Malicious Insider Leaking Information to Unauthorized Third Parties

Apr 26, 2020 | Adversary Research, Case Study

The Challenge

A technology company’s (the Client) proprietary information was leaked to unauthorized third parties, presumably by an identified disgruntled employee. The Client required assistance in determining with certainty whether the leaks could be directly attributed to a specific employee within its organization and whether mitigation controls could be put in place to prevent further leaks.

Why Nisos

The Client sought expert assistance from a partner that could not only conduct mobile forensics but also potentially deploy monitoring software, review web applications and firewall logs, and come up with innovative methodologies to retrieve the employee’s company-owned device without alerting the employee in question.


Once selected to assist, we were granted full access to the Client’s internal network telemetry, worked with physical security to obtain the necessary surveillance footage, and worked with Legal and Human Resources departments to review complaints to narrow down to a person of interest.


When we reviewed the released content in concert with HR records, several persons of interest came into focus. A review of firewall and VPN logs narrowed our focus to one individual who used their personal third-party file share in violation of corporate policy, exfiltrated the sensitive data, and provided unauthorized access to a third party. We worked with the Client’s information technology team to run a “malicious” program on all company-owned devices at the employee’s location, which required all employees at that location to turn in their devices, so as not to alert the malicious insider.

In doing so, we were able to isolate the employee’s company-owned device and conduct the necessary mobile forensics, which further proved collusion with numerous other unauthorized external parties. Working with the physical security team, we were able to correlate security device logs of his file share activity with video surveillance and mobile forensics showing the employee using his phone to take photos of the computer screen and send them to the unauthorized third parties via encrypted chat.


In coordination with the Client’s HR and legal departments, the Client leveraged the investigation to terminate the employee without further consequences. We also provided significant guidance to the Client on how to configure their monitoring systems to alert on data exfiltration to unauthorized third-party file sharing sites, as well as on policy changes to allow enforcement of device policies in their BYOD environment. The Client admitted this investigation saved significant resources and money by preventing further leaks and was also the catalyst for building a more robust insider threat program tackling such issues in coordination with engineering, legal, and human resources.

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset, delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.
