Mandiant: How To Protect Against Insider Threats in the Age of Third-Party and Nation-State Threats

If the past six months have been any indication, U.S. organizations are under direct fire on every cyber front. Not only do organizations have to protect their valuable data against run-of-the-mill attackers, they now have to worry about advanced threats and nation-state-backed hacker groups.

But even still, the threat can be right at home. Organizations have seen a rapid insider threat evolution during the pandemic via third-party providers and malicious insiders, which can cause corporate and economic espionage, data theft and backup destruction.

In this Q&A, Jon Ford, Managing Director of Mandiant, spoke with us about third-party risk, how organizations can work internally to identify insider threats, and how very real nation-state-planted insider threats are.

With a cybersecurity and IT talent shortage, it is very rare that a mid-size or even large organization has enough resources in-house. Outsourcing is very common. But what are the risks that third-party contractors pose?

Legitimate access rules the cyber landscape. The increasing number of malicious insider incidents is particularly troubling for organizations of all sizes because insiders are, by definition, those we trust most. Malicious insider events impact organization reputation, customer trust and investor confidence. 2020 saw increased transformation projects, both planned and thrust upon organizations, and this need shows no sign of slowing.

Third-party contractor risk should be considered as a subset of supply chain risk. Organizations contracting support are asked to trust and provide appropriate accesses to fulfill contractual obligations. But we should not limit risk discussions to information technology or third-party contractors, as any individual provided access to information technology, operational technology, physical security, or sensitive information introduces malicious insider risk. Third-party contractors and organization employees pose the same risks to reputation impact, customer trust and investor confidence through theft or destruction of intellectual property, blackmail and extortion of companies, and facilitating corporate or nation-state espionage.

Third-party access via APIs, service accounts, and other mechanisms (e.g., MFDs or printers) such as maintenance systems (e.g., laptops) presents risks both from a malware perspective as well as an insider threat, or a combination therein. In most cases these are unintentional insider threats. However, due diligence in these investigations can reveal true intentional insider threat risk as well.

How should companies mitigate those risks?

  1. Visibility

     Mandiant recommends organizations invest in purpose-built insider threat data loss prevention solutions which can detect, alert, and block (if necessary) malicious behavior as well as work while both connected to and disconnected from the internet.

  2. Least Privilege

     In both production and development networks, Mandiant recommends organizations implement user access controls across all environments on their networks to ensure users, developers, and administrators only have the necessary access to perform their assigned responsibilities.

     Limit and audit users who can create accounts in on-premises networks and cloud environments.

  3. Logging

     Mandiant recommends logging and event aggregation sent to a Security Information and Event Management (SIEM) system. This provides a level of mitigation if a malicious insider attempts to clear logs, because separate, streamed logs to another system would be available.

  4. Network Segmentation

     Mandiant recommends organizations investigate their network segmentation, and limit unnecessary traffic to highly sensitive environments from lesser trusted environments. This will help prevent an insider from moving laterally or connecting from an internal network segment to a cloud environment. Additionally, all systems that do not need to be publicly facing should be segmented from public access and restricted as much as possible.

  5. Offboarding

     Mandiant continues to remind clients who may have to terminate employees or contractors to not give advance notice, limit communications, and remove network access immediately. This is also true if an employee voluntarily resigns or retires. Additionally, all SSH keys, PEM files, MFA, service passwords, and application passwords the individual had access to should be rotated for all environments (e.g., developer and production), and unenrolled in the case of MFA services, each time an employee or contractor with these accesses leaves the organization.

  6. Assess

     Mandiant recommends organizations have an insider threat program assessment conducted with defined, key outcomes of actionable, organization-specific risk mitigation recommendations, prioritized intelligence requirements based on the current and horizon intelligence landscape, and roadmaps for all maturity levels of insider threat security programs. Assessing annually with different tools can reveal varied areas of focus and identify gaps in capabilities that could be rectified.

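As an added example (not from Mandiant or the interview), the following is detection logic a defender could run over events already forwarded to a SIEM, covering two of the points above: the log-clearing case under Logging, where the streamed copy survives even if the local log is wiped, and the revoked-access case under Offboarding, where any logon after the recorded removal time is a finding. The event IDs are Windows Security/System log IDs (1102 and 104 for a cleared log, 4624 for a successful logon); the event records and offboarding times are constructed sample data.

```python
"""Two insider-threat detections over SIEM-forwarded events (constructed sample data)."""
from datetime import datetime, timezone

# Constructed, SIEM-normalised events: (timestamp, host, event_id, user, message).
EVENTS = [
    ("2024-03-01T09:02:11Z", "build01", 4624, "alice", "An account was successfully logged on"),
    ("2024-03-01T09:40:55Z", "build01", 1102, "alice", "The audit log was cleared"),
    ("2024-03-01T10:15:00Z", "db02",    4624, "bob",   "An account was successfully logged on"),
    ("2024-03-02T08:00:00Z", "db02",    4624, "carol", "An account was successfully logged on"),
]

# Constructed offboarding records: account -> time at which access should have been removed.
OFFBOARDED = {"bob": "2024-02-28T17:00:00Z"}

LOG_CLEARED_IDS = {1102, 104}  # Windows: Security log cleared (1102), System log cleared (104)
LOGON_IDS = {4624}             # Windows: successful logon


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_log_clearing(events):
    """Return (host, user, timestamp) for every forwarded log-cleared event.

    The local log no longer holds this record once cleared; the SIEM copy does,
    which is the mitigation the Logging recommendation describes."""
    return [(host, user, ts) for ts, host, eid, user, _ in events if eid in LOG_CLEARED_IDS]


def detect_post_offboarding_access(events, offboarded):
    """Return (user, host, timestamp) for logons by accounts whose access
    should already have been removed, i.e. a gap in the offboarding process."""
    hits = []
    for ts, host, eid, user, _ in events:
        if eid in LOGON_IDS and user in offboarded and _ts(ts) > _ts(offboarded[user]):
            hits.append((user, host, ts))
    return hits


if __name__ == "__main__":
    for host, user, ts in detect_log_clearing(EVENTS):
        print(f"[ALERT] audit log cleared on {host} by {user} at {ts}")
    for user, host, ts in detect_post_offboarding_access(EVENTS, OFFBOARDED):
        print(f"[ALERT] offboarded account {user} logged on to {host} at {ts}")
```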
How can companies identify insider threats within their own workforce?

Unless resources and business needs suggest otherwise, Mandiant recommends focusing malicious insider threat identification investments on core areas of concern, referred to as Crown Jewels. This includes key personnel as well. However, organizations should change legacy thought processes of who malicious insiders have traditionally been and how to defend against them. Mandiant has observed malicious insiders being less individuals and more groups working together with the watchers, including system administrators and insider threat team members.

Mandiant recommends that insider threat security teams have deep technical experience and tailored training to identify and disrupt the most significant malicious insider threats. Mandiant recommends investment in insider threat specific DLP, UEBA, and AI solutions which are designed to detect and block malicious insider activity. Also, Mandiant recommends having a third party perform assessments on at least an annual basis to ensure the existing people, processes, and tools are adequate and efficient, and that organizations are being evaluated against current insider threat landscapes and risks.

What are the roles of other departments inside an organization, outside the security team, in identifying and mitigating insider threats?

A highly successful insider threat security program cannot be a force-fit or a minimal investment. The program must align to organizational culture, have cross-stakeholder investment and be accountable to the board of directors. Departments like HR, Corporate Investigations/Counterintelligence, Cyber Threat Intelligence, Fraud, Privacy, and Legal Counsel can support an insider threat program through internal and external tippers. Leadership and HR can support an inclusive reporting culture, such as “See Something, Say Something.”

We've heard of advanced nation-state programs where they are planting individuals inside top organizations. How big of a concern is this? How can high-value organizations defend against these types of advanced adversaries?

While China is used in the example here, each nation state has its own version. According to the United States Senate Committee on Homeland Security and Governmental Affairs: China maintains more than 200 talent recruitment programs – the most prominent of which is the Thousand Talents Plan. Launched in 2008, the Thousand Talents Plan incentivizes individuals engaged in research and development in the United States to transmit the knowledge and research they gain in the U.S. to China in exchange for salaries, research funding, lab space, and other incentives. China unfairly uses the American research and expertise it obtains for its own economic and military gain. In recent years, federal agencies have discovered talent recruitment plan members who downloaded sensitive electronic research files before leaving to return to China, submitted false information when applying for grant funds, and willfully failed to disclose receiving money from the Chinese government on U.S. grant applications.

The concern in areas of research, intellectual property, and government has been seen as a focus for multiple nations. A defense for security teams to consider is to establish an intelligence-led Insider Threat Program and assess it annually for processes, people, and tools, with an emphasis on nation-state recruiting and intellectual property protection, to ensure adequate coverage of the areas of focus seen in the environment.
