Flashpoint Year In Review: 2022 Insider Threat Landscape

This blog is part of our 2022 Year In Review, an intelligence retrospective highlighting the most significant trends of the past year—plus insight into 2023.

December 15, 2022

From January 1 to November 30, 2022, Flashpoint observed 109,146 total instances of insider recruiting, insider advertising, or general discussions involving insider-related activity. Of these, 22,985 were unique. The majority of these posts were on mid-tier English-language Telegram channels.

Warning signs in 2022 are consistent with those observed years prior. Potential insider threats may exhibit technical and nontechnical behaviors prior to negatively impacting their organization.

Insider threat landscape

To increase their chances of success, threat actors will often seek the aid of disgruntled or malicious employees within the organizations they are targeting. After all, why waste resources navigating through security measures when you can get someone on the inside to circumvent them for you?

As such, the tactic of recruiting insiders has become immensely popular amongst hackers aiming to breach systems and/or commit ransomware attacks. Here’s what we saw unfold in the insider threat landscape in 2022.

Breakdown of insider threats

This year, Flashpoint collected and researched:

  • 109,146 total posts advertising insider services
  • 22,985 total unique posts from individuals in illicit and underground communities
  • 3,964 total channels
  • 11,376 total authors

Looking at the total number of unique insider posts in 2022, the number of identified insider threat posts ranged from a low of 1,299 in February to a high of 2,585 in July—averaging 2,090 posts per month. Flashpoint assesses that the growth from 2022 Q1 to later in the year was primarily due to the overall growth of illicit and underground communities. For example, Telegram communities experienced an increase of 200 million active users from April 2022 to November 2022—and Flashpoint continues to identify new Telegram channels and groups related to insider threats, fraud methods, data leaks, and other illicit content.

However, the threat actor group LAPSUS$ might also be partly responsible for the growth of insider threats on Telegram. LAPSUS$ successfully recruited insiders in large operations who were able to provide access to corporate virtual private networks (VPNs) or help bypass multi-factor authentication.

In terms of insider threat activity, organizations conducting business within the telecommunications industry are most at risk, followed by retail and financial organizations.

Insider threat warning signs

Potential insider threats may show both technical and nontechnical behavior prior to negatively impacting their organization. Although these actions may not directly implicate an employee as a malicious insider, they could provide the basis for monitoring their activity or additional investigations to determine if they pose an elevated risk.

Nontechnical signs of insider activity

The following are nontechnical warning signs that may be associated with insiders:

  1. Financial distress: Significant changes in financial obligations—such as increasing debt, increasing prices, or lower wages—could prompt an employee to become an insider threat. Insiders can sell their services to other threat actors via forums or chat services, or they can create a financial opportunity for themselves within their organization.
  2. Leaving the company: Employees who leave an organization due to unfavorable circumstances pose an increased insider threat risk.
  3. Odd working hours: Actors may leverage atypical working hours to pursue insider threat activity because fewer security staff are on duty at those times. By keeping an atypical schedule, threat actors are able to maintain their standard work activity during working hours while pursuing illicit activity at other times.
  4. Poor performance: Poorly performing employees may be suffering from unexpected changes in their personal lives or having issues with their position in the organization. This could lead them to act out against their companies in the form of being an insider.
  5. Unexplained financial gain: Employees experiencing unexplained financial gains could be displaying signs associated with being an insider. They may be actively receiving funds for their illicit activity, supplementing their normal income.
  6. Unusual overseas travel: Unusual and undocumented overseas travel may indicate that an employee is being recruited by or servicing a foreign state or state-sponsored actor.

Technical signs of insider activity

The following are technical warning signs that may be associated with insiders:

  1. Irregular activity: Employees accessing data outside the scope of their job function may be testing the limits of their access so they can abuse their position.
  2. Irregular downloads: The most common exfiltration techniques rely on an insider to first locally download sensitive files. Downloading raw data and conducting high volumes of downloads is irregular for most positions and could indicate insider threat activity.
  3. Unauthorized devices: Employees who use unauthorized devices for work increase the risk that corporate data is lost or sold, because that data sits outside the enterprise network and its controls.

Mitigating against insider threats

The following mitigation measures can be deployed by organizations to identify insider warning signs and curb insider threat activities before they harm an organization. 

  • Assess threats: Creating threat profiles for employees allows for better ongoing monitoring and risk assessment of an enterprise’s employees, ideally helping organizations identify insider threats before they actualize. 
  • Conduct security awareness campaigns: Conducting insider threat awareness campaigns is important to help combat insider proliferation. Including insider threat awareness campaigns alongside security training can help instill a culture that detects and defends against malicious insiders.
  • Data loss prevention: Data loss prevention (DLP) tools are designed to protect sensitive data from being lost, stolen, or misused. DLP tools operate at three primary levels: endpoint, network, and storage. Network DLP monitors all network communications, such as email and file transfers, to alert on suspicious activity. Endpoint DLP tools monitor end-user devices, including laptops, and defend against malicious use of data. Storage DLP tools monitor data at rest and can be used with on-premises and cloud-based storage architectures.
  • Engage potential insider threats: Engaging employees who are displaying insider threat risk signs can enable the organization to correct the issue and prevent them from harming the organization.
  • Monitor behavior: Monitoring user behavior is essential to defending against potential insider threats because it enables IT and information security employees to create baselines of activity and detect anomalous activity across an enterprise.
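The technical warning signs listed above (access outside job scope, irregular download volumes, off-hours activity) and the "monitor behavior" mitigation both come down to the same mechanism: build a per-user baseline, then score new activity against it. The following Python is an added example written for this page, not Flashpoint tooling or anything from the original post. It assumes a constructed access-log format (timestamp, user, department, path, bytes) and a hypothetical department-to-share entitlement map; the sample records, the 07:00-20:00 working window, and the three-sigma/2x thresholds are all constructed for illustration. The volume check is deliberately per user rather than a single global threshold, so an engineer whose normal day involves large artifacts is not flagged while a finance user who suddenly pulls 100x their usual volume is.

```python
"""Baseline-and-anomaly scoring over a constructed file-access log.

Added example for this page (not Flashpoint code). All users, paths and
thresholds are hypothetical; the log format is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, user, department, path, bytes downloaded.
SAMPLE_LOG = """\
2022-11-01T09:12:00 alice finance /finance/ledger-q3.xlsx 120000
2022-11-02T10:03:00 alice finance /finance/ap-batch.csv 90000
2022-11-03T14:40:00 alice finance /finance/budget.xlsx 150000
2022-11-04T11:20:00 alice finance /finance/vendors.csv 110000
2022-11-07T09:05:00 alice finance /finance/ledger-q3.xlsx 125000
2022-11-08T22:47:00 alice finance /hr/salaries-all.xlsx 4800000
2022-11-08T23:10:00 alice finance /hr/employee-pii-export.csv 9200000
2022-11-01T08:30:00 bob engineering /eng/design-notes.md 20000
2022-11-02T09:15:00 bob engineering /eng/build.log 3000000
2022-11-03T16:00:00 bob engineering /eng/src-snapshot.zip 2500000
2022-11-04T10:10:00 bob engineering /eng/design-notes.md 21000
"""

# Hypothetical entitlement map: which share prefixes each department's role covers.
# Unknown departments get an empty tuple, so their access fails closed (always flagged).
ENTITLEMENTS = {"finance": ("/finance/",), "engineering": ("/eng/",)}


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, path, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "path": path, "bytes": int(nbytes)})
    return events


def out_of_scope(events, entitlements=ENTITLEMENTS):
    """Technical sign 1: access to paths outside the department's entitled shares."""
    return [e for e in events
            if not e["path"].startswith(entitlements.get(e["dept"], ()))]


def off_hours(events, start=7, end=20):
    """Nontechnical sign 3: activity outside the assumed working window [start, end)."""
    return [e for e in events if not (start <= e["ts"].hour < end)]


def volume_anomalies(events, min_days=3, z=3.0, ratio=2.0):
    """Technical sign 2: a day's download total far above the user's own prior days.

    A day is flagged only when the user has at least `min_days` of history, and the
    total exceeds both mean + z*stdev and ratio*mean (the ratio guard stops a user
    with a near-constant baseline from being flagged by a tiny absolute change).
    """
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["bytes"]
    by_user = defaultdict(list)
    for (user, day), total in sorted(totals.items()):
        by_user[user].append((day, total))
    findings = []
    for user, days in by_user.items():
        for i, (day, total) in enumerate(days):
            prior = [t for _, t in days[:i]]      # only earlier days form the baseline
            if len(prior) < min_days:
                continue
            mu, sigma = mean(prior), pstdev(prior)
            if total > mu + z * sigma and total > ratio * mu:
                findings.append({"user": user, "day": day, "bytes": total,
                                 "baseline_mean": mu})
    return findings


def detect(log_text):
    """Run all three checks and return the findings grouped by kind."""
    events = parse_log(log_text)
    return {"out_of_scope": out_of_scope(events),
            "off_hours": off_hours(events),
            "volume": volume_anomalies(events)}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

In the constructed data, only alice trips all three checks (two HR files outside her finance entitlement, both pulled after 22:00, with a daily total of 14 MB against a baseline around 120 KB), while bob's multi-megabyte build artifacts are never flagged because they are normal for him. In practice each finding is a reason to open a review, not proof of malice, which is the same posture the warning-signs section above takes.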

The 2023 insider threat landscape

Analysts assess that in 2023, it is likely that extortionist groups will continue to recruit insiders to assist with their cyberattacks. Human error is a significant security threat for organizations, and employees are often targeted by threat actors as potentially the weakest link in their security posture.

Social engineering attacks, such as phishing, are a common method for threat actors to acquire an insider’s credentials and sensitive information. However, extortionist groups such as LAPSUS$ and “LockBit” have recruited employees to compromise their organization’s security for monetary benefits. These groups benefit from the insider acting on their behalf by providing initial access and the ability to conduct reconnaissance on the enterprise environment. The employee benefits financially and may claim to have provided access unwittingly. 

Extortionist groups often broadcast their intention to recruit on their Telegram channels, leak sites, deep and dark web (DDW) forums, and other mediums. Such advertisements allow employees to contact them if they are willing to work as accomplices.

Flashpoint further assesses that it is very likely that Telegram will remain the most prominent medium for insiders and threat actors to identify and begin working with each other. Our analysts will continue to monitor, identify, and join insider threat channels in 2023 to provide further insights.

Monitor and protect against insider threats with Flashpoint

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Begin your free trial today.