KBKAST
Episode 348 Deep Dive: Alex Tilley | DPRK IT Workers Go Global
First Aired: December 24, 2025

In this episode, we sit down with Alex Tilley, Global Threat Research Coordinator at Okta, as he unpacks the evolving threat landscape posed by North Korean IT workers infiltrating global organizations. Alex shares insights from his recent research, emphasizing that this is not just a US big tech problem but a widespread issue affecting various industries—including healthcare, automotive, and construction—across multiple countries. He highlights the sophistication of fake applicants, their use of advanced techniques to bypass hiring filters, and the alarming success rate, even if only for short periods. The conversation explores the challenges companies face in verifying remote candidates, the necessity for ongoing identification checks, and the implementation of least privilege access for new hires.

Alex Tilley is a Cyber Intelligence and investigation guy with over 25 years of experience spanning the private sector and federal law enforcement. As the Australian Federal Police’s first Senior Cybercrime Senior Technical Analyst, he specialised in unmasking and prosecuting sophisticated threat actors in global cybercrime and child protection. In his current role as Global Threat Research Coordinator at Okta, he leads law enforcement liaison efforts and drives critical threat research for the world’s leading identity company.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Alex Tilley [00:00:00]:
Do they need access to this stuff? Until you can verify that this is a real person and this is the person that we thought it was, which is more to the point, right? Because sometimes they will be real people. Like, you can pay someone to do anything for you these days, but you need to make sure this is the person that you thought it was. So until you can verify that, then verify it again and again. It’s like an ongoing thing. Maybe they don’t need to give access to their full internal networks and code repositories and data stores and SharePoints, et cetera, with each account they’re privileged on day one.

Karissa Breen [00:00:42]:
Joining me back on the show is Alex Tilley, Global Threat Research Coordinator at Okta. And today we’re discussing the Democratic People’s Republic of Korea, also known as DPRK: IT Workers Go Global. So, Alex, welcome back.

Alex Tilley [00:01:02]:
Thanks very much for having me. I really appreciate it.

Karissa Breen [00:01:04]:
Okay, so you’ve recently conducted a bit of research which we will be linking in the show notes for those that want to dive a bit deeper. But I found this really fascinating and obviously you were part of this research. So let’s get a little bit of the lay of the land from yourself, Alex. Like, what’s sort of going on with North Korean IT workers? You know, what’s the threat? What’s the whole thing with US big tech threats? Like, just tell me everything. What’s happening?

Alex Tilley [00:01:31]:
Yeah, for sure, for sure. So for a while, everyone’s sort of been aware that there was this growing threat of agents operating on behalf of the North Korean government trying to infiltrate and get IT jobs in big American companies. Right. Like, that was pretty well established that, hey, if you’re in a big tech company and you’re hiring remote software developers or remote coders, you’re probably going to have some North Korean people come across your desk as part of applicants for the job. So we started looking at what we can see as Okta through our telemetry, and turns out we’re pretty uniquely positioned to have a good look inside this particular threat, which is really great. So, yeah, myself and my colleague Simon really worked quite heavily to try and get a baseline of factual information that we can say, here are some actual numbers on where the North Koreans are targeting, for, you know, on a vertical basis, to try and get jobs. And then we expanded that out globally. And to be honest with you, the numbers really sort of showed a different picture than what we were expecting.

Alex Tilley [00:02:28]:
So we just sort of went with it.

Karissa Breen [00:02:30]:
Okay, so what were you expecting and what were the numbers, if you can mention?

Alex Tilley [00:02:33]:
Yeah, for sure. So what the common narrative was, obviously, was around that big US tech company. They were the ones who were being targeted. And it became very, very quickly apparent that this is not a US problem. This is not a US tech problem, this is not a big US tech problem. This is a global problem in all different verticals. So when we’re looking at it, obviously the US is overrepresented in as much as it is the large piece of the pie, in as much as these are the companies that are getting applied for and having interviews with North Koreans. But when we started to sort of drill down in it, if we take America out of the picture, every other Western nation and quite a few Asian nations are interviewing with North Korean operators.

Alex Tilley [00:03:16]:
So we saw that the global footprint of these interviews and these infiltration attempts was massive. And then we started to look at the different verticals again. The common narrative being it’s IT jobs, right? It’s software development jobs in big software development companies. And to an extent, that remains true. You know, the vast majority of the jobs being applied for and the people trying to get into these companies are for software development roles, but they’re not for software development roles only in big tech companies. They’re for software development roles in automotive, in agriculture, construction. Healthcare was the big one. So all these verticals, these different industries, all have apps and software that they develop.

Alex Tilley [00:03:58]:
So they’re all also being targeted by North Koreans for infiltration, which to us rang a bit of an alarm bell, because it’s not just developing an app to, you know, maybe give you a different social media experience. It was developing apps directly related to healthcare and, you know, energy and utilities. This is the sort of technology that was being infiltrated. So our worldview changed quite quickly, and we started to delve more into the numbers, trying to get a bit of a picture of how does this look globally, and put together a report. It took us a long time, and Simon and I worked very hard to get it to where it is. And we were able to say, this is a snapshot. We’re not saying this is, you know, everything. Obviously no one can say they see everything, but we can see a snapshot and we can glean these findings from this snapshot: that everyone needs to be aware of this problem.

