Inside Out Security Blog   /  

Inside the World of Insider Threats, Part I: Motivation

Inside the World of Insider Threats, Part I: Motivation

As someone once said in a different context, never let a good crisis go to waste. While we still don’t have definitive proof, there’s good evidence that employees were in some way involved in the Sony meltdown—see Did North Korea Really Attack Sony? from Schneier. The larger point is that the Sony breach opens the door to a public discussion on a specific topic—malicious insiders —one which many companies have been very reluctant to discuss or comment.

Let’s put Sony in the undecided category for now while we wait for more information, and instead focus on lessons from actual verified insider cases.

Great idea, but where do we find these case files?

Thankfully, Carnegie Mellon University’s Computer Emergency Response Team (CERT) has been collecting insider incident data from the US Secret Service and their own consulting practice. Over the years, they’ve amassed a hefty database of 700 well-documented insider incidents that they’ve been actively analyzing as part of their research. One conclusion worth pointing out is that the underlying motivations differ between internal and external attackers. It’s still important to keep in mind, though, that the same IT controls stopping insiders also stop outsiders!


Since CMU CERT is a research organization, it has its own unified theories on insider data crime, which you can, if you’d like, read more about in these serious academic papers. However, as anyone who’s ever read any mysteries or watched crime shows knows, it always boils down to a question of means, motive and opportunity in establishing guilt.

Motives are especially interesting to explore in the world of insider data theft—what are the reasons that trusted employees break bad?

The folks at CMU CERT have looked into this question. Of the 700 cases, they analyzed a smaller set of only those that actually went to trial. Based on this subset, they came up with four motivation categories (see the graphic):insider-threat

  • theft for financial gain
  • theft for business advantage (IP theft)
  • IT sabotage
  • and a miscellaneous with various and sometimes unclear motives.

Stealing for money is the most obvious motive ─ though it covers less than half the cases. The CERT team discovered that this type of fraud was more likely done by lower level, non-technical employees, usually in cooperation with outsiders.

These were employees typically with financial problems who were using their authorization level as a data entry operator or customer support rep to modify credit histories, adjust benefits, or create false login credentials— all for a fee.

According to CERT, their activities were eventually spotted through an examination of log activity, particularly system change and file access logs. However, there was often a very long delay between the actual crime and its detection.


With the Sony breach on everyone’s mind, we know that non-financially motivated theft can be just as devastating as those driven by dollar signs. What’s interesting about the IT sabotage category is that it’s committed as an act of revenge by the proverbial “disgruntled employee”.

The source of the disgruntlement? The CMU CERT researchers note that the triggering event can be “termination, disputes with the employer, new supervisors, transfers or demotions, and dissatisfaction with salary increases or bonuses”.

Not surprisingly, IT sabotage is committed by technically oriented employees—mostly males—who have figured out how to take over someone else’s credentials. Effectively, these are tech savvy dudes who steal the passwords of other users and then throw the virtual monkey wrench into the IT machinery. This might involve writing a script or program to delete massive amounts of data, or even setting up a backdoor account to launch an attack much later.

The saboteurs were ultimately identified through the monitoring of remote access logs, file access logs, database logs, application logs, and email logs. But the CERT folks points out that since these are more sophisticated thieves than the financially motivated data robbers, they’re good at hiding their tracks by deleting or modifying the log files themselves.

Motivation and Environment

There’s more to motivation than I can fit into this post. The CERT team has come up with some provocative ideas about how environmental factors—perceived risk in getting caught, corporate culture—can shape motivation. There may even be precursor events that point to employees who are data thieves in the making.

We’re getting into “Majority Report”-like precrime territory, but there’s evidence to suggest that the insiders test and probe the company defenses long before the actual attack.

We’ll be taking up this and other topics in my next post in this insider threat series.

Image credit: Evaneleven

We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works