Question 9 of 10
How would you approach threat hunting for insider threats? What makes hunting for insiders different from hunting for external adversaries, and what behavioral indicators would you focus on?
Sample answer preview
Hunting for insider threats is fundamentally different from hunting for external adversaries because insiders already have legitimate access to systems, data, and networks. They do not need to exploit vulnerabilities, bypass firewalls, or deploy malware.
insider threat, behavioral analysis, UEBA, data exfiltration, access anomalies, user baselining