Everyone assumes an insider threat is a legitimate user exploiting their permissions for nefarious purposes, usually by stealing databases or sensitive IP, or by manipulating an organizational process to commit fraud.
This type of insider is a major problem because they are inherently difficult to detect or predict. Every large organization uncovers insider threats of this kind from time to time. However, cybercrime has expanded this definition somewhat.
Today, insider threats can also include legitimate accounts that have been hijacked, such as forgotten accounts belonging to third-party contractors. The user appears genuine and the account is legitimate, but the actions are rogue.
Active Directory, naturally, is a prime target for account takeover. Gain a foothold inside Active Directory and the attacker can attempt to manipulate or damage the entire domain. This is why monitoring the behavior of legitimate user accounts is a new front in the battle to keep networks safe.