Karissa Breen [00:04:44]:
So do you think people are aware of this problem? Like, I have heard that people applying for jobs are like fake candidates. Now I live in the U.S., as you know, and I’m hearing that a lot, a lot more than what I would have heard in Australia, as an example. But do you think people are aware that this is going on or do you think that they’re more like, oh, it’s fake candidates? You know, you’ve seen some of those like reels of someone applying for the job and you’ve got the dude sitting down, like, trying to do the coding in the background to do the technical sort of test. Right. So where does their mind sit? Or are they not aware? It’s more nefarious perhaps than what it is.

Alex Tilley [00:05:17]:
Your last point there is probably the truth. I think everyone who’s hiring for staff, especially remote staff, and remember, I probably didn’t make a point that while it’s mostly IT stuff, it’s also any sort of remote job. Payroll processing, customer service work, payments processing, architectural stuff, civil engineering, anything that you can do remotely is being sort of attempted to infiltrate. So when we see this and we start talking to these companies and saying, hey, you might have interviewed a North Korean, or hey, did you interview this person? And they say, yeah. And we say, well, our information that we can glean together is that this person (a) isn’t who they said they were and (b) is probably working on behalf of the North Korean regime. We’re obviously very careful. With my law enforcement background, you can’t really say someone did it unless you actually saw them do it. You know, evidence is still interesting to have.

Alex Tilley [00:06:07]:
So we sort of say this looks like it to us based on these factors, and people are shocked. To be honest with you, I think the background noise is, yeah, now when I advertise a role, I get 200 applicants, of which 70 look like they’re just ridiculous and they’re not legitimate or they won’t come on interviews, et cetera, like that. But putting those threads together to say, well, hey, of those 70 applicants, 45 were probably run by the same people to get access to your company on behalf of North Koreans. So that is a bit of a wake up call. And as we talk to these different verticals and we say, you know, hey, this is also affecting you guys and here’s the evidence that we have or, you know, at least the intelligence that we have, people are genuinely shocked and they really want to work with us and help us to understand this threat because obviously it affects their business and that’s what we’re here to try and help.

Karissa Breen [00:06:57]:
Okay, so walk me through a bit of a scenario. So obviously at the moment what I’m hearing a lot from people in the market is like some people have been trying to get a job, Alex, for like 12 months, like senior people. So obviously now you’re naturally by default going to get a lot more applicants applying, which we’re seeing anyway, because things are changing, there’s layoffs, you know, AI is taking over certain roles, etc., different investments going in other parts of the business. So there’s a couple of things. So people either go to a recruitment company, they hire, or they put a job out through LinkedIn or like Indeed and Seek and all these sort of like job advertisement platforms, for example. So then obviously they’re getting lots and lots of people applying, they’re sifting through it, whether it’s an outsourced recruitment company or someone in-sourced to do that. Then they’re going through the traditional process of, hey Alex, your CV looks good, let’s have an interview, et cetera. So obviously that’s at that stage.

Karissa Breen [00:07:47]:
But then how does a company not sort of discern then, like, hey Alex, and who Alex is sort of thing? Like, where do any of the dots start to disconnect? Talk me through that.

Alex Tilley [00:08:00]:
Yeah, I think a lot of it does start to fall apart at the personal interaction stage. From us looking at definitely the North Korean identities using our customers and the services through us, we can sort of see the platforms they’re using. And a lot of them are around being better at building a job application, being better at building a CV, better at understanding what a React developer’s toolkit looks like. These types of services that are, you know, commonly out there on the Internet are being used to craft these. In law enforcement, you sort of call it crafting a legend, but it’s like they craft a backstory or a CV or a LinkedIn profile either from scratch or by copying someone’s that already exists and just changing the contact details. Right. If you can find yourself a really good full-stack developer’s LinkedIn profile and you can copy it and copy their CV and just change the email address and the phone number and maybe the photograph on it, then all of a sudden, for all intents and purposes, for this job application, you are that person.

Alex Tilley [00:09:00]:
It’s not until it gets to the end of the job application process where there starts to be probity checks and stuff like that that it can fall apart. So oftentimes getting the interview is not the hard bit. It’s that part where you start interacting with people and people start saying, well, the answers to questions were a bit off on the interview, or maybe the webcam looked a bit strange. You know, there’s this whole thing where I’m sort of trying to coin a phrase around webcam etiquette, and we need to sort of reframe that discussion to sort of say it’s okay on a job interview to do those tests around, you know, hold up today’s paper from your city or whatever it may be. You know what I mean? It’s okay to ask for a bit more clarity that this person is where they say they are, because that’s the point where you can step in and start to understand this might not be the applicant that we thought it was, because they can look. And they use these tools to make their applications look perfect. Which is why we see this interesting scenario where we see the exact same fake identities getting interviewed by companies and getting, you know, sometimes getting jobs at companies several times because their application is

Alex Tilley [00:10:05]:
crafted perfectly to get through those initial automated filtering steps by the HR department or the recruiter. So once it gets through once, they can just keep firing that application through and getting through every few weeks, every few months, as more roles come up. So unless the company is saying, hey, this applicant was, you know, found to be not the person that they said they were, therefore, let’s change our hiring gate posts and let’s change our filtering rules so this person can’t get through again, then we see them sort of go through time and time again, sometimes three, four, five times, which is pretty interesting to us. It sort of shows that their legend building is working, if you know what I mean.

