
When Attackers Are Hired: Today’s New Identity Crisis
What if the star engineer you just hired is actually an attacker in disguise, not an employee? This is not phishing. It is penetration through onboarding.
Meet “Jordan from Colorado”: strong resume, persuasive references, a clean background check, and a digital footprint that checks out.
On the first day, Jordan logs in to his email, joins the weekly stand-up, and receives a warm welcome from his team. Within hours, he has access to the repositories, the project folders, and the development keys that get copied and pasted around your pipeline.
A week later, tickets are closing faster and everyone is impressed. Jordan has also built an insightful picture of the technology stack: which environments and tools are poorly understood, and which approvals are rubber-stamped.
But Jordan was not Jordan. The red-carpet welcome the team rolled out was the equivalent of a golden key handed straight to the adversary.
From phishing to fake employment
The modern scam is not a malicious link in your inbox. It is a legitimate login inside your organization.
Phishing is still a serious threat that continues to grow (particularly with the rise in AI-driven attacks), but it is a well-known attack route. Organizations have spent years strengthening email gateways, training employees to recognize and report malicious content, and running internal phishing tests.
Those defenses are needed against a daily flood of phishing email: phishing has increased by 49% since 2021, and the use of large language models (LLMs) to generate emails with compelling lures has increased 6.7 times, making phishing attacks much easier for attackers to carry out.
But that is not how Jordan got in. While most of these defenses point at email, Jordan came in through the HR paperwork.
Why hiring fraud is the issue now
Remote employment has grown rapidly over the past few years. The industry has discovered that 100% remote work is possible, and employees no longer need offices with physical (and easily defensible) boundaries. Talent, meanwhile, exists everywhere on the planet. Hiring remotely lets organizations expand their talent pool and reach more qualified and skilled candidates. However, remote hiring also removes the intuitive, natural protections of a face-to-face interview, creating a new opening for threat actors.
Today, identity is the new perimeter. And that means the perimeter can be forged, impersonated, or even generated by AI. References can be spoofed. Interviews can be coached or taken by a proxy. Faces and voices can be generated (or deepfaked) by AI. An anonymous adversary can present convincingly as “Jordan from Colorado” and be handed the keys to the kingdom.
Hiring fraud in the wild: North Korea’s remote “employment” operatives
Remote hiring fraud is not a hypothetical threat on the horizon or a scary story told around the campfire.
A report released this August revealed more than 320 cases of North Korean operatives infiltrating businesses by posing as remote IT workers with false identities and sophisticated resumes. That figure is up 220% year-on-year. In other words, this threat is escalating quickly.
Many of these operatives used AI-generated profiles, deepfakes, and real-time AI assistance to pass interviews and vetting. In one case, an American accomplice operated a “laptop farm” that provided a physical US presence: company-issued machines, a domestic address, and a domestic identity. Through this scheme they were able to steal data and funnel their salaries back to the North Korean regime.
These are not isolated hacktivist stunts either. Research has identified this as a systematic campaign, often targeting Fortune 500 companies.
The castle-and-moat problem
Many organizations respond by overcorrecting: “I want my whole company locked down as tightly as my most sensitive resources.”
That sounds wise, until work slows to a crawl. Without granular controls that let security policy distinguish legitimate workflows from unnecessary exposure, rigid controls that lock down everything across the organization stall productivity. Employees need access to do their jobs. If policy is too restrictive, they will either find workarounds or ask for exceptions on a continual basis.
Over time, as exceptions become standard, risk creeps up.
This accumulation of internal exceptions slowly pushes you back toward the “castle and moat” approach. The walls are hardened on the outside, but the inside is wide open. And if employees are given a key that unlocks everything inside so they can do their jobs, you are giving that key to Jordan too.
In other words, locking everything down the wrong way is just as dangerous as leaving it open. Strong security must account for and adapt to real-world work, or it collapses.
How zero standing privilege blocks fraudulent new hires without trade-offs
We have all heard of Zero Trust: never trust, always verify. It applies to every request, every time, even after someone is already “inside.”
With identity as the new perimeter, we need to view this framework through the lens of identity. That leads to the concept of zero standing privilege (ZSP).
Unlike the castle model, which locks everything down indiscriminately, ZSP is built around flexible guardrails:
Nothing by default: no identity has always-on access. The baseline for every identity is the minimum access needed to function.
JIT (just-in-time) + JEP (just-enough-privilege): extra access takes the form of narrowly scoped permissions that exist only for the period required and are revoked when the task is complete.
Audit and accountability: every grant and revocation is recorded, creating a transparent record.
This approach closes the gap left by the castle problem. Attackers cannot rely on permanent access, while employees can still move quickly. ZSP reconciles productivity and protection rather than forcing a choice between them. Below are some tactical steps a team can take to eliminate standing access across the organization.
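As an added illustration (not code from the original article or from BeyondTrust's product), the Python below models the three ZSP properties just described: an empty baseline, scoped and time-bound grants with a four-eyes approval rule, and an audit record of every grant, denial and revocation. The identities, scopes and ticket IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    identity: str
    scope: str          # constructed example scope, e.g. "repo:payments:write"
    expires_at: datetime
    ticket: str
    revoked: bool = False

class ZspBroker:
    """Hypothetical JIT/JEP broker: empty baseline, scoped time-bound grants, full audit trail."""
    MAX_MINUTES = 240   # JEP cap: a long request must not turn into de-facto standing access

    def __init__(self, approvers):
        self.approvers, self.grants, self.audit = set(approvers), [], []

    def request(self, identity, scope, minutes, ticket, approver, now):
        # Four-eyes rule: only a listed approver, and never the requester, can approve.
        if approver not in self.approvers or approver == identity:
            self._log("denied", identity, scope, now, ticket, approver)
            return None
        grant = Grant(identity, scope, now + timedelta(minutes=min(minutes, self.MAX_MINUTES)), ticket)
        self.grants.append(grant)
        self._log("granted", identity, scope, now, ticket, approver, grant.expires_at)
        return grant

    def revoke(self, grant, now, reason="task complete"):
        grant.revoked = True
        self._log("revoked", grant.identity, grant.scope, now, grant.ticket, reason)

    def effective(self, identity, now):
        # Only live grants count: nothing survives expiry or revocation, so there is no standing access.
        return sorted(g.scope for g in self.grants
                      if g.identity == identity and not g.revoked and g.expires_at > now)

    def _log(self, event, identity, scope, now, ticket, actor, expires=None):
        self.audit.append({"event": event, "identity": identity, "scope": scope, "at": now.isoformat(),
                           "ticket": ticket, "actor": actor, "expires": expires and expires.isoformat()})

def walkthrough():  # constructed scenario: placeholder new hire "jordan", approver "lead.alice"
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    b = ZspBroker(approvers={"lead.alice"})
    day_one = b.effective("jordan", t0)                                        # baseline: nothing
    g = b.request("jordan", "repo:payments:write", 60, "TCK-101", "lead.alice", t0)
    b.request("jordan", "prod:db:admin", 600, "TCK-102", "jordan", t0)         # self-approval denied
    during = b.effective("jordan", t0 + timedelta(minutes=30))
    expired = b.effective("jordan", t0 + timedelta(minutes=61))               # time-bound: gone
    b.revoke(g, t0 + timedelta(minutes=45))                                    # task finished early
    revoked = b.effective("jordan", t0 + timedelta(minutes=50))
    return day_one, during, expired, revoked, [e["event"] for e in b.audit]
```

Calling `walkthrough()` shows the full lifecycle: no access on day one, scoped access only while the approved window is open, and an audit trail that records the denied self-approval alongside the grant and revocation.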
Zero Standing Privilege Checklist
Inventory and baseline:
Request, approve, revoke:
Complete audit and evidence:
Take action: Start small and win quickly
A practical way to get started is to pilot ZSP on your most sensitive system for two weeks. Measure how access requests, approvals, and audits actually flow. A quick win here builds momentum for wider adoption and proves that security and productivity do not have to be at odds.
BeyondTrust Entitle, the cloud access management solution, enables the ZSP approach and provides automated controls that keep every identity at the lowest level of privilege at all times. When more access is needed for a task, employees can request it through time-bound, auditable workflows: just enough access is granted for the time required, then removed.
By taking steps to operationalize zero standing privilege, legitimate users can keep moving quickly.
Note: This article was written and contributed by David Van Heerden, Sr. Product Marketing Manager. A self-proclaimed nerd, metalhead, and aspiring film snob, David Van Heerden has worked in the industry for over a decade, honing his technical skills and developing a knack for turning complex IT and security concepts into clear, value-oriented topics. At BeyondTrust, he serves as Sr. Product Marketing Manager and leads the certification marketing strategy.