Anthropic Hires Insider Risk Hunters: Why LLMs Are Your New Digital Psychologist + Video

Listen to this Post

Featured Image

Introduction:

Insider threats have long evaded traditional detection because security tools focused on the click or the file—never the intent behind it. But as Anthropic hires an Insider Risk Investigator who combines technical forensics with human intelligence, the industry is waking up to a new reality: large language models (LLMs) can now decode the “why” at scale, transforming behavioral analysis from an art into a data-driven science.

Learning Objectives:

  • Differentiate between legacy DLP/log-based detection and intent-driven insider risk monitoring
  • Build a practical LLM-powered pipeline to analyze user behavior narratives from system logs
  • Deploy proactive sensors and automated response playbooks across Linux and Windows environments

You Should Know:

1. Decoding Intent: Moving Beyond Click Logs

Traditional insider risk programs rely on data loss prevention (DLP) rules and quarterly access reviews—reactive measures that miss subtle behavioral shifts. The shift toward intent analysis means capturing not just what a user did, but the contextual “why.” LLMs excel at identifying anomalous narratives in user activity, such as a sudden spike in accessing unrelated sensitive folders before resignation.

To build your own intent-relevant telemetry, start by logging user command-line activity. On Linux, use `auditd` to track executed commands:

sudo apt install auditd -y
sudo auditctl -w /bin/bash -p x -k command_monitor
sudo auditctl -w /home/ -p rwxa -k home_activity
sudo ausearch -k command_monitor --format raw | tail -20

On Windows, enable PowerShell script block logging and extract suspicious sequences:

 Enable Script Block Logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
 Query recent 50 events with command line arguments
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104} | Select-Object -First 50 TimeCreated, Message

Step‑by‑step: Install auditd, set watches on critical directories, export logs to a central analyzer, then feed raw command sequences into an LLM with a prompt like “Flag any commands that suggest data exfiltration, credential dumping, or unusual privilege escalation.” The LLM returns a risk score and reasoning—your first intent signal.

2. LLM-Powered Behavioral Analysis Pipeline

You don’t need Anthropic’s scale to leverage LLMs for insider risk. A simple pipeline collects user narratives (emails, file access patterns, Slack messages), vectorizes them, and classifies intent. Using a local LLM (e.g., Ollama with Mistral) preserves privacy.

Install Ollama on Linux:

curl -fsSL https://ollama.com/install.sh | sh
ollama pull mistral:7b

Create a Python script to analyze PowerShell logs:

import subprocess, json
 Extract recent file access from Windows Event Log
log_data = subprocess.check_output("wevtutil qe Security /c:20 /rd:true /f:text /q:'[System[(EventID=4663)]]'", shell=True, text=True)
prompt = f"Analyze this file access log for insider threat indicators (unusual hours, sensitive paths, bulk copying):\n{log_data}"
result = subprocess.run(["ollama", "run", "mistral:7b", prompt], capture_output=True, text=True)
print(result.stdout)

Step‑by‑step: Run the script daily via cron (Linux) or Task Scheduler (Windows). The LLM returns a narrative judgment—e.g., “User accessed 200 HR files at 3 AM, consistent with pre-resignation harvesting.” Store outputs in a time-series DB like InfluxDB for trend detection.

3. Insider Threat Matrix Mapping

The Insider Threat Matrix (based on MITRE ATT&CK for Insider) organizes adversary behaviors into tactics like Collection, Exfiltration, and Impact. Use atomic tests to simulate these behaviors and validate your detection.

On Linux, simulate credential harvesting:

 Simulate reading /etc/shadow (requires root for real, but test file)
echo "test:password_hash" > /tmp/fake_shadow
cat /tmp/fake_shadow > /dev/null
 Log via auditd: ausearch -k shadow_access

On Windows, simulate copying sensitive data to USB:

 Create a test sensitive file
echo "Confidential" > C:\temp\secret.txt
 Copy to removable drive (assume E:)
Copy-Item C:\temp\secret.txt E:\leaked.txt
 Monitor via Sysmon Event ID 11 (FileCreate)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=11} | Where-Object {$_.Message -like "E:"}

Step‑by‑step: Download the Insider Threat Matrix CSV from MITRE, map your logs to relevant TTPs, then run Atomic Red Team tests for each (e.g., Invoke-AtomicTest T1113 -Collection). Compare detection rates before and after adding LLM enrichment.

4. Proactive Outreach & Sensor Deployment

Building “sensors across the organization” includes technical tripwires and human-led education. Deploy canary tokens—fake credentials or files that trigger alerts when touched.

Deploy a canary file on Linux:

 Create a decoy credentials file
echo "aws_access_key_id=AKIA_DECOY" > /shared/canary_secrets.txt
 Monitor with inotifywait (install inotify-tools)
inotifywait -m -e access,modify /shared/canary_secrets.txt | while read event; do
echo "ALERT: $event" | mail -s "Insider Risk Alert" [email protected]
done

On Windows, use a scheduled task to monitor a decoy registry key:

 Create decoy key
New-Item -Path "HKLM:\SOFTWARE\DecoyConfig" -Force
 Check every 5 minutes for reads
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Command <code>"if (Test-Path 'HKLM:\SOFTWARE\DecoyConfig\LastRead') { Send-MailMessage -To [email protected] -Subject 'Canary Triggered' }</code>""
Register-ScheduledTask -TaskName "CanaryMonitor" -Action $action -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5))

Step‑by‑step: Distribute canaries across HR, finance, and R&D shares. Pair each alert with an automated outreach email to the user’s manager—turning a technical signal into a human intelligence opportunity.