Karissa Breen [00:10:43]:
Yeah, this is interesting. Okay, I want to get into this a little bit more. I want to go back to the LinkedIn profile. So what I’ve found recently, like maybe the last two months, I’m getting a lot of clearly fake profiles trying to add me. I obviously decline them, but because you have the natural, even if I don’t accept to connect with them, they can just automatically follow me. So I think LinkedIn is trying to crack down on that, because sometimes I’ll see like a bunch of people, like the number just go down. And I think it’s them saying, we’ve removed a bunch of these fake profiles.

Karissa Breen [00:11:07]:
But I mean, like, look, do you think. So if you look at a fake profile, it’s pretty obvious that some are fake. Like they were just newly created. They have one follower. And I’m the apparent connection that they have, or like there’s a lot of gaps in like their alleged work history, or there’s a really basic photo, like it’s pretty obvious. But are you saying that some of these people that are applying for these roles, like their CV, if you were to do like a match, it does look legitimate? Because I mean, if you start, and I mean, it’s hard because if you’re doing like talent acquisition, like your job is not, as an Alex Tilley, to do research on these people to this end degree, right? So they may be doing a preliminary check, but maybe is it just not enough? But then also when you’re in the interview with someone, isn’t it obvious then that the person that you think you were interviewing is not the person that you then see when you’re doing a virtual interview, or?

Alex Tilley [00:11:57]:
Yeah, perfect question. That’s exactly what pops up in our heads as well as we’re looking at this work. And it really does come down to, in this case, the adversary is really well experienced and they know that it’s a numbers game from both directions, right? So it’s a numbers game from applications. If you get enough different legends crafted, enough different identities, throwing them at a job, one of them is going to look good enough to get you past the first hurdle, the second hurdle and so forth, right? And then whatever identity gets past those different hurdles or filtering gate points, whatever you want to call them, that’s the application or the legend that you then copy and say, okay, well this one worked. Let’s use ones that are just like this one again at this company or in this, you know, for these types of roles and see if we can’t keep going. Because obviously this is not a static threat, right? These bad guys are learning because they’re really good at what they do. And then from the other side of the fence, as you alluded to, from the hiring manager point of view and the HR department point of view, it’s a numbers game. From the sheer volume of applications coming in, as you said up the top, people looking for work.

Alex Tilley [00:12:58]:
Unfortunately, with layoffs, etc. happening, there’s a lot more people looking for work in IT jobs around the place. So those numbers of applicants are going through the roof. So when you’re trying to filter out all these different applications coming through, you do use the technology and ATS and various different filtering techniques to say, you know, only float me the top 10% of applications because I’m getting a thousand applications for each remote job, right? So if the bad guys can craft their applications to be one of that top 10%, they’re going to get through that first hurdle. So both aspects of this are playing the numbers game. And I’m not sure who’s winning. All I know is that it’s still going on. Which normally in criminal circles, which is my background, crooks don’t keep doing crime if they’re not making money out of it.

Alex Tilley [00:13:43]:
And I would say similar to this, you wouldn’t keep doing any type of intelligence gathering or infiltration campaign if you weren’t having some level of success. So, yeah, I think definitely the numbers game is paying off maybe on the side of the bad guy at this point because the good guys are just getting swamped in applications and it’s really hard to filter those out. To that point of, I can only physically interview 20 or 30 candidates. Right. Or maybe that’s a massive number. I’m not a hiring manager. I can only physically interview so many candidates. So I need to have these automated systems to filter this stuff out, which is where the bad guys can help win.

Karissa Breen [00:14:18]:
Okay, so there’s a couple of things in there that I want to get into as well because I find this really interesting. So, okay, the first question I’m going to ask is, are these people getting through and then they’re actually getting a job, or are they still being barred even if it’s the first or second round of interview? Is anyone actually, according to your research, getting through? So, like, hey, I now work at this company, or what?

Alex Tilley [00:14:37]:
Yes, definitely. It’s not a massive number percentage wise, but when you see the massive number of actual applications, it’s enough to make this lucrative. Definitely.

