The Insider Threat You Didn’t Hire
Credential compromise and MFA bypass have redefined the insider threat. The attacker logging in with stolen session tokens looks identical to your most trusted employee — and most insider threat programmes are not built to catch them.
Insider threat programmes were built around a behavioural model: watch employees who show signs of grievance, flag unusual data egress, tighten offboarding. That model addresses roughly half of the actual insider threat landscape today. The other half is external actors who have acquired insider-level access without ever appearing on a payroll.
Mandiant’s M-Trends 2024 report put the global median attacker dwell time at ten days from intrusion to detection, which is ample time to reach most strategic objectives. What has changed is how attackers get in. Abuse of valid accounts, logging in with legitimate credentials instead of exploiting a vulnerability, now ranks among the most common initial access techniques across industry incident-response reporting. They are not breaking in. They are logging in.
The bypass techniques making this possible are not exotic. Adversary-in-the-middle phishing kits such as Evilginx2 and Modlishka are openly available. They sit as a reverse proxy between the victim and the real login page, relaying every request in real time, so the password and the MFA step are completed against the legitimate identity provider. What the kit keeps is the session cookie the provider issues afterwards. An attacker who imports that cookie into their own browser holds the same authenticated session as the real user, including any privilege the MFA step unlocked. The MFA event happened. It just did not authenticate the right person.
Two incidents illustrate precisely how this gap gets exploited. In September 2022, an attacker who already held a contractor’s password bombarded the Uber contractor with repeated MFA push notifications late at night, then sent a WhatsApp message posing as Uber IT support and asked the contractor to approve one. The contractor did. Within minutes, the attacker had access to Uber’s internal Slack, AWS console, Google Cloud, and its HackerOne vulnerability database, including details of unpatched vulnerabilities not yet publicly disclosed. Access vector: a stolen password, a push notification and a social engineering message.
Cisco had disclosed a similar incident a month earlier, in August 2022. The threat actor first obtained an employee’s Cisco credentials from a compromised personal Google account whose browser had synced them, then combined voice phishing with push notification fatigue, flooding the employee with approval requests until one was accepted, to gain VPN access. Once inside, they moved laterally across the corporate network and exfiltrated data before detection. In both cases, MFA completed. In both cases, it authenticated the attacker.
Verizon’s Data Breach Investigations Report 2024 found stolen credentials involved in 44 per cent of all analysed breaches. An increasing share of those credentials are not guessed or cracked at the login prompt; they are session tokens lifted after the prompt has already been passed, in the session management layer that sits above the authentication mechanism. That is precisely where most security programmes have not extended their controls.
Closing this gap requires changes at several levels. First, migrating to phishing-resistant MFA. FIDO2 hardware keys and device-bound passkeys are not vulnerable to adversary-in-the-middle proxy attacks because the challenge-response is bound to both the web origin and the device: the browser, not the page, writes the origin it is actually talking to into the signed client data, and the authenticator scopes the credential to the relying party’s domain, so a proxy on a lookalike domain can neither request an assertion for the real site nor forward one the server will accept. CISA’s guidance urges every organisation, not only critical infrastructure operators, to treat phishing-resistant MFA as the authentication floor. This is no longer aspirational. It is the baseline. One caveat a practitioner should keep in view: this protects the login ceremony, not the session token issued afterwards, which an infostealer on the endpoint can still take.
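The origin and RP ID checks described above, worked through as an added example that is not part of the original article and not any vendor’s code. It models the relying-party side of a WebAuthn assertion with the standard library only; a keyed HMAC stands in for the authenticator’s ECDSA key so the binding logic can run without a crypto library, and the domain names, challenge format and simplified rpId suffix rule are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Toy stand-in for a device-bound private key. In real FIDO2 the authenticator
# holds an ECDSA/EdDSA private key and the server only a public key; an HMAC
# with a per-credential secret reproduces the *binding* checks, not the crypto.
DEVICE_KEY = os.urandom(32)  # constructed; never leaves the authenticator

RP_ID = "example.com"                          # assumed relying party
REAL_ORIGIN = "https://login.example.com"      # assumed legitimate origin
PROXY_ORIGIN = "https://login.example-com.evil"  # constructed AitM proxy host


def _rp_id_allowed(rp_id: str, origin: str) -> bool:
    """Browser rule (simplified): the requested rpId must equal the origin's
    host or be a suffix of it on a dot boundary."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(device_key, requested_rp_id, browser_origin, challenge):
    """What browser + authenticator return for navigator.credentials.get().
    The browser fills in `origin` itself; the page cannot override it."""
    if not _rp_id_allowed(requested_rp_id, browser_origin):
        return None  # browser refuses: rpId is not a suffix of the real origin
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || 32-bit counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(device_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def relying_party_verify(device_key, rp_id, expected_origin, challenge, assertion) -> str:
    """Server-side checks in the order the WebAuthn spec lists them.
    Returns 'ok' or a short reason for rejection."""
    if assertion is None:
        return "no assertion produced"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def legitimate_login() -> str:
    challenge = os.urandom(16).hex()
    assertion = authenticator_sign(DEVICE_KEY, RP_ID, REAL_ORIGIN, challenge)
    return relying_party_verify(DEVICE_KEY, RP_ID, REAL_ORIGIN, challenge, assertion)


def aitm_login():
    """The proxy relays the real server's challenge, exactly as Evilginx2 does."""
    challenge = os.urandom(16).hex()
    # Attempt 1: the proxy page asks for the real rpId. The browser refuses,
    # because example.com is not a suffix of login.example-com.evil.
    a1 = authenticator_sign(DEVICE_KEY, RP_ID, PROXY_ORIGIN, challenge)
    r1 = relying_party_verify(DEVICE_KEY, RP_ID, REAL_ORIGIN, challenge, a1)
    # Attempt 2: the proxy asks for its own rpId (in reality no credential is
    # even registered for it). The origin and rpIdHash now both differ.
    a2 = authenticator_sign(DEVICE_KEY, "example-com.evil", PROXY_ORIGIN, challenge)
    r2 = relying_party_verify(DEVICE_KEY, RP_ID, REAL_ORIGIN, challenge, a2)
    return r1, r2


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("aitm:", aitm_login())
```

The point the code makes is that nothing the proxy controls appears in the signed data: the origin comes from the browser and the rpIdHash from the authenticator, so the same check that a TOTP code or a push approval cannot perform is done for free by the protocol.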
Second, authentication cannot remain a one-time gate at login. Behavioural biometrics, device health attestation, network context, and periodic re-authentication triggers need to be evaluated throughout active sessions so that a replayed session token is caught after the initial event rather than trusted for its full lifetime. Microsoft’s Continuous Access Evaluation and Okta’s implementation of the OpenID Shared Signals Framework’s CAEP are production-ready today.
Third, insider threat tooling calibrated only to employee behavioural norms misses compromised account activity when attackers successfully mimic normal behaviour at first. User behaviour analytics rules need to flag access from new device fingerprints, geolocation anomalies, and impossible travel even when MFA completed successfully in the associated session, because a replayed cookie carries the MFA claim with it. And push fatigue attacks are preventable: requiring users to enter a number displayed on the login screen into the authenticator prompt, and including contextual signals such as location, device, and requesting application in the push, gives employees enough information to recognise a fraudulent request before approving it.
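The detection rules in the paragraph above, run over a constructed set of authentication events as an added example that is not part of the original article and not any product’s rule syntax. The log schema, the per-user device baseline, the coordinates and the 900 km/h speed threshold are all assumptions chosen for the illustration; the point is that every flagged event shows mfa=success.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    ts: str        # ISO 8601, UTC
    user: str
    device_fp: str  # browser/device fingerprint as the IdP reports it
    city: str
    lat: float
    lon: float
    mfa: str       # "success" / "failure" / "none"


# Constructed sample telemetry; not real logs. Alice's second login is a
# replayed session cookie: MFA shows success, but the device and place are new.
SAMPLE_LOG = [
    AuthEvent("2024-03-04T09:00:00", "alice", "fp-alice-laptop", "London", 51.5074, -0.1278, "success"),
    AuthEvent("2024-03-04T09:40:00", "alice", "fp-7f3a-unknown", "Lagos", 6.5244, 3.3792, "success"),
    AuthEvent("2024-03-04T08:30:00", "bob", "fp-bob-desktop", "Manchester", 53.4808, -2.2426, "success"),
    AuthEvent("2024-03-04T13:15:00", "bob", "fp-bob-desktop", "Manchester", 53.4808, -2.2426, "success"),
]

# Assumed baseline of devices each user has been seen on before today.
KNOWN_DEVICES = {"alice": {"fp-alice-laptop"}, "bob": {"fp-bob-desktop"}}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyse(events, known_devices, max_speed_kmh: float = 900.0):
    """Emit (ts, user, rule, detail, mfa) alerts. MFA status is reported, not
    used to suppress anything: a successful MFA claim travels with a stolen cookie."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda ev: (ev.user, ev.ts)):
        if e.device_fp not in known_devices.get(e.user, set()):
            alerts.append((e.ts, e.user, "new_device", e.device_fp, e.mfa))
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (datetime.fromisoformat(e.ts) - datetime.fromisoformat(prev.ts)).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours <= 0 or dist / hours > max_speed_kmh:
                detail = f"{prev.city}->{e.city} {dist:.0f} km in {hours * 60:.0f} min"
                alerts.append((e.ts, e.user, "impossible_travel", detail, e.mfa))
        last_seen[e.user] = e
    return alerts


def alert_rules_for(user: str, events=SAMPLE_LOG, known=KNOWN_DEVICES):
    """Convenience for tests: the set of rule names fired for one user."""
    return {a[2] for a in analyse(events, known) if a[1] == user}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, KNOWN_DEVICES):
        print(alert)
```

In a real deployment the device baseline would come from the identity provider’s sign-in history and the geolocation from an IP-to-location feed; the logic of "new device plus movement faster than an aircraft, MFA satisfied or not" is the same.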
Insider threat programmes focused exclusively on employee behaviour have a detection gap that is growing larger, not smaller. Organisations that do not integrate credential compromise monitoring, continuous session validation, and adversary-in-the-middle-aware detection into their insider threat frameworks will keep experiencing breaches from attackers they inadvertently credentialed, and they will not find them until the damage is done.
The architecture to address this exists. The gap is not capability. It is the organisational will to expand the insider threat programme’s mandate beyond its original employee-centric scope. An external actor with insider access is an insider threat. Security programmes need to start treating them as one.
Sources: Mandiant M-Trends 2024 (Google Cloud Security); Verizon Data Breach Investigations Report 2024; CISA Phishing-Resistant MFA Guidance (2023); Microsoft Security Blog on AiTM phishing detection (2023); FIDO Alliance FIDO2 Technical Brief (2023).