wehost podcast

E-24 | Defending against insider threat on the cloud



Insane = (insider threat * same threat)^you not having any knowledge of what is happening

Steps of attack
Initial access
Execution
Persistence
Privilege escalation
Clean up

What could the insider do (possible risk of happening)
Attempt to disable or modify cloud firewalls
Manipulate cloud workloads
Deploy assets in an unused cloud region
Manipulate cloud accounts or authentication types
Access cloud accounts without authorisation
Discover credentials in files
Abuse the cloud metadata API for privilege escalation

Data collection: the insider will collect sensitive data and assets; this mostly focuses on cloud storage, secrets and API keys.
Exfiltration of data: threat actors look to exfiltrate data from the environment, which may involve encrypting the data or setting up another network path that may not be monitored or logged.
Impact: the end goal of the attack may vary, but it will always include one of these two:
getting critical data
access to unauthorised (or even authorised) assets that may be used to cause damage to the organisation
Common Types of Insider Threats
Well-intentioned users
Disgruntled users
Unnoticed users
Types of insider threats can be broken down into 4 categories
Roles and privileges
Here is an example
Solution
What do you need to log
API requests made to the cloud
Requests made through the browser
Track asset metrics and use behavioural analytics on the logs
Correlate account data based on how each account is used
Recent incident
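The two lists above (what an insider could do, and what you need to log) meet in the detection logic: once cloud API calls are logged, each insider action maps to a small set of API event names, and a per-account baseline catches the data-collection step. The script below is an added example written for these show notes, not code from the podcast or from any vendor. It runs CloudTrail-style rules over constructed sample events (the JSON lines are made up, not real logs; the field names follow the CloudTrail record format). APPROVED_REGIONS and SECRET_BURST are assumed organisation settings, and the event-name sets are an illustrative subset, not a complete rule set.

```python
"""Rule-based detection over CloudTrail-style events for the insider actions
in the show notes: firewall changes, deployments in unused regions, account
manipulation, and secret collection (per-account behavioural check)."""
import json
from collections import Counter, defaultdict

APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumption: regions the org actually uses
SECRET_BURST = 3  # assumption: distinct secrets one account may read before we alert

# Illustrative subsets of API event names per insider action (not exhaustive).
FIREWALL_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "DeleteSecurityGroup", "DeleteNetworkAcl",
}
ACCOUNT_EVENTS = {
    "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "DeactivateMFADevice",
}
DEPLOY_EVENTS = {"RunInstances"}
SECRET_EVENTS = {"GetSecretValue"}

# Constructed sample log (JSON lines), not captured from a real account.
SAMPLE_LOG = """
{"eventTime":"2024-01-10T09:00:00Z","eventName":"RunInstances","awsRegion":"eu-west-1","userIdentity":{"userName":"alice"},"sourceIPAddress":"10.0.0.5"}
{"eventTime":"2024-01-10T09:05:00Z","eventName":"AuthorizeSecurityGroupIngress","awsRegion":"eu-west-1","userIdentity":{"userName":"bob"},"sourceIPAddress":"10.0.0.9"}
{"eventTime":"2024-01-10T09:06:00Z","eventName":"RunInstances","awsRegion":"ap-southeast-1","userIdentity":{"userName":"bob"},"sourceIPAddress":"10.0.0.9"}
{"eventTime":"2024-01-10T09:07:00Z","eventName":"CreateAccessKey","awsRegion":"us-east-1","userIdentity":{"userName":"bob"},"sourceIPAddress":"10.0.0.9"}
{"eventTime":"2024-01-10T09:10:00Z","eventName":"GetSecretValue","awsRegion":"eu-west-1","userIdentity":{"userName":"bob"},"requestParameters":{"secretId":"prod/db-password"}}
{"eventTime":"2024-01-10T09:11:00Z","eventName":"GetSecretValue","awsRegion":"eu-west-1","userIdentity":{"userName":"bob"},"requestParameters":{"secretId":"prod/api-key"}}
{"eventTime":"2024-01-10T09:12:00Z","eventName":"GetSecretValue","awsRegion":"eu-west-1","userIdentity":{"userName":"bob"},"requestParameters":{"secretId":"prod/signing-key"}}
{"eventTime":"2024-01-10T09:30:00Z","eventName":"GetSecretValue","awsRegion":"eu-west-1","userIdentity":{"userName":"alice"},"requestParameters":{"secretId":"prod/db-password"}}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Stateless per-event rules. Returns a list of (rule, detail) findings."""
    name = event.get("eventName", "")
    region = event.get("awsRegion", "")
    user = event.get("userIdentity", {}).get("userName", "?")
    findings = []
    if name in FIREWALL_EVENTS:
        findings.append(("firewall_change", f"{user} ran {name} in {region}"))
    if name in ACCOUNT_EVENTS:
        findings.append(("account_manipulation", f"{user} ran {name}"))
    if name in DEPLOY_EVENTS and region not in APPROVED_REGIONS:
        findings.append(("unused_region_deploy", f"{user} ran {name} in {region}"))
    if name in SECRET_EVENTS:
        secret = event.get("requestParameters", {}).get("secretId", "?")
        findings.append(("secret_access", f"{user} read {secret}"))
    return findings


def analyse(events):
    """Run the stateless rules plus a per-account behavioural check: an account
    that reads SECRET_BURST distinct secrets is flagged once as collecting data."""
    findings = []
    secrets_by_user = defaultdict(set)
    for ev in events:  # events are assumed to be in time order
        findings.extend(classify(ev))
        if ev.get("eventName") in SECRET_EVENTS:
            user = ev.get("userIdentity", {}).get("userName", "?")
            secrets_by_user[user].add(ev.get("requestParameters", {}).get("secretId", "?"))
            if len(secrets_by_user[user]) == SECRET_BURST:
                findings.append(("secret_collection",
                                 f"{user} read {SECRET_BURST} distinct secrets"))
    return findings


def summarise(findings):
    """Count findings per rule, e.g. {'firewall_change': 1, ...}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in analyse(load_events(SAMPLE_LOG)):
        print(f"{rule:22} {detail}")
```

The stateless rules answer "what could the insider do"; the per-account secret counter is the simplest form of the behavioural analytics and account correlation the notes call for, and it is what separates alice's single lookup from bob's sweep of three secrets. In a real pipeline the baseline would be built from weeks of history per account rather than from the same stream being scored.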

By wehost