Karissa Breen [00:14:47]:
Because then my next thought goes to, even if, and I mean, I haven’t gone for a job interview for a long time, so it’d be probably like nine or 10 years. But I remember historically, like when you go for a job interview, they’re sort of telling you what type of project you’re working on. So is that then enough for these North Korean folks to gather that intelligence, to be like, oh, well, we know X company in the US is going to invest $1 billion into this project on XYZ? And now at least that’s some data point, at least, because the hiring manager is sharing this information around. We’re hiring a bunch of people like you to work on this project that we’re going to kick off in 2026, for example.

Alex Tilley [00:15:23]:
Yeah, definitely, that’s. And there’s, I suppose there’s potential for tiers of operators in this type of scenario where you see videos of the interviews with the hiring managers at various companies and they literally, you can see them googling the answers to questions or asking chatbots the answers to the questions on the interview. That’s sort of a lower tier person, all the way through to, if you’ve done enough job interviews for like React developers. I’m not a developer, I’m a network and cybercrime guy. But if you’ve done enough job interviews and maybe had enough jobs for a few months in software development, plus you use all these extra tools online that will teach you how to code and answer your questions around, you know, various different taskings you’ve been given, you can form a reasonable facsimile of a coder for a little while. And it’s only really a little while that they need, to get a few paychecks, right. Like we’re not talking about mostly people who want to stay employed for years.

Alex Tilley [00:16:16]:
Like I’m sure that that would be golden for them. But what we’re sort of seeing and anecdotally what we’re hearing a lot of is definitely, if they can last two months once they get a job, they’re doing pretty well. Like that’s a bit of a win, you know what I mean? They’re not sort of saying you’ve got to get this job and keep it for three years. It’s very much get a few paychecks, get found out sometimes, get what data you can get out of them apparently, and then go on to the next one. Because you’re always working five, six, seven jobs, you know what I mean? So it’s just a churn over of numbers, and with this current environment there’s so many numbers out there that they can just keep churning.

Karissa Breen [00:16:51]:
Yeah, because that’s the part that I was thinking. It’s like eventually people are going to find out that you can’t really do this job, right, and eventually they’re going to fire you. You’d be like, well, you don’t really know it. But then are there telltale signs? I mean, if someone’s coming in pretty heavy and asking like a thousand and one questions, like an investigative journalist like myself would ask, it’d look pretty suspicious. Then like, well hang on, this dude just started working here. They’re asking a lot of questions, and depending on what level of access they have or what type of role that they’re doing in that company, it could be like a very secret squirrel project that they’re working on, for example. So, like, aren’t there easy signs? But I guess at the end of the day, these people aren’t. They’re not necessarily cyber people.

Karissa Breen [00:17:26]:
They’re not thinking like how you and I think, Alex.

Alex Tilley [00:17:28]:
Yeah, spot on. I’ll get to your second point there in a tick. But definitely it’s not really about asking the questions. From what I see when we talk to people, when they get jobs they seem to want to keep as quiet as possible. They want to keep as low a profile as possible just to try and last a few months without getting found out that they’re absent or that they’re not what they said they were. So I think the least that they can speak, the better, as they go forward there. So they sort of try very, very hard to keep a bit of a low profile. But once they’re in.

Alex Tilley [00:17:59]:
Definitely one thing that I’m personally trying to champion, and this is one of those really uncomfortable discussions to have with companies once me and my colleague Simon have sort of said, hey, this is what’s happening with your company. One of the bits of advice that I give people is investigate why you would need to give every new starter full access to your internal network or your code repository. And this comes down to a really interesting cultural question, right? It’s like many organizations say, well, no, we want our new employees to feel like they’re part of the family. We want them to feel like they’re a valued employee. And we don’t want to put up guardrails straight away to make them feel uncomfortable and unwelcome. That’s an internal culture decision, which is whatever. What I’m sort of saying, and Simon is sort of saying, is if you hire someone to be a remote payroll processor or a remote code developer or remote engineer or anything like that, maybe they don’t need access to everything straight away. You should only be giving them access to the specific things they want.

Alex Tilley [00:18:57]:
Right? It’s a pretty basic, as you mentioned, cyber principle. You know, for those of us in cyber, it’s the pretty basic principle of least privilege, right? It’s the same thing with hiring. It’s like, do they need access to this stuff? Until you can verify that this is a real person and this is the person that we thought it was, which is more to the point, right? Because sometimes they will be real people. Like, you can pay someone to do anything for you these days, but you need to make sure this is the person that you thought it was. So until you can verify that, then verify it again and again. It’s like an ongoing thing. Maybe they don’t need to give access to their full internal networks and code repositories and data stores and SharePoints, et cetera, et cetera, with each account they’re privileged on day one. I think that’s a pretty hard discussion to have in my experience, but it does get some people thinking.

Karissa Breen [00:19:42]:
Yeah, for sure. And perhaps would you say it should be like an incremental trusting? So like maybe three months, then the six, then, you know, the nine and the 12. Which I guess is counterintuitive because it’s like, well, hey, we need this person to work from day one. Because we don’t. Like, sometimes it’s like this person has a really specialized skill set. There’s like six people in the world that can do it. So we have to give them all the things.

