The Scenario
Servers remain the most consistently targeted systems in the enterprise because they hold the highest‑value data and are routinely accessed by admins, contractors, service accounts, and automation.
We will discuss a real case in which a contractor with legitimate SSH access appeared to be performing normal work on a production server. Behind that benign activity, the user established persistence via reverse shells, moved laterally into restricted network segments, and harvested credentials in preparation for exfiltration. The attacker never used malware or exploits, only trusted access that blended into routine admin behavior, which is why traditional server monitoring so often fails to catch these threats.
This workshop walks through that investigation and shows how behavior‑centric visibility exposes the signals system‑level monitoring misses.
What you’ll learn:
- How to recognize when “normal” SSH admin activity flips into persistence, lateral movement, and credential staging.
- Why server threats routinely go undetected and where system‑level logging and traditional monitoring create blind spots attackers rely on.
- Practical insights including how behavior‑based visibility exposes trusted‑access abuse early and helps stop exfiltration before it starts.
The DTEX i³ Insider Risk Research Hub publishes regular insider threat research and advisories based on real-world investigations to help analysts stay ahead of insider threats as they arise.
DTEX i3 provides threat briefings on the latest insider risk research, early behavioral warning signs, and best practices, using data-driven insights from internal experts and partners like MITRE.