# Insider Threat Leading to Data Breach

**Scenario: Insider Compromising Sensitive Data**

A multinational corporation detects **unusual data access patterns** that suggest a potential **insider threat**. Instead of relying only on **Indicators of Compromise (IOCs)** or external attacker TTPs, which rarely exist for a legitimate user abusing legitimate access, the security team applies the **Pyramid of Adversary Profiling** to analyze **the adversary's identity, motives, targets, execution methods, and timing**, so that mitigation can begin before the data leaves the company.

#### **Applying the Pyramid of Adversary Profiling**

1️⃣ **Who (Adversary Identity)**

* An internal employee with **privileged access to sensitive financial and intellectual property data**.
* Behavioral analysis shows recent signs of **dissatisfaction**, combined with abrupt **access requests beyond normal duties** (a classic precursor: the insider first acquires reach, then uses it).

2️⃣ **Why (Motivation & Intent)**

* The insider is motivated by **financial gain**, intending to sell **sensitive corporate data** on the dark web, or by **revenge** against the employer.
* Alternatively, the insider may be **coerced or recruited by external threat actors** to exfiltrate data on their behalf.

3️⃣ **What (Targeted Assets)**

* The insider is attempting to extract **customer data, trade secrets, and upcoming product designs**.
* The primary focus is on **file servers, cloud storage, and corporate email archives**.

4️⃣ **How (Execution Methods)**

* The insider abuses **legitimate access privileges** to copy data **to external storage (USB) or personal cloud services**; no exploit is involved, so no IOC fires.
* **Stealth techniques** such as **slow data exfiltration over time** keep each day's volume under the thresholds a volume-based DLP rule would trigger on, so only cumulative, per-user baselining catches it.
* The insider also attempts to **disable or clear security logs** to cover their tracks. If logs are forwarded to a central store the insider cannot reach, the tampering attempt itself becomes a high-fidelity signal.

5️⃣ **When (Attack Timing)**

* Activity spikes **outside business hours**, when fewer analysts are on shift and legitimate data movement is lower.
* The insider may time the exfiltration shortly before **resignation or contract termination**, when access is still valid but scrutiny has not yet increased.
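The following block is an added example, not code from the original article, that turns the **How** and **When** layers of the profile into detection logic. It runs over a small set of constructed audit events (the event layout, destination names, thresholds and user names are all assumptions for illustration, not any vendor's schema) and shows the gap the profile predicts: a per-day DLP threshold never fires on the low-and-slow insider, while per-user behavioral checks for external destinations, off-hours activity, cumulative volume over a rolling window, and log tampering do.

```python
"""Behavioral insider-threat detection over constructed audit events.

Added example: the event format, thresholds and users below are assumptions
for illustration, not a real product's schema or a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, user, action, bytes, destination).
# "bob" copies ~90 MB a night to USB / personal cloud for five nights, then
# clears the audit log; "alice" only moves data between internal servers.
EVENTS = [
    ("2024-03-04T10:15:00", "alice", "copy", 40_000_000, "fileserver"),
    ("2024-03-04T11:02:00", "bob",   "copy", 12_000_000, "fileserver"),
    ("2024-03-04T22:41:00", "bob",   "copy", 90_000_000, "personal-cloud"),
    ("2024-03-05T23:05:00", "bob",   "copy", 95_000_000, "usb"),
    ("2024-03-06T22:58:00", "bob",   "copy", 88_000_000, "personal-cloud"),
    ("2024-03-07T23:12:00", "bob",   "copy", 92_000_000, "usb"),
    ("2024-03-08T14:00:00", "alice", "copy", 30_000_000, "fileserver"),
    ("2024-03-08T23:30:00", "bob",   "copy", 97_000_000, "personal-cloud"),
    ("2024-03-08T23:45:00", "bob",   "audit_log_cleared", 0, "workstation"),
]

EXTERNAL = {"usb", "personal-cloud"}   # destinations outside corporate control (assumed)
DAILY_DLP_LIMIT = 100_000_000          # per-user, per-day byte threshold of a naive DLP rule
WINDOW_DAYS = 7                        # rolling window for low-and-slow detection
WINDOW_LIMIT = 300_000_000             # cumulative external bytes in the window deemed suspicious
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Monday to Friday
LOG_TAMPER = {"audit_log_cleared", "security_logging_disabled"}


def is_off_hours(ts: datetime) -> bool:
    """'When' signal: weekend or outside business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def daily_dlp_alerts(events):
    """What a threshold-only DLP rule raises: (user, day) pairs over the daily limit."""
    totals = defaultdict(int)
    for ts, user, action, nbytes, dest in events:
        if action == "copy" and dest in EXTERNAL:
            totals[(user, datetime.fromisoformat(ts).date())] += nbytes
    return sorted(key for key, total in totals.items() if total > DAILY_DLP_LIMIT)


def profile_users(events):
    """Behavioral findings per user, one tag per 'How'/'When' signal observed."""
    findings = defaultdict(set)
    external = defaultdict(list)  # user -> [(timestamp, bytes)] to external destinations
    for ts_str, user, action, nbytes, dest in events:
        ts = datetime.fromisoformat(ts_str)
        if action in LOG_TAMPER:
            findings[user].add("log_tampering")
        if action == "copy" and dest in EXTERNAL:
            external[user].append((ts, nbytes))
            findings[user].add("external_destination")
            if is_off_hours(ts):
                findings[user].add("off_hours_exfil")
    # Low-and-slow: sliding window over external copies; flags cumulative
    # volume even though no single day crosses DAILY_DLP_LIMIT.
    for user, items in external.items():
        items.sort()
        start, running = 0, 0
        for ts, nbytes in items:
            running += nbytes
            while ts - items[start][0] > timedelta(days=WINDOW_DAYS):
                running -= items[start][1]
                start += 1
            if running > WINDOW_LIMIT:
                findings[user].add("low_and_slow_exfil")
                break
    return {user: sorted(tags) for user, tags in findings.items()}


def risk_score(findings):
    """Weight the signals so log tampering and sustained exfil dominate."""
    weights = {"external_destination": 1, "off_hours_exfil": 2,
               "low_and_slow_exfil": 3, "log_tampering": 4}
    return {user: sum(weights[t] for t in tags) for user, tags in findings.items()}


if __name__ == "__main__":
    print("daily DLP alerts:", daily_dlp_alerts(EVENTS))   # empty: the rule misses bob
    found = profile_users(EVENTS)
    print("behavioral findings:", found)
    print("risk scores:", risk_score(found))
```

The contrast is the point: `daily_dlp_alerts` returns nothing because every nightly copy stays under 100 MB, while `profile_users` tags the same user with all four signals and `risk_score` ranks him first. In production the baseline would be learned per user rather than fixed, and the log-tampering signal only works if the audit trail is shipped to a store the endpoint user cannot modify.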

#### **How This Approach Strengthens Defense**

✅ **Early Behavioral Detection** – Instead of waiting for **IOC-based alerts**, which a legitimate user abusing legitimate access never generates, monitoring **user behavior (access volume, destinations, timing) and privilege changes** surfaces anomalies before the data leaves.\
✅ **Mitigating Insider Risk** – Implementing **role-based access control (RBAC), just-in-time access, and real-time user behavior analytics (UBA)** limits how much data any one account can expose and shortens the window in which elevated access exists.\
✅ **Understanding Long-Term Threats** – Recording the **adversary's motive and methods** lets security teams recognize the same precursor pattern (dissatisfaction, unusual access requests, off-hours copying) and **prevent similar incidents**.\
✅ **Adaptive Security Controls** – The traditional **Pyramid of Pain** ranks indicators (hashes, IPs, domains, tools, TTPs) by how costly they are for an external attacker to change; this model instead profiles the **internal adversary**, improving **corporate cybersecurity resilience** against threats the Pyramid of Pain was not designed for.
