惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
P
Privacy International News Feed
Security Latest
Security Latest
H
Hacker News: Front Page
T
Tenable Blog
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
Project Zero
Project Zero
O
OpenAI News
AI
AI
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
NISL@THU
NISL@THU
A
Arctic Wolf
T
Threat Research - Cisco Blogs
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
U
Unit 42
S
Security Affairs
有赞技术团队
有赞技术团队
WordPress大学
WordPress大学
博客园 - 【当耐特】
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
月光博客
月光博客
Engineering at Meta
Engineering at Meta
腾讯CDC
F
Full Disclosure
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
The Cloudflare Blog

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
How AI caught a malicious North Korean insider at Exabeam
2026-03-30 · via Search Security Resources and Information from TechTarget

Alissa Irei

By

Published: 30 Mar 2026

In the summer of 2025, a young tech professional named Trevor Roth* landed a remote job at cybersecurity vendor Exabeam.

Roth had aced his technical interview and test with flying colors. He also passed his video interview -- although the hiring team felt he might have leaned on generative AI tools for real time assistance -- and Exabeam extended an offer. After the standard pre-employment clearance process, including a background check and I-9 validation, he received his laptop from IT and immediately got to work.

There was just one problem. "Trevor Roth" was actually a malicious foreign actor from North Korea, using a stolen identity and forged documents. And he was now inside Exabeam's private network.

Malicious foreign actors from the Democratic People's Republic of Korea, or DPRK, represent a pervasive and escalating threat to Fortune 500 companies. The U.S. Department of the Treasury estimates thousands are on American companies' payrolls and have access to their corporate systems. North Korean operatives' goals are twofold: first, to earn money for their nation's authoritarian regime, and second, to enable malicious intrusions. In recent cases, American employers have been victims of cryptocurrency theft, sensitive data theft and data extortion at the hands of malicious insiders from the DPRK.

Complicating detection efforts is the fact that such foreign threat actors often aim to keep their jobs for months, if not years, motivating them to keep their heads down. "Typically, you're going to see these low-and-slow types of attacks, living off the land, stuff that is not super obvious," said Exabeam Vice President of AI and Security Research Steve Povolny, during a presentation at RSAC 2026. "You'll see behaviors that fly under the radar, until they don't."

Unfortunately for Exabeam's new hire, his first day of employment was also his last -- thanks in part to agentic AI.

To catch a malicious foreign threat actor

The first time "Trevor Roth" signed into his Exabeam corporate account, the SOC's threat intelligence feed flagged his username as high risk, noting that it had been associated with North Korean threat actor activity. Based on that information, incident responders quietly accessed Roth's laptop and isolated it from the rest of the network.

Fraudulent driver's license photo, showing a subject with unnaturally wide and square ear lobes
The malicious foreign threat actor used a doctored driver's license to apply for the job at Exabeam. Povolny and Kirkwood said it is likely an AI-generated image, pointing out the unnatural appearance of the ears. They urged hiring teams to monitor pre-hire behavior for anomalies or inconsistencies and treat hiring workflows with the same rigor as production access. A good rule of thumb: Don't trust, and also verify.

Initially, the incident response team was open to the possibility that the threat intelligence was wrong, said CISO Kevin Kirkwood, who presented alongside Povolny at RSAC. "At first, we ascribed positive intent. This is a brand-new user, and maybe we just got the wrong guy," he added.

At the same time, the SIEM started generating scattered alerts on Roth's activity, which included the following:

  • Downloaded files from a malicious Zoom site.
  • Attempted to connect to a third-party VPN.
  • Installed Jump Desktop software.
  • Loaded a streaming service.

Taken individually and out of context -- and without the heads up from the threat intelligence feed -- each alert could have amounted to little more than noise, according to Kirkwood. That's when AI entered the chat.

Exabeam Nova, the organization's investigative AI agent in the SOC, autonomously collected Roth's scattered user and entity behavior analytics (UEBA) data and evaluated it in the context of his role and new-hire status. Deciding a full investigation was warranted, Nova then analyzed the user's behavior and likely intent and presented human operators with its conclusion:

"The pattern of activities aligns with the 'Malicious Software' threat vector, which is a precursor to a compromised insider scenario."

