Lizzie Clark

Identifying Insider Threats with Dark Web Monitoring

In this blog you’ll learn all you need to know about insider threats, where they might come from, and how to mitigate the risk of rogue employees.

What are insider threats?

In the cybersecurity landscape, the focus is often on external attacks – malicious hackers, state-sponsored cybercriminals, or hacking groups. However, one of the most significant and often overlooked risks to organizations comes from within – insider threats.

An insider threat refers to risks posed by individuals within an organization who have access to its systems, data, or resources and use this access intentionally or unintentionally to harm the organization. These insiders can be current or former employees, contractors, vendors, or partners with legitimate access to critical information.

While external hackers often rely on breaking through firewalls or exploiting vulnerabilities, insiders already have trusted access, which puts them in a position to cause damage and disruption to a business. Because these individuals typically operate within the security perimeter, detecting and preventing insider threats can be more challenging than defending against external attacks.

If you’d like to learn more about insider threats and how you can combat them with dark web intelligence, download our mitigation guide.

Types of insider threats

When talking about the different types of insider threats a business may face, there are two categories: malicious and unintentional.

Malicious insiders

These individuals intentionally exploit their access for personal gain, to harm the organization, or in some cases, to further a third party’s interests. Motivations for malicious insider activities can vary and may include:

  • Financial gain: Selling sensitive data such as intellectual property, customer information, or trade secrets to competitors or cybercriminals.
  • Revenge: Disgruntled employees may seek to damage the company’s reputation or disrupt operations, often following demotion, termination, or perceived unfair treatment.
  • Espionage: Insiders may act on behalf of competitors or foreign governments, stealing proprietary information or trade secrets.

Unintentional insiders

Unintentional insider threats arise when individuals, through negligence, mistakes or lack of awareness, compromise the security of an organization. This can include:

  • Phishing: Employees clicking on malicious links or attachments in emails, inadvertently downloading malware or giving attackers access to internal systems.
  • Weak passwords: Using easily guessable or repeated passwords can lead to unauthorized access.
  • Misconfigurations: IT personnel may misconfigure systems, leaving sensitive data exposed to outsiders.
  • Lost or stolen devices: Laptops, smartphones, or other devices containing confidential data can be lost or stolen, putting the organization’s data at risk.

While these threats aren’t malicious in intent, they can be just as damaging as deliberate attacks. According to studies, human error is one of the leading causes of data breaches, making it critical for organizations to address unintentional insider threats.

The impact of insider threats

Whether it’s malicious or unintentional, the damage caused by insider threats can be huge, leading to:

  • Financial loss: Theft of intellectual property, fraud, and sabotage can result in significant financial losses for businesses. According to a study by Ponemon Institute, the average cost of insider threats for organizations was over $700,000.
  • Reputation damage: Insider breaches can erode customer trust and tarnish an organization’s reputation, especially if sensitive data such as customer records or trade secrets is exposed.
  • Legal and compliance issues: Data breaches caused by insiders can lead to regulatory fines, lawsuits, and loss of certifications or licenses, especially in industries that handle sensitive information like healthcare, finance, or government.

Real life cases of insider threats

Insider threats affect organizations across the globe, so here are some examples of how insider threat incidents have played out.

Edward Snowden and the National Security Agency (NSA)

Edward Snowden, a former NSA contractor, is one of the most prominent examples of an insider threat when it comes to cybersecurity. Snowden gradually became disillusioned with the surveillance programs he was involved in at the NSA. He attempted to raise his concerns through internal channels, but his warnings were ignored. On May 20, 2013, Snowden flew to Hong Kong after taking medical leave from his job at an NSA facility in Hawaii. In early June of the same year, he leaked thousands of classified documents to journalists revealing the extensive scope of government surveillance operations. His actions exposed controversial intelligence practices, including the mass collection of phone records and internet data, sparking widespread debate about privacy. Snowden’s case showcases the significant risk that insider threats pose to even the most secure organizations, particularly when individuals with legitimate access to sensitive information misuse their privileges. 

Snowden’s actions also emphasize the human factor in cybersecurity. Insider threats are often motivated by personal or ideological reasons, which can be difficult to detect. 

Pegasus Airlines

The data leak at Pegasus Airlines serves as an example of how employee negligence can lead to serious cybersecurity breaches. In March 2023, a misconfigured element of Amazon Web Services (AWS) used by the airline resulted in the exposure of sensitive personal and operational data. This included passenger flight details, employee information, and even source code related to Pegasus Airlines’ software. The breach was traced back to human error, where employees failed to properly configure access controls, leaving the cloud storage publicly accessible for a significant period. The exposed data left Pegasus Airlines and its passengers vulnerable to potential misuse by cybercriminals.

This incident highlights the role of employee negligence as a critical factor in cybersecurity threats. The data breach wasn’t caused by a sophisticated cyberattack, but rather by a simple misconfiguration that went undetected. 

The NHS

In 2022, a phishing campaign exploited compromised NHS email accounts to distribute malicious emails to a wide range of recipients, both within and outside the organization. These phishing emails contained fake links to login pages and malicious attachments designed to collect login credentials and infect systems with malware. The compromised NHS email addresses gave these phishing attempts a sense of legitimacy, making it more likely that recipients would fall for the scam.

The attack exposed the NHS’s vulnerability to phishing schemes and the broader challenges healthcare organizations face in cybersecurity. 

During the phishing campaign, 139 NHS email accounts were compromised, and the organization’s cloud-based security platform detected 1,157 phishing emails. The majority of the emails were fake new document notifications with malicious links to credential harvesting sites, which were specifically seeking information from Microsoft 365 users. Its nhs[.]net domain serves “tens of millions” of email users, and provides infrastructure for 27,000 organizations including hospitals, health clinics, social-work organizations, suppliers and others. And while credential harvesting is “small potatoes,” as far as attacks go, “those credentials can be recycled in subsequent attacks with more dangerous results.”

Spotting and mitigating insider threats

Tracking insider threats is a challenge for organizations because of the trusted access involved, the broad range of motivations, and the gaps that cybersecurity teams may have in their monitoring. So, how can insider threats be identified and stopped?

One effective strategy for mitigating insider threats is using dark web monitoring and threat intelligence:

Monitor dark web forums for malicious insiders

Security teams should be monitoring for employees using dark web networks such as Tor to communicate with the wider cybercriminal underworld or to leak data. Malicious insiders using the dark web are more likely to be technically capable, serious about their malicious intentions, and better able to access the tools they need to execute their attack. They should therefore be seen as a high-priority threat.

By monitoring dark web forums, organizations can identify indicators that it is their organization being targeted, such as their brand name being used, leaked company data, or corporate email addresses. They can also gather intelligence that could help them in their investigation of a malicious insider, such as employee contact details or an indicator of which department the employee is in.

At Searchlight Cyber, we typically observe malicious insiders using dark web hacking forums to:

  • Advertise their employment at a company to attract cybercriminals interested in paying for insider threat services.
  • Offer initial access into a corporate environment for cybercriminals to bid on.
  • Sell data or intellectual property that the malicious insider has already stolen from the company.
  • Ask for guidance from cybercriminals on how they can exploit the company.
  • Buy malware or other tools to execute an attack on the organization.

Monitoring for recruitment posts targeting employees

Organizations should also be monitoring the dark web for cybercriminals who are looking to recruit insiders for their operations. Cybercriminals routinely post adverts on dark web forums offering handsome payouts to employees who can provide them with privileged access. This is a major source of insider threat as, according to the Verizon 2023 Data Breach Investigation Report, 89 percent of malicious employees are motivated by financial gain.
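The indicators described above (the brand name, leaked corporate email addresses) and the recruitment adverts in this section can be picked out of collected forum posts automatically. The following is an added example, not Searchlight Cyber’s tooling; it assumes a fictional organization (examplecorp.com) and constructed posts, and it handles the “[.]”, “(dot)” and “hxxp” defanging commonly seen in pasted data, which a plain substring match on the real domain would miss.

```python
import re

# Constructed organisation profile for a fictional company (assumption, not real data).
ORG_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}
BRAND_TERMS = ("examplecorp", "example corp")

# Constructed forum posts. The "[.]", "(dot)" and "hxxp" defanging mimics how
# indicators are commonly pasted; a naive match on the real domain would miss them.
SAMPLE_POSTS = [
    "Selling 40k customer records, sample: j.smith@examplecorp[.]com, a.jones@examplecorp(dot)co(dot)uk",
    "Looking for someone with VPN access at Example Corp, will pay well",
    "Dump from hxxp://portal[.]othercompany[.]net - no corp emails here",
    "Fresh combo list, mostly gmail.com and outlook.com accounts",
]

DEFANG_DOTS = re.compile(r"\[\.\]|\(\.\)|\(dot\)|\[dot\]|\{\.\}", re.I)
DEFANG_SCHEME = re.compile(r"hxxp(s?)://", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.I)


def refang(text):
    """Undo common defanging so indicators compare equal to the real domain."""
    text = DEFANG_DOTS.sub(".", text)
    return DEFANG_SCHEME.sub(r"http\1://", text)


def scan_post(post):
    """Return the corporate email addresses and brand mentions found in one post."""
    text = refang(post)
    emails = sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)
                     if m.group(1).lower() in ORG_DOMAINS})
    lowered = text.lower()
    brand = [term for term in BRAND_TERMS if term in lowered]
    return {"emails": emails, "brand": brand}


def triage(posts):
    """Keep only posts that mention the organisation, tagged with why they matched."""
    alerts = []
    for post in posts:
        hits = scan_post(post)
        if hits["emails"] or hits["brand"]:
            reason = "leaked corporate emails" if hits["emails"] else "brand mention"
            alerts.append({"post": post, "reason": reason, **hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert["reason"], "->", alert["post"][:60])
```

Posts with leaked addresses and posts that only name the brand (such as a recruitment advert) are reported with different reasons, so analysts can prioritise the former.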

Monitor Tor traffic to and from the company network

Traffic between Tor and the company network can also provide an early warning sign of insider threats. Many large organizations will have traffic coming from Tor to their network, especially public-facing infrastructure like their website. This can be benign traffic, where people are simply viewing the website from the dark web, but it is certainly worth monitoring for signs of cybercriminal reconnaissance. For example, dark web traffic to non-browsable web content like VPN portals can indicate that criminals are scanning ports for vulnerabilities. Monitoring for anomalous traffic activity, such as a large number of connections or mismatches between request and response data volumes, can help security teams to identify whether their network is being probed or attacked by cybercriminals.

However, connections from the company network to the Tor network are a very reliable data point for discovering insider threats because, in most organizations, there is virtually no good reason why an employee would be connecting to the dark web.
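The two signals described in this section can be turned into simple detection rules over firewall or proxy logs: outbound connections from internal hosts to Tor relays are flagged as high priority, while inbound Tor traffic is flagged only when it reaches non-browsable paths such as a VPN portal or arrives in unusual volume. This is an added example, not tooling from the original post; the relay addresses and log lines are constructed (documentation ranges, not real relays), and a real deployment would refresh the relay set from a published relay list.

```python
import ipaddress
from collections import Counter

# Constructed placeholder set of Tor relay/exit addresses (documentation ranges,
# not real relays); a production job would refresh this from a published relay list.
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Paths a visitor reading the public website would not normally request.
NON_BROWSABLE_PREFIXES = ("/vpn", "/remote", "/owa", "/admin")
CONN_THRESHOLD = 3  # connections from one Tor source before it counts as anomalous

# Constructed log lines: time src dst dst_port path ("-" when no HTTP path applies)
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.10 192.0.2.5 443 /
2024-05-01T09:00:02Z 203.0.113.11 192.0.2.5 443 /vpn/login
2024-05-01T09:00:03Z 203.0.113.11 192.0.2.5 443 /vpn/login
2024-05-01T09:00:04Z 203.0.113.11 192.0.2.5 443 /admin
2024-05-01T09:00:05Z 10.0.4.22 198.51.100.7 9001 -
2024-05-01T09:00:06Z 10.0.5.9 192.0.2.5 443 /
"""


def parse_line(line):
    ts, src, dst, port, path = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "path": path}


def classify(log_text):
    """Return (severity, reason, source) findings in the order they are detected."""
    findings = []
    per_source = Counter()
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        src_internal = ipaddress.ip_address(r["src"]) in INTERNAL_NET
        if src_internal and r["dst"] in TOR_RELAYS:
            # Strongest signal on the page: an internal host talking to Tor.
            findings.append(("HIGH", "outbound connection to Tor relay", r["src"]))
        elif r["src"] in TOR_RELAYS:
            per_source[r["src"]] += 1
            if r["path"].startswith(NON_BROWSABLE_PREFIXES):
                findings.append(("MEDIUM", f"Tor access to non-browsable path {r['path']}", r["src"]))
            if per_source[r["src"]] == CONN_THRESHOLD:
                findings.append(("MEDIUM", f">= {CONN_THRESHOLD} connections from one Tor source", r["src"]))
        # Plain website browsing from Tor and ordinary internal traffic are left alone.
    return findings


if __name__ == "__main__":
    for sev, reason, src in classify(SAMPLE_LOG):
        print(f"{sev:6} {src:14} {reason}")
```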

Monitor clear and deep web hacking sites

Organizations should also be monitoring for signals of insider threat on clear and deep web hacking websites, as well as messaging services such as Telegram. These sites are more accessible for users with less technical capability, so they are popular with malicious insiders conducting “lower level” cybercrime such as fraud. However, more serious cybercriminal operations also use these sites to find malicious insiders who might not frequent the usual dark web forums where they operate.

Clear web sites are those that can be accessed via a regular browser, where individuals quite brazenly discuss cybercriminal activity. Meanwhile, deep web hacking forums refer to the likes of BreachForums or Cracked – sites that you are able to visit via regular browsers but which require credentials to post, creating a barrier for non-criminals.

Build threat models, run tabletop exercises, and threat hunt

Beyond identifying incidents that specifically relate to them, monitoring externally for insider threats can help security teams to build out their intelligence and improve their readiness for attacks.

Many security teams have to consider malicious insiders with privileged access as part of their threat model and collect intelligence on the hypothesis that they have an insider threat.

Standing intelligence requirements for this threat model could include:

  • Identifying the assets that malicious insiders are likely to target.
  • Identifying areas of weakness – such as uncontrolled access – and possible countermeasures.
  • Identifying potential trigger events for an attack – such as employee layoffs.
  • Learning from previous incidents and public reporting of insider threats and leveraging that understanding to inform defense and detection capabilities.

Meanwhile, threat hunting teams concerned about insider threat can proactively use the intelligence gathered by monitoring the dark web to investigate on the assumption that the insider is within their business. For example, they could pivot on the profile of an insider advertising their access within an organization to identify whether this is one of their employees. Alternatively, threat hunters could pivot on the profiles of the cybercriminals that interact with the post to identify their capabilities based on their wider dark web activity. Even if companies aren’t resourced to conduct threat hunts, the dark web posts could be leveraged as inspiration for tabletop exercises. For example, taking the scenario: “What if the employee in this post was within our business? How would we respond to this incident?” Having a predefined game plan in place can have a major impact once a real-life threat is identified.

Dark web monitoring tools can alert security teams when corporate data surfaces in forums or marketplaces. This early detection enables companies to take swift action, such as resetting compromised credentials, strengthening access controls, or launching internal investigations.

Ultimately, these tools provide a layer of defense that safeguards sensitive information from both intentional and unintentional insider threats, and they help detect malicious activity before it escalates and causes damage to an organization.
