Insider Threat Simulation: A Red Team Perspective

Most organisations focus their cybersecurity efforts on external threats; they invest in firewalls, intrusion detection, and endpoint protection. Insiders, however, are already on the network: they are trusted and they know where the corporate data stores are. Preparing to manage that sort of threat is very different.

That’s where red team insider threat simulations come into play. These exercises mimic the actions of a malicious or compromised employee to test how resilient an organisation truly is when the attacker is already inside.

Insider threats are hard to detect. Unlike external attackers, insiders already have access to systems, credentials, and sometimes even elevated privileges; they don’t need to bypass external controls, they don’t need to conduct noisy reconnaissance, and they often don’t need to rely on malicious software at all.

When we test these sorts of scenarios, our simulations help answer crucial questions:

  • Can security tools detect abnormal internal behaviour?
  • Are data access policies and least privilege enforced?
  • How quickly can the SOC respond to an insider attempting data exfiltration?
  • Do employees know how to report suspicious behaviour from colleagues?

When we design these scenarios, we often need to consider the type of insider we are playing:

Compromised Employee Scenario: This simulation assumes a legitimate user’s credentials have been stolen (via phishing or password reuse). The red team uses these credentials to move laterally, escalate privileges, and access sensitive systems, just as a real attacker would — without triggering alerts.

Rogue Insider with Intent: In this simulation, the red team acts as a disgruntled employee with legitimate access. The goal is to test how much damage a single individual can do from within without raising red flags.

Privileged Abuse Scenario: Red teams mimic an administrator abusing their elevated access. This tests both technical controls and oversight mechanisms.

Social Engineering Internally: Sometimes the threat isn’t technical at all. Red teams may simulate internal social engineering — convincing employees to reveal credentials or grant inappropriate access.

What makes these scenarios valuable is what each one reveals about an organisation’s detection and response capabilities:

  • Logging & monitoring: Are internal actions logged, and are alerts in place?
  • Data loss prevention (DLP): Can sensitive files be transferred to USB, personal email, or cloud apps?
  • Behaviour analytics: Are unusual login times or large file transfers detected?
  • HR + Security alignment: Are behavioural red flags being communicated and followed up?
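One way to check the behaviour-analytics questions above in practice, as an added example that is not part of the original post: a small Python detector run over constructed audit-log lines, flagging logins outside an assumed working window and file transfers far above a user’s own baseline. The log format, the working-hours window and the 10x threshold are assumptions for illustration, not any product’s real format or tuning.

```python
# Added example (not from the original post): a minimal behaviour-analytics
# check over constructed audit-log lines. Log format, hours window and
# threshold are assumptions chosen for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: "<ISO timestamp> <user> <event> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login 0
2024-03-04T10:30:00 alice file_copy 120000
2024-03-04T11:45:00 alice file_copy 95000
2024-03-04T16:20:00 alice file_copy 110000
2024-03-05T02:13:00 alice login 0
2024-03-05T02:20:00 alice file_copy 4800000000
2024-03-04T08:55:00 bob login 0
2024-03-04T13:10:00 bob file_copy 60000
"""

WORK_HOURS = range(7, 20)   # assumed normal login window, 07:00 to 19:59
VOLUME_FACTOR = 10          # flag a transfer more than 10x the user's median
MIN_BASELINE = 3            # need a few transfers before judging a user

def parse(log_text):
    """Parse the constructed format into (timestamp, user, event, bytes)."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, size = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(size)))
    return sorted(events)   # process in time order so baselines build up first

def detect(log_text):
    """Return a list of (timestamp, user, reason) findings."""
    findings = []
    history = defaultdict(list)   # per-user transfer sizes seen so far
    for ts, user, event, size in parse(log_text):
        if event == "login" and ts.hour not in WORK_HOURS:
            findings.append((ts, user, "off-hours login"))
        elif event == "file_copy":
            baseline = history[user]
            if len(baseline) >= MIN_BASELINE and size > VOLUME_FACTOR * median(baseline):
                findings.append((ts, user, f"transfer of {size} bytes exceeds baseline"))
            baseline.append(size)   # the transfer still becomes part of history
    return findings

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Both findings in the sample come from the same user on the same night, which is the pairing (odd login time followed by a large transfer) that a SOC would want correlated rather than triaged as two unrelated alerts.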

Insider threat scenarios are uncomfortable for many organisations. Many are aware they have blind spots and will struggle to detect and prevent these sorts of threats; it is precisely for these reasons that they should be included and tested.

If you would like to know more, please reach out and contact us:

Prism Infosec: Cyber Security Testing and Consulting Services

TIBER-BE Insights

The TIBER-EU framework is designed to help organisations improve their cyber resilience.

It has multiple stages: initiation (scoping, procurement, planning), threat intelligence, penetration testing (red teaming), purple teaming (attack replays, additional untested control tests, variances in attack methodologies working alongside the Blue team), and closure (reporting, remediation plans, attestation).

As a framework, TIBER can be used by any organisation, even though it was created for financial institutions. However, using the framework does not make your organisation compliant with the regulator or with DORA unless the test is supported by an EU TIBER regulator team and a TIBER test manager.

This information was presented and discussed at the NBB (National Bank of Belgium) TIBER-BE TLPT (Threat-Led Penetration Testing) launch event. The morning session was only for institutions that are, or will be, undergoing a TIBER, to inform them of the framework. Prism Infosec were invited to the event as suppliers, and joined other suppliers and the institutions to mingle and attend relevant presentations.

The NBB TIBER-BE team discussed their implementation of TIBER and how it will align with DORA. At present, additional guidance on the TLPT element of DORA is still pending (and has been since February), though it is expected at some point in June, which should clarify the TLPT phase, its requirements and its implementation in greater detail. Until that arrives, DORA-compliant TLPT exercises cannot begin.

During the TLPT launch event there were a number of presentations. These included a keynote from the newly formed Belgian Cyber Force, a presentation on NIS2, and a presentation on the Belgian Cyber Fundamentals (CyFun) framework, which looks like the UK’s Cyber Essentials and is linked to the Belgian Centre for Cybersecurity, whose role is similar to the UK’s NCSC and who can support Belgian entities during cyber incidents.

We also had a presentation on how one multinational Belgian organisation had implemented their own internal red team, what they learned along the way and importantly, how they measured and showed to the board how the organisation’s maturity and capability to defend itself improved over time.

The panel discussion contained a number of useful insights from a variety of C-suite level individuals, some of whom had been through TIBER and others who were waiting to go through it. They shared insights into how to plan and prepare for engagements, suggesting organisations prepare by doing a small red team before their TIBER to understand the process. They recommended choosing scenarios where you will get key learnings, and doing as much preparation for contingencies (leg ups, backup accounts, information) as you can.

These presentations, panels, and even the quiz were all backed by networking discussions over food and soft drinks.

All in all, it was an insightful and useful event!