Insider Threat Case: Daniel and His Spouse

In support of September's National Insider Threat Awareness Month (NITAM), an annual campaign, and in support of the Australian Government Security Vetting Agency (AGSVA) and the Australian Signals Directorate (ASD), it is worth highlighting how insider threats can unfold from trusted individuals, including those holding high-level clearances. One striking example is the case of Daniel, an IRAP Assessor, and his spouse, whose coordinated actions were uncovered through forensic analysis of their chat conversations.

This case demonstrates how trusted insiders can misuse their access and positions for personal gain, often hiding their actions through encrypted messaging platforms. In this instance, a simple conversation between Daniel and his spouse revealed a clear plan to undermine their employer, transfer sensitive information, and sabotage internal systems.

The Uncovered Conversation

In a chat conversation recovered from Daniel's work laptop, both Daniel and his spouse discuss their dissatisfaction with the employer and lay out plans to remove critical information and prepare for their exit:

"Wtf is she serious? Who has time for that bullshit of weekly updates?"

"Get everything out and clear computers."

"What they don’t realise is, I’m not back in the office ever lol."

"I’m going into the office tonight and cleaning it out."

"Call the other party if you can and move very fast with moving things over and leaving."

"Why is he even there? I thought she said it was just a one-day thing... bull-f**ing shit."

"If he’s going to be there every day, I’m moving out before he can do anything." [About the plan to steal the business]

This exchange shows clear contempt for their employer and the calculated steps they took to sabotage the organisation while remaining employed. The messages indicate their awareness of the ethical and legal implications, yet their focus remained on executing their plans without detection.

What Happened Next

The next steps in this insider threat unfolded rapidly. Immediately after this conversation, a series of damaging actions took place that had significant consequences for the employer:

  1. Removal of Email Forwarding Rules: Daniel used his account to remove several email forwarding rules from the company's Microsoft 365 subscription, disrupting communication channels. This included a rule that forwarded emails automatically to a competitor.
  2. Account Deletion: Daniel deleted a co-conspirator's user account, causing the immediate loss of all stored emails and files.
  3. Transfer of Data: Daniel created a spreadsheet titled "Asset Register" and saved it on a USB connected to his company laptop. He accessed the competitor’s SharePoint site and reviewed confidential information related to strategic projects.
  4. Mass Deletion of Email Accounts: He deleted 13 email accounts that were responsible for receiving security alerts from the SIEM, which monitored the IT environments of the employer's clients. These accounts were later found to be irrecoverable.
  5. Further Deletions and Transfers: Daniel deleted several important emails related to ongoing projects, including a security risk management plan. The day after the conversation, he began mass-deleting customer contact information, downloading thousands of files from the company's SharePoint site, and transferring them to the competitor’s OneDrive account.
  6. Mass Data Download and Google Search: He searched for ways to create archive folders in Outlook, which led to the creation of an email archive file. The file was later deleted, and its contents remain unknown.
  7. Mass Deletion of Files and Data: Daniel continued to delete critical files, including quotes, proposals, staff timesheets, and confidential pricing tables, many of which were related to Australian Government panel members.

These actions, executed on the same day as the chat conversation and the following day, had far-reaching implications for the employer, including the loss of critical business data and confidential information. The information Daniel downloaded to his laptop was automatically synced to the competitor’s SharePoint site, transferring valuable proprietary data in the process.
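Every action in the list above leaves a trace in tenant audit logging, and most of them are detectable with simple rules. The following is an added example, not part of the original article, showing how a defender might run such rules over Microsoft 365-style audit records: inbox-rule tampering, bulk deletion of users and mailboxes (with special treatment for the mailboxes that receive SIEM alerts), bulk file downloads within one hour, and administrative actions outside business hours. The records are constructed; the Operation names follow the Unified Audit Log convention, but the field layout is simplified, the `siem-alerts` mailbox naming convention is an assumption, and timestamps are treated as local time.

```python
"""Rule-based detection over constructed Microsoft 365-style audit records (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Operation names modelled on the Unified Audit Log (assumption: exact names may differ
# by workload); thresholds are illustrative and would be tuned per tenant.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Remove-InboxRule"}
DELETE_OPS = {"Delete user.", "Remove-Mailbox"}
ALERT_MAILBOX_PREFIX = "siem-alerts"      # assumed naming convention for SIEM alert recipients
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 counts as normal working hours
DELETE_THRESHOLD = 3                      # identity deletions per user before alerting
DOWNLOAD_THRESHOLD = 25                   # file downloads per user per hour before alerting


def build_sample_log():
    """Constructed JSON-lines audit log mirroring the sequence described in the article."""
    recs = [
        {"CreationTime": "2024-09-10T21:14:03", "UserId": "daniel@example.com",
         "Operation": "Remove-InboxRule", "ObjectId": "Forward to partner"},
        {"CreationTime": "2024-09-10T21:16:40", "UserId": "daniel@example.com",
         "Operation": "Delete user.", "ObjectId": "conspirator@example.com"},
        {"CreationTime": "2024-09-11T10:30:00", "UserId": "alice@example.com",
         "Operation": "FileDownloaded", "ObjectId": "/sites/ops/report.docx"},
    ]
    # 13 SIEM alert mailboxes removed in quick succession after hours
    for i in range(13):
        recs.append({"CreationTime": f"2024-09-10T21:{20 + i:02d}:00",
                     "UserId": "daniel@example.com", "Operation": "Remove-Mailbox",
                     "ObjectId": f"siem-alerts-{i + 1:02d}@example.com"})
    # 40 SharePoint downloads inside a single hour the next morning
    for i in range(40):
        recs.append({"CreationTime": f"2024-09-11T09:{i:02d}:00",
                     "UserId": "daniel@example.com", "Operation": "FileDownloaded",
                     "ObjectId": f"/sites/ops/quotes/quote-{i:03d}.xlsx"})
    return "\n".join(json.dumps(r) for r in recs)


def parse_log(text):
    """Parse JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(records):
    """Return a list of (rule, user, detail) findings for the supplied records."""
    findings = []
    deletions = defaultdict(list)      # user -> deleted objects
    downloads = defaultdict(int)       # (user, "YYYY-MM-DDTHH") -> count
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        user, op, obj = r["UserId"], r["Operation"], r.get("ObjectId", "")
        if op in RULE_OPS:
            findings.append(("inbox_rule_change", user, f"{op} {obj}"))
        if op in DELETE_OPS:
            deletions[user].append(obj)
            if obj.startswith(ALERT_MAILBOX_PREFIX):
                findings.append(("alert_mailbox_deleted", user, obj))
        if op == "FileDownloaded":
            downloads[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
        if ts.hour not in BUSINESS_HOURS and op in RULE_OPS | DELETE_OPS:
            findings.append(("after_hours_admin_action", user, f"{op} at {ts.isoformat()}"))
    for user, objs in deletions.items():
        if len(objs) >= DELETE_THRESHOLD:
            findings.append(("mass_identity_deletion", user, f"{len(objs)} accounts/mailboxes"))
    for (user, hour), n in downloads.items():
        if n >= DOWNLOAD_THRESHOLD:
            findings.append(("mass_download", user, f"{n} files in hour {hour}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyse(parse_log(build_sample_log())):
        print(f"{rule:26} {user:24} {detail}")
```

The point of the `alert_mailbox_deleted` rule is that deleting the SIEM's own alert recipients silences the monitoring that would otherwise catch the rest of the activity; an alert on that event should route to a channel the tenant administrator cannot delete.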

Comparison to Government Guidance on Insider Threats

The Countering Insider Threat guidelines provide several risk indicators and personas that align directly with Daniel and his spouse's behaviour:

Red Flags and Risk Indicators:

  • Accessing systems outside normal hours: Daniel's plan to access company systems after hours and "clean them out" fits the common warning sign of abnormal system use.
  • Conflicts of interest: The conversations clearly show Daniel’s disillusionment with his employer and plans to transition business to a competitor, which constitutes a serious conflict of interest.

Negligent and Malicious Insider Acts:

  • Daniel's actions went far beyond negligence—he was a malicious insider who deliberately used his position of trust to cause harm, delete key files, and benefit a competitor.

Family Involvement:

  • The document also highlights how third parties (including family members) can influence or assist insiders. In this case, Daniel's spouse was not just aware of his plans but was actively encouraging him to undermine his employer, showing how insider threats can involve family collaboration.

Why Chat Forensics Is Key to Insider Threat Detection

In this case, the forensic recovery of chat fragments from file slack space on his laptop's hard drive provided critical evidence of Daniel's intent and actions. By analysing the deleted chat conversations between Daniel and his spouse on Daniel's laptop, I uncovered a clear plan to sabotage the employer. This shows the importance of chat forensics in insider threat cases, as many insider actions are hidden behind encrypted messaging platforms or deleted after the fact.

The conversations exposed Daniel's motivations, revealing not just his desire to leave the company but also his detailed plans to erase data and move company information to a competitor. Without the forensic recovery of these conversations, it would have been difficult to prove the full extent of Daniel and his spouse's involvement in the scheme; the recovered conversations were ultimately accepted as fact by the Court.
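Deleted chat messages survive because the client's local cache files are unlinked rather than wiped, leaving message records in file slack and unallocated clusters. The following is an added example, not part of the original case work, of the carving step: it scans a raw byte buffer for message records, recovers both complete records and a record that was cut off at a cluster boundary, and orders them into a timeline. The buffer is constructed, and the record layout (a JSON object with `ts`, `user` and `text` fields) is a simplifying assumption; a real chat client's cache format would need its own signature.

```python
"""Carve chat message records from a raw byte buffer (added example, constructed data)."""
import json
import re
from datetime import datetime, timezone

# Signature for a complete record and for just the header of a record (assumed layout).
COMPLETE = re.compile(
    rb'\{"ts":"(?P<ts>\d+\.\d+)","user":"(?P<user>[^"]*)","text":"(?P<text>(?:[^"\\]|\\.)*)"\}')
HEADER = re.compile(rb'\{"ts":"(?P<ts>\d+\.\d+)","user":"(?P<user>[^"]*)","text":"')


def build_sample_slack():
    """Constructed stand-in for a run of file slack: filler bytes, two intact records
    and one record truncated where the cluster ended."""
    filler = b"\x00" * 64 + b"\xff\x10\x22" * 20
    msg1 = b'{"ts":"1694334003.000100","user":"U01","text":"first message text"}'
    msg2 = b'{"ts":"1694334120.000200","user":"U02","text":"reply with \\"quoted\\" words"}'
    cut = b'{"ts":"1694334300.000300","user":"U01","text":"third message that was trunc'
    return filler + msg1 + filler + msg2 + b"\x00" * 8 + cut + b"\x00" * 16


def _decode_text(raw, complete):
    """Decode the text field; complete records go through the JSON decoder so escapes
    are honoured, partial ones are decoded leniently."""
    if complete:
        return json.loads(b'"' + raw + b'"')
    return raw.decode("utf-8", errors="replace")


def _when(ts):
    """Chat timestamps here are Unix epoch seconds with a sequence suffix (assumption)."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()


def carve_messages(blob):
    """Return recovered records sorted by byte offset; 'complete' is False for fragments."""
    found = {}
    for m in COMPLETE.finditer(blob):
        found[m.start()] = {"offset": m.start(), "ts": m["ts"].decode(),
                            "when": _when(m["ts"].decode()), "user": m["user"].decode(),
                            "text": _decode_text(m["text"], True), "complete": True}
    for m in HEADER.finditer(blob):
        if m.start() in found:
            continue                      # already recovered as a complete record
        tail = blob[m.end():]
        # A fragment ends at the next quote, the first NUL (wiped/unused space) or end of buffer.
        ends = [i for i in (tail.find(b'"'), tail.find(b"\x00")) if i >= 0]
        end = min(ends) if ends else len(tail)
        found[m.start()] = {"offset": m.start(), "ts": m["ts"].decode(),
                            "when": _when(m["ts"].decode()), "user": m["user"].decode(),
                            "text": _decode_text(tail[:end], False), "complete": False}
    return [found[k] for k in sorted(found)]


def timeline(messages):
    """Render recovered records in chronological order for the report."""
    rows = sorted(messages, key=lambda m: float(m["ts"]))
    return [f'{m["when"]} {m["user"]} {"" if m["complete"] else "[PARTIAL] "}{m["text"]}'
            for m in rows]


if __name__ == "__main__":
    for line in timeline(carve_messages(build_sample_slack())):
        print(line)
```

Recording the byte offset of each hit, and marking fragments as partial rather than silently dropping them, is what lets the finding be reproduced and cross-checked later, which matters when, as here, the recovered conversation ends up before a court.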

Conclusion: The Need for Comprehensive Insider Threat Management

This case highlights how insider threats can emerge even from individuals with trusted clearances and high-level responsibilities. The involvement of family members in encouraging and facilitating insider activities further complicates the detection and mitigation of such threats.

The Countering Insider Threat guidelines and the Information Security Manual (ISM) Control ISM-1625 stress the need for proactive monitoring, timely forensic analysis, and robust internal controls. Vetting and clearances are not enough—organisations must implement a comprehensive Insider Threat Mitigation Program, as required by ISM Control ISM-1625, to detect and address insider risks before they cause significant damage.

This insider threat case poses a direct challenge to businesses: What are you doing to prevent similar incidents in your organisation? The lessons learned here reinforce the need for organisations to act decisively and implement trusted insider threat management strategies aligned with ISM Control ISM-1625 and government guidance to safeguard their operations from internal risks.

Here is a related article on another chat analysis relating to Insider Threats: https://www.dhirubhai.net/pulse/behind-clearance-can-you-really-trust-your-nathan-joy-srnrc/?trackingId=gdn8BqwWR8auXR8XXJjirg%3D%3D

Author Bio

Nathan Joy is a seasoned cybersecurity professional with over two decades of experience safeguarding Australian Government agencies and cloud vendors. As the first IT security manager in the Australian Government to implement the ASD Top 4 controls, Nathan played a pivotal role in pioneering robust cybersecurity practices within our nation. His dedication to innovation was recognised by the prestigious SANS Cyber Security Innovation Award, and he even had the honour of briefing the White House, Homeland Security, and the NSA on Australia's groundbreaking approach. Nathan's expertise extends to all cloud deployment models (IaaS, PaaS, SaaS) and is further validated by his IRAP assessor endorsement from the Australian Signals Directorate (ASD) since 2011. The views and opinions expressed in this article are Nathan's own and do not reflect the official position of the ASD or the Australian Cyber Security Centre (ACSC).