Securing Employee Onboarding with KYE for IAM
Understanding the significance of 'Know Your Employee' (KYE) in onboarding is becoming the next level of security in IAM. Recently, remote employees and contractors are a weak link in the security of a business. In one case, North Korea has targeted businesses with inside employees that decide to earn salaries, exfiltrate information, or remain sleeping agents until needed. Most companies will never need to worry about this type of threat, and the risk is low, but we will detail some aspects to look out for and secure. The extreme is a nation-state actor, in which case you can only do your best as it shouldn't be your top worry at the end of the day. These recent articles go into cases where employees bypass some onboarding checks and are able to work remotely undetected,US dismantles laptop farm used by undercover North Korean IT workers (bleepingcomputer.com), and Thousands of North Korean Workers Got Remote US Jobs: FBI - Business Insider. We will discuss further the gaps and some easy and effective preventative measures that would have caught these fake workers. IAM teams should be working closely with HR and they can further improve that partnership to identify threats earlier in the onboarding process.
In some cases, the person you interview in person might also change as they used a stand-in person to bypass the physical or pre-screening steps. In this scenario, future facial analysis of employees might be required to verify that the hired employee is the same as intended. As we detailed in past articles, IDs are extremely easy to fake and cannot be relied on as a single factor. IAM teams are already adding facial verification for password resets, and more so, adding it as a new joiner flow and computer unlocking is possible.
We will first examine the vulnerabilities and ways security teams might attempt to catch fraudulent remote workers. The most basic check is looking at IP addresses and seeing unauthorized remote work, but everyone knows that check is done, so they resort to residential IPs in the country and, voila, laptop farms. Another step is fingerprinting, where you have to go into an office and get printed for an FBI background check. Mostly, high-risk places do this, like some banks and the effectiveness is unknown, but it would have thrown an obstacle in the process. The next step is checking for RDP software; plenty of security solutions will look for that and ports to RDP services. However, those can be masqueraded and tunneled too, and no details in the article explain what the companies did to detect this behavior. Another technique could be using a separate camera pointed to the laptop and then hooking up a physical keyboard and mouse with an IP KVM. This allows users not to install RDP software and remotely control a device. In this case, detecting device descriptors and other details is essential as tools like CrowdStrike Falcon® Device Control & USB Security can help manage this threat. Again, this only goes so far, as the more advanced threats will spoof much of the device data and appear as an ergonomic setup with a big monitor, keyboard, and external mouse.
Even the most locked-down devices can be remotely controlled via a robot. Detecting USB and other devices is one way to prevent this exploit. It's a good security measure for physical keyloggers that businesses should use to secure a desktop. However, if someone wanted to bypass that, they can get a physical robot similar to how mobile apps do testing, for example, this device https://www.adaptarobotics.com/robots/or https://www.mobot.io or Kickstarter Keyboard robot. These would be extremely difficult to set up, and the high output of keystrokes needs to be mimicked at high speed to be feasible. It is possible if you only need to run a script or short commands. However, it is unlikely to be used daily and is more of an exit exploit that will burn the employees once they are out of the country. The mouse portion is accessible too, as styluses could be controlled similarly to the phone video so that clicking is remotely controlled too.
It is up to how sophisticated someone is, and physical tampering requires much knowledge of what can be modified. i.e., splicing the cable connector for the keyboard and connecting it to another remote device. This is typically the easier option as relying on some remote manipulator robots' arms does not match the speed needed for office work. Similar to a Trojan attack mentioned here https://www.blackhat.com/docs/asia-14/materials/Dunning/Asia-14-Dunning-Building-Trojan-Hardware-At-Home.pdf it can easily be repurposed for remote control purposes. Having device tampering is a way to catch some of these attacks, but it is worthless if the device is entirely powered down and they know how to bypass the check.
Bluetooth mouse and keyboard to a phone is another option. Some apps create virtual controls via Bluetooth to a phone. Multi boxers have done this too in the past, and using old hardware is a way to bypass many USB and new security device checks http://www.vetra.com/wow.html#anchor10757 you can simulate mouse and keyboard on one device with RDP and then split it to the other corporate-owned device to improve latency. Using multiple layers of devices to mask any signal detector analysis also works. They are adding an external monitor with another device in the middle to capture the screen if there is protection against recording it. https://www.keelog.com/vga-hdmi-dvi-capture/ Once there is an exploit to control a device, there are more options for bypasses. Nothing is stopping a person from physically getting hired and going to the office or even working remotely but not controlling their device. They could appear to be typing and moving their mouse, but in reality, a remote threat actor is doing the actual work, and the person mimes and acts like a dummy going to the office daily. There is an infinite supply of people willing or tricked into committing illegal activities as long as they get paid.
As demonstrated, the possibilities for circumventing device-based security, whether hardware- or software-based, are extensive. However, it's crucial to remember that every measure has a countermeasure. For instance, IT teams could consider adding GPS and mobile SIM connectivity to computers as an additional check on location. Yet, at a certain point, the cost and work restrictions of implementing all security measures on the devices themselves become prohibitive. This is where KYE emerges as a more accessible and cost-effective solution for many of these scenarios. Introducing a random authentication check, for example, could have detected many of the North Korean IT workers. Managing the laptop farm would become more challenging as the operator would also have to contend with various levels of biometric verifications. Companies could require physical device insertion for authentication, and demanding multiple Windows Hello authentication methods could be a way to catch bad actors.
Other companies require live feeds of users on their computers. This can be a good check but can be bypassed if they tap into the feed and change the source video, as explained earlier. For example, you could hook up a webcam that is connected to the internet and then connect it to the laptop to output the feed only. This way, the only way to detect would be if device-based signature checks were not spoofable. How to Convert Laptop Webcams to USB Webcams (youtube.com) It also will turn away many employees who see it as privacy-invasive and overkill on security.
Achieving NIST AAL3 should be an essential starting guide for creating a secure employee onboarding process. In these KYE processes, multiple identity proofing requirements should be collected. It is still bypassable, but the key is to add randomness to future verifications. Taking a random snapshot of a user is one method, but it would require the camera not to be covered. Catching these fake workers is much better than doing it upfront before any damage is done. To do this, you need a very robust identity verification process with multiple sources of truth. Like Trust Swiftly's approach, we do not take the word of one method but trust an identity only after approvals from numerous data points exist. As with most of our solutions, it takes a multiprong approach using people, hardware, and software processes that detect these types of bad actors. It is essential to revisit your security approach, and we predict biometrics and KYE (Know your employee) will play a more critical role in employee onboarding in the future.