James Weston

Stated Cases

Approached from the Outside: Mapping Insider Solicitation in the BBC-Medusa Case

In late 2025, a British Broadcasting Corporation (BBC) journalist, publicly described as a “Cyber Correspondent,” was directly approached by a third party claiming affiliation with the “Medusa” cybercrime group. In exchange for cooperation and the journalist’s credentials, the actor offered a portion of any ransom obtained from the BBC as...

Joshua Beaman

Control Architecture

Managing Access to Microsoft Purview

While not purpose-built for insider threat, Microsoft Purview provides essential enforcement capabilities that strengthen internal security posture across compliance, legal, and investigative functions. Through features like data classification, policy-driven alerts, communication monitoring, and audit logging, Purview equips organizations with the operational controls needed to manage sensitive information and respond to...

Joshua Beaman

Control Architecture

Entra ID Roles For Insider Threat Investigators

This article aims to educate insider threat investigation teams on Entra ID Privileged Identity Management (PIM), just-in-time privileged access, and Entra ID roles that enable access to key resources or actions required for common insider threat/event investigations. The information in this article is subject to change by Microsoft at any time....

James Weston

Policy & Governance

The Role of Acceptable Use Policies in Insider Risk Management

Insider threats rarely emerge spontaneously or reveal themselves through immediate acts of serious harm. More often, they unfold gradually through subtle shifts in behavior, intent, or adherence to expected norms. As explored in our Behavioral Drift paper, this quiet erosion of boundaries can precede significant security incidents, often without triggering...

James Weston

Detection & Forensics

Identifying Torrented Media via File Metadata and Naming Patterns

The presence of pirated or torrented media on organization-owned endpoints poses more than a compliance issue; it may signal broader behavioral drift, technical misuse, or active infringement. This article outlines how insider threat teams can detect potentially unlawfully obtained media through common naming patterns, file extensions, and forensic markers observed...

James Weston

Insider Risk Theory

Perimeter to Population: A New Vocabulary for Insider Threat

In 1969, the United States Department of Defense launched ARPANET, one of the earliest packet-switched networks, linking research institutions and government agencies to share scarce computing resources. ARPANET became the proving ground for many of the technical principles that underpin today’s Internet. The intellectual foundations of this network trace back to...

James Weston

Insider Risk Theory

Behavioral Drift as a Predictive Signal for Insider Threat Escalation

In the practice of insider risk management, there is often a tendency to focus exclusively on acute acts of harm: data exfiltration, sabotage, and unauthorized disclosure. But these outcomes are seldom sudden. More often, they represent the final step in a longer behavioral trajectory that begins with relatively minor, individually...

Joshua Beaman

Detection & Forensics

Snipping Tool Artifacts of Visual Data Exfiltration

In insider threat cases involving data loss, a common assumption is that exfiltration occurs through conventional means: email, cloud uploads, removable media. However, some subjects bypass technical controls altogether by capturing data visually. The native Windows utility Snipping Tool provides one such method: enabling users to screenshot sensitive content directly...