
Insider Threat Matrix™

Preventions

ID Name Description
PV001 No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

PV002 Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete the duties of their role.

PV003 Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV004 Enforce a Social Media Policy

A social media policy is a set of rules that governs how employees should use social media platforms in connection with their work. It outlines acceptable and unacceptable behaviors, helps employees understand the consequences of misuse, and serves as a deterrent by promoting accountability, raising awareness of risks, and ensuring consistent enforcement.

PV005 Install an Anti-Virus Solution

An anti-virus solution detects and alerts on malicious files, and can take autonomous actions such as quarantining or deleting the flagged file.

PV006 Install a Web Proxy Solution

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

PV007 Restrict Access to Registry Editor

Windows Group Policy can be used to prevent specific accounts from accessing Registry Editor. This prevents them from using the utility to read the registry or, where their permissions would otherwise allow it, to make modifications.

PV008 Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files.

PV009 Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

PV011 Physical Access Controls

Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge.

PV012 End-User Security Awareness Training

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

PV013 Pre-Employment Background Checks

Background checks should be conducted to verify that the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.

PV014 Disable Printing, Windows

Group Policy can be used to disable printing for specific user accounts.

PV015 Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV016 Enforce a Data Classification Policy

A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file.

PV017 Prohibit Email Auto-Forwarding to External Domains, Exchange

Various methods can be used within Exchange to prevent internal emails from being auto-forwarded to external domains. This can prevent exfiltration via email auto-forwarding rules.

PV018 Network Intrusion Prevention Systems

Network Intrusion Prevention Systems (NIPS) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

PV020 Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

PV021 DNS Filtering

Domain Name System (DNS) filtering allows the blocking of domain resolution for specific domains or automatically categorized classes of domains (depending on the functionality of the software or appliance being used). DNS filtering prevents users from accessing blocked domains, regardless of the IP address the domains resolve to.

Examples of automatically categorized classes of domains are ‘gambling’ or ‘social networking’ domains. Automatic categorizations of domains are typically conducted by the software or appliance being used, whereas specific domains can be blocked manually. Most DNS filtering software or appliances will provide the ability to use Regular Expressions (RegEx) to (for example) also filter all subdomains on a specified domain.

DNS filtering can be applied on an individual host, such as with the hosts file, or for multiple hosts via a DNS server or firewall.

PV022 Internal Whistleblowing

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

PV023 Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly permissive accounts, or accounts that are no longer required to be active.

PV024 Employee Off-boarding Process

When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

PV025 Full Disk Encryption

Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third-party applications and user data. This helps to ensure that data on the disk remains inaccessible if the device is lost or stolen, as the data cannot be accessed without the correct decryption key.

Typically a user decrypts an FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted and, subsequently, the Operating System loaded and the data accessed.

PV026 Restrict Mobile Clipboard via Intune App Protection Policies

On mobile devices managed by Microsoft Intune, and where Protected Apps are being used, it is possible to apply app protection policies to protect corporate data on mobile devices. This functionality can prevent users from copying and pasting corporate data into personal apps.

PV027 Financial Approval Process

The financial approval process is a structured procedure used by organizations to review and authorize financial transactions. It includes segregation of duties, authorization levels, and documentation and audit trails to prevent financial abuse and ensure adherence to policies and budgets.

PV028 Corporate Card Spending Limits

Applying spending limits to corporate cards can control the amount of funds a subject could spend legitimately or illegitimately.

PV029 Enterprise-Managed Web Browsers

An enterprise-managed browser is a web browser controlled by an organization to enforce security policies, manage employee access, and ensure compliance. It allows IT administrators to monitor and restrict browsing activities, apply security updates, and integrate with other enterprise tools for a secure browsing environment.

PV031 Bootloader Password

First-stage bootloaders such as BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface), and second-stage bootloaders such as GNU GRUB (GNU GRand Unified Bootloader) and iBoot, generally provide the ability to configure a bootloader password as a security measure. This password restricts access to the computer’s firmware settings and, in some cases, the boot process.

When a bootloader password is set, it is stored in non-volatile memory within the firmware. Upon powering on the system (and the bootloader settings being selected), the bootloader prompts the user to enter the password before allowing access to the firmware settings, thereby preventing unauthorized users from altering system settings or booting from unauthorized devices.

PV032 Next-Generation Firewalls

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and tracking the state of network connections. They can also control network traffic based on Application Layer rules, among other advanced features.

An example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

PV033 Native Anti-Tampering Protections

Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files.

PV034 Protocol Allow Listing

Only allow necessary protocols to communicate over the network. Implement strict access controls to prevent unauthorized protocols from being used. Typically these controls would be implemented on next-generation firewalls with Deep Packet Inspection (DPI) and other network security appliances.

PV035 Restrict Disc Media Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a CD/DVD drive.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set them all to Enabled:

  • CD and DVD: Deny execute access
  • CD and DVD: Deny read access
  • CD and DVD: Deny write access

PV036 Restrict Floppy Drive Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a floppy disk.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set them all to Enabled:

  • Floppy Drives: Deny execute access
  • Floppy Drives: Deny read access
  • Floppy Drives: Deny write access

PV037 Restrict Removable Disk Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removable disk, such as an SD card or a USB mass storage device.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set them all to Enabled:

  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access

PV038 Insider Threat Awareness Training

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

PV039 Employee Mental Health & Support Program

Offering mental health support and conflict resolution programs to help employees identify and report manipulative behavior in the workplace.

PV040 Network Access Control (NAC)

Network Access Control (NAC) manages and regulates devices accessing an organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.

NAC performs the following functions:

  • Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
  • Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
  • Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
  • Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
  • Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

PV041 Mobile Device Management (MDM)

MDM solutions require employees to register their personal devices with the organization's MDM system before gaining access to corporate networks and applications. This process ensures that only approved and known devices are permitted to connect.

Once a device is enrolled, the MDM system can enforce security policies that include:

  • Access Control: Restricting or granting access based on the device's compliance with corporate security standards.
  • Configuration Management: Ensuring that devices are configured securely, with up-to-date operating systems and applications.
  • Remote Wipe and Lock: Allowing the organization to remotely wipe or lock a device if it is lost, stolen, or if suspicious activity is detected.
  • Data Encryption: Enforcing encryption for data stored on and transmitted by the device to protect sensitive information.
  • Application Control: Managing and restricting the installation of unauthorized applications that could pose security risks.

PV042 Employee Vulnerability Support Program

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

PV043 Restrict Windows System Time Modification

Using Group Policy on Windows it is possible to block the ability for users to modify the system date/time.

In the Group Policy Editor, navigate to:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Change the system time

Remove any users or groups that do not need this permission.

PV044 Windows Time Service Synchronization

The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). While this does not prevent local system tampering, it ensures that any changes are temporary and will only last until the next synchronization.

Alternatively, hosts can be configured to use an internal or external Network Time Protocol (NTP) server that synchronizes the system time.

PV045 Exchange Restrict Outbound Emails via Recipient Domain

Mail flow rules can be used within Microsoft Exchange to reject outbound emails to specific domains, such as domains associated with personal email, including gmail.com, outlook.com, and yahoo.com.

  1. Log in to Exchange Admin Centre (https://admin.exchange.microsoft.com)
  2. Click “Mail flow” on the navigation menu, then the “Rules” tab
  3. Click “+ Add a rule” then “Create a new rule”
  4. Give it an appropriate name, such as “Block outbound to gmail.com”
  5. Set “Apply this rule if” to “The recipient” and “Domain is”, then add the domain “gmail.com”
  6. Set “Do the following” to “Block the message” and either “Reject the message and include an explanation” (if you want to notify the sending mailbox), or “Delete the message without notifying anyone” (if you do not want to notify the sending mailbox)

It is important to note that this could cause operational disruption if emailing from within the organization to the listed blocked domains is expected. It is possible to configure the “Except if” condition of the rule to whitelist outbound emails based on properties such as the sending mailbox, subject line, or other conditions.

PV046 Regulation Awareness Training

Regulation Awareness Training equips staff with the knowledge and understanding required to comply with legal, regulatory, and policy obligations relevant to their roles. This includes, but is not limited to, export controls, international sanctions, anti-bribery laws, conflict-of-interest rules, antitrust regulations, and data protection requirements.

The training should be customized according to the specific risks of different roles within the organization, ensuring that employees in high-risk areas—such as legal, procurement, sales, finance, engineering, and senior management—receive in-depth education on how to recognize and avoid behaviors that could lead to regulatory violations. Scenarios that could result in inadvertent or intentional breaches should be addressed, alongside practical advice on how to report concerns and escalate issues.

To accommodate varying learning styles and operational needs, Regulation Awareness Training can be delivered through multiple formats:

  • eLearning Modules: For general staff, to provide flexible, scalable training on compliance topics, which can be completed at the employee's convenience.
  • Instructor-led Sessions: For higher-risk roles or senior management, where more interactive, in-depth training may be necessary to address complex regulatory requirements and nuanced decision-making.
  • Scenario-based Workshops: To reinforce learning with real-world examples and role-playing exercises that help employees internalize regulatory concepts.

By fostering a culture of compliance and accountability, Regulation Awareness Training helps minimize the risk of breaches, whether intentional or accidental, and strengthens the organization’s ability to identify, prevent, and respond to regulatory infringements.

PV047 Implement MIP Sensitivity Labels

Microsoft Information Protection (MIP) sensitivity labels are powerful tools for preventing unauthorized access, data leakage, data loss and other types of insider events through classification and protection of sensitive content. When applied to documents, emails, and other content, MIP labels embed metadata that enforces encryption, access control policies, and usage restrictions — all of which persist even if the content is shared or moved outside the organization’s environment. This proactive protection mechanism helps to ensure that data loss, misuse, or regulatory breaches are minimized, regardless of where or how the data is accessed.

Persistent Protection through Azure Rights Management (Azure RMS)
One of the key features of MIP labels is their ability to enforce encryption and access control via Azure Rights Management (Azure RMS). When a document or email is assigned a sensitivity label such as Highly Confidential, it triggers policies that encrypt the file, limiting who can open it and what actions can be performed. For example, a Highly Confidential document might be encrypted so that only authorized users in specific security groups can access it. Additionally, these policies may prevent recipients from forwarding, printing, copying, or even accessing the document offline, ensuring that sensitive data cannot be shared beyond authorized channels.

Automatic and Recommended Labeling
MIP labels also support automatic and recommended labeling. Labels can be automatically applied based on content that is identified as sensitive (such as credit card numbers, Social Security numbers, or intellectual property). This reduces reliance on users to manually select the correct label, ensuring that content is always classified according to its sensitivity level. For example, a file containing financial data or personally identifiable information (PII) may automatically receive a Confidential label, which immediately triggers encryption and access controls. By applying labels automatically, organizations can minimize the risk of human error in classifying sensitive content and ensure that protective measures are consistently applied.

Enforcing Access Governance and User Restrictions
MIP labels are directly integrated with Azure Active Directory (Azure AD) and Microsoft 365 security groups, allowing organizations to enforce access governance. Each label can define the users or groups who are permitted to access certain types of content. For example, a document labeled Confidential may be restricted to a specific department or team, preventing unauthorized users from viewing or editing it. Access to content labeled with higher sensitivity, such as Highly Confidential, can be further restricted to executives or security professionals, ensuring that only authorized individuals can access critical business data. These policies persist even when the content is shared outside the organization or accessed on non-corporate devices.

Blocking Unauthorized Sharing and Transfers
Through integration with Microsoft Defender for Office 365 and Data Loss Prevention (DLP) policies, MIP labels can enforce automatic blocking of unauthorized sharing or transfer of sensitive content. For example, when a document is labeled as Internal Use Only, any attempt to share it externally via email, cloud storage, or external USB devices can be blocked automatically by DLP policies. Labels can also be configured to restrict sharing links to specific people or groups and can enforce expiration on shared links. This ensures that sensitive data remains within the organization and cannot be accessed by unauthorized individuals or systems.

Policy Enforcement in Microsoft Teams and SharePoint
MIP labels are integrated across key collaboration tools like Microsoft Teams and SharePoint, providing seamless protection in the cloud. In these environments, sensitivity labels govern sharing permissions, access rights, and file handling. For instance, if a file is labeled as Confidential, it might be restricted from being shared externally via Teams or SharePoint. These platforms can also prevent file download and sharing for users in unmanaged or non-compliant environments, ensuring that sensitive data cannot be accessed outside the organization's controlled infrastructure. MIP labels also enable policies that enforce restrictions on guest access, preventing external parties from viewing or editing sensitive content unless explicitly permitted.

Blocking Label Downgrades and Enforcing Label Change Justification
To prevent unauthorized downgrading of content labels, MIP provides mechanisms to block label downgrades without proper justification. For example, a user may not be allowed to change a document’s label from Confidential to Public without providing an explicit justification. Such actions are logged and may trigger alerts for review by security teams. This ensures that users cannot bypass sensitive information protection policies by reclassifying content to a lower sensitivity level. Moreover, any label changes are auditable, helping organizations track and monitor potential attempts to circumvent security protocols.

Preventing Exfiltration in Cloud and Endpoint Contexts
MIP labels integrate with Microsoft Defender for Endpoint and Defender for Cloud Apps, providing protection against exfiltration of sensitive data through cloud and endpoint channels. By applying labels to sensitive documents, organizations can enforce controls that restrict their movement across corporate boundaries. For example, when a file labeled Confidential is accessed from an unmanaged device or through a risky application, it may be blocked from being downloaded or printed, preventing potential exfiltration. Additionally, organizations can configure conditional access policies to prevent data access based on the device’s compliance or security status, ensuring that sensitive information is protected even when users access it from external sources.

PV048 Privileged Access Management (PAM)

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

Key Prevention Measures:

  • Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.
  • Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
  • Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
  • Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
  • Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

Benefits:

PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.

PV049 Managerial Approval

The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate.

PV050 Social Media Screening

A subject’s publicly accessible online presence may be examined prior to, or during, their association with the organization through the application of Open Source Intelligence (OSINT) techniques. This form of screening involves the systematic analysis of publicly available digital content—such as social media profiles, posts, comments, blogs, forums, and shared media—to assess potential risks associated with an individual.

Social media screening is typically conducted to identify indicators of reputational risk, conflicting motives, or behavioral patterns that may suggest the potential for insider threat activity. Content of concern may include public expressions of hostility toward the organization, affiliation with extremist or high-risk groups, or engagement with topics unrelated to the subject's role that could indicate potential misuse of access.

Trusted service providers specializing in OSINT and digital risk intelligence may be engaged to perform this screening on behalf of the organization. These providers use automated tools and analyst-driven review processes to ensure consistent, legally compliant, and policy-aligned assessments of online behavior.

When implemented as part of pre-employment screening or ongoing risk monitoring, social media screening can serve as a proactive measure to detect insider threat indicators early. To be effective and ethical, such programs must follow applicable privacy laws, data protection regulations, and internal governance standards. When responsibly executed, social media screening enhances the organization's ability to identify individuals who may present an elevated risk to information security, personnel safety, or corporate reputation.

PV051 Employment Reference Checks

An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.

Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.

Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.

Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.

PV052Criminal Background Checks

A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.

 

Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.

 

This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.


Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.

PV053Government-Issued ID Verification

An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.


Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.


In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.


Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses.

PV054Human Resources Collaboration for Early Threat Detection

Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.


Mental Health and Personal Struggles

  • Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
  • Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
  • Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.


Negative Statements or Discontent with the Company

  • Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
  • Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
  • Response: Immediate referral to investigators for further investigation, including tracking if such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).


Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)

  • Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior—particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
  • Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
  • Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.


Hearsay and Indirect Reports

  • Trigger Event: Anonymous or informal reports—such as rumors or gossip circulating in the workplace—that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
  • Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
  • Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.


Implementation Considerations

  • Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
  • Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
  • Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.

PV055Enforce Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a critical component of a comprehensive security strategy, providing an additional layer of defense by requiring more than just a password for system access. This multi-layered approach significantly reduces the risk of unauthorized access, especially in cases where an attacker has obtained or guessed a user’s credentials. MFA is particularly valuable in environments where attackers may have gained access to user credentials via phishing, data breaches, or social engineering.


For organizations, enabling MFA across all critical systems is essential. This includes systems such as Active Directory, VPNs, cloud platforms (e.g., AWS, Azure, Google Cloud), internal applications, and any resources that store sensitive data. MFA ensures that access control is not solely dependent on passwords, which are vulnerable to compromise. Systems that are protected by MFA require users to authenticate via at least two separate factors: something they know (e.g., a password), and something they have (e.g., a hardware token or a mobile device running an authenticator app).


The strength of MFA depends heavily on the factors chosen. Hardware-based authentication devices, such as FIDO2 or U2F security keys (e.g., YubiKey), offer a higher level of security because they are immune to phishing attacks. These keys use public-key cryptography, meaning that authentication tokens are never transmitted over the network, reducing the risk of interception. In contrast, software-based MFA solutions, like Google Authenticator or Microsoft Authenticator, generate one-time passcodes (OTPs) that are time-based and typically expire after a short window (e.g., 30 seconds). While software-based tokens offer a strong level of security, they can be vulnerable to device theft or compromise if not properly secured.


To maximize the effectiveness of MFA, organizations should integrate it with their Identity and Access Management (IAM) system. This ensures that MFA is uniformly enforced across all access points, including local and remote access, as well as access for third-party vendors or contractors. Through integration, organizations can enforce policies such as requiring MFA for privileged accounts (e.g., administrators), as these accounts represent high-value targets for attackers seeking to escalate privileges within the network.


It is equally important to implement adaptive authentication or risk-based MFA, where the system dynamically adjusts its security requirements based on factors such as user behavior, device trustworthiness, or geographic location. For example, if a subject logs in from an unusual location or device, the system can automatically prompt for an additional factor, further reducing the likelihood of unauthorized access.


Regular monitoring and auditing of MFA usage are also critical. Organizations should actively monitor for suspicious activity, such as failed authentication attempts or anomalous login patterns. Logs generated by the Authentication Service Providers (ASPs), such as those from Azure AD or Active Directory, should be reviewed regularly to identify signs of attempted MFA bypass, such as frequent failures or the use of backup codes. In addition, setting up alerts for any irregular MFA activity can provide immediate visibility into potential incidents.
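The review described above, as an added example that is not part of the Insider Threat Matrix or any identity provider's tooling: a pass over constructed MFA sign-in records that flags bursts of failed attempts (and a success that follows one) and any use of a backup code. The record layout (ts, user, result, method) and the thresholds are assumptions; map them onto your own provider's export.

```python
"""Review constructed MFA sign-in events for the bypass indicators named above.

Added illustration, not part of the Insider Threat Matrix or any vendor SDK.
Field names, thresholds and sample data are assumptions for the example.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # assumed: failures per user inside WINDOW
WINDOW = timedelta(minutes=10)   # assumed sliding window

# Constructed sample export; timestamps are ISO 8601 in UTC, deliberately unordered.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00+00:00", "user": "alice", "result": "failure", "method": "push"},
    {"ts": "2024-05-01T08:00:40+00:00", "user": "alice", "result": "failure", "method": "push"},
    {"ts": "2024-05-01T08:01:10+00:00", "user": "alice", "result": "failure", "method": "push"},
    {"ts": "2024-05-01T08:02:05+00:00", "user": "alice", "result": "failure", "method": "push"},
    {"ts": "2024-05-01T08:02:50+00:00", "user": "alice", "result": "failure", "method": "push"},
    {"ts": "2024-05-01T08:03:30+00:00", "user": "alice", "result": "success", "method": "push"},
    {"ts": "2024-05-01T09:15:00+00:00", "user": "bob",   "result": "success", "method": "backup_code"},
    {"ts": "2024-05-01T10:00:00+00:00", "user": "carol", "result": "failure", "method": "totp"},
    {"ts": "2024-05-01T10:00:30+00:00", "user": "carol", "result": "success", "method": "totp"},
    {"ts": "2024-05-01T07:59:00+00:00", "user": "dave",  "result": "failure", "method": "push"},
]


def review_mfa_events(events: list[dict]) -> list[tuple[str, str, datetime]]:
    """Return alerts as (user, rule, timestamp) tuples in time order.

    Rules:
      backup-code-used             a successful sign-in used a backup code
      mfa-failure-burst            FAILURE_THRESHOLD failures by one user inside WINDOW
      success-after-failure-burst  the same user then succeeded (possible MFA fatigue)
    """
    alerts: list[tuple[str, str, datetime]] = []
    failures: dict[str, deque] = defaultdict(deque)  # user -> recent failure times
    burst_open: set[str] = set()                     # users inside a flagged burst
    for rec in sorted(events, key=lambda r: datetime.fromisoformat(r["ts"])):
        ts = datetime.fromisoformat(rec["ts"])
        user = rec["user"]
        if rec["result"] == "success" and rec["method"] == "backup_code":
            alerts.append((user, "backup-code-used", ts))
        if rec["result"] == "failure":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > WINDOW:          # slide the window forward
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in burst_open:
                burst_open.add(user)
                alerts.append((user, "mfa-failure-burst", ts))
        elif rec["result"] == "success":
            if user in burst_open:
                burst_open.discard(user)
                alerts.append((user, "success-after-failure-burst", ts))
            failures[user].clear()                   # a success resets the count
    return alerts


if __name__ == "__main__":
    for user, rule, ts in review_mfa_events(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {user}: {rule}")
```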


Finally, when a subject no longer requires access, it is critical that MFA access is promptly revoked. This includes deactivating hardware security keys, unlinking software tokens, and ensuring that any backup codes or recovery methods are invalidated. Integration with the organization’s Lifecycle Management system is essential to automate the deactivation of MFA credentials during role changes or when an employee departs.

PV056Azure Conditional Access Policies

Azure Conditional Access provides organizations with a powerful tool to enforce security policies based on various factors, including user behavior, device compliance, and location. These policies can be configured through the Azure Active Directory (Azure AD) portal and are typically applied to cloud-based applications, SaaS platforms, and on-premises resources that are integrated with Azure AD.


To configure Conditional Access policies, administrators first define the conditions that trigger the policy, such as:

  • User or group membership: Applying policies to specific users or groups within the organization.
  • Sign-in risk: Assessing user sign-in risk levels, such as unfamiliar locations or suspicious behaviors, and enforcing additional controls like MFA.
  • Device compliance: Ensuring only compliant devices (those managed through Intune or similar tools) can access organizational resources.
  • Location: Restricting access based on trusted or untrusted IP addresses and geographic locations, blocking risky or suspicious login attempts.


Once conditions are set, administrators can then specify the actions to take, such as requiring MFA, blocking access, or allowing access only from compliant devices. For example, an organization could require MFA when accessing Microsoft 365 or other cloud applications from an unmanaged device or high-risk location.


Conditional Access policies are configured through the Azure AD portal and can be applied to a variety of platforms and services, including (but not limited to):

  • Microsoft 365 (e.g., Exchange, SharePoint, Teams)
  • Azure services (e.g., Azure Storage, Azure Virtual Machines)
  • Third-party SaaS applications integrated with Azure AD

PV057Structured Request Channels for Operational Needs

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.


Implementation Approaches

  • Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
  • Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
  • Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
  • Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
  • Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.


Operational Principles

  • Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
  • Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
  • Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
  • Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.


PV058Consistent Enforcement of Minor Violations

Establish and maintain processes where all policy violations, including those perceived as minor or low-impact, are addressed consistently, proportionately, and promptly. By reinforcing that even small infractions matter, organizations deter boundary testing behaviors and reduce the risk of escalation into more serious incidents.


Implementation Approaches

  • Develop clear disciplinary guidelines that outline expected consequences for different categories of violations, ensuring minor infractions are not overlooked.
  • Empower first-line supervisors and managers with authority and tools to address minor violations at the earliest opportunity through corrective conversations, formal warnings, or minor sanctions as appropriate.
  • Track policy violations centrally, including minor incidents, to identify repeat offenders or emerging behavioral patterns across time.
  • Communicate the rationale for enforcement to the workforce, framing minor violation enforcement as a measure to protect operational integrity rather than bureaucratic punishment.
  • Conduct periodic reviews of enforcement actions to ensure consistency across departments, teams, and levels of seniority, minimizing perceptions of favoritism or uneven discipline.


Operational Principles

  • Proportionality: Responses to minor violations should be appropriate to the severity but still reinforce the boundary.
  • Visibility: Enforcement actions should be visible enough to deter others, without unnecessarily shaming or alienating individuals.
  • Predictability: Personnel should understand that violations will predictably result in consequences, eliminating ambiguity or assumptions of tolerance.
  • Escalation Readiness: Organizations should be prepared to escalate interventions for individuals who demonstrate patterns of repeated minor violations.

PV059Insider-Focused Threat Intelligence

Threat intelligence feeds that include indicators of insider tactics—rather than just malware or phishing IoCs—can inform policy decisions, access design, and targeted monitoring. These feeds allow organizations to anticipate adversarial interest in recruiting, coercing, or planting insiders, and to mitigate the tools and behaviors those insiders are likely to use.


Prevention Measures:

Subscribe to threat intelligence services that provide curated insider threat profiles, including:

  • Recruitment patterns used by foreign intelligence services.
  • Behavioral precursors to sabotage, data theft, or access misuse.
  • Indicators from anonymized insider case disclosures (e.g., DFIR reports, industry reporting, national CERTs).


Use these feeds to inform:

  • DLP tuning based on exfiltration paths observed in real incidents.
  • Risk-based access policies that factor in job function, department, or geographic anomaly exposure.
  • Targeted internal education on known techniques (e.g., false flag account creation, side-channel messaging, Git repo exfiltration).


Examples of Insider-Focused TI Sources:

PV060Disable Proxy Configuration on Windows Systems

Disable proxy configuration changes on Windows via Group Policy. This prevents users from manually altering proxy settings in Internet Explorer/Edge and applies to system-wide proxy use (affecting Chrome and other apps that rely on WinINET settings).


Group Policy sets the following registry key:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001

This disables UI access to change proxy settings in the Internet Options panel and applies across applications using WinINET.


Policy Enforcement Notes:

  • This policy applies per-user. Use loopback processing or enforce via user GPO linked to OUs if applying domain-wide.
  • Chrome and Edge Chromium both honor system proxy settings unless explicitly overridden by command-line flags or extension policies.
  • If managing via Intune or MDM, use the Policy CSP - Proxy or custom ADMX ingestion for equivalent enforcement.


Supported Versions:

  • Windows 10 (all editions that support Group Policy, typically Pro, Enterprise, and Education)
  • Windows 11 (same Group Policy-capable editions)
  • Windows 8.1 / 8
  • Windows 7
  • Windows Server 2008 R2 through 2022 (when user policies apply)


Notes on Support:

  • This setting applies only to versions that still use WinINET-based Internet Settings (i.e., Internet Explorer settings that are system-wide).
  • It does not prevent proxy changes via third-party tools that bypass WinINET unless additional controls are enforced (e.g., application whitelisting, restricted registry access).
  • Edge (Chromium) and Chrome will respect these proxy settings if they’re not configured independently (e.g., via extension or policy override).
  • On Windows Home editions, this registry key may not take effect unless equivalent settings are configured via other methods, as Group Policy-based enforcement is not fully supported.

PV061Disable Snipping Tool, Group Policy

Group Policy can be used to prevent the Snipping Tool from running on a Windows system.


User Configuration > Administrative Templates > Windows Components > Tablet PC > Accessories then enable “Do not allow Snipping Tool to run”.

PV062Static Code Analysis via CI/CD Pipelines

Static code analysis integrated into CI/CD pipelines provides a critical prevention mechanism against anti-forensic behaviors embedded in code, scripts, and infrastructure definitions. By enforcing automated review of logic patterns prior to deployment, organizations can detect concealed execution paths, scheduling abuse, and evasive constructs before they reach production.


This control is especially vital in mitigating deferred execution techniques, where the subject inserts code that activates long after submission—typically to evade scrutiny or delay attribution. Static analysis enables defenders to identify high-risk patterns at rest, before runtime, reducing reliance on reactive detection and shortening investigative timelines.


Detection of Time-Based Execution Logic:
Flag conditional statements that compare system time or date against hardcoded thresholds or calculated values.
Examples:

  • if (datetime.now() > target_date)
  • if time.time() > 1723468800 (UNIX timestamp obfuscation)


Abnormal Delay Functions and Sleep Calls:
Block or escalate the use of delay functions exceeding operational thresholds. Focus on calls intended to stall execution post-deployment.
Examples:

  • sleep(3600)
  • Start-Sleep -Seconds 1800
  • Thread.sleep(900000) (in Java)


Embedded Scheduler References in Scripts:
Detect scripting logic that attempts to create or modify scheduled tasks, cron jobs, or background triggers.
Examples:

  • echo '0 4 * * * /usr/bin/script.sh' >> /etc/crontab
  • schtasks /create /tn "Update" /tr C:\temp\payload.exe /sc once /st 23:59
  • at now + 1 minute /interactive "cmd.exe"


Identification of Obfuscation and Dynamic Constructs:
Scan for base64-encoded, concatenated, or dynamically constructed commands that attempt to evade static detection of time or scheduling logic.
Examples:

  • eval(base64.b64decode(payload))
  • task_command = "schtasks" + " /create /sc daily"
  • exec("sleep " + str(delay_seconds))
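The four pattern classes above, implemented as one CI/CD check in an added example that is not part of the Insider Threat Matrix or any real linter. It walks the Python AST (so it is not fooled by whitespace or aliasing of the same call) and reports time-gated conditionals, long or unbounded sleep calls, scheduler references in string literals, and eval/exec on dynamically built input; the rule names, the sleep threshold and the sample source are assumptions, and Python 3.9+ is needed for ast.unparse.

```python
"""Minimal CI/CD static check for the deferred-execution patterns listed above.

Added illustration; not part of the Insider Threat Matrix or any real linter.
Rule names, the sleep threshold and SAMPLE_SOURCE are assumptions.
"""
import ast
import re
from dataclasses import dataclass

MAX_SLEEP_SECONDS = 300  # assumed operational threshold; tune per pipeline
TIME_SOURCES = {"time", "now", "today", "utcnow"}  # time.time(), datetime.now(), ...
SLEEP_NAMES = {"sleep"}                            # time.sleep(), asyncio.sleep(), ...
DYNAMIC_EXEC = {"eval", "exec"}
SCHEDULER_RE = re.compile(r"crontab|schtasks|\bat\s+now\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _call_name(node: ast.AST) -> str:
    # Trailing identifier of a call target: "sleep" for time.sleep(...).
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _is_literal(node: ast.AST) -> bool:
    # True only for a plain literal; anything built at runtime fails literal_eval.
    try:
        ast.literal_eval(node)
        return True
    except (ValueError, TypeError, SyntaxError):
        return False


class DeferredExecutionScanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, node: ast.AST, rule: str, detail: str) -> None:
        self.findings.append(Finding(node.lineno, rule, detail))

    def visit_Compare(self, node: ast.Compare) -> None:
        # Rule 1: system time/date compared against a hardcoded or computed threshold.
        operands = [node.left, *node.comparators]
        if any(isinstance(o, ast.Call) and _call_name(o) in TIME_SOURCES for o in operands):
            self._add(node, "time-gated-logic", ast.unparse(node))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # Rule 2: sleep with a literal delay above threshold, or a delay that
        # cannot be bounded statically (escalated for review rather than ignored).
        if name in SLEEP_NAMES and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, (int, float)):
                if arg.value > MAX_SLEEP_SECONDS:
                    self._add(node, "long-sleep", ast.unparse(node))
            else:
                self._add(node, "dynamic-sleep", ast.unparse(node))
        # Rule 4: eval/exec whose argument is not a plain literal.
        if name in DYNAMIC_EXEC and node.args and not _is_literal(node.args[0]):
            self._add(node, "dynamic-exec", ast.unparse(node))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # Rule 3: scheduler references embedded in string literals (also inside f-strings).
        if isinstance(node.value, str) and SCHEDULER_RE.search(node.value):
            self._add(node, "scheduler-reference", node.value)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` (never executed) and return findings ordered by line."""
    scanner = DeferredExecutionScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: (f.line, f.rule))


def ci_gate(source: str, approved_exception: bool = False) -> bool:
    """True when the change may proceed: no findings, or a reviewed exception on file."""
    return approved_exception or not scan_source(source)


# Constructed sample mirroring the patterns listed above; it is parsed, never run.
SAMPLE_SOURCE = '''
if datetime.now() > target_date: run()
time.sleep(3600)
time.sleep(5)
open("/etc/crontab", "a").write("0 4 * * * /usr/bin/script.sh")
eval(base64.b64decode(payload))
exec("sleep " + str(delay_seconds))
'''
```

Exceptions are modelled as a flag passed to ci_gate so that the pipeline, not the author, decides when a finding is waived.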


CI/CD Blocking and Exception Escalation:
Treat the above patterns as rule violations within CI/CD pipelines. Enforce blocking behavior unless a security-reviewed exception is filed. Ensure exception cases are logged, tagged, and auditable.


Pre-Deployment Artifact Scanning:
Apply static analysis not only to source code but to bundled artifacts such as container images, compiled scripts, or deployment templates (e.g., Terraform, CloudFormation) to catch embedded logic in infrastructure as code (IaC).


Cross-Team Code Review and Signature Expansion:
Maintain shared detection signatures across DevSecOps, application security, and insider risk teams. Regularly review triggered matches to refine accuracy and discover new anti-forensic variants.


Attestation of Safe Logic by Departing Engineers:
Require final code audits for subjects flagged for departure or termination. Mandate re-review of any automation, CI/CD jobs, or privileged scripting authored by the subject.

PV063Local DNS Sinkhole, Windows

On Windows, the “hosts” file is a text file used by the operating system as a local DNS resolver. It is located at C:\Windows\System32\drivers\etc\hosts.


An entry can be created in this file on a new line in the format “X.X.X.X domain.com”. To sinkhole a domain so that it doesn't resolve, the hosts entry could look like: 127.0.0.1 drive.google.com. If a user account attempted to reach this domain in a browser, Windows would first check the hosts file, and resolve drive.google.com as 127.0.0.1 (localhost), preventing a valid DNS resolution. This prevention can be deployed through Group Policy by overwriting the existing hosts file.


Such modifications can prevent requests from reaching DNS infrastructure or network-based logging points (proxy, NGFW), creating a forensic blind spot for investigators. An EDR solution should still detect a network connection being initiated from a process and provide visibility.

PV064Local DNS Sinkhole, Linux

On Linux, the “hosts” file is a text file used by the operating system as a local DNS resolver. It is located at /etc/hosts.


An entry can be created in this file on a new line in the format “X.X.X.X domain.com”. To sinkhole a domain so that it doesn't resolve, the hosts entry could look like: 127.0.0.1 drive.google.com. If a user account attempted to reach this domain in a browser, the operating system would first check the hosts file, and resolve drive.google.com as 127.0.0.1 (localhost), preventing a valid DNS resolution.


Such modifications can prevent requests from reaching DNS infrastructure or network-based logging points (proxy, NGFW), creating a forensic blind spot for investigators. An EDR solution should still detect a network connection being initiated from a process and provide visibility.
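For both the Windows (PV063) and Linux (PV064) entries, an added example that is not part of the Insider Threat Matrix: a hosts-file helper that parses the shared format, reports what the local resolver would return for a name, writes sinkhole entries idempotently so a file pushed by Group Policy or configuration management never accumulates duplicates, and verifies after deployment that every intended domain is actually sinkholed. The marker comment and the sample file content are assumptions.

```python
"""Hosts-file sinkhole helper for the Windows and Linux entries above.

Added illustration, not part of the Insider Threat Matrix. The format is the
same on both platforms (only the path differs), so one parser serves both; the
functions are pure (text in, text out) so the result can be deployed by GPO or
configuration management. MARKER and SAMPLE_HOSTS are assumptions.
"""
from __future__ import annotations

SINKHOLE_IP = "127.0.0.1"
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
LINUX_HOSTS = "/etc/hosts"
MARKER = "# managed-sinkhole"  # assumed tag so managed lines can be found and replaced

# Constructed sample, not a real export.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
10.0.0.5   intranet.corp.example   # internal host
"""


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """(ip, [hostnames]) per mapping line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def resolve_local(text: str, hostname: str) -> str | None:
    """Address the resolver takes from the hosts file (first matching line wins),
    or None when the lookup would fall through to DNS."""
    hostname = hostname.lower().rstrip(".")
    for ip, names in parse_hosts(text):
        if hostname in names:
            return ip
    return None


def is_sinkholed(text: str, hostname: str) -> bool:
    return resolve_local(text, hostname) in {SINKHOLE_IP, "0.0.0.0", "::1"}


def apply_sinkhole(text: str, domains: list[str]) -> str:
    """Return hosts content with every domain in `domains` mapped to 127.0.0.1.

    Managed lines are placed first so they take precedence over any later
    mapping of the same name; earlier managed lines are dropped, which makes
    the call idempotent.
    """
    kept = [line for line in text.splitlines() if not line.rstrip().endswith(MARKER)]
    wanted = sorted({d.lower().rstrip(".") for d in domains})
    managed = [f"{SINKHOLE_IP} {d} {MARKER}" for d in wanted]
    return "\n".join(managed + kept) + "\n"


def missing_sinkholes(text: str, domains: list[str]) -> list[str]:
    """Post-deployment check: domains that would still resolve via DNS."""
    return [d for d in domains if not is_sinkholed(text, d)]
```

As the text above notes, this only removes the lookup from DNS and proxy logs; the connection attempt to 127.0.0.1 is still visible to an EDR agent on the endpoint.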

PV065Non-Disclosure Agreement

A Non-Disclosure Agreement (NDA) is a legally binding contract that defines the confidentiality obligations of a subject, typically during onboarding, project initiation, or third-party engagement. NDAs establish explicit boundaries around the handling of proprietary, regulated, or sensitive information, clarifying what constitutes unauthorized disclosure and reinforcing the subject’s duty of confidentiality.


NDAs are most effective when implemented in conjunction with structured policy enforcement, clear data classification, and role-based access controls. While an NDA alone does not prevent disclosure, its presence introduces enforceable consequences and strengthens the organization’s posture in disciplinary, contractual, or legal proceedings.

PV066Security Vetting and Clearance

Security vetting is a structured eligibility assessment that evaluates a subject’s trustworthiness, reliability, and suitability for access to sensitive systems, data, or facilities. Clearances formalize access tiers and are governed by predefined standards, typically incorporating criminal history, financial stability, foreign affiliations, and behavioral indicators. This prevention mechanism is designed to proactively reduce insider risk by screening out high-risk individuals prior to access, and by introducing revocation or suspension pathways in response to changes in risk posture.


Security clearance processes are not static; they must be sustained through periodic revalidation. When managed with transparency, procedural fairness, and alignment to access governance, clearance programs reduce organizational exposure to sensitive resource misuse or disclosure by unauthorized or high-risk subjects.

PV067Psychological Risk Assessment Program

Psychological assessments are structured evaluations used to identify mental health conditions, behavioral risk factors, or psychosocial stressors that may elevate the likelihood of a subject engaging in insider threat activity. These assessments can surface early indicators such as emotional instability, unmanaged stress, aggression, paranoia, or deteriorating cognitive function, each of which may impair judgment or increase susceptibility to coercion.


When integrated into workforce risk governance, psychological assessments serve as a proactive prevention mechanism, enabling tailored support, role reassignment, or clearance review before adverse actions occur. This approach is especially relevant in high-trust roles and sensitive access environments.

PV068Microsoft Litigation Hold

Microsoft Litigation Hold is a built-in compliance feature within Microsoft 365 that preserves mailbox content, even if a subject attempts to delete or alter messages. When enabled, it ensures that emails, calendar items, and other mailbox content remain discoverable and immutable, regardless of user-side deletion or modification attempts.


Organizations can apply Litigation Hold to specific subjects, role types, or high-risk populations, and define custom hold durations (e.g., indefinite or time-bound).

PV069Identity Credential Challenge and Verification

Randomized, routine verification of physical identity credentials is a necessary preventive control in environments where access is gated by visual or badge-based authentication. Unverified presence within secured areas increases organizational tolerance for impersonation, tailgating, and badge misuse—especially where behavioral drift has eroded expectations of enforcement.


Identity challenge programs mitigate this drift by reinforcing that possession of an ID badge is not proof of authorization. When implemented effectively, they also surface expired, misused, or cloned credentials before they enable preparatory actions such as unauthorized access, lateral movement, or physical data collection.


Human-led or automated challenge mechanisms


Credential Verification Points (CVPs): 

Assign roving or fixed-position security personnel equipped with access control readers capable of validating badge status and presenting the registered photo of the assigned individual. Personnel should challenge any subject whose badge fails to scan or whose appearance does not match the system photo.


Automated Robotic Challenge Systems: 

Deploy robotic guard platforms with integrated badge readers, cameras, and two-way audio connected to a live remote security agent. These systems can autonomously perform credential challenges without requiring direct physical confrontation. They are especially valuable in high-risk or high-traffic areas where human intervention may be inconsistent or prone to social engineering.


Implementation considerations


Separation of Challenge and Enforcement: 

Where feasible, separate the individual performing the challenge from the individual initiating an enforcement action. This reduces risks associated with escalation—such as confrontation with hostile subjects—or familiarity bias from onsite personnel.


Policy Integration: 

Embed the challenge expectation within the Acceptable Use Policy and physical security policy. Clarify that possession of a badge does not exempt any individual from verification.


Audit and Alerting: 

Log all challenge events (successful, failed, bypassed) to a centralized system. Include metadata such as badge ID, photo match result, time, location, and outcome. Flag repeat failures or unverified entries for investigative review.

PV070Service Desk Caller Verification Process

This prevention mandates a standardized, enforceable identity verification process for all service desk interactions involving password resets, account unlocks, or access changes. It requires the use of multi-factor verification (MFV), out-of-band confirmation (OOB), and structured workflow enforcement to ensure caller legitimacy. The process reduces susceptibility to impersonation, prevents policy bypass under pressure, and ensures auditability for investigative review.


Prevention Measures

All verification must use at least two distinct factors:

  • A knowledge factor (e.g., pre-set PIN or a dynamic question).
  • A possession factor (e.g., one-time passcode sent to a pre-registered corporate channel such as email or SMS).

For high-risk accounts, apply out-of-band confirmation:

  • Perform a callback to a pre-registered phone number.
  • Or request confirmation via an internal messaging platform (e.g., Microsoft Teams or Slack).

Verification steps must be enforced within the IT Service Management (ITSM) platform:

  • Each verification checkpoint is prompted and must be completed before proceeding.
  • Agents cannot override or skip steps manually.
  • All actions must be logged automatically with time, actor, and outcome.

Escalation protocols must be followed when:

  • Verification fails.
  • A request seems inconsistent or suspicious.
  • The subject is flagged in HR systems as inactive, offboarded, or under restriction.

Logs must include:

  • Requestor’s claimed identity.
  • Verifier’s identity.
  • Verification methods used.
  • Outcome of each step.

Service desk staff must undergo regular training and social engineering simulations:

  • Focus on red flags such as urgency, executive name-dropping, or vague justifications.
  • Reinforce the principle: verification is mandatory, regardless of pressure.

PV071Conditional Contact During Leave

Establish policy and procedural authority to contact subjects under formal investigation during periods of authorized or unauthorized leave. This mechanism ensures that investigative continuity, containment actions, and required interviews can proceed despite absence from duty.


Prevention Measures

  • Amend internal HR and Acceptable Use Policies (AUPs) to include a clause permitting investigative contact with aliased subjects during leave, where the subject is materially involved in an active investigation.
  • Require that all leave requests undergo a check against the Alias Register prior to approval, with flagged cases routed to Legal and the Insider Threat Investigation Team for review.
  • Define conditions for permissible contact, such as limiting outreach to official communication channels and ensuring legal oversight for medical or protected leave scenarios.
  • Include escalation pathways for unreachable or non-compliant subjects, particularly in AWOL scenarios or when delays introduce operational risk.
  • Formalize the policy via the Acceptable Use Policy Advisory Panel (AUPAP) to ensure defensibility and alignment with employment law and organizational governance.
PV072 Endpoint Network Access Agent Enforcement

Deploy and enforce the use of Endpoint Network Access Agents (such as Zscaler Client Connector, Cisco AnyConnect Secure Mobility Client, or similar tools) to ensure continuous network policy enforcement, traffic inspection, and behavioral visibility across all user environments, including remote, hybrid, and guest networks.

Key Prevention Measures:

  • Mandatory Agent Deployment: Require persistent agent installation across all managed endpoints, using device posture checks to validate status and prevent circumvention.
  • Controlled Network Access: Prevent outbound traffic unless routed through approved inspection points—eliminating unmonitored internet connectivity and forcing adherence to network governance policies.
  • VPN Configuration Lockdown: Restrict VPN usage to sanctioned clients and configurations. Enforce full-tunnel routing, disable split-tunneling, and block execution of unauthorized VPN applications or browser-based VPN extensions.
  • Policy-Based Access Control: Apply conditional access rules based on endpoint compliance, user identity, and network context—ensuring secure posture is maintained regardless of location.
  • Tamper Protection and Lockout: Detect and respond to agent disablement, configuration drift, or telemetry loss through auto-remediation or access revocation mechanisms.
  • Cross-Network Consistency: Extend enforcement capabilities to unmanaged and public networks, reducing blind spots introduced by subjects switching to guest Wi-Fi, personal hotspots, or external connectivity paths.

This control directly mitigates multiple behaviors associated with Network Obfuscation, including the use of unauthorized VPNs, evasive browser extensions, and transitions to unmonitored networks.

PV073 Merchant Category Code (MCC) Blocking

Implement controls to restrict or monitor financial transactions based on Merchant Category Codes (MCCs)—a globally standardized classification system defined under ISO 18245. MCCs are four-digit codes used by card networks (e.g., Visa, MasterCard, Amex) to categorize merchants by the primary type of goods or services they provide. These codes are assigned by acquiring banks and transmitted as part of the transaction metadata every time a payment card is used.

By enforcing MCC-based restrictions, organizations can block or flag high-risk purchases based on merchant intent, even when the vendor name appears benign or spending limits are not exceeded. MCC enforcement is a widely accepted control in government and private-sector purchasing policies, and provides a scalable way to mitigate insider financial misuse.

Key Prevention Measures:

Block High-Risk MCCs

Deny transactions associated with high-risk merchant categories, such as:

  • 7995 – Gambling Transactions
  • 4829 – Money Transfer / Wire Services
  • 5967 – Direct Marketing / Teleservices
  • 6012 – Quasi-Cash Transactions (e.g., crypto platforms, money orders)

Enforce Pre-Authorization Blocking

Use payment card controls to prevent transactions at blocked MCCs from completing, rather than relying solely on post-spend reviews or reconciliation processes.

Define Role-Based MCC Profiles

Assign permitted MCCs based on a subject’s job function. For example, limit access to travel-related MCCs for field staff only, and restrict electronics purchases for non-technical roles.

Alert on Suspicious Behavior

Monitor for attempts to circumvent MCC restrictions, including:

  • Repeated declined transactions at blocked MCCs
  • Unusual bursts of transactions across diverse or unrelated MCCs
  • Usage at misclassified vendors or ambiguous MCCs

Apply MCC Rules Across All Payment Types

Ensure enforcement covers physical corporate cards, virtual cards, and integrated expense platforms to eliminate alternative channels for misuse.

Embed in Acceptable Use Policies

Reference MCC-based restrictions directly in your AUP to ensure clear policy authority, support investigative actions, and withstand scrutiny in HR or legal contexts.

MCC blocking provides a precision-level control against subtle or distributed forms of financial misuse. It is particularly effective where insiders seek to extract or redirect funds through legitimate-looking merchants operating under general-use MCCs.
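The pre-authorization check, role-based profiles and circumvention alerts described above, as an added Python example (not part of the ITM page): the blocked MCCs are the four the page lists; the role profiles, general-use MCC set, card tokens and transactions are constructed assumptions.

```python
"""Pre-authorization MCC check with circumvention alerting (added example,
not ITM's own code). Blocked MCCs are the four the page lists; the role
profiles, card tokens and transactions are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

BLOCKED_MCCS = {          # "Block High-Risk MCCs"
    "7995": "Gambling Transactions",
    "4829": "Money Transfer / Wire Services",
    "5967": "Direct Marketing / Teleservices",
    "6012": "Quasi-Cash Transactions",
}
# Assumed role-based MCC allowlists ("Define Role-Based MCC Profiles").
# Roles without a profile fall back to the general-use set; everything else is denied.
GENERAL_USE_MCCS = {"5111", "5943"}                              # office supplies
ROLE_MCC_PROFILES = {
    "field_staff": GENERAL_USE_MCCS | {"4511", "7011", "4121"},  # air, lodging, taxi
    "engineer": GENERAL_USE_MCCS | {"5045", "5732"},             # computers, electronics
}


@dataclass(frozen=True)
class Transaction:
    minute: int       # constructed timestamp: minutes since midnight
    card: str         # constructed card token, never a real PAN
    role: str         # cardholder's job function from the identity system
    mcc: str
    amount: float


@dataclass(frozen=True)
class Decision:
    tx: Transaction
    approved: bool
    reason: str


def authorize(tx):
    """Decide at authorization time, so a blocked purchase never completes."""
    if tx.mcc in BLOCKED_MCCS:
        return Decision(tx, False, "blocked_mcc:" + tx.mcc)
    if tx.mcc not in ROLE_MCC_PROFILES.get(tx.role, GENERAL_USE_MCCS):
        return Decision(tx, False, "outside_role_profile:" + tx.role)
    return Decision(tx, True, "approved")


def detect_circumvention(decisions, repeat_threshold=3, window=30, burst_distinct=4):
    """Per card: repeated blocked-MCC declines and bursts across many MCCs."""
    alerts, by_card = [], defaultdict(list)
    for d in decisions:
        by_card[d.tx.card].append(d)
    for card, ds in by_card.items():
        ds.sort(key=lambda d: d.tx.minute)
        blocked = [d for d in ds if d.reason.startswith("blocked_mcc")]
        if len(blocked) >= repeat_threshold:
            alerts.append((card, "repeated_blocked_mcc_declines", len(blocked)))
        for i, start in enumerate(ds):   # sliding window over attempts, approved or not
            distinct = {d.tx.mcc for d in ds[i:] if d.tx.minute - start.tx.minute <= window}
            if len(distinct) >= burst_distinct:
                alerts.append((card, "mcc_burst", len(distinct)))
                break
    return alerts


# Constructed sample: one card probing blocked MCCs, one spraying across MCCs.
SAMPLE_TRANSACTIONS = [
    Transaction(540, "card-A", "engineer", "5045", 1299.00),
    Transaction(545, "card-A", "engineer", "7995", 200.00),
    Transaction(547, "card-A", "engineer", "7995", 150.00),
    Transaction(552, "card-A", "engineer", "6012", 500.00),
    Transaction(600, "card-B", "field_staff", "4511", 420.00),
    Transaction(605, "card-B", "field_staff", "7011", 310.00),
    Transaction(610, "card-B", "field_staff", "4121", 35.00),
    Transaction(615, "card-B", "field_staff", "5732", 899.00),
    Transaction(620, "card-B", "field_staff", "5111", 60.00),
    Transaction(700, "card-C", "hr", "5943", 25.00),
]


def run_sample(transactions=SAMPLE_TRANSACTIONS):
    decisions = [authorize(t) for t in transactions]
    return decisions, detect_circumvention(decisions)


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for d in decisions:
        print(d.tx.card, d.tx.mcc, "APPROVE" if d.approved else "DECLINE", d.reason)
    print(alerts)
```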

PV074 Network Segmentation

Network segmentation is a defensive architecture technique that restricts subject movement across enterprise infrastructure by logically or physically isolating systems into discrete zones. This is typically implemented using subnets, VLANs, firewall zones, and identity-aware access policies. In the context of insider threat, segmentation plays a critical role in constraining a subject's network visibility and access paths, even when they operate from a position of legitimate trust. By limiting lateral movement and enforcing strict boundaries between business functions, environments (e.g., development vs. production), and data classifications, segmentation reduces the risk of escalation, reconnaissance, or unauthorized data access. Effective segmentation requires technical enforcement at multiple layers (network, identity, endpoint), continuous telemetry, and alignment with organizational role structures.


Prevention Measures

Subnet-Based Segmentation
Use IP subnets to separate network segments by functional role (e.g., 10.10.10.0/24 for finance, 10.10.20.0/24 for development). Assign subnets according to department, data sensitivity, or risk profile, and apply routing controls between them using next-hop access policies or firewalls. Disable inter-subnet routing by default.


VLAN Isolation
Implement Virtual LANs to enforce broadcast domain isolation at Layer 2. VLANs should align with organizational trust boundaries—e.g., separate VLANs for HR, DevOps, guest Wi-Fi, and contractor endpoints. Switches and access ports should enforce 802.1Q tagging, and trunk ports must be tightly controlled to prevent unauthorized VLAN hopping.


Layer 3 ACLs and Route Maps
Apply router- or firewall-level Access Control Lists (ACLs) to explicitly permit or deny traffic between segments. Use route maps or policy-based routing (PBR) to enforce asymmetric flows or direct high-risk traffic through monitoring or decryption layers.


Host-Based Segmentation and Agent Policies
Deploy host firewalls or Endpoint Detection and Response (EDR) platforms capable of enforcing intra-host segmentation rules. Define policy-based isolation (e.g., deny RDP or SMB outside known ranges) and log all policy violations for cross-correlation with identity and behavior.


Zero Trust Segmentation
Extend segmentation beyond IP and port boundaries using software-defined per-session enforcement. Implement policy engines (e.g., Zscaler, Illumio, or Azure Firewall with Just-in-Time access) that grant access based on identity, device state, time, and justification, rather than static address rules.


Network Access Control (NAC) Enforcement
Integrate NAC (e.g., Cisco ISE, Aruba ClearPass) to dynamically assign VLANs or access profiles based on user role, device posture, or endpoint risk score. This prevents subject-controlled or unmanaged endpoints from reaching sensitive segments even if physically connected.


Firewall Zones and Traffic Inspection
Use next-generation firewalls to define security zones and inspect traffic at L7. Enforce inter-zone inspection with TLS decryption and application control policies to prevent tunneling, lateral file movement, or unauthorized data egress.


Logging and Alerting on Cross-Segment Access
Establish telemetry for segment-to-segment communication. Trigger alerts on:

  • First-time cross-subnet flows by user or host.
  • Failed connection attempts across segments.
  • Traffic volume anomalies between normally-isolated zones.


Correlate these with role-based access expectations and investigate for drift, reconnaissance, or misconfiguration.
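The three cross-segment alert conditions just listed, run over constructed flow records as an added Python example (not ITM's own code): the finance and development subnets are the ones the page uses; the HR subnet, users, role-based baseline and thresholds are assumptions.

```python
"""Cross-segment flow alerting (added example, not ITM's own code).
Finance and development subnets are the page's examples; the HR subnet,
flow records, users, baseline and thresholds are constructed assumptions."""
import ipaddress
from collections import defaultdict

SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.10.0/24"),
    "development": ipaddress.ip_network("10.10.20.0/24"),
    "hr": ipaddress.ip_network("10.10.30.0/24"),        # assumed third zone
}


def segment_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


# Constructed flow records: (user, src_ip, dst_ip, dst_port, action, bytes).
FLOWS = [
    ("alice", "10.10.10.15", "10.10.10.40", 445, "allow", 120_000),
    ("bob", "10.10.20.7", "10.10.20.9", 22, "allow", 8_000),
    ("bob", "10.10.20.7", "10.10.10.40", 445, "deny", 0),
    ("bob", "10.10.20.7", "10.10.10.41", 445, "deny", 0),
    ("bob", "10.10.20.7", "10.10.10.42", 3389, "deny", 0),
    ("carol", "10.10.30.5", "10.10.10.40", 443, "allow", 9_500_000),
    ("dave", "10.10.20.12", "10.10.30.20", 443, "allow", 50_000),
]

# Role-based expectations (constructed): which user/src/dst zone triples are
# normal, and the usual bytes per zone pair over the observation window.
EXPECTED_CROSS = {("carol", "hr", "finance")}
BASELINE_BYTES = {("hr", "finance"): 400_000}


def analyze(flows, expected=EXPECTED_CROSS, baseline=BASELINE_BYTES,
            fail_threshold=3, volume_multiplier=10):
    """Return alerts for the three cross-segment conditions listed above."""
    alerts, failed, volume, seen = [], defaultdict(int), defaultdict(int), set()
    for user, src, dst, port, action, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue                      # intra-zone traffic is out of scope here
        key = (user, s, d)
        if action == "deny":
            failed[key] += 1              # failed attempts across segments
            continue
        volume[(s, d)] += nbytes
        if key not in expected and key not in seen:
            alerts.append(("first_time_cross_segment", user, s, d))
            seen.add(key)
    for (user, s, d), n in failed.items():
        if n >= fail_threshold:
            alerts.append(("failed_cross_segment_attempts", user, s, d, n))
    for (s, d), nbytes in volume.items():
        base = baseline.get((s, d))
        if base and nbytes >= base * volume_multiplier:
            alerts.append(("cross_segment_volume_anomaly", s, d, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```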

PV075 Centralized Asset Inventory Control

Maintain a centralized, enforceable inventory of all enterprise-issued assets, with strong identity attribution. Assets such as laptops, mobile devices, removable media, and developer hardware must be provisioned through a controlled process, with their issuance, reassignment, and return tied to a single authoritative system. Failure to implement this control undermines visibility, frustrates post-incident reconstruction, and enables subjects to operate untracked or pseudonymously, with no authoritative means to attribute an asset to a subject.

Centralized asset inventory is not merely a logistical requirement; it is a foundational investigative control that enables attribution and identification across an organization's population.

Centralized Provisioning
All enterprise assets must be provisioned through a formal request-and-approval process managed by a single system of record (e.g., ServiceNow, Lansweeper, or equivalent). No devices should be issued without a documented change entry.


Persistent Identifiers
Each asset must be recorded with at least one hardware identifier (e.g., serial number, MAC address) and one software-level identifier (e.g., hostname, device GUID). These identifiers must persist across asset lifecycle events (provisioning, reassignment, decommissioning).


Subject Binding
Asset records must be explicitly bound to a subject using identity fields sourced from centralized systems. Required fields include:

  • Active Directory username (sAMAccountName)
  • Email address
  • HR-assigned employee ID
  • Manager or business unit affiliation
  • Employment status (e.g., contractor, full-time, intern)

System Integration with HRIS
Asset inventory systems must integrate with the organization’s HR information system (HRIS) to ensure accurate identity attribution. Identity records must update automatically upon onboarding, transfer, or termination.


Access Enforcement
Devices not present in the inventory system must be blocked from:

  • Network access (via NAC or DHCP enforcement)
  • Corporate VPN or remote access platforms
  • Enterprise SSO and SaaS authentication flows

Lifecycle Auditing
Asset inventory records must log all changes, including:

  • Provisioning events
  • Subject reassignments
  • Transfers between business units
  • Decommissioning or disposal actions


These logs must be exportable for investigative review and retained per incident response policy.

Inventory Reconciliation
A quarterly reconciliation process must occur between the asset management system and identity directory. Any orphaned, duplicate, or unassigned assets must trigger formal review.

Investigator Considerations

  • During an insider threat investigation, asset-to-identity linkage provides immediate context on who possessed what device at any given time. It allows correlation of device telemetry (e.g., EDR data) with human actions.
  • Unregistered or misattributed assets may indicate provisioning bypass, unauthorized hardware introduction, or deliberate obfuscation—each of which may constitute preparatory behavior.
PV076 Account Inventory and Ownership Validation

Enforce a centralized, actively maintained inventory of all user, system, and service accounts. Each account must be uniquely attributed to a subject or defined function, with metadata sourced from authoritative identity and HR systems. Weak or incomplete attribution enables unmonitored access, account misuse, and persistence beyond employment. Without a reliable inventory, investigative attribution becomes unreliable, particularly when subjects operate across multiple domains or identities.

Accounts are not always inherently self-explanatory. Their investigative value is determined by how clearly they map to real individuals, roles, and system relationships.

Key Prevention Measures

  • Maintain a central identity directory using platforms such as Active Directory, Azure Active Directory, Okta, or equivalent enterprise identity provider.
  • Integrate identity directories with the organization's HR information system (HRIS) to import employment status, department, and manager hierarchy.
  • For every account, record the following fields: directory username, full legal name, email address, employee ID (if applicable), employment type (e.g., contractor, intern, vendor), business unit, and account purpose.
  • Tag account types explicitly as either user, administrative, service, shared, or application-integrated.
  • Require all account creation events to originate from a change-managed workflow in platforms like ServiceNow, Jira Service Management, or Access Request systems such as SailPoint or Saviynt.
  • Prohibit manual account creation on production systems without approved and logged justification.
  • Implement monthly account attestation campaigns requiring managers to confirm active accounts for all direct reports and escalate unverified entries.
  • Detect and disable orphaned accounts (no associated subject) and stale accounts (no login activity over defined threshold) through automated tooling.
  • Apply role-based access control to ensure each account has scope-limited privileges in accordance with documented duties.
  • Ensure terminated accounts are disabled immediately upon HR status change using automated identity lifecycle hooks.
  • Retain logs of account provisioning, modification, and deactivation actions in a tamper-evident system.

Investigator Considerations

  • During investigations, clear account attribution enables rapid correlation between login activity and subject behavior across systems.
  • Unattributed or misclassified accounts may be a sign of policy bypass, lateral movement, or deliberate obfuscation.
  • Reuse of service accounts for interactive logins can indicate misuse or circumvention of monitoring controls.
  • Accounts with no ownership in the inventory system should be considered high-priority investigative targets for manual review and historical correlation.
PV077 Controlled Software Inventory Management

Maintain a centralized, enforceable inventory of all software permitted for use on enterprise-managed systems. Unauthorized or unmanaged software increases the risk of tool misuse, data movement, lateral exploitation, and unmonitored communication, each of which may enable or conceal insider activity.

A software inventory is not passive documentation; it is a dynamic enforcement boundary. Effective control requires both technical constraint (e.g., allowlisting) and structured visibility into what applications are deployed, by whom, and for what purpose.

Key Prevention Measures

  • Deploy endpoint management platforms capable of full software inventory visibility, such as Microsoft Intune, JAMF (macOS), Tanium, CrowdStrike Falcon, or ManageEngine Endpoint Central.
  • Enforce application allowlisting using tools like Microsoft Defender Application Control (WDAC), AppLocker, or third-party EDR integrations.
  • Maintain a centralized, queryable list of all approved applications, including version ranges, installation context (user vs. system), and business justification.
  • Log every software install event with metadata including hostname, username, install timestamp, and installation method.
  • Require all application installations to originate from approved enterprise repositories or deployment platforms (e.g., SCCM, Intune, JAMF).
  • Prohibit local administrator rights for population members except under time-limited, auditable exceptions.
  • Detect and flag installation of encryption tools, anonymizers, remote desktop clients, or developer toolchains on non-technical endpoints.
  • Conduct monthly reconciliations between installed applications and the approved software list, using EDR or inventory tools.
  • Investigate installation of communication platforms not sanctioned by enterprise IT (e.g., Signal, Telegram Desktop, third-party file transfer clients).
  • Automatically remove or isolate endpoints found running prohibited software, and require investigation before rejoining corporate networks.

Investigator Considerations

  • Software inventory logs are a high-value artifact for understanding preparatory behavior, such as staging exfiltration tools or side-channel communication clients.
  • Discrepancies between allowed software and observed installations often indicate circumvention of standard IT channels.
  • Repeated installations of the same unapproved tool across multiple devices or subjects may reflect behavioral drift or informal tool adoption within a team.
  • Software changes shortly before a known incident window may indicate staging activity, particularly if correlated with anomalous file or network activity.
PV078 Service Account Classification and Scope Limitation

Establish and enforce strict classification, ownership, and access scope limitations for all service accounts. These non-human accounts often hold elevated privileges and operate without the same oversight as user accounts. When left ungoverned, they create blind spots in forensic reconstruction, increase the risk of lateral movement, and enable subjects to access sensitive systems without attribution.

Service accounts must be treated as operational identities, not technical abstractions. Without rigorous control, they are a frequent vector for privilege misuse, staging, and exfiltration behaviors.


Key Prevention Measures

  • Maintain a centralized inventory of all service accounts using identity providers such as Microsoft Entra ID, Okta, or on-premises Active Directory.
  • Require each service account to have a documented business owner responsible for its purpose and review.
  • Record the account's assigned system or integration point, authentication method, and intended function.
  • Tag all service accounts explicitly in directory metadata as non-human.
  • Block service accounts from interactive login, remote desktop sessions, and GUI-based authentication.
  • Use conditional access policies to restrict service account access to predefined IP ranges and service endpoints only.
  • Require credential rotation on all service accounts using platforms such as CyberArk, HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
  • Implement just-in-time provisioning and session expiration for elevated service accounts using Privileged Access Management (PAM) tools.
  • Audit all service account permissions monthly to ensure least-privilege alignment with documented needs.
  • Automatically disable service accounts not used within a defined operational window unless a justified exemption is recorded.
  • Generate alerts when service accounts are used outside expected time windows, from unauthorized locations, or to access sensitive resources unrelated to their documented function.

Investigator Considerations

  • Service accounts used interactively are red flags during insider threat investigations, often indicating evasion of attribution or misuse of automation.
  • Misclassified or shared service accounts inhibit incident reconstruction and may obscure which subject initiated a given action.
  • High-volume data access by service accounts should be correlated with staging or exfiltration windows.
  • Accounts with privileged access but no assigned owner should be considered security gaps and reviewed as priority investigative artifacts.
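Reconciliation logic covering both the account inventory measures (PV076) and the service account controls (PV078) above, as an added Python example that is not the ITM project's code: it flags orphaned, stale and terminated-but-enabled user accounts, ownerless service accounts, and service accounts seen in interactive logons. The directory export, HRIS export and logon events are constructed; a deployment would pull them from the identity provider and HRIS.

```python
"""Account inventory reconciliation against HRIS (added example, not ITM's
code). Finds orphaned, stale and terminated-but-enabled user accounts,
ownerless service accounts and service accounts used interactively.
All directory entries, HR records and logon events are constructed."""
from datetime import date

TODAY = date(2025, 3, 1)      # fixed so the sample is deterministic
STALE_DAYS = 90               # assumed threshold for "no login activity"

# Directory export: username, type tag, HR employee ID (None for non-human
# accounts), enabled flag, last interactive logon, owning employee ID.
ACCOUNTS = [
    {"user": "jdoe", "type": "user", "emp_id": "E1001", "enabled": True, "last_login": date(2025, 2, 27), "owner": "E1001"},
    {"user": "rsmith", "type": "user", "emp_id": "E1002", "enabled": True, "last_login": date(2024, 10, 1), "owner": "E1002"},
    {"user": "tlee", "type": "user", "emp_id": "E1003", "enabled": True, "last_login": date(2025, 2, 20), "owner": "E1003"},
    {"user": "contractor7", "type": "user", "emp_id": None, "enabled": True, "last_login": date(2025, 2, 28), "owner": None},
    {"user": "svc-backup", "type": "service", "emp_id": None, "enabled": True, "last_login": None, "owner": "E1001"},
    {"user": "svc-etl", "type": "service", "emp_id": None, "enabled": True, "last_login": None, "owner": None},
]

# HRIS export: employee ID -> employment status.
HRIS = {"E1001": "active", "E1002": "active", "E1003": "terminated"}

# Authentication events: (username, logon type). Interactive use of a
# service account is the red flag the page calls out.
LOGON_EVENTS = [
    ("jdoe", "interactive"),
    ("svc-backup", "service"),
    ("svc-etl", "remote_interactive"),   # RDP session under a service account
]
INTERACTIVE_TYPES = {"interactive", "remote_interactive"}


def reconcile(accounts=ACCOUNTS, hris=HRIS, events=LOGON_EVENTS, today=TODAY):
    """Return (username, finding) pairs for manual review."""
    findings = []
    for a in accounts:
        user = a["user"]
        if a["type"] == "user":
            status = hris.get(a["emp_id"]) if a["emp_id"] else None
            if status is None:
                findings.append((user, "orphaned_no_hr_record"))
            elif status == "terminated" and a["enabled"]:
                findings.append((user, "enabled_after_termination"))
            if a["last_login"] and (today - a["last_login"]).days > STALE_DAYS:
                findings.append((user, "stale_no_recent_login"))
        elif a["owner"] is None:
            findings.append((user, "service_account_without_owner"))
    by_user = {a["user"]: a for a in accounts}
    for user, logon_type in events:
        acct = by_user.get(user)
        if acct and acct["type"] == "service" and logon_type in INTERACTIVE_TYPES:
            findings.append((user, "service_account_interactive_logon"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile():
        print(f"{user:12} {finding}")
```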
PV079 Data Inventory

Develop and maintain a formal inventory of sensitive operational data assets, including what they contain, where they reside, and who can access them. Data exposure cannot be investigated, let alone prevented, without reliable knowledge of what exists and how it is governed.

Organizations that lack structured data inventories often discover exposure only after the fact, unable to attribute access accurately or determine the scope of loss. This prevention ensures that sensitive data types, such as intellectual property, regulated records, internal communications, and technical documentation, are defined, tracked, and access-scoped across their lifecycle.


Key Prevention Measures

  • Maintain a centrally managed register of sensitive data assets, using data governance tools such as Collibra, Alation, Microsoft Purview, or OneTrust.
  • Require all critical data sets to have a designated business owner responsible for classification and access authorization.
  • Define categories for sensitive data, such as customer PII, financial records, product roadmaps, security configurations, and internal source code.
  • Record the physical or logical location of each data set, including cloud buckets, on-premises storage, network shares, or SaaS platforms.
  • Integrate classification tags into the file system, DLP policies, and access control platforms using metadata or content-based detection.
  • Prohibit storage of classified data types in untracked systems, unmanaged cloud storage, or personal workspaces.
  • Link access permissions to roles via identity systems and enforce least privilege through ACLs, IAM policies, or RBAC mechanisms.
  • Require quarterly reviews by business unit leaders to confirm active access permissions and decommission unneeded entitlements.
  • Log all access to designated sensitive repositories, retaining identity, timestamp, access type, and action taken.
  • Configure alerts for abnormal access behavior, including large data downloads, access outside normal business hours, or first-time access to restricted folders.
PV080 Change Management

Implement a comprehensive organizational change management framework that governs all modifications to infrastructure, systems, applications, configurations, and access policies. Without formal change control, subjects may introduce unauthorized changes that bypass controls, enable persistent access, disrupt availability, or conceal malicious activity under the guise of routine maintenance. Effective change management provides structured oversight that makes all changes attributable, reviewable, and auditable.


A mature change management program includes: centralized change request submission, classification by operational risk, dual authorization for sensitive modifications, enforcement of scheduled implementation windows, post-change validation, and configuration state reconciliation. This applies equally to on-premises infrastructure (e.g., network ACLs, hypervisors, firewalls), cloud-native resources (e.g., AWS security groups, Azure NSGs, GCP IAM), DevOps pipelines, and identity/access control systems.


Organizations should implement their change processes using industry-aligned ITSM platforms or integrated DevSecOps workflows. Common software platforms include ServiceNow, Jira Service Management, BMC Helix, Freshservice, and integrations with CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Terraform Cloud) that enforce policy-as-code for configuration control.

Change Request and Classification

  • All changes must be submitted through a centralized Change Management System (CMS)
  • Requests must include: category (e.g., network, identity, application), scope, justification, risk, and implementation window
  • Changes must be classified based on business impact (e.g., segmentation, access control, availability)


Approval and Oversight

  • High-impact or trust boundary changes require dual approval (technical and business approver)
  • Separation of duties must be enforced between requestor and approver
  • Emergency changes must be time-bound, documented, and retroactively reviewed

Implementation and Validation

  • Changes must occur within approved maintenance windows
  • Pre-change state (e.g., config snapshots, baselines) must be captured
  • Post-change verification must confirm success and be documented
  • Any deviations from approved scope or schedule must be logged and reviewed

Auditability and State Monitoring

  • Change records must be immutable, timestamped, and retained according to policy
  • All changes must be linked to authentication and privileged session records
  • Configuration drift detection must identify unapproved or out-of-band modifications

Policy and Governance

  • Change management controls must be embedded in formal policy
  • Internal audits must compare CMS records to infrastructure state (at least) quarterly
  • Administrators and approvers must receive annual secure change training
  • Non-compliant changes must be investigated and result in corrective or disciplinary actions
PV081 AI Usage Policy

An AI Usage Policy is a formally adopted organizational policy that governs the appropriate, sanctioned, and secure use of artificial intelligence systems, tools, and models by members of the population. It is designed to preempt misuse, establish accountability, and reduce ambiguity around the use of generative models, AI-enhanced tooling, and decision-automation systems within the organizational environment.


A comprehensive AI Usage Policy mitigates insider risk by codifying restrictions on data input, model interaction, model deployment, and tool integration, especially in contexts involving sensitive data, proprietary logic, or externally facing automation. In the absence of such guidance, subjects may unintentionally or deliberately disclose confidential information to public models, delegate sensitive decisions to unsanctioned systems, or introduce unmanaged shadow AI tooling into operational workflows.


Key Prevention Measures:

  • Policy Enumeration: The AI Usage Policy must follow an enumerated structure, allowing investigators and stakeholders to precisely reference policy clauses when documenting or responding to AI-related infringements.
  • Permitted Use Cases: Clearly define which AI tools are approved, for which functions, and under what conditions. Distinctions should be made between internal, sanctioned AI deployments and public, third-party platforms (e.g. ChatGPT, Copilot).
  • Data Input Restrictions: Prohibit the entry of regulated data types (e.g. PII, PHI, classified content) into external or non-controlled AI systems. This restriction must be backed by enforceable policy language and reinforced through data labeling and access classification.
  • Model Interaction Safeguards: Where use of generative AI is permitted, require integration into systems that log prompts, maintain user attribution, and support retrospective investigation in the event of policy violation or data leakage.
  • Tool Approval Workflows: Require that new AI-enabled tools undergo formal security, legal, and operational review before deployment. This ensures visibility and governance over the introduction of capabilities that could affect risk posture.
  • Change Control and Oversight: Governance responsibility should reside with a designated internal body, empowered to interpret, update, and enforce AI policy clauses in alignment with evolving capabilities and threats.