Meet Ai3, the DTEX Risk Assistant. Fast-track effective insider risk management with guided investigations.



Insider Risk Insights - DTEX Blog

The Facebook Whistleblower and the Insider Threat Kill Chain

The reverberations from Facebook whistleblower Frances Haugen’s campaign will be felt for months to come. While the focus needs to be on the degree of transparency of the company’s internal research on the risks posed by the social network, it’s worth examining this story from an insider threat perspective.

Before we do, let me be clear that we acknowledge this as an exceptional insider threat case. Haugen acted within the rights afforded to her through the Dodd Frank Act of 2011, which protects whistleblowers who know of possible securities law violations from retaliation from former employers. To provide sufficient evidence of Facebook’s alleged wrongdoing, according to numerous media reports, Haugen meticulously gathered tens of thousands of documents over many months while on the job with the intent of bringing them to light.

With that as a backdrop, let’s specifically look at this through the lens of the Insider Threat Kill Chain with employee privacy in mind. As the insider equivalent of Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework, the Insider Threat Kill Chain encompasses the five steps present in nearly all insider incidents: Reconnaissance, Circumvention, Aggregation, Obfuscation and Exfiltration.

Based on thousands of insider threat investigations and incidents, DTEX finds that visibility into the entire kill chain — not just one or two steps — is imperative. In fact, the earlier phases of the Kill Chain hold the answers to some of the most important questions – both for incidents that have yet to fully unfold and for those that have already occurred.

Our research conducted and released in partnership with Ponemon Institute during Insider Threat Awareness Month found that nearly half of companies find it impossible or very difficult to prevent an insider incident at the earliest stages of the Insider Threat Kill Chain. More specifically, 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated (i.e., when Haugen was gathering her evidence), a key indicator of intent of an incident.

In order to fully understand any insider incident, visibility into the nuance and sequence of human behavior is pivotal. This visibility must be achieved in a way that protects employee privacy. Often, even tech organizations don’t know that an incident has occurred up until (or after) step five of the Kill Chain – exfiltration. However, if businesses fill the gaps with the right behavioral intelligence telemetry and designate a cross-functional team inclusive of legal, IT, security, privacy and HR to analyze and evaluate these types of risks as they emerge, they can be detected and deterred during an earlier stage of the kill chain much before any real damage is done.

Organizations need to take a human approach to understanding & detecting insider threats, as human elements are at the heart of these risks. This includes monitoring people-centric threats through sequential behaviors, which is known as human telemetry. By focusing on the most critical common denominator in all cyber security attacks – the humans driving day-to-day operations – DTEX is identifying these dynamic “Indicators of Intent” to gain real-time awareness about a workforce’s activities to mitigate areas of risk without invading personal privacy.”

Workforce Cyber Intelligence & Security is a new approach to enterprise workforce data collection and analysis that focuses on understanding how, when, why, where and for how long employees and third parties interact with data, machines, applications and their peers as they perform their job responsibilities. DTEX’s Workforce Cyber Intelligence & Security platform was designed for today’s modern, distributed workforce model and provides complete visibility into user and account activity – keeping all data anonymous to protect privacy, and only shining a light on abnormal or inefficient behaviors that indicate risks and areas for operational improvement.

To view the full The State of Insider Threats 2021: Behavioral Awareness & Visibility Remains Elusive Report, please visit: To take a virtual tour of the DTEX Workforce Cyber Intelligence & Security platform, please visit: