Installing Crypto Mining Software

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

Offering mental health support and conflict resolution programs to
help employees identify and report manipulative behavior in the
workplace

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Monitor AWS CloudTrail logs to detect unauthorized creation, modification, or deletion of compute, storage, network, or management resources. Unauthorized resource activity may indicate insider preparation for data exfiltration, illicit compute use, or unauthorized persistent access.

Where to Configure/Access

• AWS CloudTrail Console: https://console.aws.amazon.com/cloudtrail/
• AWS CloudWatch Logs Console (for log streaming and alerting): https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups

Detection Methods

Monitor CloudTrail API event types such as:

• RunInstances (EC2 instance creation)
• CreateVolume (EBS volumes)
• CreateBucket (S3 buckets)
• CreateFunction / UpdateFunctionCode (Lambda functions)
• CreateCluster (ECS/EKS clusters)

Configure event selectors to capture management events across all regions.

Set metric filters and alarms for suspicious activity through CloudWatch.

Indicators

• Unapproved resources provisioned without matching Infrastructure as Code deployments.
• Resources created manually via console or CLI outside approved automation frameworks.
• Resources missing mandatory organizational tags (e.g., project ID, owner).

Monitor Azure Activity Logs and Azure Resource Graph for detection of unauthorized creation, modification, or deletion of resources in Azure subscriptions. Unapproved deployments may signal insider staging, misuse of compute, or persistence attempts.

Where to Configure/Access

• Azure Activity Logs (via Azure Portal): https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activitylog
• Azure Resource Graph Explorer: https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ResourceGraph/queries

Detection Methods

Monitor for critical resource operation event types:

• Microsoft.Compute/virtualMachines/write (VM creation)
• Microsoft.Storage/storageAccounts/write (Storage)
• Microsoft.KeyVault/vaults/write (Key Vaults)
• Microsoft.Authorization/roleAssignments/write (Role Assignments)

Deploy Azure Monitor or Sentinel queries for operational drift and unauthorized resource creation.

Indicators

VMs or services deployed outside managed resource groups.

Use of non-standard SKU types (e.g., GPU-enabled VMs).

Resources missing mandatory tags such as cost center or compliance level.

Establish and monitor baseline system performance metrics for all critical endpoints, servers, and cloud workloads to detect deviations that may indicate unauthorized activities, such as crypto mining, data staging, or malware execution. Deviations from expected resource usage profiles can serve as an early indicator of operational misuse, compromise, or unauthorized software deployment.

Detection Methods

• Collect and baseline key performance metrics (e.g., CPU utilization, GPU load, memory consumption, disk I/O, and network throughput) for each system class based on normal operational workloads.
• Continuously monitor and analyze live system telemetry against established baselines using security information and event management (SIEM), endpoint detection and response (EDR), or cloud-native monitoring tools.
• Set threshold alerts for resource utilization that significantly exceeds normal variance ranges over sustained periods without corresponding change tickets, scheduled tasks, or workload justifications.
• Correlate performance anomalies with process monitoring to identify unauthorized or unexpected processes consuming system resources.
• Integrate anomalous performance detections into insider threat investigation workflows, focusing on unexplained deviations, especially on systems not expected to experience significant workload fluctuations (e.g., office endpoints, file servers, idle cloud instances).

Indicators

• Sustained CPU or GPU utilization significantly above baseline norms, particularly during non-peak operational hours.
• Persistent high memory usage, disk I/O, or network traffic inconsistent with documented business activities.
• Systems exhibiting performance profiles typical of known unauthorized activities (e.g., high sustained CPU with low disk I/O suggestive of mining workloads).
• Lack of approved change requests or business justification corresponding with the onset of anomalous resource usage.
• Anomalies clustered around users, departments, or system groups known for prior boundary-testing or policy violations.

Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, 

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.

Monitor Google Cloud Audit Logs to detect unauthorized creation or modification of compute, storage, and IAM resources. Subjects creating GCP resources without authorization may be staging infrastructure for exfiltration or persistent insider access.

Where to Configure/Access

• Google Cloud Logging (Audit Logs): https://console.cloud.google.com/logs
• Admin Activity Logs Documentation: https://cloud.google.com/logging/docs/audit

Detection Methods

Monitor Admin Activity logs for key methods:

• compute.instances.insert (VMs)
• storage.buckets.create (Buckets)
• compute.disks.insert (Persistent disks)
• iam.serviceAccounts.create (Service Accounts)

Use Log-Based Metrics and Cloud Monitoring alerting for policy violations.

Monitor project and folder-level activity for resource creation.

Indicators

• VMs or services created in unauthorized folders or projects.
• New service accounts with high privileges.
• Missing mandatory labels (environment, owner, compliance status).

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.

Monitor Oracle Cloud Infrastructure (OCI) Audit Logs to detect unauthorized system or service creation. Unauthorized provisioning in OCI can indicate insider threat activity aimed at illicit compute use, data staging, or security control bypass.

Where to Configure/Access

• OCI Audit Console: https://cloud.oracle.com/audit
• OCI Audit Documentation: https://docs.oracle.com/en-us/iaas/Content/Audit/Concepts/auditoverview.htm

Detection Methods

Analyze Audit Events such as:

• LaunchInstance (Compute instance creation)
• CreateBucket (Object Storage creation)
• CreateVolume (Block Volume creation)
• CreateVcn (Virtual Network creation)

Configure Object Storage log exports and integrate with SIEM tools (e.g., Splunk, QRadar) for real-time detection.

Indicators

• Compute or storage resources created in unauthorized compartments.
• VCNs created without associated security lists or network ACLs.
• Instances launched using high-compute shapes without approved business justification.

Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.