Across the spectrum of insider threat scenarios, account compromise is in a category by itself. Unlike the perpetrators of data theft, fraud or sabotage, employees whose email accounts have been hacked are widely considered to be negligent or unwitting victims rather than malicious actors.

Still, the harm such compromises can cause is significant since they’re usually precursors to instances of actual data theft, fraud, sabotage or other malfeasance once the attacker has gained access to the network.

And when the account in question belongs to the organization’s most trusted employees, their privileged access to systems and corporate ‘crown jewels’ means the financial, legal and reputational damage will be altogether worse.

The FBI has extensively studied what it calls “business email compromise” and has created a web page with detailed definitions of the problem, a list of information resources and a section called “How To Protect Yourself.” It’s worth a read.

What’s important to keep in mind is that account compromise is not a one-dimensional problem – and neither is the solution. Instead, mitigation involves a combination of measures involving people, process and technology. Here are some tried and true recommendations for each area.


Account compromises are a growing problem mainly because of the weakest link: people. According to IBM’s Cyber Security Intelligence Index report, 95% of all successful cyber breaches are caused by human error. And with more employees now working remotely using a hodge-podge of devices and non-secure networks, the chances of an attack against an unwitting or negligent user will increase proportionally.

The most impactful way to reduce account compromise risk, therefore, is to focus on the human element, ensuring all staff and management remain vigilant and can recognize potential compromise attempts – for instance a spear-phishing attack. Much can be accomplished through continuous training and education programs. And practicing good security hygiene, such as strengthening passwords and keeping software up to date, will pay immediate dividends.


Security policies must be clear, and repeatedly messaged across all departments. Then, the right processes must be implemented to support those policies, and relevant staff trained to carry them out. Implementing and enforcing strong access control procedures and conducting regular penetration testing and red-teaming simulations are good practices, as are requiring multi-factor authentication and even old-school phone confirmations to verify fund transfers. And a key requirement is ensuring that the security team knows how to respond to potential account compromise incidents as they emerge, since time is of the essence.


Even businesses with the most prepared workforce and sound security processes will suffer account breaches, but the right cybersecurity tools will add much-needed layers of defense. For those account compromise attempts that do succeed, however, early detection and response are crucial.

Many of the same technologies organizations use to detect external threats and malicious insiders – like user and entity behavior analytics (UEBA) and security information and event management (SIEM) tools – can be employed to find compromised accounts as well.

The CYDERES Insider Threat Detection & Response (ITDR) solution is one recent entry into the field. Through the ingestion of security data into our CYDERES Cloud Native Analytics Platform (CNAP), ITDR can analyze a wealth of network and user telemetry for signals of insider threat activity, including account compromise.

Like other tools, ITDR detects the behaviors most commonly associated with credential takeovers by outside parties (or with insiders being handled by them), including unusual login volumes, logins from pre-defined high-risk locations and geographically or temporally impossible login sequences. These cases often lead to data exfiltration, sabotage or ransom attempts.
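The three behaviors just listed are simple enough to show in code. The script below is an added illustration, not CYDERES code or its detection logic: it runs over a handful of constructed sign-in records (user, UTC timestamp, geo-IP coordinates, country) and flags impossible travel (great-circle distance divided by elapsed time exceeds a plausible airline speed), logins from a placeholder high-risk country list, and an unusual number of logins inside any one-hour window. The thresholds, the country list and the sample events are all assumptions chosen for the demonstration.

```python
"""Impossible-travel, high-risk-location and login-volume checks over
constructed sign-in records (added illustration, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (user, UTC timestamp, lat, lon, country).
# In practice these come from IdP or SIEM logs with geo-IP enrichment.
EVENTS = [
    ("alice", "2024-03-04T08:00:00Z", 51.5074, -0.1278, "GB"),   # London
    ("alice", "2024-03-04T08:45:00Z", 40.7128, -74.0060, "US"),  # New York, 45 min later
    ("bob",   "2024-03-04T09:00:00Z", 48.8566, 2.3522, "FR"),    # Paris
    ("bob",   "2024-03-04T20:00:00Z", 52.5200, 13.4050, "DE"),   # Berlin, 11 h later
    ("carol", "2024-03-04T03:00:00Z", 55.7558, 37.6173, "RU"),   # placeholder high-risk country
] + [("dave", f"2024-03-04T10:{m:02d}:00Z", 37.7749, -122.4194, "US") for m in range(0, 60, 3)]

HIGH_RISK_COUNTRIES = {"RU", "KP"}  # placeholder list; the real policy is organization-specific
MAX_PLAUSIBLE_KMH = 900.0            # roughly airline cruising speed (assumption)
VOLUME_THRESHOLD = 15                # logins per hour considered unusual (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return {user: [finding, ...]} for users that trip any of the three checks."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for user, ts, lat, lon, cc in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[user].append((parse_ts(ts), lat, lon, cc))

    for user, logins in by_user.items():
        # 1. Logins from pre-defined high-risk locations
        for _, _, _, cc in logins:
            if cc in HIGH_RISK_COUNTRIES:
                findings[user].append(f"high_risk_location:{cc}")

        # 2. Geographically/temporally impossible consecutive logins
        for (t1, la1, lo1, _), (t2, la2, lo2, _) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                if km > 50:  # same-instant logins from far-apart places
                    findings[user].append(f"impossible_travel:{km:.0f}km in 0h")
                continue
            speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                findings[user].append(
                    f"impossible_travel:{km:.0f}km in {hours:.2f}h ({speed:.0f}km/h)")

        # 3. Unusual login volume: count logins in a sliding one-hour window
        times = [t for t, *_ in logins]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > 3600:
                start += 1
            if end - start + 1 > VOLUME_THRESHOLD:
                findings[user].append(f"unusual_volume:{end - start + 1} logins/hour")
                break
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect(EVENTS).items():
        print(user, hits)
```

With the constructed data, alice is flagged for a London-to-New York hop in 45 minutes, carol for the placeholder high-risk country, dave for twenty logins inside an hour, and bob (Paris to Berlin in eleven hours) is left alone. In a real deployment the geo-IP source, VPN egress points and the speed threshold are where most false positives originate, which is why such signals are usually fed into a scoring layer rather than alerted on directly.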

But ITDR takes detection and response several steps further than traditional SIEM, UEBA and SOC combinations. For one thing, it’s a 24/7 managed service, so there’s no software to buy and no learning curve for SOC staff. Another key differentiator is CYDERES’s use of so-called Bayesian models to provide additional analytic context – thus filtering out many of the false-positive alerts and other noise generated by most SIEMs. It’s the model that does the risk scoring and prioritizing, not the SOC analyst.

ITDR can additionally ingest and analyze any number of non-network data sources, enabling it, for example, to give more weight to events involving privileged rather than non-privileged users, to reveal additional types of employee attitudes and stressors, and even to assess seemingly mundane information such as the dates an employee is out of the office – a prime time for being impersonated.

Since there is rarely malicious intent on the part of the compromised accountholder, the ITDR model was also designed to ingest and analyze more qualitative data that could reveal other potentially risky shortcomings, such as a tendency towards carelessness or even outright negligence. Such information is applied to model nodes with names like [Unwillingness to comply with established rules and procedures].

ITDR analytic results are risk-scored and prioritized using this additional context, and then triaged further by a CYDERES analyst, so that the customer knows exactly which incident alerts need the most immediate attention.
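To make the scoring idea in the preceding paragraphs concrete (Bayesian context that filters noise, extra weight for privileged users, an out-of-office node, a qualitative node such as unwillingness to comply, and a prioritized list for the analyst), here is a toy scorer added as an illustration. It is not CYDERES's model: the node names, likelihood ratios and priors are assumptions picked for the demonstration, and the accounts and their evidence are constructed. It combines binary evidence nodes in log-odds space (a naive-Bayes update) and returns only the accounts whose posterior probability of compromise clears an alert threshold, highest first.

```python
"""Toy Bayesian risk scoring: detector signals plus contextual nodes are
combined into a posterior probability of account compromise
(added illustration; node names and numbers are assumptions)."""
from math import exp, log

# Likelihood ratios P(evidence | compromised) / P(evidence | benign).
# Illustrative assumptions, not measured rates.
LIKELIHOOD_RATIOS = {
    "impossible_travel": 50.0,
    "high_risk_location": 8.0,
    "unusual_volume": 6.0,
    "out_of_office": 3.0,          # absent employees are prime impersonation targets
    "unwilling_to_comply": 2.0,    # qualitative node, e.g. ignores established procedures
}

# Prior probability that a given account is compromised in the scoring window.
# Privileged users get a higher prior, so identical evidence ranks them higher.
PRIOR = {"privileged": 0.02, "standard": 0.005}


def posterior(evidence, privileged):
    """Naive-Bayes update in log-odds: logit(post) = logit(prior) + sum(log LR)."""
    p0 = PRIOR["privileged" if privileged else "standard"]
    log_odds = log(p0 / (1 - p0))
    for node in evidence:
        if node not in LIKELIHOOD_RATIOS:
            raise KeyError(f"unknown evidence node: {node}")
        log_odds += log(LIKELIHOOD_RATIOS[node])
    return 1 / (1 + exp(-log_odds))


def triage(accounts, alert_threshold=0.5):
    """Score each (name, evidence, privileged) tuple, keep those at or above
    the threshold, and return them most risky first as (name, probability)."""
    scored = [(name, posterior(ev, priv)) for name, ev, priv in accounts]
    return sorted(((n, round(p, 3)) for n, p in scored if p >= alert_threshold),
                  key=lambda x: x[1], reverse=True)


# Constructed accounts: (name, set of observed evidence nodes, is_privileged)
ACCOUNTS = [
    ("alice", {"impossible_travel", "out_of_office"}, True),
    ("carol", {"high_risk_location"}, False),
    ("dave", {"unusual_volume", "unwilling_to_comply"}, False),
    ("erin", {"impossible_travel"}, False),
    ("frank", {"impossible_travel"}, True),
]


if __name__ == "__main__":
    for name, ev, priv in ACCOUNTS:
        print(f"{name:6s} privileged={priv!s:5s} p(compromised)={posterior(ev, priv):.3f}")
    print("alerts:", triage(ACCOUNTS))
```

Two things the numbers show: a single weak signal on a standard user (carol, dave) stays far below the threshold and never reaches the analyst, which is the noise filtering the text describes; and the same impossible-travel evidence scores about 0.20 for a standard user (erin) but about 0.51 for a privileged one (frank), so only the privileged account is surfaced. A real model would learn the ratios from labelled history and handle dependent evidence rather than treating nodes as independent.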

The alerts and related evidence can be used to launch investigations and recover from breaches, but they also form the basis for complying with legal and audit requirements associated with such activity – and for reducing future account compromise risk via policy and control changes.

#   #   #

Note: This blog post is one in a series of CYDERES insider threat profiles. We recently covered IP theft, and will address fraud and sabotage in future posts. For more information, please click on this link to view our two-minute ITDR intro video.