Here are five basic scenarios for organizations to monitor, in order to identify when trusted insider credentials may have been compromised:

Working hours are not only a strong indicator of an efficient employee but also an indicator of a compromised credential. Over time, employees tend to adopt a consistent work-hour routine. This could manifest in both the specific hours workers arrive and checkout, but also with the durations of the morning working sessions, behaviors on “depressing Mondays,” on holidays, etc. Using a baseline behavior pattern, identifying subtle changes in work hours could be the key to identifying whether a credential has been compromised.

When you see an employee accessing internal databases from two different continents in a very short time frame, you have another strong indicator of a compromised credential. Pinpointing a user’s location based on network data can be very unreliable. Geo-locations gathered from multiple data sources and representing various kinds of interactions can potentially result in a high rate of false positives. This requires profiling engines to be both selective and reliable in the data they take into account.

Why would someone who is currently in the office be connected to another internal asset using a remote protocol or application? Obviously, there is no need for this since all allowed assets should be accessible from an employee’s original domestic station. That’s why scenario 3 asks the question: “Why would you use that remote connection anyway?” This is extremely important since remote protocols are often used by an external attacker seeking to manipulate data from a distant location, or by a trusted insider as a way to mask an action he doesn’t want on record from his own trusted credential.

Uncommon use of organizational tools and department-dedicated resources is another great way to detect when an insider’s trusted credential is actually being abused. Identifying a user using either a file-share or a CRM his colleagues don’t typically access, could help detect when he himself, or someone using his own rights, is trying to reach a sensitive company resource.

Password reset protocols vary from service to service, but to an extent provide a golden opportunity for an attacker to take control of an unused trusted credential. For example, an account used routinely to conduct automated processes is due to a password change. An attacker, with some kind of insider access, can target this account and use the mandatory password policy to force a password change and abduct this account for his own purposes. Now in the hands of a malicious attacker, this account could now mask any future action.