Karissa Breen [00:20:00]:
And I’m not saying that this is an easy answer. I’m just trying to look at it differently to be like, what’s going on in their mind and why? What would be the impetus to saying, hey, you need to have access to all of these things.

Alex Tilley [00:20:11]:
Definitely. And the overhead, right, of doing staged access and doing, you know, restrictive access to new hires. When you say if you’re doing, as you mentioned, like a big project, right, and you’re going to hire a couple hundred people or whatever it may be to do this massive project, to develop this new widget, to do staged access per account is a massive overhead for your onboarding team. Right? So I totally get it. I’m not saying this is how you fix the problem, or that it’s going to be easy, but definitely start thinking about what your new starters can do on day one with their provisioning kit and sort of start having those thoughts internally. And again, it’s not an easy fix, but it is something. And you mentioned, you know, this sort of staging of access, and that’s a really key thing that we try and champion: that idea of reverifying that a person is who a person says they are.

Alex Tilley [00:20:58]:
And that’s difficult, but I think necessary and increasingly necessary that you need to keep verifying that your staff, especially if they’re fully remote, contingent workers, et cetera, are who they said they were. And that’s, again, can be. I’m not an HR lawyer. There could be, you know, some sort of workplace bullying or harassment type claim in there somewhere, I would imagine. But definitely sort of saying every, you know, random period, we just need to really reverify that you are who you said you are, until we can get an idea that this is going to be an ongoing scenario. So yeah, it’s just one of those things where there are some difficult conversations to be had and to be thought of around everyone’s risk profile.

Karissa Breen [00:21:38]:
Okay. So the part that I’m curious to know from yourself, Alex, is once the candidate’s found out, it’s like, well, you know, obviously it’s not real. They don’t know what they’re doing. What does the employer sort of do? Do they freak out, or are they not really thinking about it, like, oh, it didn’t work out, that person obviously just wasn’t up to scratch? Like, have the cogs started to turn to be like, hang on, pretty sure I got scammed by this person right now?

Alex Tilley [00:22:00]:
Yeah, more often than not. Unless you are in one of these organizations that has been dealing with this threat for a number of years now and has quite matured in their approach to dealing with these workers. If you’re in a brand new vertical, like say if you’re developing a healthcare app in the dental space, for instance, and all of a sudden you find that you’ve hired a developer for a project and they haven’t turned up to team meetings, or if they have, they haven’t contributed. And you know, like all the red flags are going off, right? At what point do you pull the trigger, obviously, and say, okay, this person can’t be employed here? And then what information do you give that person as to why they were terminated? That is an interesting discussion to have with HR departments because, oh, we give so many warnings or we have this much probation time, but obviously every organization has built into their contracts mechanisms to protect themselves from just this type of thing. Right. That’s why probationary periods exist. But the organizational culture of, let’s cut this person first because something is really going wrong here, something’s really off, or his or her teammates are telling us something’s off here. This person is not right. We need someone to investigate this.

Alex Tilley [00:23:08]:
And oftentimes HR departments will say, yeah, yeah, we’ll get to that one. And it can take months. So that, you know, in Australia there was that whole topic of, if you see something, say something, you remember that. And the problem is that with staff, you don’t want it to get to the point of, you know, bullying and witch hunting and finger pointing, et cetera, because you don’t like that other person. But there is a point of view where if your staff really deal with these workers day to day, they’re probably going to be the first ones to tell their boss or their peers, hey, something’s up here. And to have a process involved to quickly deal with that, and I think quickly is the key message there, because you don’t want these people with full access or any access to your networks or your devices, that you’ve sent them a laptop or whatever, while they’re under serious suspicion of being odd and an investigation takes place. If the investigation can happen quite quickly and you can get enough information to say we’re going to lock this out just until we can really confirm what’s going on here.

Alex Tilley [00:24:03]:
What if investigations take weeks or months? You know, sometimes these things can drag on for a while. You are potentially leaving yourself vulnerable to this person who you’re credibly suspecting of being potentially a nation state adversary for quite a while. So having those discussions internally about what would we do, how would we handle this? Those are really cool discussions to have internally to see how everyone’s different business unit, legal, HR, IT, et cetera, all think that they would deal with this situation. So it’s, right, it’s not really like an IR, you know, tabletop exercise. It’s more of a sort of a culture and HR and legal discussion. But it should be happening, I think, and it will be quite interesting to see what companies come up with from those sort of meetings.

Karissa Breen [00:24:48]:
So just say someone is presenting as a suspect sort of person, employee. So would. And depending on, and again it depends on what they’re doing, etc. But as an example, would your first response be to like quarantine their account so that they are not like, if they’re working in certain like privileged systems, for example, that way it’s not noticeable because again like you don’t want to be super brash where it’s like, oh, we made a mistake and there’s a whole lawsuit going on because something happened and unfair dismissal and all that hoo ha that goes on. Or if something is too extreme, would you just immediately cut all access? So no, no, no emails, nothing, all gone. So like obviously it depends. But I’m just curious to know because again, sometimes when people are cut off like pretty abrasively, then like Nucleus sort of goes on after the fact.

