
Lessons from North Korea’s IT Case to Strengthen Your Security

February 12, 2025

By Kyle Schlooser

3 minute read

Cybersecurity Implications of the North Korean IT Indictment: Strengthening Endpoint Security

A recent federal indictment exposed a wide-reaching operation by North Korean operatives and their accomplices, who infiltrated U.S. companies to generate revenue and intelligence for the Democratic People’s Republic of Korea (DPRK) regime.

The operation began with North Korean operatives applying for remote IT jobs at U.S. companies using the stolen identities of U.S. citizens. Once hired, their company-issued devices were shipped to "laptop farms" inside the United States. The laptop farm operators exploited weaknesses in corporate endpoint security controls: they immediately installed remote access software (e.g., AnyDesk) on the company endpoints, giving the operatives the ability to operate the devices from North Korea.

Had the devices delivered to these laptop farms been adequately hardened, the operatives would have struggled to launch their insider threat campaign and would likely have been detected right away. For example, if newly issued devices had been configured with controls that prevent end users from installing unauthorized or unmanaged software, the operatives could not have used a product as simple (and, when unmanaged, as risky) as AnyDesk to facilitate their operations.

Even with strict endpoint security rules and configurations, it is still critical that security teams audit what newly onboarded users are attempting to bring into the organization. End users with malicious intent are determined to bypass your security controls, and they come up with creative (often simple) ways to get around even the most sophisticated endpoint security technologies. Ensure your teams continuously audit endpoints for newly installed software, and treat findings seriously. If unmanaged software is being installed in your environment, then either a security policy is not functioning or an end user has bypassed a control; either way, the finding needs to be investigated, not just remediated.

We should all be concerned by how such rudimentary techniques enabled a sophisticated threat actor to compromise and disrupt the U.S. private sector. There were no novel exploits in this intrusion; the North Koreans simply took advantage of absent endpoint security controls and monitoring capabilities. Now is the time to assemble your security teams and vet your capabilities and defenses in the following areas:

  1. Device Provisioning / Device Imaging: When your organization builds a laptop for a new hire, can you audit the endpoint to ensure that all security configurations are enabled and all endpoint security software is installed? If not, it is time to meet with your IT teams and identify ways your security analysts can begin to audit endpoint security health and remediate broken controls or missing security coverage. 
  2. Attack Surface Reduction: Reducing an organization's attack surface starts at the endpoint. Ensure your IT and Security teams are proactively working to identify redundant, outdated, or unmanaged applications. Removing unnecessary programs and applications from end-user devices is a simple, effective way to improve both security and privacy posture.
  3. Continuity of Coverage: Security teams should be able to quickly identify when endpoint security controls and software are missing or malfunctioning, and should have the tools to immediately re-deploy security coverage. In today’s world, it may take security teams weeks to identify and remediate misconfigured endpoints. If this is the case for your organization, it is time to start identifying ways to manage devices in real time. 
  4. Metrics and Reporting: Reporting detailed information on your organization's overall endpoint health and security posture is key to ensuring accountability and proactivity in your endpoint management practices. Quantify your EDR coverage across all endpoints, grade compliance with critical endpoint security controls, and report how long it takes your teams to identify and resolve endpoint security misconfigurations.
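The following script is an added example, not code from the original post or from any vendor product, showing what the audit described above (unmanaged and remote-access software on newly onboarded devices, missing or stopped EDR agents, stale telemetry, and the coverage and time-to-remediate metrics in items 1 through 4) looks like when run over an endpoint inventory. The data model, the allowlist, the remote-access tool list (other than AnyDesk, which the post names), the hostnames and the 24-hour check-in SLA are all assumptions; in practice the records would come from an MDM or EDR export rather than being constructed inline as they are here.

```python
"""Endpoint posture audit over a constructed inventory snapshot.

Added example. Record layout, allowlist, tool names, hostnames and
timestamps are assumptions, not from the original post or any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# AnyDesk is named in the post; the other entries are assumed examples.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}

# Hypothetical corporate allowlist; anything not listed is treated as unmanaged.
APPROVED_SOFTWARE = {"microsoft office", "google chrome", "slack", "zoom",
                     "corp edr agent", "corp vpn"}

TELEMETRY_MAX_AGE = timedelta(hours=24)      # assumed agent check-in SLA
SNAPSHOT_TIME = datetime(2025, 2, 10, 9, 0)   # constructed "now" for the sample


@dataclass
class Finding:
    control: str
    detected: datetime
    remediated: Optional[datetime] = None     # None while still open


@dataclass
class Endpoint:
    hostname: str
    installed: List[str]
    edr_installed: bool
    edr_running: bool
    last_seen: datetime
    findings: List[Finding] = field(default_factory=list)


def remote_access_tools(ep: Endpoint) -> List[str]:
    return sorted(a for a in ep.installed if a.lower() in REMOTE_ACCESS_TOOLS)


def unmanaged_software(ep: Endpoint) -> List[str]:
    """Software outside the allowlist; remote-access tools are reported separately."""
    return sorted(a for a in ep.installed
                  if a.lower() not in APPROVED_SOFTWARE
                  and a.lower() not in REMOTE_ACCESS_TOOLS)


def audit_endpoint(ep: Endpoint, now: datetime) -> List[str]:
    """Return the list of issues on one device; an empty list means compliant."""
    issues = []
    rats = remote_access_tools(ep)
    if rats:
        issues.append("remote access tool present: " + ", ".join(rats))
    unmanaged = unmanaged_software(ep)
    if unmanaged:
        issues.append("unmanaged software: " + ", ".join(unmanaged))
    if not ep.edr_installed:
        issues.append("EDR agent missing")
    elif not ep.edr_running:
        issues.append("EDR agent installed but not running")
    age = now - ep.last_seen
    if age > TELEMETRY_MAX_AGE:
        issues.append(f"no telemetry for {int(age.total_seconds() // 3600)}h")
    open_findings = [f.control for f in ep.findings if f.remediated is None]
    if open_findings:
        issues.append(f"{len(open_findings)} open finding(s): " + ", ".join(open_findings))
    return issues


def audit_fleet(fleet: List[Endpoint], now: datetime) -> dict:
    return {ep.hostname: audit_endpoint(ep, now) for ep in fleet}


def edr_coverage(fleet: List[Endpoint]) -> float:
    """Share of endpoints whose EDR agent is both installed and running."""
    if not fleet:
        return 0.0
    return sum(1 for ep in fleet if ep.edr_installed and ep.edr_running) / len(fleet)


def mean_hours_to_remediate(fleet: List[Endpoint]) -> Optional[float]:
    """Mean detection-to-remediation time over closed findings; None if none closed."""
    durations = [f.remediated - f.detected
                 for ep in fleet for f in ep.findings if f.remediated is not None]
    if not durations:
        return None
    return sum(durations, timedelta()).total_seconds() / 3600 / len(durations)


def sample_fleet() -> List[Endpoint]:
    """Constructed snapshot: three laptops, one a freshly issued new-hire device."""
    t0 = SNAPSHOT_TIME
    return [
        Endpoint("LT-NEWHIRE-01",
                 ["Microsoft Office", "Google Chrome", "AnyDesk", "Corp EDR Agent"],
                 edr_installed=True, edr_running=False,
                 last_seen=t0 - timedelta(days=3),
                 findings=[Finding("local admin enabled", t0 - timedelta(days=9),
                                   t0 - timedelta(days=7))]),
        Endpoint("LT-ENG-07", ["Corp EDR Agent", "Slack", "Zoom", "Corp VPN"],
                 edr_installed=True, edr_running=True,
                 last_seen=t0 - timedelta(hours=2)),
        Endpoint("LT-FIN-12", ["Microsoft Office", "Notepad++"],
                 edr_installed=False, edr_running=False,
                 last_seen=t0 - timedelta(hours=1),
                 findings=[Finding("disk encryption off", t0 - timedelta(days=5),
                                   t0 - timedelta(days=5, hours=-12)),
                           Finding("EDR agent missing", t0 - timedelta(days=1))]),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    for host, issues in audit_fleet(fleet, SNAPSHOT_TIME).items():
        print(host, "->", issues or ["compliant"])
    print(f"EDR coverage: {edr_coverage(fleet):.0%}")
    print(f"mean hours to remediate: {mean_hours_to_remediate(fleet)}")
```

Two design points worth noting. Remote-access tools are reported on their own line rather than folded into the generic "unmanaged software" list, because a device that has both a remote-access tool and a stopped EDR agent (the new-hire laptop in the sample) is exactly the pattern described in the indictment and should be triaged before ordinary allowlist drift. Coverage is counted only when the agent is installed and running; an installed-but-stopped agent is a gap, and counting it as covered is how "EDR on 100% of endpoints" turns out to be wrong.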