i³ Threat Advisory: Detecting the Use of Multiple Identities

ACT NOW TO MITIGATE RISK

  1. Provide all employees with corporate devices to perform their duties.
  2. Limit access to corporate data and assets from personal devices.
  3. Allowlist corporate mail applications and websites on corporate devices.
  4. Monitor for use of personal webmail and provide targeted security awareness training to highlight the risk to the company.

INTRODUCTION

The DTEX i³ team has responded to several insider investigations and incidents involving the use of multiple identities and accounts on corporate devices.

The recent Okta customer support system breach underscores the importance of separating corporate and personal realms at work. In that case, an employee had saved a service account’s credentials into a personal Google profile that was signed in on an Okta-managed laptop; those credentials were most likely exposed through the employee’s personal Google account or personal device, and their misuse led to data exposure for 134 customers.

DTEX has also encountered several investigations where the use of multiple accounts was associated with an increased risk of data loss from both malicious and non-malicious insiders. The i³ team has commonly seen insiders use personal webmail to run side gigs on corporate devices without understanding the risk they pose. In other instances, the team has observed insiders intentionally leveraging personal webmail to spread misinformation or disinformation.

To help prevent similar situations from occurring, DTEX i³ has developed several detections and alerts within its InTERCEPT™ platform for escalated behaviors that identify the use of multiple identities.

DTEX strongly encourages all insider risk practitioners to create and enforce acceptable use policies and communicate them back to employees on an ongoing basis. If a potential compromise is detected, organizations should apply the incident response recommendations.

OPERATIONAL SCENARIOS

Personal Webmail Activity on Corporate Assets

The DTEX i³ team has seen an increase in organizations allowing the use of personal webmail on corporate assets, a major trend from last year following the normalization of the hybrid workforce. Further investigation has shown, however, that allowing users to perform personal activities on a corporate asset is not as innocuous as one may believe. It can, and has, caused businesses real damage, as the examples below show.

Side Jobs

Many individuals have been identified using their corporate device for side jobs, in many cases during expected corporate hours. Examples include realty, selling or reselling cigars and other goods, taking on government contracts, holding a second job in the same field as their current one, and more. Additionally, individuals involved in research and development within an organization have been identified applying corporate research to their own business.

Use of Multiple Identities

This is a natural consequence of allowing personal webmail on corporate devices: the user now operates under a personal email address as well as a corporate one. The DTEX i³ team has also observed the same or similar aliases reappearing on other sites, which can reveal more about the user and their browsing habits. Because this is a more advanced detection, it is initially manual during the early stages of an investigation, but it can quickly be automated within the DTEX InTERCEPT™ platform.

Compromised Credentials

A side effect of allowing personal webmail is that the user often signs the browser itself into their personal profile for convenience. Most popular browsers will then store saved passwords and notes in that profile, including work-related passwords, and sync them to every device on which the profile is signed in. While the platforms themselves implement secure password storage, the user’s personal computers and devices may not be as well protected. If the user holds a role of particular interest to an external threat actor, this can lead to an organizational data breach, as seen in the initial stages of the Okta breach.

Links to Extremist Groups

In one investigation conducted by the DTEX i³ team, an employee used their employer’s infrastructure plus multiple personal webmail accounts to spread extremist material. Further investigation revealed that the employee was quietly supporting a terrorist organization and actively distributing Jihadi propaganda and training material.

INVESTIGATION

DTEX releases regular content which contains new Data Enrichment categories, Modules, or Visualizations designed to help DTEX insider risk practitioners detect insider threats.

When building and tuning rules, each organization should also consider localization. Take the side job of a realtor: a personal business of this type may also be described as an “estate agent”, “house agent”, or “property broker”, and a rule keyed on one term will miss the others. The DTEX insider risk practitioners within your organization should understand what the rules within the DI package can detect and then tailor them for their own use case.

Below are examples of profiles within DTEX InTERCEPT.

This content is classed as “limited distribution” and is only available to approved insider risk practitioners. Log in to the customer portal to access the indicators, or contact the i³ team to request access.

EARLY DETECTION AND MITIGATION

Broadly speaking, there are several steps organizations can take to help mitigate the risks associated with the use of multiple identities. The DTEX i³ team encourages insider risk practitioners to:

Monitor for use of personal webmail and provide targeted user training to highlight the risk to the company.

Continuous monitoring enables early detection of corporate data being used with personal webmail (whether intentional or not). This is challenging if users are not provided corporate devices, or if corporate data may be accessed on personal devices such as phones. Whatever technology landscape the organization has in place, employers should be mindful of privacy regulations and compliance.

Without a dedicated insider risk monitoring solution, organizations should consider how they can capture user browser activity (for example, web proxy logs or browser history telemetry) to detect when a webmail client is being accessed through a browser on a corporate device. This should be weighed against local workplace laws and the amount of data the monitoring solution captures.
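The following is an added example, not DTEX’s code or an InTERCEPT rule, of what such browser-activity analysis can look like when run over captured history or proxy records. It covers the three signals this advisory discusses: access to personal webmail from a corporate device, a non-corporate identity observed alongside the corporate one (the “Use of Multiple Identities” scenario), and page titles that suggest a side job, matched against the localized term variants recommended in the INVESTIGATION section. The corporate domain (corp.example), the corporate mail host (outlook.office.com, which must not be flagged), the webmail host list, the side-job vocabulary and the sample records are all assumptions; the records are constructed, not real data. Identity extraction relies on an address appearing in a URL (such as an OIDC login_hint parameter) or in a page title, as Gmail does with the signed-in account.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions (not from the advisory): corporate mail domain, corporate mail host
# that must NOT be treated as personal webmail, and common consumer webmail hosts.
CORPORATE_DOMAIN = "corp.example"
CORPORATE_MAIL_HOSTS = {"outlook.office.com"}
WEBMAIL_HOSTS = {
    "mail.google.com", "outlook.live.com", "mail.yahoo.com",
    "mail.proton.me", "mail.aol.com",
}

# Side-job categories with localized variants; one category, several spellings.
SIDE_JOB_TERMS = {
    "realtor": ("realtor", "estate agent", "house agent", "property broker"),
    "reseller": ("reseller", "wholesale lot", "for sale by owner"),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records: (user, url, page title). Not real data.
SAMPLE_RECORDS = [
    ("jsmith", "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?login_hint=j.smith@corp.example", "Sign in to your account"),
    ("jsmith", "https://outlook.office.com/mail/inbox", "Mail - Outlook"),
    ("jsmith", "https://mail.google.com/mail/u/0/#inbox",
               "Inbox (3) - jsmith.realty@gmail.com - Gmail"),
    ("jsmith", "https://www.example-listings.net/agents/dashboard",
               "Estate agent listing dashboard"),
    ("mlee", "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?login_hint=m.lee@corp.example", "Sign in to your account"),
    ("mlee", "https://docs.corp.example/wiki/Onboarding", "Engineering wiki"),
]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_personal_webmail(url: str) -> bool:
    """True when the host is a known consumer webmail front end, never for corporate mail."""
    host = host_of(url)
    return host in WEBMAIL_HOSTS and host not in CORPORATE_MAIL_HOSTS


def side_job_categories(title: str) -> list:
    """Categories whose localized variants occur in the page title (case-insensitive)."""
    text = title.lower()
    return sorted(cat for cat, terms in SIDE_JOB_TERMS.items()
                  if any(term in text for term in terms))


def identities_in(url: str, title: str) -> set:
    """Email addresses visible in the URL (e.g. login_hint) or the page title."""
    return {addr.lower() for addr in EMAIL_RE.findall(url + " " + title)}


def assess(records) -> dict:
    """Aggregate per user and decide whether the combination of signals warrants escalation."""
    per_user = defaultdict(lambda: {"webmail_hosts": set(), "identities": set(), "side_job": set()})
    for user, url, title in records:
        acc = per_user[user]
        if is_personal_webmail(url):
            acc["webmail_hosts"].add(host_of(url))
        acc["identities"] |= identities_in(url, title)
        acc["side_job"] |= set(side_job_categories(title))

    findings = {}
    for user, acc in per_user.items():
        external = {a for a in acc["identities"] if not a.endswith("@" + CORPORATE_DOMAIN)}
        corporate = acc["identities"] - external
        multiple = bool(corporate) and bool(external)
        webmail = bool(acc["webmail_hosts"])
        side_job = sorted(acc["side_job"])
        # Escalate only when a second identity coincides with side-job activity;
        # a lone webmail visit is a policy question, not an incident.
        if multiple and side_job:
            severity = "escalate"
        elif webmail or multiple or side_job:
            severity = "review"
        else:
            severity = "none"
        findings[user] = {
            "webmail": webmail,
            "webmail_hosts": sorted(acc["webmail_hosts"]),
            "external_identities": sorted(external),
            "multiple_identities": multiple,
            "side_job": side_job,
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for user, finding in assess(SAMPLE_RECORDS).items():
        print(user, finding)
```

Run as-is, the script reports jsmith as “escalate” (corporate identity plus a Gmail identity plus an estate-agent page) and mlee as “none”. The severity ladder is deliberately conservative: a single personal-webmail visit only warrants review, so the output stays usable as an alert queue rather than a noise source.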

Provide all employees with corporate devices to perform their duties.

An organization’s ability to protect their data hinges on their ability to control it. Providing employees with corporate devices to perform their work duties is critical to achieving this.

Corporate devices enable employers to establish clear expectations and use policies around acceptable usage. Employers should also define what is being monitored (as well as what is not being monitored) on corporate devices and communicate that back to employees.

Limit access to corporate data and assets from non-corporate assets.

Providing employees with corporate devices to perform their work duties should negate any need for them to use their personal devices for work purposes.

Organizations that want to allow employees to access work emails via their personal mobile phones should ensure business profiles on mobile devices are enforced. This segregates business applications from other applications on an employee’s mobile device, which enables employers to clearly define what will be monitored on the employee’s phone.

Allowlist corporate mail applications and websites on corporate devices.

Organizations should allowlist wherever possible: work out what employees need to access on their corporate devices to do their work, and allow only those applications or sites.

This is most common in government organizations, where strict security and compliance rules often apply. It can be done in corporate environments too, but it requires dedicated effort to choose the technologies, keep the list updated, and run an exceptions process for cases where the risk can be tolerated.
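As an added example (not from the advisory or DTEX), the following Chrome managed-policy fragment implements the browser side of this allowlist and also closes the profile-sync path described under “Compromised Credentials”: every URL is blocked except the allowlisted corporate mail and sign-in hosts, personal browser sign-in and sync are disabled, and the built-in password manager is turned off so credentials cannot be saved into a profile at all. The hostnames are placeholders; on Linux the file belongs in /etc/opt/chrome/policies/managed/, and on Windows the same policy names are set through the Chrome ADMX templates. Microsoft Edge accepts the same policy names.

```json
{
  "URLBlocklist": ["*"],
  "URLAllowlist": [
    "outlook.office.com",
    "login.microsoftonline.com",
    "mail.corp.example",
    "intranet.corp.example"
  ],
  "BrowserSignin": 0,
  "SyncDisabled": true,
  "PasswordManagerEnabled": false
}
```

Blocking “*” is the strictest starting point and will break routine work unless the allowlist also carries every SSO, update and collaboration host the organization actually uses, which is exactly the ongoing list maintenance and exceptions process described above. Pair the policy with an enterprise password manager, since turning off the browser’s own store without an alternative pushes users back to notes files.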

CONCLUSION

Addressing the needs of the employee to perform their job, whether it is in the office or remotely, is a critical step in maturing an insider risk program. Providing a clear delineation between corporate versus personal uses on corporate devices helps filter the noise, enabling insider risk practitioners to prioritize alerts and potentially malicious insiders.

Continuous education, program improvement, and monitoring can significantly help in fostering a strong security culture and protecting the data most important to the organization.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the DTEX i³ team.

RESOURCES

SANS Institute

SANS provides various resources on web application security, including training courses, whitepapers, and articles. It covers topics ranging from secure coding practices to penetration testing.

Common Sense Guide to Managing Insider Risk

The guide describes 22 best practices for mitigating insider threat based on the CERT Division’s continued research and analysis of more than 3,000 insider threat cases.

i³ Mission

DTEX i³ Mission Statement

DTEX i³’s mission is to uplift enterprise security by proactively detecting and mitigating insider risks.

Combining 20 years of insider risk experience with our potential risk indicators, we empower organizations to stay resilient, and maintain control of their public narrative and global success.

Importantly, DTEX i³ often discovers wider security threats that extend beyond insider risks. Such external threats are typically the outcome of an insider incident, not the intention of the insider.

In both cases, DTEX i³ prioritizes detection and deterrence, helping organizations to do away with reactive incident response.
