Trusted Insider, Unseen Adversary
Background:
One of the clearest examples for understanding insider threats and the risks adjacent to them is the case of DPRK (North Korean) IT workers. It is becoming one of the most widespread insider-threat risks. The danger arises because these IT workers may operate under the direction of other entities or groups whose goals go beyond financial gain.
Such threats can also undermine compliance with regulations established by governments in the countries where the affected companies are registered. Another issue is the risk of data breaches, as it is no secret that software engineers often have access to sensitive infrastructure secrets. In cases of abuse, law enforcement may be unable to resolve the situation, since the IT worker may be operating from a country with which there are no legal or diplomatic connections.
Detection: the process divides into three stages
- Pre-Interview
- Interview
- Contract
In a pre-interview context, let's review a real example of how to identify a potential insider threat. First, DPRK IT workers often avoid exposing their real faces and instead use images from real accounts for their profiles. This means that, from an HR perspective, it is relatively easy to utilize image search engines to trace the original account owner whose image has been used by the insider threat.
In another example, review the commit timeline and commit content on a candidate's GitHub page. In this case the names had been changed recently, a suspicious sign that helps correlate findings and fill in missing pieces of the puzzle.

The next metric is to check which users the GitHub account follows and correlate them. In the picture you can see two accounts, each following the other.
Follow up on these links to find correlations with other code published under additional accounts.
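The follow-correlation check above can be automated once the follow lists have been collected. The following is an added example, not code from the original post: it assumes the follow lists (for instance pulled from the GitHub API beforehand) are supplied as a dict mapping each account to the set of accounts it follows, finds pairs that follow each other, groups them into clusters, and scores how closed each cluster is (what fraction of its members' follows stay inside the cluster). The account names are constructed sample data and the 0.75 threshold is an assumption.

```python
"""Correlate follow relationships between a candidate's accounts (added example).

Assumes follow lists were collected separately and passed in as
{account: set(accounts_it_follows)}. All names below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: a candidate account, two helper accounts that follow
# each other in a loop, and an unrelated popular account for contrast.
SAMPLE_FOLLOWS = {
    "candidate-dev": {"helper-acct", "popular-maintainer"},
    "helper-acct": {"candidate-dev", "another-alias"},
    "another-alias": {"helper-acct"},
    "popular-maintainer": {"some-other-dev"},
    "some-other-dev": set(),
}


def mutual_follow_pairs(follows):
    """Return sorted (a, b) pairs where a follows b and b follows a."""
    pairs = []
    for a, b in combinations(sorted(follows), 2):
        if b in follows.get(a, ()) and a in follows.get(b, ()):
            pairs.append((a, b))
    return pairs


def mutual_clusters(follows):
    """Connected components of the mutual-follow graph (singletons dropped)."""
    adj = defaultdict(set)
    for a, b in mutual_follow_pairs(follows):
        adj[a].add(b)
        adj[b].add(a)
    seen, clusters = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:  # iterative DFS over mutual edges only
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adj[node] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters


def closure_ratio(cluster, follows):
    """Fraction of the cluster members' outgoing follows that stay inside it."""
    members = set(cluster)
    total = inside = 0
    for member in cluster:
        for target in follows.get(member, ()):
            total += 1
            inside += target in members
    return inside / total if total else 0.0


def flag_closed_clusters(follows, min_ratio=0.75):
    """Clusters whose members mostly follow each other: worth a manual look."""
    return [
        (cluster, closure_ratio(cluster, follows))
        for cluster in mutual_clusters(follows)
        if closure_ratio(cluster, follows) >= min_ratio  # threshold is an assumption
    ]


if __name__ == "__main__":
    for cluster, ratio in flag_closed_clusters(SAMPLE_FOLLOWS):
        print(f"closed follow cluster {cluster}: {ratio:.0%} of follows stay inside")
```

A flagged cluster is a lead, not a verdict: the next step is the one the post describes, comparing commit timelines and content across the accounts in the cluster.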
Interview stage: During the interview, make sure the candidate's web camera is turned on. Ask as many questions as possible about the candidate's personal and cultural values; the "Kraken case" is a good reference for that line of questioning (see example). You can also ask whether they are open to relocating to an arbitrary location.
Contract stage: Once a candidate has been accepted and has moved on to the contract stage, there are several important practices to follow:
- Always ensure that employees regularly turn on their cameras during work hours, and request that they activate their cameras immediately whenever required.
- Periodically verify that employees are not consistently working through a VPN or from hosting services.
- Ensure that company-provided laptops are assigned to the correct individuals as per the contractual agreements.
- Conduct thorough background checks to confirm their identities.
- Regularly verify the presence of Remote Monitoring and Management (RMM) tools on all provided machines.
- Routinely check for unauthorized tunneling software or connections on company devices.
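Three of the practices above (the VPN/hosting check, the RMM presence check, and the tunneling-software check) can be run as a periodic job over data the company already has. The block below is an added example, not code from the original post: it takes login events annotated with the ASN organisation of the source address and a per-host software inventory, flags users whose logins come mostly from hosting or VPN address space, and flags hosts that lack the approved RMM agent or carry remote-access or tunneling tools. The log lines, hostnames, the `corp-rmm-agent` name, the keyword list and the tool lists are constructed or assumed and should be tuned to the environment.

```python
"""Contract-stage monitoring checks (added example, not from the original post).

Inputs are assumed to come from SSO/VPN login logs enriched with ASN data and
from an endpoint inventory. All sample values below are constructed.
"""
from collections import Counter

# Constructed login events: (user, source_ip, asn_org) using documentation prefixes.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10", "Example Residential ISP"),
    ("alice", "203.0.113.10", "Example Residential ISP"),
    ("alice", "198.51.100.7", "Example Residential ISP"),
    ("bob", "192.0.2.20", "Example Cloud Hosting LLC"),
    ("bob", "192.0.2.21", "Example Cloud Hosting LLC"),
    ("bob", "192.0.2.22", "ExampleVPN Services"),
    ("bob", "203.0.113.99", "Example Residential ISP"),
]

# Assumed keyword heuristic; a real deployment would use an ASN-type feed instead.
HOSTING_VPN_KEYWORDS = ("hosting", "cloud", "vpn", "datacenter", "server")


def is_hosting_or_vpn(asn_org):
    """True if the ASN organisation name looks like a hosting or VPN provider."""
    org = asn_org.lower()
    return any(keyword in org for keyword in HOSTING_VPN_KEYWORDS)


def hosting_login_ratio(logins):
    """Map each user to the fraction of their logins from hosting/VPN space."""
    total, hosting = Counter(), Counter()
    for user, _ip, asn_org in logins:
        total[user] += 1
        if is_hosting_or_vpn(asn_org):
            hosting[user] += 1
    return {user: hosting[user] / total[user] for user in total}


def users_mostly_on_hosting(logins, threshold=0.5):
    """Users whose hosting/VPN login share meets the (assumed) threshold."""
    return sorted(u for u, r in hosting_login_ratio(logins).items() if r >= threshold)


# Constructed inventory: hostname -> lower-cased process / package names seen on it.
SAMPLE_INVENTORY = {
    "lt-alice": {"slack", "code", "corp-rmm-agent"},
    "lt-bob": {"slack", "anydesk", "corp-rmm-agent", "ngrok"},
    "lt-carol": {"code"},
}

APPROVED_RMM = {"corp-rmm-agent"}  # assumed name of the company's own RMM agent
# Representative, not exhaustive, lists of tools that should not appear unapproved.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}
TUNNELING_TOOLS = {"ngrok", "cloudflared", "frpc", "bore"}


def inventory_findings(inventory):
    """Map each host with a problem to a list of human-readable findings."""
    findings = {}
    for host, software in inventory.items():
        host_findings = []
        if not software & APPROVED_RMM:
            host_findings.append("approved RMM agent missing")
        for tool in sorted(software & REMOTE_ACCESS_TOOLS):
            host_findings.append(f"unapproved remote-access tool: {tool}")
        for tool in sorted(software & TUNNELING_TOOLS):
            host_findings.append(f"tunneling tool: {tool}")
        if host_findings:
            findings[host] = host_findings
    return findings


if __name__ == "__main__":
    print("users mostly on hosting/VPN:", users_mostly_on_hosting(SAMPLE_LOGINS))
    for host, items in inventory_findings(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(items))
```

Both checks produce review queues rather than automatic actions: a user on a hosting ASN may simply be travelling, so the finding should be matched against the laptop-assignment records and the camera check from the same list before anyone escalates.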
Conclusion: Having an employee impersonate another person is not the main issue. The real concern lies in how to resolve such situations if things go in the wrong direction, as well as understanding the legal consequences associated with these issues.
