Insider Threat: Ex-L3Harris Employee Jailed for Selling Zero-Days to Operation Zero
Just saw the breaking news about Peter Williams, the former L3Harris employee sentenced to over seven years for selling eight zero-day exploits to a Russian broker known as Operation Zero. It's a stark reminder that sometimes the biggest threat isn't a sophisticated APT hitting your perimeter, but the person sitting next to you in the R&D department.
He netted millions for these exploits, which highlights the insane current market value for 0-days. The guilty plea was for theft of trade secrets, which makes me wonder about the detection gap here. How do you differentiate between a developer testing a PoC and someone packaging an exploit for sale?
From a defensive perspective, we usually look for anomalies in code repository access or large data egress. If you're monitoring this, you might want to watch for mass cloning events or archive creation on endpoints. For those using Splunk or a similar SIEM, hunting for spikes in Git activity or archive creation processes (like tar or 7z) interacting with sensitive directories is a good start:
index=endpoint (process_name="git.exe" OR process_name="tar.exe" OR process_name="7z.exe")
| bin _time span=1h
| stats count by _time, process_name, user, dest
| where count > 50
It is difficult to balance R&D freedom with strict security. How is everyone handling access controls for high-value exploit development teams? Are you relying on basic DLP, or have you moved to more robust behavior analytics?
We've moved away from trusting DLP signatures for this exact reason. If a dev creates a zip file, DLP often ignores it if it's not a known sensitive format. We implemented User Behavior Analytics (UBA) to flag 'burst' data transfers. If a user who normally accesses 50MB of code suddenly hits 2GB in an hour, we get an alert. It's noisy, but better than the alternative.
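The two hunts described in this thread, the per-hour process-count spike from the SPL above and the UBA-style volume burst against a user's own baseline, run offline over constructed endpoint telemetry. This is an added example, not code from either poster, and it is written in Python rather than SPL so it can be run without a SIEM. The field names (ts, user, host, process, bytes_out), the process list, the 50-per-hour count threshold, the 10x-median multiplier and the 500 MB floor are all assumptions chosen for the demo, as is the sample data it builds.

```python
"""Hunt for exploit-staging bursts in endpoint telemetry (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed names for processes that clone or archive source trees.
STAGING_PROCESSES = {"git.exe", "tar.exe", "7z.exe"}
COUNT_THRESHOLD = 50              # executions per user/host/hour (mirrors the SPL)
BASELINE_MULTIPLIER = 10          # hour must exceed 10x the user's median hourly volume
ABSOLUTE_FLOOR = 500 * 1024 ** 2  # and at least 500 MB, so tiny baselines don't page


def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp to the hour it falls in."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def count_spikes(events, threshold=COUNT_THRESHOLD):
    """Hunt 1: more than `threshold` staging-process launches per user/host/hour.

    Returns sorted (hour, user, host, count) tuples over the threshold.
    """
    counts = defaultdict(int)
    for e in events:
        if e["process"] in STAGING_PROCESSES:
            counts[(hour_bucket(e["ts"]), e["user"], e["host"])] += 1
    return sorted(key + (n,) for key, n in counts.items() if n > threshold)


def volume_bursts(events, multiplier=BASELINE_MULTIPLIER, floor=ABSOLUTE_FLOOR):
    """Hunt 2: an hour whose bytes_out dwarfs the same user's other hours.

    Baseline is the leave-one-out median of the user's hourly totals, so a
    single burst hour cannot inflate its own baseline. Returns
    (user, hour, bytes_in_hour, baseline_bytes) tuples.
    """
    hourly = defaultdict(int)
    for e in events:
        hourly[(e["user"], hour_bucket(e["ts"]))] += e["bytes_out"]
    per_user = defaultdict(dict)
    for (user, hour), total in hourly.items():
        per_user[user][hour] = total
    alerts = []
    for user, hours in per_user.items():
        for hour, total in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # one hour of data is not a baseline
            baseline = median(others)
            if total > max(floor, multiplier * baseline):
                alerts.append((user, hour, total, baseline))
    return alerts


def build_sample_events():
    """Constructed telemetry (not real data): two developers on one day.

    Both do a few git operations an hour (~51 MB); 'alice' then runs 7z
    120 times in the 17:00 hour, writing about 2 GB.
    """
    events = []
    chunk = 17 * 1024 ** 2  # 17 MB per operation, arbitrary
    for hour in range(9, 17):
        for user in ("alice", "bob"):
            for i in range(3):
                events.append({"ts": f"2024-06-03T{hour:02d}:{i * 15:02d}:00",
                               "user": user, "host": f"ws-{user}",
                               "process": "git.exe", "bytes_out": chunk})
    for i in range(120):
        events.append({"ts": f"2024-06-03T17:{i % 60:02d}:{i // 60:02d}",
                       "user": "alice", "host": "ws-alice",
                       "process": "7z.exe", "bytes_out": chunk})
    return events


if __name__ == "__main__":
    evts = build_sample_events()
    for hour, user, host, n in count_spikes(evts):
        print(f"COUNT SPIKE  {hour:%Y-%m-%d %H:00} {user}@{host}: {n} staging launches")
    for user, hour, total, base in volume_bursts(evts):
        print(f"VOLUME BURST {hour:%Y-%m-%d %H:00} {user}: "
              f"{total / 1024 ** 2:.0f} MB vs median {base / 1024 ** 2:.0f} MB")
```

On the sample data both hunts fire only for alice's 17:00 hour; bob's steady 51 MB/hour and alice's own normal hours stay quiet because the leave-one-out median keeps her baseline at 51 MB. In production the baseline should come from a trailing window of days or weeks rather than one day, and the floor is what keeps a user whose normal hourly volume is near zero from alerting on a routine clone.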
7 years seems fair given the geopolitical implications, but it highlights a massive gap in supply chain security. L3Harris is a major defense contractor. If these zero-days were for critical infrastructure products, the potential blast radius is terrifying. We enforce strict 'least privilege' even for senior devs, and all code commits go through a CI/CD pipeline that scans for hardcoded secrets or anomalies before build.