Screenshot from Exabeam Nova investigative AI agent

Finally, the AI assistant suggested SOC analysts take the following next steps:

  1. Isolate the affected host to prevent further compromise or lateral movement.
  2. Initiate a full forensic analysis of the affected host to identify the initial infection vector and full scope of compromise.
  3. Review the user's activity, including recent emails and browser history, for potential phishing attempts or unauthorized software downloads that could have led to the malware execution.
  4. Check for persistence mechanisms, including scheduled tasks and modified registry keys.
  5. Analyze network traffic for connections made by the affected host to suspicious external IPs or domains.
  6. Update endpoint protection, ensuring endpoint detection and response and antivirus software are up to date, and perform a full scan on the affected machine and other potentially vulnerable systems.

An investigation that Kirkwood said would have taken SOC analysts three to four hours took the AI agent seconds.

Screenshot from Exabeam Nova investigative AI agent

"This is really where the combination of traditional UEBA and modern AI capabilities becomes really, really powerful -- being able to take all that scattered, [seemingly] unrelated, nonsuspicious noise and turn it into signals," Povolny added. "The AI that we had deployed internally caught this very, very quickly."

After quietly isolating the DPRK threat actor's device, Kirkwood and his incident response team spent the next five hours observing his behavior, which included installing command-and-control software and trying to exfiltrate company data.

"It was a fun five hours," Kirkwood said. "It was kind of like sitting back and watching the prize fights. You're drinking beer and eating peanuts and watching the blows land."

When the malicious foreign actor finally realized he was being watched, he started trying to delete his temporary files. That's when Kirkwood called time, and the incident response team bricked the machine. "It was a massive piece of metal at that point -- nothing more," he said.

Next, the Exabeam team sent the indicators of compromise they had collected to the FBI, along with the address in Austin where the threat actor had asked the company to send his laptop.

"About a week after that, we saw that the FBI had shut down a laptop farm in the Austin area," Kirkwood said.

How to mitigate the AI-enabled malicious foreign actor threat

North Korean IT workers began infiltrating American companies in large numbers in 2020, during the remote work boom. Now, AI is making an already bad problem worse. According to researchers at CrowdStrike, DPRK-affiliated adversary group Famous Chollima infiltrated more than 320 companies in 2025 -- a 220% year-over-year increase. Researchers attributed the group's recent success to its use of GenAI throughout the hiring and employment processes.

With AI, malicious actors can easily forge official documents and cheat on technical exams. Deepfake and voice cloning technology lets them impersonate others in real time. And according to Kirkwood and Povolny, many job candidates -- North Korean and otherwise -- now use AI-powered interview copilots to optimize their answers during remote job interviews. Many such tools are designed to be invisible to third parties when users share their screens, making detection difficult.

To vet for unsanctioned AI use and possible malicious foreign actor activity during video interviews, the Exabeam executives suggested the following tactics:

  • Intentionally under-specify problems to observe candidates' clarification skills.
  • Ask candidates to share personal experiences that illustrate how they make decisions.
  • Change technical problems mid-answer to test candidates' adaptability.
  • Introduce off-topic or unexpected prompts -- e.g., how would you build a bridge? -- to see if the candidate responds with human confusion or AI confidence.
  • Ask job candidates to use external webcams that show their workspaces and monitors, rather than share their screens.

Kirkwood and Povolny also urged CISOs to closely monitor access control lists and put all new hires on a SOC watchlist for enhanced monitoring, ideally with support from agentic AI. 

"When you have 500 or 1,000 new employees, you should have agents that are capable of understanding and prioritizing their behaviors, driving a cherry-picked handful to your human analysts, who remain in the loop," Povolny said. "Those human analysts can then double-click on that employee and dig deeper to see if it's a threat."

*Editor's note: SearchSecurity has changed the name that the threat actor fraudulently used to protect a potential victim of identity theft.

Alissa Irei is senior site editor of Informa TechTarget Security.

Next Steps

RSAC 2026 recap: AI security and network security trends

Inside the SOC that secured RSAC Conference 2026

Dig Deeper on Threat detection and response