5. Technical Forensics Combined with Human Intel

Forensic depth requires capturing process creation, network connections, and file hashes. Sysmon (Windows) and osquery (Linux/Windows) provide this.

Install Sysmon with a recommended config:

 Download Sysmon and config from SwiftOnSecurity
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig.xml" -OutFile "sysmonconfig.xml"
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
 Query process creation events (Event ID 1)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Select-Object -First 10 TimeCreated, Message

On Linux, osquery can log user shells and file access:

 Install osquery
sudo apt install osquery -y
 Run a live query for suspicious processes
osqueryi "SELECT uid, name, cmdline FROM processes WHERE cmdline LIKE '%passwd%' OR cmdline LIKE '%shadow%';"

Step‑by‑step: Set up osqueryd as a daemon with file integrity monitoring (FIM) packs. Forward events to a SIEM. When the LLM flags an intent anomaly, pivot to full disk forensics using `sleuthkit` (Linux) or FTK Imager (Windows) to recover deleted exfiltration artifacts.

  1. API Security and Cloud Hardening for Insider Risk

Cloud insiders abuse over-privileged API keys. Harden by implementing least privilege and analyzing CloudTrail patterns.

Audit AWS CloudTrail for anomalous API calls (Linux CLI):

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetObject --max-items 50 --query 'Events[?CloudTrailEvent.contains(@, <code>\"s3\")</code>].CloudTrailEvent' --output text | jq -r '.[].userIdentity.arn + " -> " + .resources[].ARN'

Monitor for failed followed by successful authentication (password spray):

 Extract failed login attempts
grep "Failed password" /var/log/auth.log | cut -d' ' -f9 | sort | uniq -c

On Windows, use Azure CLI to check for unusual role assignments:

 List recently added role assignments in a subscription
az role assignment list --include-inherited --query "[?contains(principalName, 'user@domain')] | [?contains(scope, 'subscription')]" -o table

Step‑by‑step: Write a daily Lambda function that feeds CloudTrail logs into an LLM with the prompt: “Identify API calls that deviate from this user’s historical baseline—especially privilege escalation or data downloads.” Automatically revoke temporary credentials when risk score exceeds threshold.

7. Mitigation and Response Playbook

Once intent is confirmed, automate containment without breaking productivity. A SOAR-inspired script can isolate a user’s session while preserving evidence.

Linux quarantine script (run as root):

!/bin/bash
USER=$1
 Kill all user processes
pkill -u $USER
 Lock the user account
passwd -l $USER
 Capture memory and disk image
dd if=/dev/sda of=/forensics/$USER.dd bs=4M status=progress

Windows PowerShell containment:

param($Username)
 Disable account
Disable-ADAccount -Identity $Username
 Revoke all active tokens
Revoke-ADAuthenticationPolicy -Identity $Username -Force
 Create forensic copy of user drive
wbadmin start backup -backupTarget:E:\ -include:C:\Users\$Username

Step‑by‑step: Trigger this script via webhook when LLM risk score exceeds 0.9. Notify the Insider Risk Investigator (human) with a full forensic package, including the LLM’s “intent reasoning” text. After investigation, automate reintegration if false positive.

What Undercode Say:

  • Key Takeaway 1: The shift from DLP rules to LLM-driven intent analysis is not hype—Anthropic’s job posting proves that mature security teams now prioritize behavioral psychology over log stitching.
  • Key Takeaway 2: A proactive insider program requires technical sensors (canaries, Sysmon, osquery) layered with human outreach; no single tool or analyst can do it alone, but LLMs act as a force multiplier to surface the “why” from terabytes of noise.

Analysis: The LinkedIn thread underscores a broader industry awakening. Traditional insider risk failed because it chased artifacts after the damage was done. By combining LLM narrative analysis with forensic rigor, organizations can now detect pre-incident behaviors—e.g., a user researching “how to delete bash history” followed by accessing termination-related docs. The emerging role of Insider Risk Investigator blends counterintelligence tradecraft with prompt engineering. Over the next 18 months, expect every Fortune 500 to either build an LLM-powered intent layer or outsource to startups like Above. The bottleneck won’t be technology; it will be hiring investigators who can ask the right questions of an AI.

Prediction:

By 2028, insider risk teams will replace signature-based DLP with behavioral LLM agents that continuously model each employee’s “normal intent.” When an anomaly is detected—such as a developer cloning the entire codebase while updating their LinkedIn profile—the agent will auto-negotiate a quarantine and generate a human-readable threat narrative. This will slash false positives by 70% but raise new ethical questions about digital surveillance and employee privacy. Winning companies will be those that deploy intent-aware AI transparently, turning insider risk from a compliance headache into a strategic early-warning system for workforce health and retention.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Avivon Spotted – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky