Master insider threat investigation — understanding the three insider archetypes and their motivational and behavioural signatures, correlating UEBA anomaly alerts with DLP events and access logs to build a defensible forensic timeline, maintaining proper chain of custody for digital evidence, and navigating the legal and HR framework that distinguishes insider threat investigation from standard incident response.
Insider Threat Investigation
An insider threat is a security risk originating from within the organisation — a current or former employee, contractor, or business partner who misuses authorised access. Unlike external attackers, insiders already have legitimate credentials, making their activity harder to detect against a background of normal authorised access.
Insider threat investigations are legally and ethically sensitive in ways that external breach investigations are not. Evidence must be collected carefully, chain of custody maintained from the first action, and HR and Legal involved before meaningful investigation begins. The technical investigation builds the factual record that supports any disciplinary or legal action — but that record is only useful if it was gathered according to proper procedure.
Why Insider Threats Are Harder to Detect Than External Attacks
Every detection technique in this curriculum — anomalous process spawning, external IP connections, authentication from unexpected locations — works because an attacker's behaviour differs from the normal baseline of the system they're attacking. An insider's behaviour differs much less sharply from normal, because normal for that individual includes legitimate access to the systems they're misusing. A sales manager who copies the entire customer list to a USB drive on their last day was already authorised to access that customer list. The anomaly is the copy, the volume, the destination, and the timing — all subtle deviations rather than the bright-line signals of an external attack.
Detecting an external attacker in your systems is like noticing a stranger has broken into your house — the presence of someone unknown is itself the alarm. Detecting an insider threat is like suspecting a family member has been stealing from the household over months. They have a key, they live there, they are expected to open drawers and use the kitchen. You can only detect the problem by noticing patterns in what they do, when they do it, and where things end up — not by their presence, which is entirely normal. This is why insider threat investigation is fundamentally about behavioural analysis and data movement, not access control violations.
Insider Threat Indicators
| Indicator | Examples |
|---|---|
| Behavioural | Resignation announced, disciplinary action, grievances filed, financial stress |
| Access | Accessing systems or data outside normal job function |
| Volume | Downloading/copying unusually large amounts of data |
| Timing | Activity outside business hours, especially nights and weekends |
| Destination | Data moving to personal email, personal cloud storage, or USB |
| Searches | Searching for data unrelated to current projects or responsibilities |
Insider Threat Investigation in Practice
User and Entity Behaviour Analytics (UEBA) flags deviations from an individual's normal baseline — access volume, timing, scope, and destination are all measured against that person's own history.
```text
UEBA Alert: Anomalous Data Access
User: [email protected]
Risk Score: 87/100 (HIGH)
Anomaly: Downloaded 4.2 GB in past 48 hours (baseline: 180 MB/week = 23x normal)
Anomaly: Accessed 340 files outside normal department scope (HR, Finance, Legal)
Anomaly: Activity between 23:00-02:00 on three consecutive nights
# Context from HR integration: Sarah submitted resignation notice 5 days ago
# Correlation of technical indicators + offboarding context = high confidence
```
Trace where the data went — DLP logs, proxy logs, and email gateway show the complete picture of outbound data movement across all channels.
```text
# DLP alert log — email gateway:
23:14:02  sarah.johnson → [email protected]
          Attachment: client_contracts_2026.zip (148 MB)
          DLP Rule: CONFIDENTIAL data egress via personal email -- BLOCKED
23:45:17  sarah.johnson → dropbox.com
          Volume: 2.1 GB upload
          DLP Rule: Large upload to personal cloud storage -- LOGGED (not blocked)
# Email attempt was blocked -- Dropbox upload was only logged
# 2.1 GB to personal Dropbox confirmed exfiltrated
# Note: DLP policy gap -- Dropbox should have been blocked, not just logged
```
A forensic timeline correlates events from all sources into a chronological narrative — the foundation of any legal or disciplinary proceeding.
```text
May 10 09:00  Sarah submits resignation (2-week notice, last day May 24)
May 10 19:34  First after-hours access -- HR and Finance file shares
May 11 23:14  Email attempt: client_contracts.zip to personal Gmail (BLOCKED by DLP)
May 12 00:02  2.1 GB upload to personal Dropbox account (logged, not blocked)
May 12 23:55  USB device inserted (SanDisk Cruzer, S/N: 4C530001)
May 13 02:10  347 files copied to USB drive E: via Event 4663
May 14 08:59  Sarah badged into office -- physical access logged
# Complete multi-channel exfiltration: email (blocked), cloud (succeeded), USB (succeeded)
# Timeline spans resignation to final week -- pattern of deliberate collection
```
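As an added illustration (not part of the original lab material), the following Python merges constructed records from the HR feed, file-share access, DLP verdicts and endpoint USB events into one ordered timeline, flags after-hours activity, and derives the per-channel outcome, treating a DLP "LOGGED" verdict as a completed exfiltration because nothing stopped the transfer. The source names, record layouts and the 22:00-06:00 after-hours window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FMT = "%Y-%m-%d %H:%M"

@dataclass
class Event:
    when: datetime
    source: str                    # which log the record came from
    detail: str
    channel: Optional[str] = None  # exfiltration channel, if any
    outcome: Optional[str] = None  # BLOCKED / SUCCEEDED

    @property
    def after_hours(self) -> bool:
        # Assumed business-hours window: 22:00 to 06:00 counts as after-hours.
        return self.when.hour >= 22 or self.when.hour < 6

# Constructed sample records mirroring the timeline above (not real data).
HR_FEED = [("2026-05-10 09:00", "Resignation submitted, last day 2026-05-24")]
FILE_SHARE = [("2026-05-10 19:34", "Access to HR and Finance shares")]
DLP = [  # (time, channel, detail, DLP verdict)
    ("2026-05-11 23:14", "email", "client_contracts.zip to personal Gmail", "BLOCKED"),
    ("2026-05-12 00:02", "cloud", "2.1 GB upload to personal Dropbox", "LOGGED"),
]
USB = [  # (time, detail, outcome)
    ("2026-05-12 23:55", "USB device inserted, S/N 4C530001", None),
    ("2026-05-13 02:10", "347 files written to E: (Event 4663)", "SUCCEEDED"),
]

def build_timeline() -> list:
    events = [Event(datetime.strptime(t, FMT), "HR", d) for t, d in HR_FEED]
    events += [Event(datetime.strptime(t, FMT), "FileShare", d) for t, d in FILE_SHARE]
    for t, ch, d, verdict in DLP:
        # A LOGGED-only verdict means the transfer completed: record it as a success.
        outcome = "SUCCEEDED" if verdict == "LOGGED" else verdict
        events.append(Event(datetime.strptime(t, FMT), "DLP", d, ch, outcome))
    events += [Event(datetime.strptime(t, FMT), "Endpoint", d, "usb", o) for t, d, o in USB]
    return sorted(events, key=lambda e: e.when)

def exfil_summary(timeline: list) -> dict:
    """Worst outcome per channel: any SUCCEEDED transfer outweighs an earlier BLOCKED one."""
    summary = {}
    for e in timeline:
        if e.channel and e.outcome and summary.get(e.channel) != "SUCCEEDED":
            summary[e.channel] = e.outcome
    return summary

def render(timeline: list) -> list:
    """One narrative line per event, in the style of the timeline above."""
    return [f"{e.when:%b %d %H:%M} [{e.source}]{' (after-hours)' if e.after_hours else ''} {e.detail}"
            for e in timeline]
```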
Digital evidence must be preserved correctly to be admissible in disciplinary or legal proceedings. A forensic image taken before the workstation is wiped is the difference between a provable case and an unprovable allegation.
Preserve (before any system action):
- Export and SHA-256 hash all relevant log files
- Create forensic image of workstation (dd or FTK Imager)
- Screenshot and export DLP alerts with full timestamps
- Export email gateway logs with message headers

Document (every investigative step):
- Record each action with analyst name, timestamp, tool used
- Note who accessed evidence and what they did with it
- Keep a signed chain of custody form updated throughout

Involve (before investigation begins):
- HR: disciplinary process ownership
- Legal: employment law, potential criminal referral, civil action
- Management: access revocation decision and timing
What You Need to Know
Three Insider Threat Archetypes — Different Motivations, Different Signatures
Not all insider threats look alike. The three primary archetypes differ in motivation, behaviour pattern, and the log signatures they generate. Understanding which archetype you're dealing with changes both the investigation approach and the appropriate response.
Motivated by competitive advantage at a new employer, spite, or financial gain. Typically active in the weeks before departure. The most common insider threat type.
Behavioural triggers: Resignation submitted, termination notice, recruitment contact from competitors confirmed.
Technical signature: Sudden volume spike in data access and download, files accessed outside normal job scope, data movement to personal channels (personal email, USB, personal cloud) concentrated in the pre-departure window.
Response: Preserve evidence, engage HR and Legal, restrict access to sensitive systems during notice period (standard in many organisations for departing employees in sensitive roles).
Motivated by grievances — passed over for promotion, disciplinary action, perceived unfair treatment. May sabotage systems or steal data as retaliation. Lower volume, higher intent to cause damage.
Behavioural triggers: HR complaint filed, performance improvement plan initiated, public conflict with management.
Technical signature: Unusual access to configuration files, backup systems, or administrative interfaces. May attempt privilege escalation. Deletions or modifications to operational data. Access at unusual hours.
Response: Preserve evidence, HR involvement critical, consider access restriction before confrontation (employee may accelerate damage when confronted).
Not intentionally malicious — their credentials have been stolen and an external attacker is acting through their account. The account behaviour is malicious, but the employee is a victim.
Distinguishing from a true insider: Impossible travel (login from two locations simultaneously), unfamiliar device user agents, access patterns inconsistent with the individual's actual work role and hours, access from the account to systems the employee has never used.
Response: Treat as external account compromise (IR03 playbook) — credential reset, session revocation, MFA review. Do not involve HR in disciplinary proceedings until it is confirmed whether the account was compromised or the employee acted maliciously.
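An added example, not from the lab material, of two of the checks named above: consecutive logins whose implied travel speed is physically impossible, and user agents never seen for this account. The login records, coordinates, the per-user agent baseline and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
MAX_SPEED_KMH = 900.0    # assumed ceiling: faster than any airliner
MIN_DISTANCE_KM = 100.0  # ignore jitter between nearby geolocations

# Constructed login records for one account: (time, city, lat, lon, user agent).
LOGINS = [
    ("2026-05-12 08:55", "London", 51.5074, -0.1278, "Windows10/Edge"),
    ("2026-05-12 09:20", "London", 51.5074, -0.1278, "Windows10/Edge"),
    ("2026-05-12 09:41", "Lagos", 6.5244, 3.3792, "Linux/curl"),
]
KNOWN_AGENTS = {"Windows10/Edge"}  # assumed per-user baseline from UEBA history

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(logins, max_speed=MAX_SPEED_KMH) -> list:
    """Flag consecutive logins that would require travelling faster than max_speed."""
    flags = []
    for prev, cur in zip(logins, logins[1:]):
        hours = (datetime.strptime(cur[0], FMT) - datetime.strptime(prev[0], FMT)).total_seconds() / 3600
        dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if dist >= MIN_DISTANCE_KM and (hours <= 0 or dist / hours > max_speed):
            flags.append((prev[1], cur[1], round(dist), round(hours, 2)))
    return flags

def unfamiliar_agents(logins, known) -> list:
    """User agents not in the account's historical baseline."""
    return sorted({ua for *_, ua in logins if ua not in known})

def assess(logins, known) -> dict:
    """Either indicator points to account compromise: route to the IR03 playbook, not to HR."""
    travel, agents = impossible_travel(logins), unfamiliar_agents(logins, known)
    return {"impossible_travel": travel, "unfamiliar_agents": agents,
            "likely_compromised": bool(travel or agents)}
```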
A legitimate employee doing something unusual but authorised — a finance staff member downloading the full year's accounts for audit, an IT administrator querying systems they don't normally touch for a legitimate project, a manager accessing HR records for a specific authorised task.
Resolution: Out-of-band verification with the employee's manager (not the employee themselves — this preserves covert investigation if the alert is real). If the activity is explained by a legitimate business task, document the explanation and close the alert with no action.
The risk of acting on UEBA alone: A UEBA alert is a starting point, not a conclusion. Confronting an employee over legitimate business activity creates legal exposure and destroys trust. The investigation must corroborate the UEBA finding with independent evidence from DLP, proxy, and access logs before any action.
Exfiltration Channel Reference — Detection Per Vector
| Channel | Detection Source | Key Evidence Fields | DLP Response |
|---|---|---|---|
| Personal email (Gmail, Outlook.com) | Email gateway / DLP | Recipient address, attachment filename, file size, DLP classification match | Block + alert (CONFIDENTIAL+); log only (INTERNAL) |
| Personal cloud storage (Dropbox, Google Drive, OneDrive personal) | Proxy logs / DLP / CASB | Destination domain, upload volume, authentication account, session duration | Block upload of classified content; alert on volume threshold |
| USB drive | Windows Event 4663, USBSTOR registry | Device serial number, file paths written, user account, timestamp | Block write to non-approved USB devices (Intune/endpoint policy) |
| AirDrop / Bluetooth | Endpoint security agent | Target device, files transferred, session time | Disable AirDrop on managed devices via MDM policy |
| Printing | Print server logs | Document name, pages, printer, user, timestamp | Watermarking on classified documents; print audit policy |
| Screen capture / photography | Difficult — HR/physical observation | External camera usage, unusual device presence in secure areas | Clean desk policy, CCTV in server/secure areas |
Evidence Standards — What Makes a Forensic Case
The technical investigation's purpose is to produce evidence that is accurate, complete, and legally defensible. A technically compelling case that was gathered without proper authorisation or chain of custody may be entirely unusable in disciplinary or legal proceedings. The legal framework must be understood before the investigation begins — not after the evidence has been gathered incorrectly.
Digital Evidence Admissibility Requirements
- Authorisation: The investigation must be authorised by appropriate stakeholders (legal counsel, HR, management) and consistent with the employee's employment agreement and applicable law. The company's acceptable use policy and employment contract typically grant the right to monitor company systems — but limits vary by jurisdiction.
- Authenticity: Evidence must be proven to be what it claims to be. Cryptographic hashing (SHA-256) of log files and disk images at the time of collection, with hashes recorded in the chain of custody document, proves the evidence has not been modified.
- Integrity: No modification to the original evidence after collection. Use write blockers when imaging disks. Never investigate from the original device — always work from a forensic copy. The original must remain in a sealed, access-controlled location with chain of custody documentation.
- Completeness: Evidence must capture the full picture, not just the incriminating portions. Selectively preserving only damaging evidence while discarding context that might exculpate is improper and creates legal exposure.
A complete chain of custody document for the Sarah Johnson insider investigation — every action documented with analyst, timestamp, and purpose.
```text
CHAIN OF CUSTODY — Case: CORP-2026-IT-047
Subject: [email protected] (HR Manager)
Opened: 2026-05-14 09:15 UTC by J. Harrington (SOC Lead)
Authorised: Legal (R. Chen) and HR (M. Williams) approval confirmed 09:22 UTC

09:30  J.Harrington  Exported UEBA alert data for sarah.johnson (2026-05-10 to 14)
                     SHA-256: a3f2b1c4... [hash of exported file]
09:45  J.Harrington  Exported DLP logs for sarah.johnson (same period)
                     SHA-256: d5e6f7a8...
10:15  J.Harrington  Forensic image of CORP-PC-031 (Sarah's workstation)
                     Tool: FTK Imager 4.7
                     SHA-256 of image: 9b8c7d6e...
                     Original drive sealed in evidence bag #E-2026-047-01
                     Witness: M. Williams (HR)
10:45  J.Harrington  Working from forensic image only -- original never touched again
                     Analysis workstation: FORENSIC-WS-01 (isolated, not domain-joined)
```
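The authenticity requirement above (hash at collection, record the hash with analyst, timestamp and tool, re-verify later) as an added Python example that is not part of the lab material. It hashes a constructed export, records the custody entry, and shows that an edit made after collection is detected on re-verification; the file name, the analyst and tool strings, and the JSON record layout are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path) -> str:
    """Hash in chunks so multi-GB disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    def __init__(self, case_id: str, subject: str, authorised_by: list):
        self.record = {"case": case_id, "subject": subject,
                       "authorised_by": authorised_by, "entries": []}

    def collect(self, path, analyst: str, tool: str, purpose: str, witness=None) -> str:
        """Record who collected what, with which tool, and the hash taken at that moment."""
        entry = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "analyst": analyst, "tool": tool, "purpose": purpose,
                 "evidence": str(path), "sha256": sha256_file(path), "witness": witness}
        self.record["entries"].append(entry)
        return entry["sha256"]

    def verify(self) -> list:
        """Recompute every hash; return the evidence items that no longer match."""
        return [e["evidence"] for e in self.record["entries"]
                if sha256_file(e["evidence"]) != e["sha256"]]

    def dump(self) -> str:
        """Serialised record suitable for attaching to the signed custody form."""
        return json.dumps(self.record, indent=2)

def demo() -> tuple:
    """Collect a constructed export, verify it, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as d:
        export = Path(d) / "ueba_export.csv"
        export.write_text("constructed sample UEBA export\n")
        log = CustodyLog("CORP-2026-IT-047", "sarah.johnson",
                         ["Legal (R. Chen)", "HR (M. Williams)"])
        log.collect(export, "J.Harrington", "UEBA console export",
                    "Alert evidence 2026-05-10 to 14")
        intact = log.verify()                      # [] while the file is untouched
        export.write_text("edited after collection\n")
        return intact, log.verify()                # ([], [path]): modification detected
```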
From UEBA Alert to Legal Hold — Complete Investigation
Alert origin: UEBA system fires on sarah.johnson — risk score 87/100 based on 23x volume spike, out-of-scope file access (Finance and Legal), and three consecutive nights of 23:00–02:00 activity. The UEBA system's HR integration flagged her resignation, submitted 5 days prior, as a contextual risk factor.
09:22 — Authorisation obtained: SOC Lead briefs Legal and HR. Investigation authorised under company acceptable use policy. Decision made to investigate covertly rather than immediately restrict access — covert investigation allows more complete evidence collection and reveals all channels used.
10:15 — Evidence preservation: Forensic image of Sarah's workstation taken. All relevant log exports (UEBA, DLP, email gateway, proxy, USBSTOR registry, Event 4663) gathered and SHA-256 hashed. Chain of custody form initiated. Original workstation sealed with HR witness.
Timeline reconstruction: May 10 (resignation day) at 19:34 — first after-hours login to file server HR and Finance shares. May 11 at 23:14 — email attempt blocked by DLP (client contracts ZIP to personal Gmail). May 12 at 00:02 — 2.1 GB Dropbox upload (logged but not blocked — policy gap identified). May 12–13 — USB insertion, 347 files copied including RESTRICTED-classified salary data and client contracts.
Classification of data exfiltrated: USB: 347 files including 23 RESTRICTED-classified salary files and 89 CONFIDENTIAL client contracts. Cloud: 2.1 GB — contents unknown (upload logged, not inspected). Email: blocked, contents preserved in email gateway quarantine for evidence.
14:30 — Legal assessment: RESTRICTED salary data + client contracts = potential breach of employment agreement and possibly trade secret statute. Legal counsel advises: (1) preserve all evidence, (2) issue legal hold on Sarah's accounts and devices, (3) consider civil action for misappropriation of trade secrets. HR advises: access revocation effective immediately (final day was May 24 — revocation accelerated to today).
DLP gap identified: Dropbox uploads were logged but not blocked. Policy updated to block Dropbox uploads of any volume for all users (or restrict to business-approved Dropbox accounts). The email attempt was correctly blocked — the cloud upload gap was the failure. Post-incident: all CASB (Cloud Access Security Broker) policies reviewed for similar logging-only gaps on other cloud services.