Alex Tilley [00:25:40]:
Yeah. And that, that again is, is what would fall out of those discussions internally as to what could we expect to happen. So like obviously, you know, if it was me personally, I wouldn’t want someone who was, you know, credibly or potentially credibly suspected of something like this on my network. That’s just me personally speaking. I think that having those discussions internally to say how quickly could we react and, you know, segregate or at least wall off this, this person’s access for a while. And as you mentioned, you know, I was like, at what point do you not want to tip your hand that this person is under investigation? Because like the last thing you want to do is fire someone and say we’re sacking you because we believe that you’re a North Korean. Like, don’t do that, don’t ever do that, because all you’re doing there is telling them, okay, something about this particular, you know, employee and this particular employment engagement red flagged it enough to the company that we were North Koreans. So they sacked us for that.

Alex Tilley [00:26:32]:
And then they will just learn from that sacking, you know what I mean? So it needs to be a long discussion internally to understand where do we stand on this, what mechanisms are in play for us to limit this person’s access either covertly or overtly, depending, again, on your organization’s point of view around what you want to do with your staff, and then protect the organization. Because obviously, coming down to those discussions, it’s all about protecting the organization, your staff and I suppose your IP and business. So understanding we might be able to say this person, you need to take a period of administrative leave while we figure something out about, you know, make something up if you need to, if you can, whatever you need to do to get that person segregated away from anything that they could damage your company with while you figure out what’s going on. Being open to the possibility that something may be going on, I think, is the very first step. Just understanding, just because I, I employ some developers and we write software for automotive paint machines, right? That doesn’t mean that we’re not going to have this problem. And that’s a terrible thing to say to people because obviously budgets are tight, no one has money to spend on anything around, you know, investigation. And these types of policies are quite expensive to figure out, to, you know, have these discussions. But you really are risking your business by not at least being aware that this could be the case.

Alex Tilley [00:27:53]:
I suppose I built a bit of a career on trying to do awareness around that sort of stuff, as in, this could be in your backyard. Just, you know, be aware of it and then figure out how you can respond to it and what it might mean to you. Because we haven’t discussed sanctions and that’s a whole other kettle of fish that I’m probably not qualified to. But I know that you don’t want to be employing someone from a sanctioned country; that can have all kinds of ramifications.

Karissa Breen [00:28:13]:
So then that leads me to our next point around. There’s. I’ve been reading a lot of headlines at the moment. Big players saying they want their staff back in the office. Now, there’s multiple reasons for that. Number one, hey, we’ve got this big building that we’re spending a lot of money on, we want people to sit in it at least because we’re burning a lot of money for having people sit at home, etc. And then there’s the whole case around, well, you know, collaborative working, you know, meet your peers, et cetera. But then when you’re talking, do you think this also brings back a level of control for employers? So, for example, when I worked in the bank, you would see everyone’s screens, right? So if someone’s doing something dodgy, it was pretty obvious because you have 50 people walking behind your screen every day.

Karissa Breen [00:28:50]:
It was pretty hard to do something dodgy and get away with it unless you were sort of in a more relegated area, which still happened, but I’m saying in main sort of areas, when I worked in a big corporation, it was kind of hard to do things, right? So everyone’s watching you, but when you’re at home, like, you don’t have anyone watching you. So do, do you think that even from a security perspective, there is more of a focus now to bring people in, so there is that level of control at least whilst they start to solve this problem that you’re talking about long term?

Alex Tilley [00:29:21]:
Yeah, I, I think, yeah, obviously I’m a remote worker, so I have a bias around staying here in my house, but I think definitely that would help this problem. Obviously if all your staff were in the office and you could see them and you could meet them every morning and have these discussions with them in person, et cetera, like that. That would make honestly this problem go away pretty quickly, because it’s one thing to run 50 to 60 identities that are just email accounts and LinkedIn profiles. It’s a very different thing to run 50 to 60 identities who are physical people in a foreign country. You know what I mean? It’s a level of magnitude difference in effort and expense for the bad guy. So, yeah, that, that would. This problem largely could have come about as a result of this explosion of remote work, but I feel like potentially that horse has bolted, especially for things like if it’s a contingent worker, right?

Alex Tilley [00:30:12]:
Like if you’re staffing up to do a project or, you know, we’re adding a new payroll processing arm to our business and we need to staff it up really quickly. So let’s quickly employ a bunch of people remotely to do the back end sort of work there. The cost of employing those people temporarily on like a three month contract in an office, with IT, with a bum on a seat, et cetera, could be astronomical as well. So I think that sort of those levels of costing will definitely come into everyone’s discussions around this internally. But it’s sort of because, yeah, like a permanent full time, ongoing React developer is probably a different story to 20 to 30 remote temporary, you know, six month contract people that we need for a job. And I think that’s where a lot of these infiltration attempts sort of navigate through the middle of those sort of blurry areas as to what’s better seated where.

