typical SIEM and monitoring solutions aren't always best placed to detect the insider, as insiders are most often doing what they are legitimately permitted to do. However, as part of our Insider Threat Prevention service, we fine-tune what is permitted to make detection more sensitive in key areas. Our experience over the years has produced many Insider Threat use cases that form the basis of our detection regime. We don't need a SIEM to do what we do; we have caught threat actors with little more than some event logs and a spreadsheet.
HUNTING: Once we suspect insider activity, we start to chase them down, looking for evidence of nefarious activity. Insider Threat Hunting is far more difficult than normal threat hunting because the majority of the insider's activity is legitimate. This ties in with our Forensic Readiness Review service.