Page 248 - Cyber Defense eMagazine RSAC Special Edition 2025
Advanced threat intelligence platforms utilize entity graphing to visually map and correlate seemingly unrelated signals, revealing hidden connections. These interconnected graphs can expose relationships between threat actors, even when they use obscure data points. This high-fidelity intelligence can identify not just isolated threat artifacts but also the human adversaries orchestrating malicious campaigns. Understanding the identity of the individual behind the keyboard is as critical as understanding their Tactics, Techniques, and Procedures (TTPs).
Historical Context: The Power of Signal Analysis
The concept of analyzing signals for threat intelligence is not new. The National Security Agency (NSA) project labeled ThinThread (circa 1990s) aimed to analyze phone and email metadata to identify potential threats. The core component of ThinThread, known as MAINWAY, which focused on analyzing communication patterns, was eventually deployed and became a key part of the NSA's domestic surveillance program. This historical example illustrates the potential of analyzing seemingly disparate signals to gain critical insights into potential threats, a principle that underpins modern identity risk intelligence.
Real-World Example: North Korean Cyber Espionage
Recent events highlight the urgent need for identity-centric intelligence, particularly the numerous cases of North Korean intelligence operatives infiltrating companies by posing as remote IT workers. These highly skilled agents create elaborate fake personas with fabricated online presences, counterfeit resumes, stolen personal data, and AI-generated profile pictures to secure employment. Once employed, they often exfiltrate data. In some cases, they diligently perform their IT work to avoid suspicion. U.S. investigators have corroborated the widespread nature of this tactic, revealing that North Korean nationals have fraudulently obtained employment by presenting themselves as citizens of other countries. These operatives create synthetic identities to pass background checks and interviews, acquiring personal information to appear as proficient software developers or IT specialists. One North Korean hacker even secured a software developer position at a cybersecurity company using a stolen American identity and an AI-generated profile photo, deceiving HR and recruiters. In some instances, these actors exfiltrate sensitive data within days of employment. KnowBe4, a security training firm, discovered a newly hired engineer who was a North Korean operative downloading hacking tools onto the company network. The operative was only apprehended because of the company’s proactive monitoring systems.
This example underscores that traditional security measures, background screenings, and network monitoring may be insufficient to detect these sophisticated threats. Intelligence that can unmask these malicious actors early in the process is crucial, highlighting the value of identity risk intelligence. Proactively incorporating identity risk signals early in the screening process can help organizations identify potential imposters before they gain network access. For example, an identity-centric approach might have flagged the KnowBe4 hire as high-risk before onboarding by uncovering inconsistencies or prior exposure of their personal data.
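The two ideas the article relies on, entity graphing over seemingly unrelated signals (opening paragraph) and scoring identity risk before onboarding (this paragraph), can be shown in one small Python program. This is an added example written for this page; it is not code from the article, from KnowBe4, or from any threat intelligence product. The applicant records, attribute names, the link attributes and the scoring weights are all constructed assumptions chosen to make the mechanics visible: applicants become graph nodes, a reused identifier (phone, e-mail, profile-photo hash, device fingerprint) becomes an edge, connected components reveal personas that are tied together, and a per-applicant score combines those links with record-level inconsistencies such as a claimed country that does not match the observed login country or personal data already present in a breach corpus.

```python
from collections import defaultdict
from itertools import combinations

# Constructed applicant records (invented placeholder values, not real people
# or real screening data). Each persona carries the kind of identity signals a
# pre-onboarding screening pipeline might hold.
APPLICANTS = [
    {"id": "A1", "email": "alex.doe@example.com", "phone": "+1-555-0100",
     "photo_hash": "ph_7f3a", "device": "dev_11",
     "claimed_country": "US", "ip_country": "US", "breach_exposed": False},
    {"id": "A2", "email": "sam.roe@example.com", "phone": "+1-555-0100",
     "photo_hash": "ph_9c21", "device": "dev_42",
     "claimed_country": "US", "ip_country": "US", "breach_exposed": False},
    {"id": "A3", "email": "jamie.poe@example.com", "phone": "+1-555-0199",
     "photo_hash": "ph_9c21", "device": "dev_42",
     "claimed_country": "US", "ip_country": "XX", "breach_exposed": True},
    {"id": "A4", "email": "chris.voe@example.com", "phone": "+1-555-0177",
     "photo_hash": "ph_0b55", "device": "dev_77",
     "claimed_country": "CA", "ip_country": "CA", "breach_exposed": False},
]

# Attributes that, when shared by two personas, create an edge between them
# (an assumed choice for this example).
LINK_ATTRS = ("email", "phone", "photo_hash", "device")


def build_entity_graph(records):
    """Map each applicant id to {neighbour id: set of attributes they share}."""
    owners = defaultdict(list)          # (attribute, value) -> [applicant ids]
    for rec in records:
        for attr in LINK_ATTRS:
            owners[(attr, rec[attr])].append(rec["id"])
    graph = defaultdict(lambda: defaultdict(set))
    for (attr, _value), ids in owners.items():
        for a, b in combinations(ids, 2):   # every pair sharing this value
            graph[a][b].add(attr)
            graph[b][a].add(attr)
    return graph


def connected_components(records, graph):
    """Group personas into clusters; a cluster larger than one means that
    'unrelated' applicants are tied together by reused identity signals."""
    seen, clusters = set(), []
    for rec in records:
        if rec["id"] in seen:
            continue
        stack, comp = [rec["id"]], set()
        while stack:                        # iterative depth-first walk
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node])
        seen |= comp
        clusters.append(sorted(comp))
    return clusters


def risk_score(rec, graph):
    """Additive score: record-level inconsistencies plus graph linkage.
    The weights are illustrative assumptions, not a published model."""
    score, reasons = 0, []
    if rec["claimed_country"] != rec["ip_country"]:
        score += 3
        reasons.append("claimed country differs from observed login country")
    if rec["breach_exposed"]:
        score += 2
        reasons.append("personal data seen in a prior breach corpus")
    for other, attrs in graph[rec["id"]].items():
        score += 2 * len(attrs)             # each reused identifier adds weight
        reasons.append(f"shares {sorted(attrs)} with {other}")
    return score, reasons


def screen(records, threshold=4):
    """Score every applicant and flag those at or above the threshold."""
    graph = build_entity_graph(records)
    report = {}
    for rec in records:
        score, reasons = risk_score(rec, graph)
        report[rec["id"]] = {"score": score, "flagged": score >= threshold,
                             "reasons": reasons}
    return report


if __name__ == "__main__":
    g = build_entity_graph(APPLICANTS)
    print("clusters:", connected_components(APPLICANTS, g))
    for aid, info in screen(APPLICANTS).items():
        print(aid, info["score"], "FLAG" if info["flagged"] else "ok", info["reasons"])
```

On the constructed data, A1, A2 and A3 collapse into one cluster even though no single attribute is shared by all three: A1 and A2 reuse a phone number, A2 and A3 reuse a photo hash and a device. A2 is flagged purely on graph linkage, while A3 is flagged by linkage plus its own inconsistencies; A1 and A4 stay below the threshold. In a real pipeline the edges would also reach into external intelligence (known synthetic-identity clusters, breach corpora), which is where the article's "prior exposure of their personal data" signal comes from.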