Key signs of NK-linked insider infiltration: SpiderLabs has found that these threat actors commonly operate from China rather than North Korea because the internet is more stable and they can employ VPN services to conceal their true geographic origin. Astrill VPN has the ability to bypass China’s Great Firewall and allows threat actors to tunnel traffic through US exit nodes and masquerade as legitimate domestic employees. As a result, authentication events from known Astrill VPN IP ranges represent a high-fidelity indicator of compromise.

In this case, however, the VPN itself wasn’t the only sign things were not as they seemed.

“I believe what happened here is that Astrill VPN was not a standard solution used in the specific environment we were monitoring for the client in this case. If it had been, then this particular indicator might not have had as much weight,” Luu said.

“The true anomaly here is that the use of that particular VPN software was unusual for this particular environment. There are personal VPNs and business VPNs, and the XDR solution can distinguish between the personal and business VPN solutions and only alert on the personal VPN usage,” Luu added.
No silver IAM bullet for CISOs: Identity and access management offers no magical method for spotting fake IT workers. As this example demonstrates, discovering a North Korean insider requires patching together a number of signals. This investigative and alert work can take different forms.

“Some approaches start with well-segregated privileges and begin ramping up privileges over time as trust and tenure are established to ‘slow roll’ risky hires,” Luu told CSO.

In some cases, it’s looking for logon or work activity outside of typical working hours for a particular geography.

“Certainly, the confluence of suspicions helps. For example, are employees accessing data or attempting to authenticate data, hosts, or applications outside their established roles?” Luu noted.

The reminder for CISOs is to ensure onboarding processes are robust and regularly reviewed. “Learn what software is ‘normal’ in your environment and set software standards, and ensure employees have company-managed devices, preferably Windows for more control,” Luu advised. “Make sure IT admins apply EntraID Conditional Access policy to lock down logins from allowed regions or areas where employees are employed. The client didn’t have the conditional access policy activated before the incident, and they applied it after as a recommendation from Cybereason.”
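The detection logic the article sketches, correlating a personal-VPN exit node, logons outside working hours for the employee’s home geography, and access outside an established role into one finding rather than alerting on any single signal, as an added illustration. This is editorial example code, not from the article, Cybereason, SpiderLabs or any XDR product. The IP ranges are RFC 5737 documentation addresses standing in for a threat-intel feed (they are not Astrill ranges), the employees, roles and events are constructed, and the `vpn_is_standard_here` switch models Luu’s caveat that a personal VPN carries less weight where it is normal in the environment.

```python
"""Correlate weak identity signals into one escalation decision.

Signals (each constructed for this example):
  personal_vpn  - source IP falls in a feed of personal-VPN exit ranges
  off_hours     - logon time is outside business hours in the user's home geography
  outside_role  - resource is not one the user's established role normally touches
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Placeholder ranges from RFC 5737 documentation space. In production this list
# would come from threat intel / the XDR's VPN classification; it is NOT real data.
PERSONAL_VPN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed HR directory. A fixed UTC offset is used instead of an IANA zone
# so the example runs without tzdata; a real system would use ZoneInfo.
EMPLOYEES = {
    "jdoe": {"utc_offset_hours": -6, "role": "frontend-dev"},    # Chicago, winter
    "asmith": {"utc_offset_hours": -5, "role": "frontend-dev"},  # New York, winter
}

# Constructed "established roles": which resources each role normally uses.
ROLE_RESOURCES = {
    "frontend-dev": {"git", "ci", "jira"},
    "finance": {"erp", "payroll"},
}

WORK_START, WORK_END = 7, 20  # local hours treated as normal working time

# Default weights; escalation needs a confluence, not a lone signal.
WEIGHTS = {"personal_vpn": 3, "off_hours": 2, "outside_role": 2}
ESCALATE_AT = 4


def is_personal_vpn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PERSONAL_VPN_RANGES)


def is_off_hours(ts_utc: str, utc_offset_hours: int) -> bool:
    """True if the ISO-8601 UTC timestamp is a weekend or outside WORK_START-WORK_END
    once converted to the employee's home offset."""
    local = datetime.fromisoformat(ts_utc).astimezone(
        timezone(timedelta(hours=utc_offset_hours))
    )
    return local.weekday() >= 5 or not (WORK_START <= local.hour < WORK_END)


def is_outside_role(user: str, resource: str) -> bool:
    role = EMPLOYEES[user]["role"]
    return resource not in ROLE_RESOURCES.get(role, set())


def score_events(events, vpn_is_standard_here: bool = False):
    """Return {user: {"signals": set, "score": int, "escalate": bool}}.

    If the personal VPN is a standard tool in this environment, its weight is
    reduced to 1 so it can only contribute to, not drive, an escalation.
    """
    weights = dict(WEIGHTS)
    if vpn_is_standard_here:
        weights["personal_vpn"] = 1

    findings = {}
    for ev in events:
        user = ev["user"]
        f = findings.setdefault(user, {"signals": set()})
        if is_personal_vpn(ev["src_ip"]):
            f["signals"].add("personal_vpn")
        if is_off_hours(ev["ts"], EMPLOYEES[user]["utc_offset_hours"]):
            f["signals"].add("off_hours")
        if is_outside_role(user, ev["resource"]):
            f["signals"].add("outside_role")

    for f in findings.values():
        f["score"] = sum(weights[s] for s in f["signals"])
        f["escalate"] = f["score"] >= ESCALATE_AT
    return findings


# Constructed sample logon/access events (UTC timestamps; 2025-03-04 is a Tuesday).
SAMPLE_EVENTS = [
    # jdoe: placeholder-VPN source, 03:10 local time, payroll is outside a dev role
    {"user": "jdoe", "ts": "2025-03-04T09:10:00+00:00", "src_ip": "203.0.113.7", "resource": "payroll"},
    {"user": "jdoe", "ts": "2025-03-04T09:12:00+00:00", "src_ip": "203.0.113.7", "resource": "git"},
    # asmith: non-VPN source, 10:00 local time, in-role resource
    {"user": "asmith", "ts": "2025-03-04T15:00:00+00:00", "src_ip": "192.0.2.10", "resource": "git"},
]

if __name__ == "__main__":
    for user, f in score_events(SAMPLE_EVENTS).items():
        print(user, sorted(f["signals"]), f["score"], "ESCALATE" if f["escalate"] else "ok")
```

The point of the weighting is the one Luu makes: with the VPN downgraded to a normal tool, `jdoe` still escalates on the combination of off-hours activity and an out-of-role resource, while `asmith` produces no signal at all. In a real deployment the role map would come from the IdP or HR system and the VPN ranges from the XDR’s own classification of personal versus business VPN providers.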
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4148279/behavioral-xdr-and-threat-intel-nab-north-korean-fake-it-worker-within-10-days-of-hire.html