Access to Critical Environments (Production and Pre-Production)

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

Azure Conditional Access provides organizations with a powerful tool to enforce security policies based on various factors, including user behavior, device compliance, and location. These policies can be configured through the Azure Active Directory (Azure AD) portal and are typically applied to cloud-based applications, SaaS platforms, and on-premises resources that are integrated with Azure AD.

To configure Conditional Access policies, administrators first define the conditions that trigger the policy, such as:

• User or group membership: Applying policies to specific users or groups within the organization.
• Sign-in risk: Assessing user sign-in risk levels, such as unfamiliar locations or suspicious behaviors, and enforcing additional controls like MFA.
• Device compliance: Ensuring only compliant devices (those managed through Intune or similar tools) can access organizational resources.
• Location: Restricting access based on trusted or untrusted IP addresses and geographic locations, blocking risky or suspicious login attempts.

Once conditions are set, administrators can then specify the actions to take, such as requiring MFA, blocking access, or allowing access only from compliant devices. For example, an organization could require MFA when accessing Microsoft 365 or other cloud applications from an unmanaged device or high-risk location.

Conditional Access policies are configured through the Azure AD portal and can be applied to a variety of platforms and services, including (but not limited to):

• Microsoft 365 (e.g., Exchange, SharePoint, Teams)
• Azure services (e.g., Azure Storage, Azure Virtual Machines)
• Third-party SaaS applications integrated with Azure AD

A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.

Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.

This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.

Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.

An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.

Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.

Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.

Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

Multi-Factor Authentication (MFA) is a critical component of a comprehensive security strategy, providing an additional layer of defense by requiring more than just a password for system access. This multi-layered approach significantly reduces the risk of unauthorized access, especially in cases where an attacker has obtained or guessed a user’s credentials. MFA is particularly valuable in environments where attackers may have gained access to user credentials via phishing, data breaches, or social engineering.

For organizations, enabling MFA across all critical systems is essential. This includes systems such as Active Directory, VPNs, cloud platforms (e.g., AWS, Azure, Google Cloud), internal applications, and any resources that store sensitive data. MFA ensures that access control is not solely dependent on passwords, which are vulnerable to compromise. Systems that are protected by MFA require users to authenticate via at least two separate factors: something they know (e.g., a password), and something they have (e.g., a hardware token or a mobile device running an authenticator app).

The strength of MFA depends heavily on the factors chosen. Hardware-based authentication devices, such as FIDO2 or U2F security keys (e.g., YubiKey), offer a higher level of security because they are immune to phishing attacks. These keys use public-key cryptography, meaning that authentication tokens are never transmitted over the network, reducing the risk of interception. In contrast, software-based MFA solutions, like Google Authenticator or Microsoft Authenticator, generate one-time passcodes (OTPs) that are time-based and typically expire after a short window (e.g., 30 seconds). While software-based tokens offer a strong level of security, they can be vulnerable to device theft or compromise if not properly secured.

To maximize the effectiveness of MFA, organizations should integrate it with their Identity and Access Management (IAM) system. This ensures that MFA is uniformly enforced across all access points, including local and remote access, as well as access for third-party vendors or contractors. Through integration, organizations can enforce policies such as requiring MFA for privileged accounts (e.g., administrators), as these accounts represent high-value targets for attackers seeking to escalate privileges within the network.

It is equally important to implement adaptive authentication or risk-based MFA, where the system dynamically adjusts its security requirements based on factors such as user behavior, device trustworthiness, or geographic location. For example, if a subject logs in from an unusual location or device, the system can automatically prompt for an additional factor, further reducing the likelihood of unauthorized access.

Regular monitoring and auditing of MFA usage are also critical. Organizations should actively monitor for suspicious activity, such as failed authentication attempts or anomalous login patterns. Logs generated by the Authentication Service Providers (ASPs), such as those from Azure AD or Active Directory, should be reviewed regularly to identify signs of attempted MFA bypass, such as frequent failures or the use of backup codes. In addition, setting up alerts for any irregular MFA activity can provide immediate visibility into potential incidents.

Finally, when a subject no longer requires access, it is critical that MFA access is promptly revoked. This includes deactivating hardware security keys, unlinking software tokens, and ensuring that any backup codes or recovery methods are invalidated. Integration with the organization’s Lifecycle Management system is essential to automate the deactivation of MFA credentials during role changes or when an employee departs.

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

Key Prevention Measures:

Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.

• Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
• Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
• Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
• Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

Benefits:

PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review.