Insider Threat Mitigation with OSINT
- Jacob H
- Apr 2
Insider threats remain one of the most challenging security risks for organisations to manage, and the costs are high - recent statistics reveal:
The average annual cost of insider risks reached $17.4 million in 2025, up from $16.2 million in 2023.
Insider threats can cost organisations millions in losses from stolen data, disrupted operations, or damaged infrastructure, with intellectual property theft being a significant concern.

These statistics underscore the importance of developing an effective capability to detect insider threats.
But, where does open-source intelligence (OSINT) come into the picture?
OSINT can give other security measures an added boost and can be leveraged to detect insider threats throughout the employment lifecycle by looking into social media and technical footprints and by identifying connections. It can also help to better understand the risk exposure resulting from partnerships. Let's explore this in more detail, but keep in mind it is a big topic, with considerable thought required for ethics and legality.
An insider is anyone with legitimate access to an organisation's people, information, techniques, activities, technology, assets or facilities, who could potentially misuse that access to cause harm, either intentionally or unintentionally. An insider could be a current or former employee or contractor.
Ethical and Legal Considerations
Before we go further into this topic, it's essential to address the ethical, legal and oversight obligations associated with insider investigations. Given their inherently intrusive nature, insider threat investigations require rigorous scrutiny. While ethics should underpin all OSINT work, investigations involving individuals – especially those that may affect someone's employment, reputation, or livelihood – demand special attention.
Ethical conduct, legal compliance (always seek legal advice that is specific to your use case), and robust oversight are not optional; they are foundational. Any insider threat investigation involving OSINT should be grounded in the following principles:
Clear policies and procedures: Establish documented guidelines for OSINT activities, including approved data sources, collection methods, permissible use cases, and handling protocols.
Strict adherence to privacy laws: Comply with relevant legislation, such as the Privacy Act 1988 in Australia, as well as local data protection and employment laws relevant to your jurisdiction.
Proper authorisation and oversight: Conduct OSINT activities within a defined governance framework that includes appropriate oversight. Additionally, an escalation or review mechanism to review complex or sensitive cases is recommended.
Detailed documentation: Maintain detailed records of all OSINT activities and findings to ensure transparency, traceability, and accountability. Define data handling, retention and disposal protocols to ensure information is stored only as long as necessary and disposed of securely.
Proportionality: Align the scope and depth of OSINT activities according to the level of risk, avoiding overreach and unnecessary intrusion.
Organisational integration: Integrate OSINT insights with physical security, cybersecurity, legal, and HR functions to support a comprehensive threat assessment and response.
Mandatory training: Ensure all individuals involved in insider investigations are properly trained in ethical standards, legal frameworks and investigative best practices – and that they operate with the highest standards of professionalism and integrity.
Ultimately, following these seven points isn't just a legal necessity - it's critical to maintaining trust within your organisation.
Using OSINT For Due Diligence in the Hiring Process
An important preventative application of OSINT is in the pre-employment screening context. Checking a prospective employee's online presence can reveal information that just might make us hit pause before awarding them the job and providing access to sensitive information.
When implementing pre-employment OSINT screening, organisations should assess:
Public social media profiles across multiple platforms
Digital security practices (how much personal information is exposed)
Risk-taking behaviour online
Value alignment with organisational security culture
Judgment in public communications
Red flags might include excessive personal information sharing, connections to concerning organisations or individuals, evidence of security rule violations in previous roles, or expressions of views that conflict with security responsibilities.
As the case study below illustrates, consider adding these OSINT checks:
Assess account age and activity for anomalies or recent creation.
Reverse image search to verify profile image authenticity and history.
Attempt to identify AI-generated identities or misleading info.
Check for inconsistencies in employment history, e.g. compare the dates claimed on a LinkedIn account against the creation dates of the employers' business websites.
Case Study: North Korean IT Workers as Insider Threats
In January 2025, the US Department of Justice indicted two North Korean nationals and three facilitators for a sophisticated remote worker fraud scheme that generated over $866,000 from at least 64 US companies over six years. They infiltrated global companies under false identities, violating sanctions, and conducting data theft and cyber espionage. Linked to groups like PurpleBravo, these operations targeted industries such as cryptocurrency through deceptive job interviews.
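As an added illustration (not code from the original post), the hiring checks above can be encoded as a first-pass screen that hands a reviewer a list of flags rather than a verdict. The candidate record, domain registration dates and photo hash below are constructed sample data, and the age and slack thresholds are assumptions to be tuned per organisation:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Employment:
    employer: str
    domain: str          # employer web domain as claimed on the profile
    start: date
    end: Optional[date]  # None means "current role"

@dataclass
class Candidate:
    applied_on: date
    profile_created: Dict[str, date]  # platform -> account creation date
    employment: List[Employment]
    photo_hash: str                   # hash of the profile image

def screen(cand: Candidate, domain_created: Dict[str, date], seen_photo_hashes: Set[str],
           min_account_age_days: int = 365, slack_days: int = 90) -> List[Tuple[str, str]]:
    """Return (flag_code, detail) pairs for a human reviewer; [] means nothing anomalous."""
    flags: List[Tuple[str, str]] = []
    # 1. Recently created accounts: thin history is consistent with a fabricated identity.
    for platform, created in cand.profile_created.items():
        age = (cand.applied_on - created).days
        if age < min_account_age_days:
            flags.append(("NEW_ACCOUNT", f"{platform} account was {age} days old at application"))
    # 2. Claimed tenure that starts well before the employer's domain was registered.
    for job in cand.employment:
        reg = domain_created.get(job.domain)
        if reg is None:
            flags.append(("NO_DOMAIN_RECORD", f"no registration date known for {job.domain}"))
        elif (reg - job.start).days > slack_days:
            flags.append(("PREDATES_DOMAIN", f"{job.employer} start {job.start} precedes registration {reg}"))
    # 3. Consecutive roles that overlap in time (the fraud scheme above ran several jobs at once).
    jobs = sorted(cand.employment, key=lambda j: j.start)
    for earlier, later in zip(jobs, jobs[1:]):
        if later.start < (earlier.end or cand.applied_on):
            flags.append(("OVERLAP", f"{earlier.employer} overlaps {later.employer}"))
    # 4. Profile image already seen on another profile: queue a reverse image search.
    if cand.photo_hash in seen_photo_hashes:
        flags.append(("PHOTO_REUSE", "profile photo hash matches a previously reviewed profile"))
    return flags

def sample_flags() -> List[str]:
    """Constructed sample input (not real data): returns the flag codes raised."""
    cand = Candidate(date(2025, 3, 1), {"LinkedIn": date(2025, 1, 1)},
                     [Employment("Acme Widgets", "acme-widgets.example", date(2019, 1, 1), date(2022, 6, 30)),
                      Employment("Globex", "globex.example", date(2022, 1, 1), None)], "ph_abc123")
    registry = {"acme-widgets.example": date(2021, 6, 1), "globex.example": date(2015, 3, 9)}
    return [code for code, _ in screen(cand, registry, {"ph_abc123"})]
```

Every flag is a prompt for proportionate, documented follow-up by a trained reviewer, not an automatic rejection.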

Detecting and Investigating Insider Threats with OSINT
With OSINT we can look to publicly available information to uncover indicators of insider risk that may be missed by internal monitoring alone. But, once again, think about legal and ethical policies, ensuring you have a permissible reason (the 'why') for doing these checks.
| Risk Factor | Indicators | Where OSINT Plays a Role |
| --- | --- | --- |
| External Business Relationships | Undisclosed conflicts of interest | Monitor business registries for new company formations by employees |
| Financial Vulnerability | Unexplained lifestyle changes | Examine public property records or court filings for financial distress |
| Digital Footprint | Unusual system access patterns | Analyse public code repositories or technical forums for exposure of proprietary information |
| Professional Networking | Unusual interest in information outside job scope | Review professional networks for connections to competitors or adversaries |
| Social Media Activity | Expressions of disgruntlement | Monitor public posts for workplace dissatisfaction or security policy violations |
| Community Factors | Changes in behaviour following external events | Monitor for reactions to hostile environments, political shifts, or public health events (e.g., Covid-19) |
OSINT is uniquely positioned to identify vulnerabilities that arise from external relationships – an often-overlooked element of insider threats. Partnerships such as joint ventures, academic collaborations, research partnerships, and investment relationships can inadvertently expose protected information, as the following case study demonstrates.
CASE STUDY: Technology Transfer in High-Speed Rail
Japanese and European rail companies have reported that Chinese counterparts utilised technology from joint ventures to emerge as significant players in the high-speed rail industry. Initially intended for mutual benefit, these collaborations allegedly resulted in the appropriation of proprietary technologies by Chinese partners, enabling them to compete globally.
Kawasaki transferred high-speed train technology to China South Locomotive & Rolling Stock (CSR) in a US$740 million deal, including engineer training and local manufacturing support. Similarly, Siemens partnered with China CNR Corporation, involving train construction and training 1,000 engineers. Subsequently, both Japanese and German firms found themselves competing against their former partners in international markets, leveraging technologies derived from these alliances.
When assessing insider risk related to external partnerships, OSINT monitoring should pay close attention to:
Identifying intellectual property misappropriation
Use Google Alerts to monitor terms related to knowledge transfer and proprietary technologies. This proactive approach aids in identifying unauthorised disclosures or suspicious activities such as changes in marketing strategies or website updates that indicate potential competitive actions.
Unexpected or unusual relationships in collaborative projects
To detect unexpected funding sources, leverage OpenCorporates, a comprehensive database of company information. By researching entities, you can uncover undisclosed financial backers or affiliations, revealing hidden interests that may pose risks.
Unusual data transfer requests between partner organisations
These can hint at shadow IT or unauthorised sharing. Beyond internal network tools, OSINT can catch what slips outside—like exposed documents or open directories. Advanced Google searching, e.g. filetype:pdf ("internal use only" OR "confidential") AND "organisation name", may reveal leaked or unsecured files.
Collaborations that lack clear scientific or business rationale
Litmaps, a citation mapping tool, can help identify collaborations by visualising citation networks, allowing you to spot unusual partnerships.
Undisclosed participation in foreign talent recruitment programs
Check whether email addresses associated with your organisation have been compromised or are linked to external programs.
Detecting Behavioural Red Flags
We can draw on authoritative resources such as the FBI's Insider Threat Brochure, which provides indicators of insider threats, but how are these behaviours detected through OSINT?
Social Media Intelligence (SOCMINT) - Public social media activity can reveal concerning patterns such as:
Expressions of workplace dissatisfaction or grievances
Evidence of sudden lifestyle changes suggesting unexplained wealth, found by analysing imagery in social media photos (locations, activities or possessions)
Connections to competitors or entities of concern
Unusual travel patterns inconsistent with known activities
Security awareness gaps through oversharing of workplace information or security policy violations

Red flags in social media analysis include significant changes in posting patterns, dramatic shifts in content tone, or sudden changes in online associations that deviate from established patterns.
Financial Intelligence - Publicly available financial indicators can reveal potential vulnerabilities:
Property records showing acquisitions beyond apparent means
Business registry entries revealing undisclosed external activities
Court records indicating financial distress (bankruptcies, foreclosures)
Public financial disclosures inconsistent with known income sources
For Australian organisations, ASIC company director searches can be valuable for identifying undisclosed business interests that might represent conflicts of interest or unauthorised external activities.
Technical Footprint - Digital traces can expose security concerns:
Code repositories containing proprietary snippets or credentials
Technical forum posts revealing internal systems or configurations
Corporate email addresses appearing on breach notification platforms
Domains registered by employees using work email addresses or organisational credentials
Developer accounts showing activity during unusual hours

If you are looking for more information on how open-source information can help monitor and maintain awareness of misuse of cyber assets see our blog here.
Professional Networks - Professional connections can reveal concerning patterns:
Active job hunting while handling sensitive projects
Connections to competitors without proper disclosure
Endorsements revealing capabilities beyond official role
Mapping online relationships through followers, connections, likes, comments, and tags can reveal associations that might not be apparent in physical workplace interactions, potentially identifying hidden relationships of concern.
Another one of our blogs looks at this in more detail, including practical steps organisations can take to apply OSINT to personnel vetting, as well as maintaining awareness of their organisation's broader security posture.
Building Digital Footprint Awareness with Education
An education-focused approach that empowers employees to understand digital footprints can help support other security measures, such as detection-based monitoring. Teaching staff about the risks of oversharing information online and providing clear guidelines for responsible social media use creates a preventative culture rather than relying solely on detection. An effective digital footprint awareness program may cover:
Social media privacy settings
Personal information protection
How to identify approaches that may be targeting employees for their access or knowledge
Security implications of location sharing
Education about how information posted online can persist indefinitely
This kind of training not only builds a stronger security culture but also reduces the likelihood of needing potentially intrusive investigations later.
Key Takeaways
OSINT provides a critical enhancement to existing insider threat programs by offering visibility into external indicators that might otherwise go undetected. By systematically applying OSINT techniques to monitor publicly available information, organisations can:
Identify potential insider threats before they manifest as security incidents
Detect external relationships that might create conflicts of interest
Recognise financial or personal stressors that could create vulnerability
Discover inappropriate sharing of proprietary information
Protect intellectual property and sensitive data more effectively
The most effective insider threat mitigation strategies combine traditional security measures with targeted OSINT techniques, all within a framework that respects privacy and operates according to clear ethical guidelines. This balanced approach helps organisations protect their most valuable assets while maintaining a culture of trust.
To delve deeper into OSINT applications for security, consider exploring specialised training options focused on these techniques and methodologies.
Ready to take your insider threat program to the next level? Book a demo of NexusXplore to discover how our platform helps analysts illuminate insider threats. From early warning to risk validation, NexusXplore empowers you to take a proactive, data-driven approach to insider threat detection—before it’s too late.