Karissa Breen [00:31:05]:
Yeah, this is interesting and I’ve also, I was reading something yesterday and it was like the Gen Z generation have said it’s like they would take a 50% pay cut just so they could work at home.

Alex Tilley [00:31:15]:
Right.

Karissa Breen [00:31:15]:
So it’s like even if people are wanting people to work in the office, they’re like, oh, I don’t want to. Like I’m actually willing to take a pay cut because I don’t want to come into the office. I have no desire to. I’ve had a lot of people talk like that actually, from various generations. So even if companies wanted that, they may not get the talent that they desire because people are like, well no, I live three hours from Sydney, I’m not going to commute in every day because it gives you a level of peace in your company.

Alex Tilley [00:31:41]:
Definitely. Yeah. And I think that’s the brave new world that companies are facing with, with this type of thing, and I, with this type of sort of work culture. And I think often the technology is adapting around in this space, particularly around constant identity verification, ongoing surety around staffing, who they are, where they are, and the screen monitoring stuff and the presence detection. All that sort of stuff does exist, whatever you think of it, but it does exist and it can help with understanding who your staff are, where they are and what they’re doing, which is obviously what everyone is scared of losing through not having people with a bum on a seat in an office. So I think that aspect of it is definitely catching up. But the cost benefits and the, like, cost difference between a person on a chair in an office and the cost to verify that person’s at their chair at home. I don’t know those numbers, but that would be an interesting discussion, right, to see how that stacks up.

Karissa Breen [00:32:37]:
Yeah, pretty much. Because while. So what I’m seeing here in the US, there are companies saying, like, you need to come in five days a week now. Now, whether that’s. I think that’s probably for other, like, economic reasons, because, like, say if they own the building and it’s just vacant, like, the actual depreciation for that building apparently, as I’m told, starts to decline because there’s no one in it and occupying it. So there’s that aspect. But then obviously people are still going to hire remote workers and it’s just the way it is now. So whilst I don’t really see this problem going away, it may sort of go away if more people go and work in the office.

Karissa Breen [00:33:06]:
So it sort of plugs one hole, but it’s opening up for other things. So what do you sort of think then, moving forward? Like, what can people do? I know you can’t give away all of the answers to specifically what people can do, but it’s just we’re at this point now, in this juncture in time, remote workforce isn’t going to go away. But what do you think? Moving forward?

Alex Tilley [00:33:26]:
Yeah. Oh, yeah, for sure. Yeah. What I genuinely think is a. Is the best first place to start is probably, your audience would be obviously more on the sort of cyber side of the fence rather than the HR side of the fence, I would imagine. Definitely seems that way. So those cyber people, getting them access, so your CTI people, your threat research people, even just your, you know, your general security engineering staff, they need to get access to your quorum of applications for jobs. Now, that seems like an easy thing to say, to say, hey, let your CTI team run their indicators or run their, you know, whatever they have over the job, the applicants and their CVs for various jobs that you’re advertising so we can see if anything stands out as being strange.

Alex Tilley [00:34:10]:
Seems like a pretty straightforward thing to say. But in my experience, talking to many organizations that are going down this path now, either reactively because they had a problem or proactively because they’re scared of having a problem, is that those discussions can take quite a while because you’ve got all kinds of PII and privacy considerations, all that sort of stuff around those, those data holdings of those persons, you know, personal information that they provided to HR. So even getting access to those CVs and those applications can be really, really a long process, but it’s a good one. To start today, to just sort of sit down and say, hey, I want to have a meeting with, with the HR department, say, we really need to be understanding how we stand to this threat of these, you know, fake applicants. Maybe let’s class it as fake applicants rather than North Koreans, depending on what we think might get better traction. And to that end, we need to have a program internally where certain people can access these applications and these stores of CVs and the associated LinkedIn profiles and email addresses, et cetera, so we can start verifying that they are not dodgy, for want of a better term, from a technical point of view and from a cyber point of view, rather than just does their experience match their CV. That is a big one to start with. And once you can do that, then you can start to say, okay, well, now we can start to source maybe some indicators, I don’t know, the, the level of false positives out there around, you know, like email addresses getting floated, that are getting passed around, is one thing that we found quite troubling.

Alex Tilley [00:35:42]:
So I think if someone sends you a list of email addresses and said these are all North Koreans, that’s great. Have that, use that to understand and maybe to start doing some ranking that maybe you might have an issue there with some applicants. But my personal point of view is I think it’s very dangerous if we start blocking applicants for jobs because an indicator says that that email address is a North Korean without some sort of other level of information to indicate to your team that this person isn’t who they say they are, simply because, you know, if you talk about an indicator like an email address or an IP address, for instance, back in the olden days, IP addresses as indicators got found to be, you know, by a lot of us, very short term, shall we say. Like they’re pretty good for a couple of weeks, maybe, maybe a couple of days, maybe a couple of minutes, depending on your point of view. But I wouldn’t be blocking every IP that’s ever been told as being bad. Right? And I think it’s the same thing with DPRK or with these fake profile email addresses. Definitely use them for scoring and definitely use them to open investigations and to understand this, this problem. But we saw enough legitimate people getting swept up in some of these lists that it made us sort of concerned that real people are getting blocked from employment opportunities because an email address of theirs was swept up in a large phishing net, you know, months or years ago and is still being flagged as being a North Korean to this day.

