<p>In the summer of 2025, a young tech professional named Trevor Roth* landed a remote job at cybersecurity vendor Exabeam.</p>
<p>Roth had aced his technical interview and test with flying colors. He also passed his video interview — although the hiring team felt he might have leaned on generative AI tools for real-time assistance — and Exabeam extended an offer. After the standard pre-employment clearance process, including a background check and I-9 validation, he received his laptop from IT and immediately got to work.</p>
<p>There was just one problem. “Trevor Roth” was actually a <a href="https://www.techtarget.com/searchsecurity/feature/How-to-spot-and-expose-fraudulent-North-Korean-IT-workers">malicious foreign actor from North Korea</a>, using a stolen identity and forged documents. And he was now inside Exabeam’s private network.</p>
<p>Malicious foreign actors from the Democratic People’s Republic of Korea, or DPRK, represent a pervasive and escalating threat to Fortune 500 companies. The U.S. Department of the Treasury estimates thousands are on American companies’ payrolls and have access to their corporate systems. North Korean operatives’ goals are twofold: first, to earn money for their nation’s authoritarian regime, and second, to enable malicious intrusions. In recent cases, American employers have been victims of <a target="_blank" href="https://www.justice.gov/usao-ndga/pr/four-north-koreans-charged-nearly-1-million-cryptocurrency-theft-scheme" rel="noopener">cryptocurrency theft</a>, <a target="_blank" href="https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information" rel="noopener">sensitive data theft</a> and <a target="_blank" href="https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-workers-conducting-data-extortion" rel="noopener">data extortion</a> at the hands of malicious insiders from the DPRK.</p>
<p>Complicating detection efforts is the fact that such foreign threat actors often aim to keep their jobs for months, if not years, motivating them to keep their heads down. “Typically, you’re going to see these low-and-slow types of attacks, living off the land, stuff that is not super obvious,” said Exabeam Vice President of AI and Security Research Steve Povolny, during a presentation at RSAC 2026. “You’ll see behaviors that fly under the radar, until they don’t.”</p>
<p>Unfortunately for Exabeam’s new hire, his first day of employment was also his last — thanks in part to agentic AI.</p>
<section class="section main-article-chapter" data-menu-title="To catch a malicious foreign threat actor">
<h2 class="section-title"><i class="icon" data-icon="1"></i>To catch a malicious foreign threat actor</h2>
<p>The first time “Trevor Roth” signed into his Exabeam corporate account, the SOC’s threat intelligence feed flagged his username as high risk, noting that it had been associated with North Korean threat actor activity. Based on that information, incident responders quietly accessed Roth’s laptop and isolated it from the rest of the network.</p>
<p>Initially, the <a href="https://www.techtarget.com/searchsecurity/definition/incident-response">incident response</a> team was open to the possibility that the threat intelligence was wrong, said CISO Kevin Kirkwood, who presented alongside Povolny at RSAC. “At first, we ascribed positive intent. This is a brand-new user, and maybe we just got the wrong guy,” he added.</p>
<p>At the same time, the <a href="https://www.techtarget.com/searchsecurity/feature/SIEM-isnt-dead-its-place-in-the-SOC-is-just-evolving">SIEM</a> started generating scattered alerts on Roth’s activity, which included the following:</p>
<ul class="default-list">
<li>Downloaded files from a malicious Zoom site.</li>
<li>Attempted to connect to a third-party VPN.</li>
<li>Installed Jump Desktop software.</li>
<li>Loaded a streaming service.</li>
</ul>
<p>Taken individually and out of context — and without the heads-up from the threat intelligence feed — each alert could have amounted to little more than noise, according to Kirkwood. That’s when AI entered the chat.</p>
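<p>As an illustration of the context-driven triage this describes, here is an added Python example (not Exabeam’s or Nova’s code): it scores constructed alert records per user, weighting them for new-hire status, several distinct anomalies inside one 24-hour window, and a threat-intel match, so that individually noisy signals escalate only when the surrounding context agrees. The alert categories, weights, thresholds and usernames are assumptions chosen for the example.</p>

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Base weights: each signal is weak on its own ("little more than noise").
ALERT_WEIGHTS = {
    "download_from_flagged_domain": 2,  # e.g. files pulled from a fake Zoom site
    "third_party_vpn_attempt": 2,
    "remote_desktop_install": 2,        # e.g. a remote-access tool like Jump Desktop
    "streaming_service_loaded": 1,
}
NEW_HIRE_DAYS = 30  # a new account has no behavioral baseline yet
WINDOW = timedelta(hours=24)
Alert = namedtuple("Alert", "user category ts")

def triage(alerts, user, threat_intel_high_risk, hire_dates):
    """Score one user's alerts in context; return (verdict, score, reasons)."""
    mine = sorted((a for a in alerts if a.user == user), key=lambda a: a.ts)
    if not mine:
        return "monitor", 0.0, []
    # Correlate only alerts inside one 24-hour window ending at the latest alert.
    recent = [a for a in mine if a.ts >= mine[-1].ts - WINDOW]
    score = float(sum(ALERT_WEIGHTS.get(a.category, 1) for a in recent))
    reasons = [f"{len(recent)} alert(s) in window"]
    # New hires have no baseline, so the same behaviors weigh more.
    if mine[-1].ts - hire_dates[user] < timedelta(days=NEW_HIRE_DAYS):
        score *= 1.5
        reasons.append("new hire (no baseline)")
    # Several distinct anomalies together mean more than their sum.
    if len({a.category for a in recent}) >= 3:
        score += 2
        reasons.append("3+ distinct anomaly categories")
    # External context: the identity is linked to known threat-actor activity.
    if user in threat_intel_high_risk:
        score += 5
        reasons.append("threat-intel high-risk identity")
    verdict = "investigate" if score >= 10 else "review" if score >= 4 else "monitor"
    return verdict, score, reasons

# Constructed sample data (assumed usernames; not the article's telemetry).
T0 = datetime(2025, 7, 14, 9, 0)
SAMPLE_ALERTS = [
    Alert("newhire01", "download_from_flagged_domain", T0),
    Alert("newhire01", "third_party_vpn_attempt", T0 + timedelta(hours=1)),
    Alert("newhire01", "remote_desktop_install", T0 + timedelta(hours=2)),
    Alert("newhire01", "streaming_service_loaded", T0 + timedelta(hours=3)),
    Alert("veteran07", "streaming_service_loaded", T0 + timedelta(hours=3)),
]
HIRE_DATES = {"newhire01": T0, "veteran07": datetime(2019, 3, 1)}
TI_HIGH_RISK = {"newhire01"}
```

Running <code>triage(SAMPLE_ALERTS, "newhire01", TI_HIGH_RISK, HIRE_DATES)</code> escalates the new hire to "investigate", while the tenured user's lone streaming alert stays at "monitor".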
<p>Exabeam Nova, the organization’s investigative AI agent in the SOC, autonomously collected Roth’s scattered <a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases">user and entity behavior analytics</a> (UEBA) data and evaluated it in the context of his role and new-hire status. Deciding a full investigation was warranted, Nova then analyzed the user’s behavior and likely intent and presented human operators with its conclusion:</p>
<p>”The pattern of
[…]