SecOps' new frontier in the remote work era: HR

A CISO shares the story of how his SOC staff caught and contained a North Korean agent posing as a software engineer, saying he hopes to raise awareness of a growing threat.

As if SecOps pros didn't have enough to worry about, HR has become a fresh attack vector for cybersecurity threats such as foreign agents posing as software engineers.

KnowBe4, a security awareness training software vendor based in Clearwater, Fla., made headlines in July when it thwarted an attempt by a North Korean agent to infiltrate its software engineering staff. The company's executives publicly shared the story about what they said is an increasingly common scenario, which the U.S. government issued warnings about in 2022, in the hopes of warning other companies that the threat is real.

In this episode of IT Ops Query Season 2: The State of SecOps, Brian Jack, KnowBe4's chief information security officer, told TechTarget Editorial's Beth Pariseau that it's not just companies in the security industry that should beware of such infiltration.


"The main idea behind the scheme is to make money and send it back to North Korea," Jack said. "The side part is that they have access [to sensitive data], and the access could be given to other more offensive threats within North Korea."

Jack estimated that any company with more than 1,000 resumes submitted in response to a job opening likely has such an infiltrator among the applicants.

"They have people working with them in the U.S. to run laptop farms. They have people working with them in the U.S. to use their identity. They have found people in the U.S. to pose as them in person, to pick up equipment from an office in person, to do drug screenings in person," Jack said. "If the position really warrants it, they will go to great lengths to secure that role."


Jack said KnowBe4's security operations center (SOC) quickly picked up on suspicious activity by the impostor worker -- within 25 minutes of the new employee's first day on the job. When the employee's answers to questions also proved suspicious, the operations center quickly contained the laptop, and no sensitive data or systems were accessed by that employee.

Still, the incident prompted the company's SecOps engineers to collaborate more closely with its HR department, Jack said. They created automation tools that flag potentially suspicious information in resumes, such as the use of VoIP phone numbers, which can be used to route calls and messages so that they appear to be coming from a U.S. location when they are not.
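Resume screening of the kind Jack describes, as an added illustration that is not KnowBe4's tool: the line-type and area-code tables below are constructed placeholders standing in for a real carrier or number-portability lookup service, and the flagging rules (VoIP line type, unknown line type, area code that disagrees with the applicant's claimed state) are assumptions about what a screener would want surfaced for manual review.

```python
import re
from dataclasses import dataclass, field

# Constructed line-type table keyed by NPA-NXX (area code + exchange).
# A real deployment would query a carrier lookup service; these entries
# are illustrative only and are not real carrier data.
LINE_TYPE_BY_PREFIX = {
    "415555": "mobile",
    "212555": "landline",
    "305555": "voip",
    "650555": "voip",
}

# Constructed map from area code to U.S. state, again illustrative.
STATE_BY_AREA_CODE = {"415": "CA", "650": "CA", "212": "NY", "305": "FL"}

# Matches common U.S. phone formats: (415) 555-0100, +1 305.555.0199, 650-555-0123
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")


@dataclass
class ResumeFinding:
    number: str
    line_type: str
    reasons: list = field(default_factory=list)


def extract_numbers(text):
    """Return the 10-digit U.S. numbers found in free-form resume text."""
    return ["".join(m) for m in PHONE_RE.findall(text)]


def screen_resume(text, claimed_state):
    """Flag numbers whose line type is VoIP or unknown, or whose area code
    does not match the state the applicant claims to live in.
    Returns a list of ResumeFinding; an empty list means nothing to flag."""
    findings = []
    for number in extract_numbers(text):
        line_type = LINE_TYPE_BY_PREFIX.get(number[:6], "unknown")
        reasons = []
        if line_type == "voip":
            reasons.append("VoIP number can mask the caller's real location")
        elif line_type == "unknown":
            reasons.append("line type could not be determined; verify manually")
        state = STATE_BY_AREA_CODE.get(number[:3])
        if state and state != claimed_state:
            reasons.append(f"area code maps to {state}, resume claims {claimed_state}")
        if reasons:
            findings.append(ResumeFinding(number, line_type, reasons))
    return findings
```

Findings are meant to route a resume to a human reviewer, not to reject it automatically; legitimate applicants use VoIP numbers and relocate across area codes.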

"We have [another] position open -- we have 2,000 resumes. The position's been open for a week," Jack said. "I am not sure how you manually scan that at any sort of reasonable pace. So this is ... solving different problems through just a little bit of code."

Overall, the ability to solve problems through security automation and code is the skill Jack most seeks in SecOps employees.

"We have this team of operations folks who are ... like site reliability engineers or platform engineers [who can] script something up, hit an API or to augment data that's coming into a SIEM [security information and event management] or a SOC, to automate that first step of following up on an alert," Jack said, and he recommends that approach for anyone building a security operations team.

"Your analysts will be happier," he said. "You'll be able to respond faster, and it's just a quicker, less menial type of thing. I think that's a good state of SecOps."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