Alex Tilley [00:37:09]:
So I think that’s a little, a little call that I wanted to make to your listeners, is that if you get these email addresses, please use them as an investigation starting point rather than blocking outright. That’s my personal advice, is that you don’t want to be blocking people based on an indicator that could be years old if you don’t have context for it, because it’s a real person rather than just an IP address, as we’re used to dealing with.

Karissa Breen [00:37:31]:
Yeah, that’s totally fair and I hear what you’re saying. The other point you made as well, Alex, which I found interesting, is when you’re in, doing like a virtual interview, like buying the local paper. So maybe that’s just a prerequisite for companies now, like, hey, you’re going to have to invest a couple of dollars. It’s just more for verification purposes because of this. I think that’s fine though. Like, I mean, like back in the day when you had to go for a job interview, like you’d have to take a train, bus, taxi, whatever, to see, you know, you had to have some investment, buy a new outfit to meet the employer. So I don’t think that’s that taxing. But would you think that that would help at least go, okay, well this per.

Karissa Breen [00:38:02]:
We know for sure that this person isn’t in a random country or else they can’t physically go and buy that paper in that town that they said I lived in.

Alex Tilley [00:38:09]:
I can see that that would help with a lot of the cases that I’ve looked at here. I can see that something like that sort of, you know what, yeah, literally what’s today’s paper? Hold it up. That would help a lot of these things. Obviously for every control there’s a way around it and. Cool. Yeah, let’s, let’s just assume that that’s the case. But yeah, I think something as simple as it sounds as that will be interesting, because one, one of the good tells on the interviews is, you know, like they say they live in Florida, for instance, but they don’t know who the Marlins are, or whatever the case may be. There are sort of, you say you were born and raised on the Sunshine Coast, but you can’t tell me what a cane toad is.

Alex Tilley [00:38:45]:
That’s something that was personal to me, but you understand. So I think those sort of personal and location specific questions and verifications are one of the better things that we have at the moment to deal with the human side of this problem. Because I think this is very much a human problem. As I mentioned before, I think technical definitely has a place to it, but a lot of this is human. And yeah, those, you know, I guess you want to call them dumb human tricks, right? If we fall back to old school stupid stuff that works, right? If it’s dumb but works, it ain’t dumb. That will probably help a lot of these cases.

Karissa Breen [00:39:18]:
Yeah. Okay, so you’re. So you’re also saying that depending on where they live, they have to enter some sort of context around where they live. That makes sense, right? But then if these people are pretty skilled, when they’ve worked that out. But have you seen that show, like Border Force? And it’s like when people are like, oh, what are you here in Sydney to do? Sightsee? It’s like, mate, like at least do a little bit more research. You know, Sydney Harbour Bridge, you know, Opera House. Like, obviously they’re bad criminals, but I’m just saying that, like, couldn’t some of these fake applicants do a little bit of like high level research to fake their way through, or.

Alex Tilley [00:39:52]:
Oh, 100%. Yeah, and they do. That’s the thing, that they definitely do. And it’s definitely happening. Like they’re asking around, what are the Christmas holidays in Australia, for instance, which days do companies normally take off, who won the AFL Grand Final? This sort of stuff that you would get asked for, that question, as those sort of human verification questions, et cetera. But I think the way that they would help mostly is again, that numbers game, right? Because not every fake applicant, whatever their background, is going to have that information or is going to be able to answer those sort of questions in a way that, you know, like not everyone knows who won the AFL Grand Final.

Alex Tilley [00:40:27]:
I totally get that. But you would have an answer that a normal person in Australia would go, oh, yeah, fair enough. That someone who says that they don’t really follow the footy, and that’s fine, you know, you have those sort of human checks built in. But I think to just get rid of a few of those numbers, to get the numbers game down a bit, is the key. So then your actual HR people and your hiring managers can have less noise to deal with while they’re trying to pick candidates and trying to understand each candidate’s legitimacy. So anything that we can do to filter that down even a little bit will help. So yeah, of course they’re going to be able to go out and research these questions for sure, but at least some of them won’t bother to. At least you can cut them out of the list.

Karissa Breen [00:41:08]:
No, I love this. And I think another one just quickly would be that in Australia we don’t say zip code, right? When someone starts saying zip code it’s like, well, you clearly don’t live here. You call it postcode. So little tell signs like that. Love it. So Alex, any closing comments? Final thoughts you want to leave our audience with today?

Alex Tilley [00:41:23]:
Yeah, I think this is a numbers game and I think it’s going to take all of us together to deal with this. So I think get across the table from legal, HR, hiring managers and start having discussions and try and figure out an approach to this.