• August 01, 2023
  • 5 min read

Threat Models: Malicious Insider

John Hetherton

Head of Compliance

What is Threat Modeling?

Threat modeling involves understanding the intricacies of your system, identifying vulnerabilities, prioritizing potential threats, and devising proactive mitigation plans. By incorporating threat modeling at the inception of a project, companies can adopt a secure-by-design approach rather than reacting to incidents post-breach.

This blog post is the first part in a five-part series that will cover threats from the following, a:

  1. Malicious Insider
  2. Supply Chain Attack - Managed Services ( learn more here )
  3. Accidental Cloud Misconfiguration ( learn more here )
  4. External Attacker ( learn more here )
  5. Malicious Administrator

Key Terms in Threat Modeling:

  • Asset: Anything of value that belongs to an organization, such as data or software
  • Threat: A cause of an unwanted incident that may result in harm to a system or organization (malware, natural disaster, exploit code)
  • Threat Agent: An entity that discovers and/or exploits vulnerabilities.
  • Vulnerability: A weakness or gap in security that threats can exploit. (unpatched system, insecure code, overly permissive access, stored plaintext credentials)
  • Controls: Safeguards or countermeasures to prevent, detect, counteract, or minimize security risks.

Our Scenario

For this Series, we will use a relatively simple cloud-based stack to demonstrate the concepts. This stack is typical for most web applications, with resilience over two different regions and a three-tier architecture comprising web, application, and data storage tiers. For example, the application is assumed to run in a public cloud, leveraging the networking facilities typically provided.

The system we will consider is representative of the infrastructure you would see in the real world. It is an internet-facing application handling sensitive health and credit card information. The application is a typical three-layer architecture with web, application, and data storage layers and is hosted in a public cloud across data centers in the US and EU.

The Threat Actor: Disgruntled - Internal User (non-Admin)

The Insider Threat is internal users with malicious intent, as opposed to users who may pose a threat through naivety or by accident. These individuals, often disgruntled employees, may be driven by financial gain,  ideology, or negative feelings towards the organization or specific individuals within it.

The Threats:

Staff Access - Staff could access, view, download, and misuse large datasets of sensitive data, including credit card and health data, to commit fraud or extortion.


  • Access to data is available with only username and non-complex password
  • Access to data is overly permissive
  • Access to functionality is overly permissive, including view and download functions
  • Data in the Database is stored in plain text
  • There is no monitoring or logging of user activity in place

Attack Vectors:

  • Standard staff login to the internal application view


To safeguard against the Insider Threat, you should implement these robust mitigation strategies:

  1. Access Control / Authorization: Implement strict access control policies. The use of a least privilege policy will limit users to only the resources necessary for their job role; this should include data and functionality. Implementation will depend on the way the application handles authentication and authorization. OWASP has a great guide on the considerations.
  2. Two-Factor Authentication (2FA): Implement 2FA to validate the identity of the staff with privileged access. Ideally, hardware keys with Fido U2F, such as those available from Yubico.
  3. Data Encryption: Encrypt all sensitive data both at rest and in transit, using tools from companies like Evervault . The data should only be decrypted and available to specific applications and authorized roles.
  4. Logging: Implement logging which is sufficiently detailed to allow for the reconstruction of the events which led to a breach. Native tooling from AWS, like Cloudwatch and Cloud Trails, is a good place to start ingesting infrastructure and application logs.
  5. Monitoring: Implement monitoring to identify unusual patterns of behavior and notify security teams. There are many SIEMs on the market to enable deep visibility into user behavior, including tools like GuardDuty from AWS.
  6. Data Loss Prevention (DLP): Network and Endpoint DLP solutions can help organizations identify and block egress of sensitive leaving an organization. End point has become even more important given the switch to remote work.
  7. Policies: Document policies and procedures which cover best practices, such as those in PCI DSS, ISO 27001, or NIST, and publish them to staff.
  8. Regular Auditing: Regular system and access audits will help identify and rectify any anomalies in a timely manner.
  9. Develop an incident response plan and practice it to ensure that in the event of an incident, relevant roles understand their responsibilities. There are excellent AWS-published playbooks for AWS environments that can be referenced as a start for specific IR scenarios.

A holistic layered approach is essential to protect sensitive information effectively. Encryption plays a critical role in mitigating the risk of high-impact data breaches, safeguarding users' data, preserving the company's reputation, and avoiding regulatory fines. By adopting these comprehensive mitigation strategies, organizations can fortify their defenses against Insider Threats and ensure the safety of their invaluable data assets.

John Hetherton

Head of Compliance

Related Posts