Welcome to the second part of our blog post on insider threats, a risk that many CISOs overlook. First, a quick recap of the main points we raised in part one.

Recap: The scale of the problem

As we saw in our first blog post on insider threats and the Rule of Three, the 2020 Ponemon report provided data points that help to quantify and qualify the insider risk:


  • 34% of businesses around the globe are impacted by insider threats.
  • Over the last two years the number of insider incidents has increased by 47%.
  • Over the same period the average annual cost of insider threats has increased by 31%, to $11.45M.

In addition, insider threats are broken down into three distinct categories:


  • Malicious insiders
  • Negligent insiders
  • Infiltrators

In part one, we talked about how the technology deployed to deal with the insider threat must deter, detect, and disrupt, and we covered at length how effective deception technology is at addressing the first of these three requirements. Here we address rules two and three, Threat Types and Threat Activities, and how getting real-time business intelligence about them in an automated manner gives CISOs the insight they need to detect insider threats rapidly.

Threat Types & Threat Activities

In the first part of our blog post we covered in some depth rule number one (Mitigation Goals). The focus now will be on rules two and three: Threat Types and Threat Activities.

Rule number two encompasses threats from negligent users, malicious insiders, and compromised credentials. How can deception technology be used to mitigate the risk posed by all three threat types? The key is to detect all three very early in the threat cycle, before any disruption has been caused to the business.

The next step is to ensure that the threat can be remediated quickly, bringing down incident response times as well as incident detection times. These two metrics are key for any CISO.

Compromised credentials are the hardest of the three for existing toolsets to detect. Most of those tools rely on signatures, baselining, or behavioural analytics, and a valid account performing permitted operations gives a signature nothing to match. Baselining and behavioural analytics only fire once activity deviates from the learned norm, and a malicious insider armed with a compromised account knows which operations are routine and can stay within it.

Deception is agnostic as to threat type: it draws the insider into the deception environment by crafting lures that appeal to them, in effect socially engineering the attacker. A piece of information that appears to give the attacker what they are looking for, or that points to a system which might hold it, is very difficult for them to overlook.

The CounterCraft Cyber Deception Platform alerts the analyst only when an active lure has been touched. A correctly deployed lure is referenced by no legitimate workflow, so any touch is suspicious, which makes these alerts high-fidelity and addresses a number of key points for the CISO: far fewer resources are needed to action alerts, and the analyst is not swamped and overwhelmed with false positives.
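To make the contrast between baselining and lure-based detection concrete, here is an added example written for this page; it is not CounterCraft platform code. It plants three hypothetical decoy identifiers, runs a simple volume baseline and a honeytoken detector over the same constructed audit log, and shows that a valid account used by someone else stays inside its baseline while a single touch of the decoy share fires an alert. The account names, share paths, log lines and baseline history are all constructed for the example.

```python
"""Honeytoken detection next to activity baselining over a constructed log.

Added example for this page, not CounterCraft code. Three hypothetical decoy
identifiers are planted; a volume baseline and a honeytoken detector are then
run over the same constructed audit log.
"""
from collections import Counter

# Hypothetical decoys. No legitimate workflow references them, so any
# access is suspicious by construction. Real lures should look like
# genuine assets and be planted where an insider would find them.
HONEYTOKENS = {
    "svc_backup_admin": "decoy service account",
    r"\\files01\finance_archive": "decoy file share",
    "db-payroll-replica": "decoy database",
}

# Constructed audit log: "<time> <user> <action> <target>".
# The first six lines are routine activity by the valid account 'jsmith'.
# The last line is the same account, now in someone else's hands, opening
# the decoy share. Total volume for the day stays within the norm.
LOG = r"""
09:01 jsmith OPEN \\files01\finance_q3
09:05 jsmith OPEN \\files01\finance_q3
09:12 jsmith LOGIN db-payroll
09:20 jsmith OPEN \\files01\finance_q4
09:40 jsmith LOGIN db-payroll
10:02 jsmith OPEN \\files01\finance_q4
10:15 jsmith OPEN \\files01\finance_archive
"""

# Constructed per-day event counts for prior days, used by the baseline.
HISTORY = {"jsmith": [7, 6, 8, 7, 6]}


def parse_log(text):
    """Split each line into a (time, user, action, target) tuple."""
    events = []
    for line in text.strip().splitlines():
        time, user, action, target = line.split(maxsplit=3)
        events.append((time, user, action, target))
    return events


def baseline_alerts(events, history, factor=2.0):
    """Volume baseline: alert when a user's event count for the period exceeds
    `factor` times their historical daily mean. Users with no history are
    skipped, which is itself a gap a new or rarely seen account slips through."""
    counts = Counter(user for _, user, _, _ in events)
    alerts = []
    for user, seen in counts.items():
        past = history.get(user)
        if not past:
            continue
        mean = sum(past) / len(past)
        if seen > factor * mean:
            alerts.append({"user": user, "events": seen, "mean": mean})
    return alerts


def honeytoken_alerts(events):
    """Honeytoken detector: alert on any exact reference to a decoy target,
    whoever makes it and however normal the rest of their activity looks."""
    decoys = {token.lower(): desc for token, desc in HONEYTOKENS.items()}
    alerts = []
    for time, user, action, target in events:
        lure = decoys.get(target.lower())
        if lure is not None:
            alerts.append({"time": time, "user": user, "action": action,
                           "target": target, "lure": lure})
    return alerts


def compare_detectors(text=LOG, history=HISTORY):
    """Run both detectors over the same log and return their alerts."""
    events = parse_log(text)
    return baseline_alerts(events, history), honeytoken_alerts(events)


if __name__ == "__main__":
    baseline, honey = compare_detectors()
    print(f"baseline alerts: {baseline}")  # [] : volume looks normal
    for a in honey:
        print(f"LURE TOUCHED {a['time']} {a['user']} {a['action']} "
              f"{a['target']} ({a['lure']})")
```

The two detectors are complementary rather than competing: the baseline catches a volume spike with no lure involved, and the honeytoken detector catches a single touch inside otherwise normal volume. The honeytoken alert also arrives with the who, when, what and which lure already attached, which is the context a first responder otherwise spends time reconstructing.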

The analyst also does not have to waste time analysing the alert to work out what is going on. Fewer alerts result in quicker response times, and the first responder has a clear understanding of what the threat is and where it is.

Deception is about getting the right data to the right person at the right time. Deception technology also lets the CISO detect malicious activity far earlier in the threat cycle, and allows for continuous monitoring to help an organisation understand whether it is dealing with a single insider or a more sophisticated threat in which a number of employees are acting together.

Real-Time Business Intelligence to Qualify and Quantify the Insider Threat

The CounterCraft Cyber Deception Platform provides something that is critical when an organisation is trying to map out its insider-threat risk profile accurately. Its high-interaction deception assets allow you to understand what the insider's ultimate goal is. It could be fraud, but equally it could be all three of the activities listed under rule number three.

Many solutions can track only one particular threat type, but in our experience it has been very important for our clients to track all three types, and to do so simultaneously. This gives the CISO a strategic and tactical advantage in accurately quantifying and qualifying the insider threat to their organisation.

We believe in providing real-time business intelligence in an automated manner on how the insiders are seeking to bypass existing security controls and how they are collaborating with other potential insiders within the organisation.

Final Word

If you are looking to accurately map out your insider risk profile and to detect such behaviour before it leads to lasting financial harm to your organisation, then think about deploying deception technology.

Not only will it lead to better detection of such threats; you will also detect them using fewer resources, and you will be able to respond before they result in sustained financial harm to your organisation.

If you want to learn more about the CounterCraft solution, please reach out to our team of consultants. We’d be delighted to tell you more.

Author: Nahim Fazal, Head of Cyber Threat Intelligence