
Impersonation Protocol - Russell Mosley

BSides Peru · 18:29 · 38 views · Published 2023-08
About this talk
BSidesPGH 2023. Impersonation is an increasing problem with remote work. In June of 2022 the FBI Internet Crime Complaint Center posted a bulletin warning of deepfakes and stolen PII being used to apply for remote jobs. Also, in May 2022 the FBI and US Treasury posted a joint warning of North Korean nationals posing as other nationalities for remote IT contractor jobs, including within the US. Entrepreneurial individuals with questionable ethics have been doing this for a long time, and recently groups of people are working together to front someone who interviews well, then swap in someone else or even farm out the work to an individual in another country and pocket the margin. I'll share some high-level scenarios and new-hire bait-and-switch situations from the news, then ones that I had to deal with firsthand. Next we'll expand on the impact of these types of situations and how companies have and can get into trouble, and list the risks you face when dealing with a situation like this. Then we will get into the takeaways: how to protect, detect, and respond to this issue. We'll share a fairly formal process that attendees can use to build a similar program tailored to their organization.

Literally every organization has insider threat cases; we don't hear about most of them. Impersonation cases are on the rise with remote work and the latest technology. Could you identify if an individual performing remote work wasn't the person interviewed and hired? Could you detect individuals holding down other full-time jobs while working for you? How is AI contributing to interview fraud? What about unauthorized outsourcing? We'll discuss insider threats, specifically impersonation incidents, and how to prevent, detect, and respond to them.

Russell Mosley: Russell is a Professional Services Manager at CrowdStrike and former CISO who held previous roles as sysadmin, security engineer, SOC manager, IT infrastructure manager and more. Russell has led all aspects of cybersecurity programs, including secops and incident response and compliance programs for FISMA, NIST 800-171, PCI, SOC 2, ISO 27001. Russell is an organizer and volunteer with several conferences including BSidesCharm and the Blue Team Village at DEF CON. https://pretalx.com/bsidespgh-2023/talk/MJYDY9/
Transcript [en]

Okay, you good? Yeah. ... involving individuals from North Korea posing as non-North Korean nationals while applying for remote work. So what could happen if you hired a contractor who's a North Korean national? Well, besides the fact that they could be a Chollima, like we heard about in the talk an hour ago, and cause data theft and extortion or another type of incident, this could also cause you reputational and regulatory impacts if you were to find out and the public were to find out, and additionally you could face sanctions under U.S. and U.N. authorities.

So thanks for joining me today for this session, Impersonation Protocol. My name is Russell Mosley and I'm a professional services manager at CrowdStrike on the strategic risk advisory team. What that means, in short, is that I help our clients with proactive consulting engagements, doing things like cybersecurity maturity assessments, SOC assessments, ransomware readiness, that sort of thing, and tabletop exercises, which are my very favorite. I want to clarify that I am not a lawyer. Some of the things I'm going to mention you should definitely talk to your legal team about, because they may or may not be okay in your jurisdiction. I'm also not here speaking on behalf of CrowdStrike; I am here on my own dime and these are my recommendations, not CrowdStrike's. Additionally, as you can see there, I really enjoy BSides conferences and practitioner cons. I help run the BSides in Baltimore, BSidesCharm, and I'm a director with the Blue Team Village at DEF CON. And last but not least, because I know that people from Pittsburgh are very serious about their sports teams, I'm a huge Penguins fan. I grew up in Washington, PA. That's me at one of the Penguins' Stanley Cup parties, I think after the 2016 Cup. But I'm super excited to be here. I've known about BSides Pittsburgh for a number of years, never got around to submitting a talk or coming up, and finally saw an opportunity this year, so I wanted to thank you for having me.

All right, so we're going to talk about this problem of impersonation and what to do about it. To get started, I'm going to explain the problem as I've experienced it firsthand over the years as a security practitioner, and then talk about some examples of impersonation. Then we're going to talk about some possible mitigation steps, the foundation of which were really developed by my CIO and me at a previous job, and we dubbed it Impersonation Protocol. This is essentially a playbook for impersonation cases. And since this is a BSides and I'm not a very exciting speaker, I decided to make my talk a little less boring by making it themed. If you didn't notice from the intro there, we're going to use the band Rage Against the Machine to help explain the problem today, which I immediately decided I had to do when the opening slide was a public service announcement.

So let's get started. What is impersonation? Well, impersonation as a cybersecurity risk falls into the category of insider threat. An insider threat is something that's difficult to detect, because most tools are really focused on external threats, and internal threat programs with formal capabilities to be able to identify impersonation are very rare in my experience. You have to have mature governance, monitoring, visibility, identity security, alerting to find it, or you're going to be relying on your team to notice. And that's really why I put this talk together: as a CISO I dealt with a number of impersonation cases, and as a consultant I've observed that most companies don't have the ability to detect these.

So what are some examples of impersonation? It looks something like this, and this is one more attempt to play audio. This is a video called "The North Korean military choir performs Killing In The Name Of." As described by the FBI public service announcement, people are committing identity theft to get hired, claiming they're someone else and then using that person's experience to get a job. And I hope we can get this to work for a moment.

Well, it looks like it's not going to work, but if you haven't seen this you can look it up on YouTube. Basically you've got the Rage Against the Machine song "Killing In The Name Of" dubbed over a performance by the North Korean military choir. It's pretty funny. Sorry about the fail there.

The next is a scenario that I've witnessed as a CISO, and I've dubbed it the onboarding bait and switch. So in this scenario, you interview and find a candidate that's qualified for a job and you hire him. Then on the first day a co-conspirator shows up and starts work. And I apologize to any Chris Cornell fans, but yes, this absolutely happens. Sometimes what will happen is the interviewee was paid by the candidate; other times the interviewee will find a few co-conspirators and they'll get hired and then they'll have those folks go take the jobs for them. Usually what we see is someone who's really good at interviewing goes out and gets jobs and then finds co-conspirators to help them do this. I've seen this multiple times, and with CrowdStrike and IRs. You might be asking yourself, well, how could someone pull this off? And so I have an example, particularly at larger companies, and I can tell you this has been my experience more than once. When you're interviewing for a job, you'll interview with someone who's a hiring manager on a team, but they might not end up being your manager; they're one of the managers. And then they decide to offer you a job and you're going to start, and you might come back one month, two months, even three months later. So especially if your hiring manager that you talk to on your first day isn't the one who interviewed you, you could see how there's a possibility, in a fully remote setting, you know, you were remotely interviewed and your job is remote, you could pull this off.

So related to onboarding bait and switch, and what might be a goal of it, is what I've dubbed unauthorized outsourcing. So unauthorized outsourcing is when someone gets other people, external parties to the organization where they're employed, to do their work for them. I've got a couple of examples here. So I had one case where a subcontractor called us up and they said that they had to fire one of their employees because she told them she was getting help doing her work. They wouldn't tell us who was helping her, other than that she had some reports that she couldn't explain, so they kind of pressed her on it and she eventually admitted that she was having help. The assumption here is that, you know, perhaps a partner or a family member or a friend was helping her. We never really found out, but we did have to write it up as an incident and report it to the agencies that she was doing work for. She could have been farming it out to consultants at Upwork or something more sinister; we just don't know.

In the other case, it was reported that someone showed up to a team meeting and gave a presentation to the team on something they had been working on for weeks, and the team reported to us they didn't recognize this person, the face or their voice. However, this person used the name of the person we had hired and it appeared they were the one who had done the work. We investigated that one and found that their corporate laptop had an unauthorized installation of TeamViewer on it, pulled the logs, and found out that there were regular connections from a host and an IP address located in Asia, and this person eventually also admitted that they had someone else helping them do their work.

So these cases, they happen, and I think there are a number of reasons why, but companies tend to not report them unless they have to: unless it materially affects the business, or it goes public on its own, they generally don't report insider cases. In the forefront, that's Tool singer Maynard James Keenan; he was a guest singer on one of Rage Against the Machine's songs.

All right, another problem that's related is multiple jobs. Sometimes people hold down multiple full-time jobs themselves. If you haven't come across this, you might be surprised just how common this is. So this is what it looks like. At a former job we caught someone who was not only working for us as a contractor but who also had two government jobs. Seriously, this person was working three jobs and collecting three paychecks for at least some period of time before we figured it out. We fired them, we notified the government; who knows what they did. They probably eventually fired them, but that can take quite a long time. And it turns out this is a common problem, at least with US government contractors. I've talked to numerous CISOs that found the same thing. It seems like it's easy to get away with, at least in the government contracting world, if you're fully remote. So what's the problem? Well, I mean, it really depends on what your employment agreement says. It may or may not violate the terms of that agreement to have multiple jobs. I think that most private companies today want you to report if you have any other job. There's definitely concerns about confidentiality and the access to the information that you have across multiple jobs, and that together could also constitute a conflict of interest. If you don't recognize Tom Morello, the lead guitarist for Rage Against the Machine, that's him touring with a bunch of other bands. There's even a site now called overemployed.com where people share tips on how to work multiple full-time jobs. Pretty interesting if you take a look at that.

Employers are being impersonated as well. Threat actors will impersonate recruiters to steal your information, and there are lots of other scams that are related, and this even happens in infosec. This happened last year to my friends at Graylog. They found a scammer and posted publicly about it, and here's a quick summary. So this scammer registered a look-alike domain: they registered graylog.com except with a second l, so unless you look very carefully you might not notice. Then they used sketchy recruiting firms to solicit job applicants. Those applicants were then sent a fake check to pay for office equipment and told to use Zelle to send payment to office equipment vendors. Well, those vendor accounts belonged to the scammers. So they sent you a fake check, they had you buy stuff, and you never got anything and they got your money.

So this is a quick summary of impersonation cases. There's probably a lot more variations, but with a 20-minute time slot I just wanted to hit some kind of high points there. Next, how can you mitigate against them? Well, let's start with prevention. So my high-level recommendation here is, if you don't have one, think about developing an insider threat program, and once you get there, also think about developing an impersonation playbook, and consider some of the things that I'll be mentioning on my next slide or my next few slides. If you don't want people working multiple full-time jobs, then legally include that in your employment agreement and inform people of that. You should also have a solid acceptable use policy that prevents unauthorized activity that would impersonate or allow them to outsource their job to others. Also consider a travel or remote work policy. It's obviously more tricky in today's environment; you know, to get the best talent you may need to allow fully remote work, but you still could disallow work from outside the United States if you're not a global organization, or by exception, or monitor for people who are working from outside the United States or their primary location. It's not that hard to do; it's actually required for many US government contractors. And then of course, clearly implement defined and granular role-based access controls to limit exposure to assets.

These are some steps you could consider while interviewing candidates remotely, or doing things like unlocking accounts or even enrolling a new MFA device. Require cameras on for interviews, and with sufficient lighting to see the candidate's face. That was definitely a theme that we saw in multiple cases: when this was happening, the folks had a poorly lit room to even further mask their identity. Then do an ID check at each interview. I just got a new iPhone and I had to do a live Zoom, do an ID check, in order to enroll the MFA app on my new phone, and it took like five minutes. This is no big deal. And the way that we implemented this for hiring at a previous job was, for each interview, HR would start the interview with the candidate and they would do an ID check, and they would get a screenshot of the person sharing their ID and they would store it during the interviewing process. And I don't want to talk about the privacy implications of that at the moment; we did have an archive process. But basically then, after grabbing a screenshot and doing an ID check, they would let the interviewer into the call and the interviewer would take over and do their interview. We also required the hiring manager to attend as many of the calls as possible, and the last one before waiting for the candidate to start their job. Also consider basic biometric enrollment with new hires in person at an office.

So what are some ways you can detect impersonation cases? Well, starting with onboarding: make offer letters contingent on background checks, and this is one of those things you have to look at the legality of and the way that people interpret doing this. But not only a criminal check; you can also run credit checks and other types of background checks. And one that's, I think, really high value, if you haven't thought about this, is doing a payroll check. If you have a vendor like ADP or Paychex, you can ask them if a candidate is already receiving paychecks from another organization. Depending on your relationship with them, I've found that they've always given us the answer, and we've used this to not only find out during the hiring process that someone had another full-time job, but also while they were working for us. You know, obviously things like working at Lowe's on the weekend or something doesn't matter; we're looking for other full-time jobs here.

More suggestions for identifying impersonation once you've hired people: have cameras on for team meetings or for manager one-on-ones, as I mentioned earlier. Enhanced identity protection with conditional access, and look at your alerts for impossible travel. So many companies don't pay attention to those alerts. It just boggles my mind that you're not looking at alerts from your IAM tools and from your VPN tools on impossible travel. The last two here might be the most important: train managers on how to detect possible impersonation cases or cases of unauthorized outsourcing, what indicators to look for, and when to engage that Impersonation Protocol, that playbook that you've built. And last, developing a security-first culture. This is something that's huge at CrowdStrike. I can't go into a lot of details, but we really train staff that if they see something, to say something, and the company rewards diligence. And I did this myself in my last role as a CISO. One of the first things I did was create challenge coins for the company. They were Cyber Champion challenge coins, and we would give them out to people as rewards, for people who identified serious phishing scams or other potential incidents or vulnerabilities and risks that we weren't aware of. We actually gave the first one to an accounting manager who stopped payment on a submission attempt to pay like twenty thousand dollars. It was just going to breeze through; she called us, and so we publicly rewarded her and gave her the first challenge coin. CrowdStrike's insider risk team told me, when I asked them some questions before doing this talk, that it's a major focus of theirs to build that security-first culture and simultaneously try to not come off as Big Brother.

So last, how do you respond to an impersonation case? Well, first and foremost, follow your documented processes, that Impersonation Protocol. If you put together a playbook, follow your documentation and involve HR and legal. It's so important with insider cases to involve HR and legal, because you really need to be careful to abide by applicable laws and don't make any mistakes that could lead to lawsuits. I've also seen that happen. Use the data that you have, you know: interview screenshots, geolocation data, asset inventory, configuration information. Use your IR firm, maybe perform your own OSINT, or even hire a private investigator if you need to.

So these are my main takeaways. Impersonation and fraud in hiring and employment are far more common than you think. You should develop employment agreements and policies that are necessary to protect your organization. Consider developing an insider threat program, and as I say here, in collaboration with HR and legal, and developing a specific playbook for impersonation cases in collaboration with HR and legal. That's it. Thanks for coming. That QR code is my LinkedIn, and I'll be around for the rest of the day if anyone wants to talk any more.

That was great, thank you Russell. Thank you.
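The two sign-in checks the talk recommends, alerting on impossible travel and on work from outside the organization's allowed region, as an added example that is not code from the talk or from CrowdStrike. It assumes constructed sign-in events whose country and coordinates have already been resolved by the IdP or VPN log, a US-only allowed-country set, and a 900 km/h plausibility threshold.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not from the talk): (user, UTC time, country, lat, lon).
SIGN_INS = [
    ("alice", "2023-08-01T13:00:00Z", "US", 40.44, -79.99),  # Pittsburgh
    ("alice", "2023-08-01T17:00:00Z", "US", 39.29, -76.61),  # Baltimore, four hours later
    ("bob",   "2023-08-01T13:00:00Z", "US", 38.90, -77.04),  # Washington, DC
    ("bob",   "2023-08-01T15:00:00Z", "KP", 39.02, 125.75),  # Pyongyang, two hours later
    ("carol", "2023-08-01T02:00:00Z", "SG", 1.35, 103.82),   # single sign-in, outside allowed set
]
ALLOWED_COUNTRIES = {"US"}   # assumption: a US-only, non-global organization
MAX_SPEED_KMH = 900.0        # roughly airliner speed; anything faster is not plausible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, allowed_countries=ALLOWED_COUNTRIES, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, alert_type, detail) tuples for out-of-region and impossible-travel sign-ins."""
    alerts = []
    last_seen = {}  # user -> (time, lat, lon) of that user's previous sign-in
    # ISO timestamps sort chronologically as strings, so sort by user then time.
    for user, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = parse_ts(ts)
        if country not in allowed_countries:
            alerts.append((user, "outside_allowed_country", country))
        if user in last_seen:
            t0, lat0, lon0 = last_seen[user]
            hours = (t - t0).total_seconds() / 3600.0
            km = haversine_km(lat0, lon0, lat, lon)
            # Same timestamp but a real distance apart is treated as impossible travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        last_seen[user] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGN_INS):
        print(alert)
```

In a real deployment the events would come from the IAM or VPN logs the talk mentions, and a user's "primary location" could be added as a per-user allowed set rather than one global one.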