Duaine Labno on Digital Investigations and Corporate Threat Intelligence
In the latest episode of the Future of Threat Intelligence Podcast, Will Baxter is joined by Duaine Labno, Director of Special Investigations & Threat Intelligence at TIG Risk Services. With an investigative background built over years as a police detective and firefighter, Labno brings extensive experience in physical investigations to the cyber realm.
In this week's episode, Labno explains why physical and digital investigations should run in parallel, how physical research can strengthen corporate threat intelligence, the investigative challenges of DPRK remote worker cases, and more.
Cyber Threat Investigation in the Age of Identity Fraud and Remote Work
According to Labno, the COVID shift to remote work and digital hiring practices has introduced significant vulnerabilities that are easy to target and repeatedly exploitable by threat actors. In general, the shift away from in-person verification has increased both the likelihood and overall amount of fraud.
One large driver of this is the relaxation of hiring standards. During and post-COVID, many organizations relaxed their overall hiring protocols. This included moving towards remote, often automated processes and away from face-to-face verification processes. Processes may include soft checks, Labno notes, such as an individual holding up a photo of their ID and taking a picture with it.
However, these checks—which may be automated through an external application—do not necessarily involve legal, security, or HR teams. As such, while the process may be faster, it can also introduce elements of risk to an organization as well as to individuals who are having their identities stolen and misused.
“In theory, these hiring processes help all sorts of people in the organization get through the hiring challenge quicker, but it also exposes the organization in other areas, allowing bad actors to come in and start taking advantage of the process,” Labno says.
And once potential bad actors are hired into an organization using stolen or synthetic identities, these actors then have access to corporate laptops, internal systems, and sensitive data.
How Digital Investigations Strengthen Corporate Threat Intelligence
Organizations can strengthen their overall security posture, Labno says, by using digital investigations to enrich their corporate threat intelligence. This provides broader context for evaluating risk.
When conducting digital investigations, corporations should use digital tools to perform comprehensive threat assessments. In the case of hiring, this means examining an individual's background, including criminal history and civil records. These investigations should also pull in social media analysis, which allows intelligence teams to understand an individual's associations and interests, along with any specific threats they may pose.
These investigations can be extremely time-consuming to conduct manually, Labno notes. Corporations can therefore turn to advanced pattern recognition software, which can scan millions of open-source data points to identify common themes and pinpoint areas that warrant further investigation.
Where Threat Intelligence and Physical Investigation Converge
Physical investigations dovetail with threat intelligence when investigating potential persons of interest. According to Labno, in many cases, these investigations should be run in parallel to help support each other as opposed to one investigation type picking up where another leaves off.
“I honestly see [digital and physical investigations] going parallel in a lot of different ways. Because anytime we're dealing with these situations, you have the human element involved…So we're leveraging technology to look into this person a little bit more. So we're going, what were their actions? What's their criminal history? Because we can pull their criminal history, we can look at their civil records, we take all that into consideration.”
Simultaneously, Labno notes, the investigation is online looking at elements like social media communications, group activity, and general behavioral profiles. This dual approach gives a sense of an individual’s background and what the potential threat associated with them is.
Additionally, especially in cases of remote work fraud, physical investigations help verify digital findings. For example, a physical investigation can confirm whether a person using a specific IP address is the same individual as the person hired for a role.
DPRK Remote Worker Cases and the Enterprise Investigation Challenge
North Korean-associated entities are perhaps one of the most sophisticated and pressing groups exploiting laxer hiring standards. DPRK remote workers increasingly target remote work roles to enable sophisticated state-sponsored fraud.
Labno shared with Will portions of an ongoing investigation his team is conducting into potential DPRK remote worker activity for a corporate client. The client noticed that a laptop issued to a remote worker pinged from two different locations: one in China and one in North Korea. When the team tried to get the remote worker on an online call, he kept his camera off, which raised further suspicion.
When Labno reviewed the employee's hiring documents, he spotted that they had used a fake driver's license. This drove home two challenges in remote hiring:
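The two-location laptop signal Labno describes is something an endpoint telemetry pipeline can surface automatically rather than waiting for someone to notice. The following Python is an added example, not code from the podcast or from TIG Risk Services: it parses constructed check-in records (the device IDs, countries and coordinates are invented, and the IPs come from the RFC 5737 documentation ranges) and flags a device whose consecutive check-ins imply travel faster than an airliner, or that has reported from more than one country. The 900 km/h speed ceiling and the 50 km allowance for GeoIP jitter are assumptions to tune against real data.

```python
"""Flag corporate-issued devices whose check-ins are geographically
inconsistent. Added example; the log format, device IDs, coordinates and
thresholds are constructed assumptions, not a vendor's detection logic."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

# Constructed sample telemetry: endpoint-agent check-ins with resolved geo.
# Fields: timestamp(UTC) device_id public_ip country lat lon
SAMPLE_LOG = """\
2024-03-04T08:02:11Z LT-0412 203.0.113.10 US 41.88 -87.63
2024-03-04T14:37:40Z LT-0412 203.0.113.10 US 41.88 -87.63
2024-03-04T22:15:03Z LT-0412 198.51.100.7 CN 39.90 116.40
2024-03-05T03:41:55Z LT-0412 192.0.2.44 KP 39.02 125.75
2024-03-04T09:10:00Z LT-0777 203.0.113.55 US 40.71 -74.01
2024-03-04T17:45:00Z LT-0777 203.0.113.55 US 40.71 -74.01
"""

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed
GEOIP_JITTER_KM = 50.0           # assumption: ignore moves smaller than this


@dataclass
class CheckIn:
    ts: datetime
    device: str
    ip: str
    country: str
    lat: float
    lon: float


@dataclass
class Finding:
    device: str
    kind: str    # "impossible_travel" or "multi_country"
    detail: str


def parse_log(text: str) -> List[CheckIn]:
    """Parse the whitespace-separated check-in format shown in SAMPLE_LOG."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, ip, cc, lat, lon = line.split()
        rows.append(CheckIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            dev, ip, cc, float(lat), float(lon)))
    return rows


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(checkins: List[CheckIn],
            max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> Dict[str, List[Finding]]:
    """Return findings per device: impossible travel between consecutive
    check-ins, and any device that reports from more than one country."""
    by_device: Dict[str, List[CheckIn]] = {}
    for c in checkins:
        by_device.setdefault(c.device, []).append(c)

    findings: Dict[str, List[Finding]] = {}
    for dev, rows in by_device.items():
        rows.sort(key=lambda c: c.ts)
        out: List[Finding] = []
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < GEOIP_JITTER_KM:
                continue  # same city; GeoIP resolution noise, not movement
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Zero elapsed time with a real distance is also impossible.
            if hours <= 0 or km / hours > max_speed_kmh:
                out.append(Finding(dev, "impossible_travel",
                                   f"{km:.0f} km in {hours:.1f} h "
                                   f"({prev.country} {prev.ip} -> {cur.country} {cur.ip})"))
        countries = sorted({c.country for c in rows})
        if len(countries) > 1:
            out.append(Finding(dev, "multi_country", ",".join(countries)))
        findings[dev] = out
    return findings


if __name__ == "__main__":
    for dev, items in analyze(parse_log(SAMPLE_LOG)).items():
        status = "OK" if not items else f"{len(items)} finding(s)"
        print(f"{dev}: {status}")
        for f in items:
            print(f"  [{f.kind}] {f.detail}")
```

On the constructed data, LT-0412 produces one impossible-travel finding (the US to China hop at roughly 1,400 km/h) plus a multi-country finding for US, CN and KP, while LT-0777 is clean. The China to North Korea hop is short enough not to trip the speed check on its own, which is why the country-diversity rule is kept as a second, independent signal.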
- The recruiter responsible for this individual’s hiring likely was not properly trained.
- Hiring is a numbers game, with some recruiters trying to get as many people into roles as quickly as possible, leading to questionable quality decisions.
Ultimately, Labno and his client conducted an operation in which they convinced the worker to send his laptop back for a software check while delivering him a second laptop. However, the person who dropped the laptop off did not match the hired worker. A private investigator followed the alleged worker, who likely took the replacement to a laptop farm, where it was kept running for the North Korean worker.
According to Labno, the US-based person facilitating the DPRK operation likely had no idea they were working for North Korea or doing anything illegal; they were probably just responding to a gig listing. This layering adds another level of difficulty to the investigation, as there may be multiple unwitting accomplices in any DPRK remote worker activity.
How AI Is Changing Digital Investigations and Fraud Detection
Ultimately, AI is a double-edged sword: it is incredibly powerful in adversarial hands, while also allowing for more thorough and faster investigations.
On the one hand, threat actors can leverage AI to supercharge their social engineering and fraud activities. AI can already be used to create live video deepfakes, alter a voice in real time, and to help generate synthetic identities.
On the other hand, AI can also enhance data processing for investigations. Labno notes that AI can speed up the ingestion and search of large datasets and recognize complex patterns that may otherwise be missed in financial or criminal records.
Still, there is much work to be done. Labno says that there is an urgent need for the development of highly accurate detection software to combat AI-driven fraud and to protect critical digital and physical infrastructure.
Listen to the full episode of the Future of Threat Intelligence Podcast with Duaine Labno, Director of Special Investigations & Threat Intelligence at TIG Risk Services HERE.