BIPI

Insider Data Theft: A Real Investigation Without Hollywood

Cybersecurity

Real insider cases are quieter than the training videos. USB exfil, personal Gmail uploads, Dropbox sync, abnormal print jobs, and the post-resignation behaviour pattern that quietly precedes most departures. Plus the legal handling people get wrong.

By Arjun Raghavan, Security & Systems Lead, BIPI · July 5, 2024 · 8 min read

#insider-threat #dlp #investigation

Insider investigations are not the cinematic thing the training videos imply. There is rarely a single act of obvious malice. There is usually a leaving employee, a final two weeks of slightly elevated curiosity, a couple of USB events, and a Gmail tab open at lunch. The job of the investigator is to assemble that quiet picture without panicking the organisation or violating the rights of the person under review.

The behaviour pattern that precedes most cases

Most insider data theft begins with a resignation that has not yet been announced, or a performance conversation that did not go well. The behaviour shift is subtle: a person who has worked normal hours for two years starts logging in at 22:30 on a Sunday. A salesperson with no engineering need pulls down the entire product roadmap from Confluence. An engineer who has never used the CRM exports a 12 MB customer contact list. By itself, each event is innocuous. Together, they form the timeline.

Behavioural baselining is the only way to see this. UEBA tools (Microsoft Sentinel UEBA, Splunk UBA, Exabeam) score each event against the individual's own history (and usually their peer group) rather than a flat population average, which is what lets a single late-night login from a nine-to-five user outrank a hundred from the on-call engineer. If you do not have one, you can build a reasonable baseline in a notebook over 90 days of Okta, Box, GitHub, and CRM logs: aggregate per user per day, then score the final weeks against that user's own median rather than the team's.

Exfiltration channels, in priority order

Rank them by frequency, not severity. The order I see most often:

Microsoft Purview, Netskope, and Zscaler will surface upload-to-personal-domain events once a policy for them exists; none of them alert on it without one. Without DLP, the proxy logs and the EDR file-access telemetry are your sources. CrowdStrike, SentinelOne, and Defender for Endpoint all record USB insertion and file-write-to-removable events; you just need the data retained long enough to query backwards from the resignation date, and default EDR retention is often measured in days, so check it before a case lands rather than during one.

The print-activity signal people forget

Print servers keep job logs. A spike in pages printed in the final week, particularly for someone who has never been a heavy printer user, is one of the clearest signals in the playbook. PaperCut, Equitrac, and even the Windows print spooler event log (Microsoft-Windows-PrintService/Operational, which is off by default and has to be enabled before it records anything) will give you per-document, per-user counts. Cross-reference against the document names and you usually find customer lists, pricing documents, and design documents going home on paper.
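Here is the notebook baseline the two sections above describe, as an added example rather than the article's own tooling or any vendor's UEBA logic. It scores each user's final week against that same user's own 90-day history for off-hours sign-ins, download volume and pages printed, so the print-room user's routine 300 pages a day is not flagged while a light user's 340 is. The users, dates, counts, the three signal names and the threshold are all constructed for the example.

```python
"""Score a leaver's final week against their own 90-day baseline.

Added example for the article, not a vendor's UEBA logic. Daily per-user
aggregates (off-hours sign-ins, pages printed, MB downloaded) are scored
with a robust z-score (median / median absolute deviation) computed from
that same user's history, so a heavy printer is never flagged for being
a heavy printer. All users, dates and counts below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

HISTORY_DAYS = 90   # baseline window
REVIEW_DAYS = 7     # the final week under review
THRESHOLD = 3.0     # MAD units above the user's own median (assumed cut-off)


def robust_z(value, history):
    """Deviation of value from the user's own history, in MAD units.

    Median and MAD stop a single earlier spike from inflating the baseline.
    A MAD of 0 (perfectly flat history, e.g. "never printed") falls back to
    1 so that any change from "never" still scores; flat-history signals are
    therefore sensitive, which is usually what you want for a leaver review.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0
    return (value - med) / mad


def score_user(rows, user, review_start, threshold=THRESHOLD, min_history=30):
    """Flag review-window observations that deviate from the user's own past.

    rows: (user, iso_date, {signal: value}) daily aggregates.
    Returns {iso_date: {signal: z}} for every z >= threshold.
    """
    history = defaultdict(list)
    flags = {}
    for u, day, signals in sorted(rows, key=lambda r: r[1]):
        if u != user:
            continue
        for sig, val in signals.items():
            if day < review_start:
                history[sig].append(val)
            elif len(history[sig]) >= min_history:   # refuse to score a thin baseline
                z = robust_z(val, history[sig])
                if z >= threshold:
                    flags.setdefault(day, {})[sig] = round(z, 1)
    return flags


def constructed_rows():
    """Two users over 97 days: asha (light printer) and bala (runs the print room)."""
    start = datetime(2024, 4, 1)
    rows = []
    for i in range(HISTORY_DAYS + REVIEW_DAYS):
        day = (start + timedelta(days=i)).date().isoformat()
        rows.append(("asha", day, {"off_hours_logins": 1 if i % 10 == 0 else 0,
                                   "pages_printed": 8 + i % 5,
                                   "download_mb": 3 + i % 4}))
        rows.append(("bala", day, {"off_hours_logins": 0,
                                   "pages_printed": 300 + i % 5,
                                   "download_mb": 3 + i % 4}))
    # Constructed final-week anomalies for asha: a Sunday-night session
    # burst, then a print spike and a CRM-sized export on the Friday.
    overrides = {("asha", "2024-06-30"): {"off_hours_logins": 4},
                 ("asha", "2024-07-05"): {"pages_printed": 340, "download_mb": 12}}
    for user, day, signals in rows:
        signals.update(overrides.get((user, day), {}))
    return rows


if __name__ == "__main__":
    rows = constructed_rows()
    for user in ("asha", "bala"):
        print(user, score_user(rows, user, review_start="2024-06-30"))
```

The only design choice worth arguing over is the MAD fallback: a user who has never printed or never logged in after hours has a flat history, and the fallback makes their first deviation score immediately. That is the behaviour you want for a leaver review and the behaviour that generates noise if you run it fleet-wide, so keep the two use cases separate.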

Pulling the timeline together

Build the timeline before you build the conclusion. A spreadsheet with five columns (timestamp, source system, action, asset, confidence) is enough. Populate it from Okta sign-ins, EDR file events, DLP alerts, proxy uploads, GitHub audit logs, badge-in/badge-out, and email send logs. Sort chronologically. Patterns emerge that no single tool will show you.
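The merge step above, and the upload-to-personal-domain and USB-write triage from the exfiltration section, as an added example that is not the article's own tooling: each parser takes the rough shape of one source's export (an Okta-style sign-in record, an EDR removable-media file-write event, a proxy access line, a print-server job line), normalises it into the five columns, and the builder keeps only the subject's events inside a lookback window ending at the resignation date. The field names, the personal-domain host list, the byte threshold and every sample record are constructed for the example, not any vendor's schema.

```python
"""Assemble a five-column insider-case timeline from heterogeneous logs.

Added example, not the article's tooling. Field names and sample records
are constructed; confidence grades are the example's own assumptions.
"""
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts treated as "personal" upload targets in this example.
PERSONAL_UPLOAD_HOSTS = {"mail.google.com", "drive.google.com", "www.dropbox.com"}
COLUMNS = ["timestamp", "source", "action", "asset", "confidence"]

# Constructed sample exports (not real logs).
OKTA_EVENTS = [
    {"published": "2024-06-30T22:31:04Z", "actor": "asha", "eventType": "user.session.start", "ip": "203.0.113.9"},
    {"published": "2024-07-01T09:02:11Z", "actor": "bala", "eventType": "user.session.start", "ip": "198.51.100.4"},
]
EDR_EVENTS = [
    {"time": "2024-07-02T18:47:30Z", "user": "asha", "event": "RemovableMediaFileWrite",
     "volume": "E", "filename": "customer_contacts_export.csv", "bytes": 12_582_912},
    {"time": "2024-07-02T18:48:02Z", "user": "asha", "event": "ProcessRollup", "filename": "explorer.exe"},
]
PROXY_LINES = [  # "<ts> <user> <method> <url> <bytes_out>"
    "2024-06-30T22:41:12Z asha POST https://mail.google.com/mail/u/0/ 12582912",
    "2024-07-03T13:05:40Z asha POST https://www.dropbox.com/upload 41943040",
    "2024-07-03T13:06:00Z asha GET https://www.dropbox.com/home 512",
    "2024-05-01T10:00:00Z asha POST https://www.dropbox.com/upload 2097152",   # outside lookback
]
PRINT_LINES = [  # "<ts>|<user>|<document>|<pages>"
    "2024-07-04T17:20:00Z|asha|FY25_pricing_master.xlsx|212",
    "2024-07-04T17:25:00Z|bala|lunch_menu.pdf|1",
]


def ts(s):
    """Parse ISO-8601 'Z' timestamps into aware UTC datetimes so sorting is exact."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def row(t, user, source, action, asset, confidence):
    return {"timestamp": ts(t), "user": user, "source": source,
            "action": action, "asset": asset, "confidence": confidence}


def from_okta(events):
    # A sign-in alone proves little; it anchors the other events in time.
    for e in events:
        yield row(e["published"], e["actor"], "okta", e["eventType"], e["ip"], "low")


def from_edr(events):
    # Only removable-media writes; a named file on a USB volume is a strong record.
    for e in events:
        if e["event"] == "RemovableMediaFileWrite":
            asset = e["volume"] + ":\\" + e["filename"] + f" ({e['bytes'] // 2**20} MiB)"
            yield row(e["time"], e["user"], "edr", "usb_file_write", asset, "high")


def from_proxy(lines, min_bytes=1_000_000):
    # Keep large POSTs only; grade by whether the destination is a personal service.
    for line in lines:
        t, user, method, url, out = line.split()
        if method != "POST" or int(out) < min_bytes:
            continue
        host = urlparse(url).hostname
        personal = host in PERSONAL_UPLOAD_HOSTS
        yield row(t, user, "proxy", "upload_personal" if personal else "upload_other",
                  f"{host} ({int(out) // 2**20} MiB)", "high" if personal else "medium")


def from_print(lines):
    # Medium until the document itself is recovered and matched.
    for line in lines:
        t, user, doc, pages = line.split("|")
        yield row(t, user, "print", "print_job", f"{doc} ({pages} pages)", "medium")


def build_timeline(subject, resignation_date, lookback_days=30):
    """Merge all sources for one subject into a chronologically sorted timeline."""
    end = ts(resignation_date)
    start = end - timedelta(days=lookback_days)
    events = [*from_okta(OKTA_EVENTS), *from_edr(EDR_EVENTS),
              *from_proxy(PROXY_LINES), *from_print(PRINT_LINES)]
    keep = [e for e in events if e["user"] == subject and start <= e["timestamp"] <= end]
    return sorted(keep, key=lambda e: e["timestamp"])


def to_csv(timeline):
    """Render the five-column spreadsheet the article describes."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    w.writeheader()
    for e in timeline:
        w.writerow({**e, "timestamp": e["timestamp"].isoformat()})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline("asha", "2024-07-05T17:00:00Z")))
```

Two things the merge makes visible that no single source shows: the 12 MiB webmail upload sits ten minutes after the late Sunday sign-in, and the same size file lands on a USB stick two days later. Normalising every timestamp to UTC before sorting matters; proxies, EDR consoles and print servers rarely agree on a time zone.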

Legal handling, which is where most teams fail

Three rules. First, do not interview the subject before HR and legal are in the room; you can destroy a case by tipping them off, and you can create a hostile-environment claim by doing it badly. Second, acquire the laptop before you confront. The moment they suspect, the device gets wiped. A full disk image is the standard to aim for; where you cannot take the device away, KAPE on Windows or UAC on macOS and Linux gives you a defensible triage collection in under an hour, and a hashed triage collection beats a full image you never got. Third, preserve cloud evidence with a legal hold (Google Vault in Google Workspace, an eDiscovery hold in Microsoft Purview) before the account is deleted during offboarding. Suspending the account blocks access and keeps the data; deletion is what purges the mailbox and drive, unsent drafts included, once the platform's retention window runs out.

If the matter goes to litigation, chain of custody is everything. Hashes on every image, taken at acquisition and re-verified at each hand-off; signed evidence logs; and a single named custodian per artifact at any given moment. Forensic reports written assuming a hostile cross-examination read very differently from internal IR reports, and you should write to the higher bar from day one.
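A minimal form of that evidence log, as an added example and not the article's or any forensic suite's code: each entry records the artifact's SHA-256, one named custodian and the action, and carries the authenticator of the previous entry, so editing, deleting or reordering an entry breaks the chain. Entries are authenticated with an HMAC under a key held by the evidence custodian; the key, artifact name, custodian names and timestamps are constructed for the example.

```python
"""Hash-chained, MAC-authenticated chain-of-custody log.

Added example, not the article's or any forensic suite's code. The key,
artifact names, custodians and timestamps are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value carried by the first entry


def sha256_file(path, chunk=1 << 20):
    """Stream a (possibly multi-GB) image through SHA-256 without loading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    def __init__(self, key: bytes):
        self.key = key          # held by the evidence custodian, not on the case share
        self.entries = []

    def _mac(self, body):
        # Canonical JSON so the same entry always authenticates the same bytes.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def record(self, artifact, sha256, custodian, action, when=None):
        """Append an entry linked to the previous one; `when` is an aware datetime."""
        when = when or datetime.now(timezone.utc)
        entry = {"seq": len(self.entries), "artifact": artifact, "sha256": sha256,
                 "custodian": custodian, "action": action, "time": when.isoformat(),
                 "prev": self.entries[-1]["mac"] if self.entries else GENESIS}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self, current_hashes=None):
        """Return (ok, problems): checks links, MACs and, if given, live artifact hashes."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"entry {i}: chain broken")
            if not hmac.compare_digest(self._mac(body), e["mac"]):
                problems.append(f"entry {i}: MAC mismatch, entry altered")
            if current_hashes and current_hashes.get(e["artifact"], e["sha256"]) != e["sha256"]:
                problems.append(f"entry {i}: {e['artifact']} no longer matches recorded hash")
            prev = e["mac"]
        return not problems, problems


def demo():
    """Constructed walk-through: acquire, hand over, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        name = "LAPTOP-0427-triage.zip"                      # constructed artifact name
        image = os.path.join(d, name)
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image bytes")
        digest = sha256_file(image)
        log = CustodyLog(key=b"constructed-custodian-key")   # real key lives offline
        t0 = datetime(2024, 7, 5, 9, 30, tzinfo=timezone.utc)
        log.record(name, digest, "ir-analyst-1", "acquired (KAPE triage)", t0)
        log.record(name, digest, "evidence-locker", "transferred", t0.replace(hour=11))
        ok_clean, _ = log.verify({name: sha256_file(image)})
        with open(image, "ab") as f:                 # artifact modified after acquisition
            f.write(b"!")
        ok_file, file_problems = log.verify({name: sha256_file(image)})
        log.entries[1]["custodian"] = "someone-else"  # log edited without the key
        ok_log, log_problems = log.verify()
        return ok_clean, ok_file, ok_log, file_problems + log_problems


if __name__ == "__main__":
    print(demo())
```

An HMAC proves integrity to anyone who holds the key, which is enough to catch accidental edits and a casual rewrite of who held what. For the cross-examination bar, a digital signature from a key only the custodian controls, or anchoring the final MAC to a timestamped third-party record, is stronger, because anyone holding the HMAC key could regenerate the whole chain.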

What the playbook should leave behind

A good insider case leaves the organisation with three things: the affected data is contained or revoked, the behaviour gaps that allowed the exfil are closed (personal Dropbox blocked at the proxy, webmail-upload DLP rule deployed, print quotas enforced), and a quiet improvement to the offboarding process so future leavers are watched as a matter of routine, not as an exception. The goal is never to catch one person. It is to make the next person's path obvious before they take it.
