The Enemy Within: Unmasking the Hidden Risks of Next-Gen Insider Threats

Renmarc Andrada 09/10/2024

As organizations increasingly embrace remote work and flexible environments, the traditional boundaries of the workplace are rapidly dissolving.

While these changes offer numerous benefits, they also open new doors for one of the most dangerous security risks: insider threats. And today, these threats are not just about disgruntled employees or careless mistakes; they are evolving, fueled by sophisticated AI-driven tools like deep fakes that make detecting malicious intent harder than ever before.

Introduction

Insider threats have undergone a makeover—and it’s not one to be ignored. The concept of insider threats isn’t new—employees, contractors, or anyone with access to an organization’s sensitive data have long been seen as potential risks. However, the landscape has dramatically shifted. Today’s insider threats are more like tech-savvy double agents, sometimes unwittingly turning your own defenses against you.

With the rise of flexible work setups—whether in-office, remote, or hybrid—employees now access sensitive data from virtually anywhere. This convenience, though, comes with a catch: it’s easier than ever for threat actors to slip through the cracks. And as if that weren’t enough, AI-enhanced tools like deep fakes have added a new, chilling twist. The modern insider threat can now manipulate video, audio, and images with alarming precision. Imagine a deep fake video of a trusted executive authorizing a fraudulent transfer, or an AI-generated voice instructing a team to share classified information. These are not far-fetched hypotheticals but emerging realities that organizations must confront, making it increasingly difficult to distinguish friend from foe.

The Rise of AI-Driven Deception

Deep fakes, once a novelty, have matured into powerful tools for malicious actors, as demonstrated by a recent incident where a North Korean operative used AI-enhanced identity fraud to infiltrate a U.S. cybersecurity firm. This technological leap has given rise to new campaigns where attackers leverage deep fakes to infiltrate organizations, manipulate employees, and steal sensitive information—all while leaving minimal traces of their actions.

[Image: left, the original stock photo; right, the AI-enhanced version used by the impostor. Source: https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us]

The implications are vast. Traditional security measures like passwords and basic identity checks are no longer sufficient. In a world where seeing is not always believing, organizations must adapt their defenses to stay ahead of this new threat landscape. The incident underscores the urgent need for stronger identity verification processes and vigilant cybersecurity practices to counter this new generation of AI-driven threats.

The Insider Threat Matrix: A Framework to Combat Next-Gen Insider Threats

As insider attacks grow more complex and devastating, standard defenses often fall short. The Insider Threat Matrix (ITM) is a framework specifically designed to address these next-generation threats. Modelled on the MITRE ATT&CK framework, the ITM provides a comprehensive mapping of tactics, techniques, and procedures (TTPs) specific to insider threats, equipping organizations with the tools and insights needed to detect, assess, and mitigate these subtle risks.

Recent incidents, like the North Korean operative posing as an IT worker to infiltrate U.S. companies, underscore the urgent need for such frameworks. We will walk through this case and show how the ITM can help organizations build stronger defenses, create effective mitigation strategies, and respond to next-generation insider threats.

Insider Threat Matrix Use Cases

In this section we follow the timeline from KnowBe4's incident summary and, at each step, use the ITM as a common language for describing and communicating the insider threat activity.

Motive: Joiner:MT001

Joiner - A subject joins the organization with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies.

According to the incident summary from the U.S.-based cybersecurity firm KnowBe4, the company fell victim to a Joiner:MT001 employee who turned out to be a fake IT worker. The impostor used a valid but stolen U.S. identity and an AI-enhanced image as a profile picture to deceive the company's HR department.

Motive: Speculative Corporate Espionage:MT005.001

Speculative Corporate Espionage - A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization.

One of the primary objectives of insider intrusions is to extract valuable information from the target environment and sell it to third parties, whether private organizations or adversarial entities, if the price is right. We therefore record Personal Gain: Speculative Corporate Espionage:MT005.001 alongside Joiner:MT001 as a probable motive.

Means: Asset Control:ME001

Means - The mechanisms or circumstances required for an infringement to occur.

After the North Korean operative posing as an IT worker passed the interview, the company shipped a laptop as part of the onboarding process. This handed the threat actor control of a company-managed asset, creating a significant opportunity for abuse.

Means: Unrestricted Software Installation:ME002

Unrestricted Software Installation - A subject can install software on a device without restriction.

Following the successful job interview, the attacker gained access to a corporate asset. According to the incident summary:

'The attacker manipulated session history files, transferred potentially harmful files, and executed unauthorized software using a Raspberry Pi to download malware.'

The ITM entry for this technique also lists 'Prevention' and 'Detection' measures that organizations can apply to reduce risk if an intrusion reaches this stage of the attack chain.
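As an added example (not code from the original post, from KnowBe4, or from the ITM project), the script below runs a handful of detection rules over constructed endpoint telemetry, covering the two Means discussed above: an unapproved USB peripheral attached to a company-controlled asset (ME001) and unapproved software installed or executed on it (ME002), plus the shell-history tampering mentioned in the incident summary. It then correlates the hits per host and user, so that a single device tripping several rules in a short window is escalated rather than producing four separate low-priority alerts. The log format, field names, hostnames, usernames, allowlists and the telemetry lines themselves are all assumptions made for the example; real EDR or auditd data uses different schemas.

```python
"""Toy detection rules for ITM Means ME001/ME002 over constructed telemetry.

Added example only; the JSON schema and every value below are assumptions.
"""
import json
from collections import defaultdict

# Allowlists an organisation would maintain centrally (values are assumptions).
APPROVED_PACKAGES = {"vim", "git", "curl"}
# USB vendor IDs for peripherals the organisation issues; 046d/05ac are
# Logitech/Apple, used here purely for illustration.
APPROVED_USB_VENDORS = {"046d", "05ac"}
HISTORY_FILES = (".bash_history", ".zsh_history", "ConsoleHost_history.txt")
UNTRUSTED_EXE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed telemetry, one JSON object per line. Host lt-0421 is the
# onboarding laptop; lt-0118 is a benign control. 2e8a is Raspberry Pi's USB
# vendor ID (assumed here to show up as a plain hub/serial device).
SAMPLE_LOGS = """\
{"ts":"2024-07-15T09:01:12Z","host":"lt-0421","user":"j.doe","event":"process","exe":"/usr/bin/code","parent":"/usr/bin/bash"}
{"ts":"2024-07-15T09:04:55Z","host":"lt-0421","user":"j.doe","event":"usb_attach","vendor_id":"2e8a","product":"Raspberry Pi"}
{"ts":"2024-07-15T09:05:30Z","host":"lt-0421","user":"j.doe","event":"package_install","package":"socat","installer":"apt"}
{"ts":"2024-07-15T09:06:02Z","host":"lt-0421","user":"j.doe","event":"file_write","path":"/home/j.doe/.bash_history","size_before":18422,"size_after":0}
{"ts":"2024-07-15T09:07:48Z","host":"lt-0421","user":"j.doe","event":"process","exe":"/tmp/.x/loader","parent":"/usr/bin/bash"}
{"ts":"2024-07-15T10:12:00Z","host":"lt-0118","user":"a.smith","event":"package_install","package":"vim","installer":"apt"}
"""


def parse_logs(text):
    """Parse newline-delimited JSON, silently skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def check_event(ev):
    """Return (rule_name, detail) when an event matches a rule, else None."""
    kind = ev.get("event")
    if kind == "package_install" and ev.get("package") not in APPROVED_PACKAGES:
        return ("unapproved_package_install", ev["package"])          # ME002
    if kind == "usb_attach" and ev.get("vendor_id") not in APPROVED_USB_VENDORS:
        return ("unapproved_usb_device", ev.get("product", ev.get("vendor_id")))  # ME001
    if kind == "file_write" and ev.get("path", "").endswith(HISTORY_FILES):
        # A history file shrinking is the classic sign of session-history tampering.
        if ev.get("size_after", 0) < ev.get("size_before", 0):
            return ("shell_history_truncated", ev["path"])
    if kind == "process":
        exe = ev.get("exe", "")
        # Binaries run from world-writable dirs or hidden directories are unapproved software.
        if exe.startswith(UNTRUSTED_EXE_PREFIXES) or "/." in exe:
            return ("execution_from_untrusted_path", exe)              # ME002
    return None


def detect(text):
    """Run every rule over the telemetry and return the list of alerts in log order."""
    alerts = []
    for ev in parse_logs(text):
        hit = check_event(ev)
        if hit:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": hit[0], "detail": hit[1]})
    return alerts


def correlate(alerts, min_rules=3):
    """Escalate a (host, user) pair when at least min_rules distinct rules fired on it."""
    by_subject = defaultdict(set)
    for a in alerts:
        by_subject[(a["host"], a["user"])].add(a["rule"])
    return {k: sorted(v) for k, v in by_subject.items() if len(v) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a['ts']} {a['host']}/{a['user']} {a['rule']}: {a['detail']}")
    for (host, user), rules in correlate(found).items():
        print(f"ESCALATE {host}/{user}: {', '.join(rules)}")
```

The point of the correlation step is that each rule on its own is noisy (developers install packages, people plug in hubs), but the combination of a new peripheral, an unapproved install, a truncated history file and execution from a hidden temp directory on a freshly onboarded device is exactly the pattern the incident summary describes, and it is worth paging on.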

Preparation: Disrupted Monkey Business

Preparation - The activities conducted by a subject to aid or enable an infringement.

KnowBe4's SOC team responded effectively to the incident, disrupting the threat actor's attempt to extract and steal sensitive data. Despite the attacker deploying malware for automated scans and information gathering, KnowBe4's security controls successfully thwarted the attacker's tactics, techniques, and procedures (TTPs). The company confirmed that no sensitive data was exfiltrated during the incident, highlighting the effectiveness of their defense-in-depth security strategies.

Rethinking Hiring Processes: Multi-Step Identity Verification

One of the most critical areas requiring immediate attention is the hiring process. With the advent of deep fakes, the risk of onboarding individuals using stolen or falsified identities has skyrocketed. To combat this, organizations must implement multi-step identity verification processes. Here’s how:

  1. Biometric Verification: Use facial recognition, fingerprint scanning, or voice recognition to verify the identity of candidates during the interview process. This adds a layer that is harder to fake than a photo or a résumé, but a biometric check performed over a video call can itself be targeted with a real-time deep fake, so pair it with liveness detection and with the in-person and document checks below rather than relying on it alone.
  2. In-Person Interviews: Whenever possible, conduct final interviews in person. This can help identify inconsistencies that may not be apparent in virtual settings.
  3. Background Checks: Enhance background checks by verifying educational credentials, previous employment, and references through multiple sources.
  4. Document Verification: Use digital forensics to validate the authenticity of identification documents submitted during the hiring process.

Why Insider Threat Matrix Framework?

The world is constantly evolving with new technologies, especially with the rise of Artificial Intelligence. We are in the era of AI, which offers opportunities to accelerate processes but also brings significant risks. AI-enhanced and AI-generated images, audio, and video, combined with the shift from in-office to hybrid and remote work, create new openings for insider threats.

The Insider Threat Matrix, or similar frameworks, serves as a universal language for threat intelligence and defense. Utilizing these frameworks enables organizations to make effective operational and tactical decisions to safeguard against this rising threat.

Benefits of using Intelligence Frameworks

The Insider Threat Matrix provides several universal benefits, including but not limited to the following:

  1. Common Language: Frameworks like the Insider Threat Matrix create a shared language, enabling clearer communication across technical teams and business decision-makers.
  2. Consistency: They ensure a standardized approach to identifying and mitigating insider threats, fostering uniformity across the organization.
  3. Defense-In-Depth Integration: These frameworks facilitate the integration of layered security measures, strengthening the organization's overall defense strategy.
  4. Continuous Process: They promote continuous monitoring, allowing teams to refine their approach as threats evolve, and ensuring that business-level decisions are informed by the latest intelligence.

Using intelligence frameworks such as the Insider Threat Matrix becomes increasingly important as insider threats grow more complex. They ensure that corporate executives and technical teams are in sync and working toward the same goals. Because they provide a consistent strategy and promote continuous improvement, these frameworks are essential for staying ahead of shifting threats. Using such frameworks is not only helpful in the current environment but also central to securing the organization.

Conclusion

The rise of AI-enhanced threats, like deep fakes, combined with the shift to remote work, has intensified insider risks. Frameworks like the Insider Threat Matrix are essential for aligning teams and business leaders in detecting and preventing these sophisticated attacks. By offering a consistent approach and encouraging continuous improvement, these frameworks help organizations build robust intelligence to safeguard against increasingly complex threats.

About SBT

Security Blue Team (SBT) is a leading online education and training provider, specializing in cybersecurity courses and programs for over 100,000 students worldwide. With a solid commitment to delivering an exceptional experience to each user, we have implemented a robust infrastructure to support our operations.

About Renmarc Andrada


Renmarc is an avid fan of the phrase 'sharing is the new learning'. As a content developer with years of experience under his belt, he dedicates most of his time to researching both old and new TTPs in broad areas such as DFIR, CTI, threat hunting and malware analysis.