The threat is coming from inside the organization. It is coming from a laptop farm three states over, routed through a proxy, and operated by a threat actor sitting on the other side of the globe.
We are witnessing a massive shift in how adversaries breach organizations. They no longer need to spend weeks probing your external firewalls or crafting the perfect zero-day exploit. Instead, they simply update their resumes, pass your interview process, and your IT department ships them a corporate device.
The North Korean IT worker scheme represents a brilliant, but highly destructive evolution of the insider threat. Operatives are infiltrating hundreds of global organizations using a mix of artificial intelligence (AI), stolen identities, and domestic accomplices. Once inside, they act as Trojan horses, stealing intellectual property and channeling millions of dollars to hostile regimes.
Government agencies are acutely aware of this evolving risk. The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly highlighted the insider threat as a top strategic concern and has issued alerts and practical guidance for organizations of all sizes. CISA emphasizes holistic visibility and rapid detection, which unfortunately tend to be absent from most victims' security stacks.
To effectively defend against modern threats, security leaders need to look beyond traditional identity and endpoint controls. It’s paramount to enhance your existing security stack with a solution that provides deep, comprehensive visibility across all network traffic.
This post breaks down exactly how these fraudulent IT workers operate, the massive risks they introduce, and how network detection and response (NDR) helps you spot the ghosts in your machine before they can do damage.
The modern attack surface has expanded far beyond the traditional perimeter. Remote work, while unlocking global talent, has also created unexpected visibility gaps. Threat actors have perfectly weaponized these gaps to turn your hiring pipeline into an attack vector.
The infiltration process is a masterclass in social engineering and technical evasion. Operatives leverage stolen identities of citizens to apply for fully remote engineering and IT roles. They use generative AI to alter stock photos or create deepfake video personas that hold up during remote interviews. To your recruiters, the candidate looks, sounds, and codes like a highly qualified professional.
When you hire this candidate, you ship a corporate laptop to the address they provided. This is where the technical deception begins. The address belongs to a domestic accomplice operating a "laptop farm." This facilitator receives the device, powers it on, and connects it to the internet.
The overseas operative then accesses the corporate machine using an IP-based KVM (keyboard, video, mouse) device or unauthorized remote management software. To your identity provider, the user is logging in from a domestic IP address. To your endpoint detection and response (EDR) tools, an authorized user is performing approved tasks on a managed device, and device-posture checks pass because the machine really is the one you shipped.
What makes these insider schemes so effective is their reliance on “Living off the Land” (LoTL) techniques, using legitimate administrative tools already available in the environment to stay under the radar. Attackers may leverage utilities like PowerShell, WMI, RDP, or built-in remote administration features instead of custom malware. This approach enables them to blend with normal operations, helping to avoid both detection and suspicion.
The illusion is complete. The attacker has legitimate credentials, a trusted device, and full access to your internal ecosystem.
Treating this as a simple case of payroll fraud is a dangerous underestimation. These operatives are highly trained cyber espionage agents embedded directly within your engineering and IT teams.
Their primary directive is generating revenue to fund hostile activities and state-sponsored weapons programs. Industry data indicates these schemes generate hundreds of millions of dollars annually. They draw substantial salaries, routing the funds through complex cryptocurrency laundering networks.
However, the risk extends far beyond the stolen payroll. These insiders have legitimate access to your source code, customer databases, and proprietary algorithms. They routinely exfiltrate this highly sensitive data. Because they operate as trusted insiders, they can move data laterally across your environment with minimal friction. LoTL tools make this lateral movement even stealthier, allowing attackers to enumerate assets, dump credentials, and copy data, all with tools your administrators use every day.
When these workers face termination or discovery, they frequently pivot to outright extortion. They deploy ransomware, lock critical systems, and threaten to release the sensitive data they spent months quietly hoarding. You are not just paying an unearned salary; you are actively funding a threat actor who is mapping your network for future destruction.
Finding a fraudulent IT worker requires a fundamental shift in security philosophy. You cannot rely on the same tools that catch external script kiddies to catch state-sponsored insiders.
Traditional security logs and EDR fall short because they operate on the assumption that authenticated users are trustworthy. When a fraudulent worker accesses a database, the logs show an authorized engineer performing their job. When they install mouse-jiggler or keystroke-simulation tools to keep the session looking active, EDR might flag it as a low-priority policy violation rather than a critical indicator of compromise.
Identity and access management (IAM) tools also struggle here. The operative possesses the correct multi-factor authentication tokens. They have the right passwords. The domestic laptop farm provides an IP address that perfectly matches the user's supposed geographic location.
Compounding these limitations, attackers skilled in LoTL tactics can abuse legitimate command-line tools, scheduled tasks, and remote access utilities to perform reconnaissance, escalate privileges, and exfiltrate data, all while remaining virtually invisible to signature-based defenses. The abuse of built-in tools is now the status quo for advanced threat actors, making network visibility and behavior-based detections a necessity.
These adversaries operate entirely within the bounds of "normal" administrative behavior. They hide in plain sight, weaponizing your own trust against you. To catch them, you must analyze the one thing they cannot avoid generating: network traffic. Payloads can be encrypted, but the connection metadata (which host talked to which server, when, over which protocol, and how many bytes moved in each direction) is still visible to a sensor on the wire.
Sophisticated insider threats rarely appear as obvious malware or one-off security events. They blend seamlessly into sanctioned activities, making one-dimensional detection ineffective. Corelight addresses this with a multi-layered detection strategy mapped directly to insider TTPs (tactics, techniques, and procedures).
Insider data exfiltration, lateral movement, and C2 communications each have distinct fingerprints in network traffic. Motivated attackers may rotate domains to evade threat intel feeds and mutate payloads to bypass signatures, but their activities still generate network sessions (SMB, RDP, Kerberos, and DCE/RPC) that cannot be hidden from a sensor on the wire. Corelight Open NDR parses and analyzes dozens of protocols in real time and detects more than 100 TTPs. With behavioral detections, Corelight analyzes how sessions behave, not just the byte patterns they match.
Some examples of behaviors that could be part of an insider’s attack pattern, and that behavioral detection would surface, include:
Detecting routine mistakes and compromised accounts requires establishing a baseline of "normal" for every user, device, and application. Corelight’s anomaly detection automatically develops these baselines based on your environment, and then instantly flags when a user communicates over a protocol or with a server for the first time, or at unusual hours or data volumes. Rather than generating endless alerts for every deviation, Corelight’s Agentic Triage correlates anomalies with other detection layers, surfacing risks that matter and filtering out benign deviations. This is essential for rapidly surfacing an employee who is suddenly acting out of character, whether due to compromise or malicious intent.
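The baseline-and-deviation logic described above, reduced to its essentials as an added example (this is illustrative code, not Corelight's implementation). It reads Zeek-style conn.log records, learns which (service, server) pairs a host normally talks to, at which hours, and how much it normally sends, then flags a later record the first time the host reaches a new server over a new protocol, acts outside its usual hours, or sends far more than usual. All hosts, servers, timestamps and byte counts are constructed; the three-sigma volume rule and the hour-of-day rule are simplifying assumptions:

```python
"""Baselining example over Zeek-style conn.log records.

Added illustration, not Corelight's code. Hosts, servers, services and
timestamps are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def ts(day, hour):
    """Epoch seconds for 2024-03-<day> <hour>:00 UTC (constructed timestamps)."""
    return datetime(2024, 3, day, hour, tzinfo=timezone.utc).timestamp()


def conn(uid, day, hour, orig_h, resp_h, service, orig_bytes):
    """A minimal conn.log record using Zeek's field names."""
    return {"uid": uid, "ts": ts(day, hour), "id.orig_h": orig_h,
            "id.resp_h": resp_h, "service": service, "orig_bytes": orig_bytes}


# One engineer workstation over a normal week: ssh to the git server and
# TLS to the internal wiki, always during working hours.
BASELINE = [
    conn(f"B{day}-{hour}-{svc}", day, hour, "10.1.2.10", dst, svc, size)
    for day in range(4, 9)                 # Mon 4 Mar .. Fri 8 Mar 2024
    for hour in (9, 11, 13, 15, 17)
    for dst, svc, size in (("10.1.5.20", "ssh", 30_000), ("10.1.5.30", "ssl", 5_000))
]

# The following week: one normal session, one 02:00 SMB session to a file
# server the host has never spoken to, and one oversized upload to the wiki.
NEW = [
    conn("C1", 11, 11, "10.1.2.10", "10.1.5.20", "ssh", 28_000),
    conn("C2", 11, 2, "10.1.2.10", "10.1.9.40", "smb", 900_000_000),
    conn("C3", 11, 15, "10.1.2.10", "10.1.5.30", "ssl", 2_000_000),
]


def build_baseline(records):
    """Per source host: known (service, server) pairs, active hours, sent-byte sizes."""
    pairs, hours, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for r in records:
        h = r["id.orig_h"]
        pairs[h].add((r.get("service", "-"), r["id.resp_h"]))
        hours[h].add(datetime.fromtimestamp(r["ts"], tz=timezone.utc).hour)
        volumes[h].append(r.get("orig_bytes", 0))
    return {"pairs": pairs, "hours": hours, "volumes": volumes}


def score(record, baseline):
    """Return the list of deviations a single record shows against the baseline."""
    flags = []
    h = record["id.orig_h"]
    if (record.get("service", "-"), record["id.resp_h"]) not in baseline["pairs"].get(h, set()):
        flags.append("first_seen_pair")
    hour = datetime.fromtimestamp(record["ts"], tz=timezone.utc).hour
    if hour not in baseline["hours"].get(h, set()):
        flags.append("unusual_hour")
    vols = baseline["volumes"].get(h, [])
    if len(vols) >= 2:
        mean, sd = statistics.mean(vols), statistics.pstdev(vols)
        # Three-sigma rule (assumption); max(sd, 1) avoids a zero threshold.
        if record.get("orig_bytes", 0) > mean + 3 * max(sd, 1):
            flags.append("unusual_volume")
    return flags


def find_anomalies(baseline_records, new_records):
    """(uid, flags) for every new record that deviates from the learned baseline."""
    baseline = build_baseline(baseline_records)
    out = []
    for r in new_records:
        flags = score(r, baseline)
        if flags:
            out.append((r["uid"], flags))
    return out


if __name__ == "__main__":
    for uid, flags in find_anomalies(BASELINE, NEW):
        print(uid, ", ".join(flags))
```

In production the baseline would be learned per user and per device over a rolling window rather than a single week, and each flag here is only one signal; the point of correlating layers, as the paragraph above describes, is that C2 (new server, new protocol, 02:00, 900 MB out) stands out while C1 produces nothing at all.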
Even insiders, or those masquerading as them, ultimately reach out to the outside world. Corelight’s integrated Threat Intelligence module correlates high-fidelity IOCs (indicators of compromise) in both real time and retroactively. This allows rapid detection of:
Corelight’s IOC matching is anchored by deep network context, reducing false positives and ensuring that subtle insider behaviors aren’t drowned out by alert fatigue.
True data theft leaves quantitative clues. Corelight’s producer-consumer ratio models highlight disproportionate and directional data flows, such as a user or host suddenly pushing gigabytes to personal endpoints or staging locations. Flow records alone give you byte counts, but without the protocol, file, and identity context that Open NDR attaches, a flow record cannot tell you whether a large outbound transfer is a nightly backup or a staging upload.
As teams increasingly use SaaS and cloud storage, classic monitoring struggles to distinguish shadow IT from sanctioned workflows. Corelight distinguishes cloud exfiltration by monitoring outbound data volumes by hosts, and flagging transfers that exceed customized thresholds, such as substantial uploads to AWS S3 from endpoints with no business justification.
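The producer-consumer ratio and outbound-volume checks from the two paragraphs above, carried through as one added example (illustrative code, not Corelight's). PCR is (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes): -1 is a pure consumer such as a download, +1 a pure producer such as an upload. The code sums bytes per (source, destination, service) across Zeek-style conn.log flows, skips pairs on a sanctioned list (the "business justification" from the cloud paragraph), and reports the rest that are both strongly directional and above a volume floor. Hosts, byte counts, the sanctioned list and the 0.8 / 100 MiB thresholds are constructed assumptions; 203.0.113.40 is a documentation address standing in for an object-storage endpoint:

```python
"""Producer-consumer ratio (PCR) exfiltration check over conn.log-style flows.

Added illustration, not Corelight's implementation. All hosts and byte counts
are constructed; 203.0.113.40 is a TEST-NET-3 documentation address.
"""
from collections import defaultdict

MIB = 2 ** 20


def pcr(orig_bytes, resp_bytes):
    """Producer-consumer ratio in [-1, 1]; 0 for an empty flow."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def aggregate_pairs(records):
    """Sum bytes in each direction per (source, destination, service)."""
    totals = defaultdict(lambda: {"orig": 0, "resp": 0, "flows": 0})
    for r in records:
        t = totals[(r["id.orig_h"], r["id.resp_h"], r.get("service", "-"))]
        t["orig"] += r.get("orig_bytes", 0)
        t["resp"] += r.get("resp_bytes", 0)
        t["flows"] += 1
    return totals


def find_exfil_candidates(records, sanctioned, pcr_min=0.8, bytes_min=100 * MIB):
    """Directional, high-volume transfers to destinations not on the sanctioned list.

    `sanctioned` holds (src, dst) pairs that legitimately push data (backup jobs,
    CI artifact uploads). In production it would come from an asset inventory;
    the thresholds are assumptions for the example.
    """
    hits = []
    for (src, dst, svc), t in aggregate_pairs(records).items():
        if (src, dst) in sanctioned:
            continue
        ratio = pcr(t["orig"], t["resp"])
        if ratio >= pcr_min and t["orig"] >= bytes_min:
            hits.append({"src": src, "dst": dst, "service": svc, "flows": t["flows"],
                         "out_mib": round(t["orig"] / MIB, 1), "pcr": round(ratio, 3)})
    return sorted(hits, key=lambda h: h["out_mib"], reverse=True)


def flow(src, dst, svc, orig_bytes, resp_bytes):
    """Minimal conn.log record with Zeek field names."""
    return {"id.orig_h": src, "id.resp_h": dst, "service": svc,
            "orig_bytes": orig_bytes, "resp_bytes": resp_bytes}


# Constructed sample: ordinary browsing (consumer), a sanctioned backup push,
# and a workstation sending 3 GiB in twelve sessions to an external address.
SAMPLE = (
    [flow("10.1.2.10", "10.1.5.30", "ssl", 40_000, 2 * MIB) for _ in range(50)]
    + [flow("10.1.3.5", "10.1.3.9", "ssh", 20 * 1024 * MIB, 4 * MIB)]
    + [flow("10.1.2.10", "203.0.113.40", "ssl", 256 * MIB, 64_000) for _ in range(12)]
)
SANCTIONED = {("10.1.3.5", "10.1.3.9")}


if __name__ == "__main__":
    for h in find_exfil_candidates(SAMPLE, SANCTIONED):
        print(f"{h['src']} -> {h['dst']} ({h['service']}): "
              f"{h['out_mib']} MiB out over {h['flows']} flows, PCR {h['pcr']}")
```

The browsing traffic aggregates to a PCR near -0.96 and is never a candidate regardless of volume; the backup job is just as directional as the upload and is suppressed only because its pair is sanctioned, which is why the allowlist must be maintained from inventory rather than tuned away by analysts.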
DNS is a favorite covert exfiltration path and C2 channel for insiders because it masquerades as routine traffic. Corelight captures and analyzes every DNS query, detecting both the long, random-looking subdomain labels used in DNS tunneling and the high-entropy, rapidly changing domain names produced by domain generation algorithms (DGAs), which typically show up as bursts of NXDOMAIN responses. Corelight distinguishes legitimate from malicious use by inspecting the nature, rate, and structure of queries over time.
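The two DNS checks described above, as an added example (illustrative code, not Corelight's detection logic) run over Zeek-style dns.log records. For tunneling it groups queries by (source host, registered domain) and looks for many unique, long, high-entropy subdomain labels under one domain; for DGA activity it counts, per source host, the NXDOMAIN responses whose second-level label is long and high-entropy. The registered domain is taken as the last two labels, a simplification standing in for a public-suffix-list lookup; all hosts, thresholds and query names are constructed, using the reserved .example TLD:

```python
"""DNS tunneling and DGA heuristics over Zeek-style dns.log records.

Added illustration, not Corelight's code. Query names, hosts and thresholds are
constructed; registered_domain() is a deliberate simplification.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character of s; 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    """Last two labels (assumption: no public suffix list in this example)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname):
    """Everything left of the registered domain, or '' if there is nothing."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def detect_tunneling(records, min_unique=5, min_len=25, min_entropy=3.5):
    """(src, domain) pairs with many unique, long, random-looking subdomains."""
    subs = defaultdict(set)
    for r in records:
        sub = subdomain_part(r["query"])
        if sub:
            subs[(r["id.orig_h"], registered_domain(r["query"]))].add(sub)
    hits = []
    for (src, dom), labels in subs.items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(len(s) for s in labels) / len(labels)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in labels) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            hits.append({"src": src, "domain": dom, "unique_subdomains": len(labels),
                         "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)})
    return hits


def detect_dga(records, min_nx=5, min_len=10, min_entropy=3.0):
    """Sources producing many NXDOMAIN answers for long, high-entropy domains."""
    slds = defaultdict(set)
    for r in records:
        if r.get("rcode_name") != "NXDOMAIN":
            continue
        sld = registered_domain(r["query"]).split(".")[0]
        if len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            slds[r["id.orig_h"]].add(sld)
    return [{"src": s, "nxdomain_high_entropy": len(d)}
            for s, d in slds.items() if len(d) >= min_nx]


def dns(src, query, rcode="NOERROR"):
    return {"id.orig_h": src, "query": query, "rcode_name": rcode}


# Constructed sample: a normal host, a host tunneling data out through long
# labels under one domain, and a host cycling through DGA-style names.
DNS_SAMPLE = (
    [dns("10.1.2.10", q) for q in ("www.corp.example", "mail.corp.example",
                                   "wiki.corp.example", "www.corp.example")]
    + [dns("10.1.2.10", "wiiki.corp.example", "NXDOMAIN")]     # a typo, not DGA
    + [dns("10.1.2.11", f"{label}.tunnel.example") for label in (
        "ge3lqv5ximjcekrtoaq7d2wp6ybnmzf4", "nz7pfa2kqwbx4ymcdr5ejvl3tgh6so2i",
        "bm6ryqtc3wjvzl7dhxk2poe5nag4fsiu", "vk4ajwz6qbyt7nmp3drxcs2lfeg5hoiu",
        "qt2hw7lzb5xvfrnp6kjm3dacey4gsoiu", "xc5fmrz3vqnj7ybtkw2pdl6hgae4sou3",
        "jr7dsk3nzq5vpxwa2lmtcyf6bhe4gouq", "ws6qlpz2nvmjf7bcrdk3tyxa5eh4guio")]
    + [dns("10.1.2.12", f"{sld}.example", "NXDOMAIN") for sld in (
        "xkq7vbmeuzpw", "qzt8jnhf3ylv", "bwn4rtkcxmpd",
        "hzp9ldvqsenr", "tvg2xkmrjyqb", "mnf6wsdzpcrl")]
)


if __name__ == "__main__":
    print("tunneling:", detect_tunneling(DNS_SAMPLE))
    print("dga:", detect_dga(DNS_SAMPLE))
```

Rate matters as much as shape: a single long label under a CDN domain is not a tunnel, which is why the tunneling check requires several unique labels per (host, domain) before it fires, and why a single NXDOMAIN typo from the normal host does not count toward the DGA threshold.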
Most vendor “AI” aids analysts; Corelight goes a step further with Agentic Triage, an autonomous system that not only investigates and correlates alerts but also renders a disposition (benign, confirmed threat, or escalate). For insider investigations, often the most time-consuming incidents due to the need to contextualize weeks of behavior across multiple protocols, this feature has demonstrated a reduction in triage times from 90 minutes to under five. Analysts gain a complete forensic timeline, recommended actions, and the context required to make principled, defensible decisions at speed.
While threat actors can steal identities and trick endpoint agents, they cannot avoid generating packets. Every action they take produces network traffic. This is where Corelight's network detection and response (NDR) transforms your defensive posture.
Corelight provides the unvarnished ground truth of your environment. We give you deep, widespread visibility across all network traffic, regardless of its source. By capturing comprehensive network evidence, you gain the power to spot the subtle behavioral anomalies that expose fraudulent insiders, even those leveraging advanced LoTL techniques.
Once onboarded, these operatives quietly map your network. They scan for open ports, probe internal databases, and attempt to escalate privileges. Corelight illuminates this lateral movement. We provide continuous visibility into internal traffic, allowing your security team to see exactly when an engineer in one department suddenly begins polling sensitive human resources servers or finance directories. LoTL-based lateral movement, such as the suspicious use of net.exe, WMI, or scheduled tasks to spread through your environment, still leaves traces at the network layer: net.exe and remote scheduled-task creation ride on SMB and DCE/RPC, and remote WMI on DCE/RPC. Corelight detects and correlates those sessions.
Before an operative leaves, they steal data. They might try to bypass your data loss prevention tools by slowly dripping files to personal cloud storage or encrypting payloads in DNS requests. Corelight monitors the volume, frequency, and destination of all outbound data, and looks for anomalous transfers of data. The platform empowers you to detect and halt exfiltration in real time, long before your intellectual property ends up on the dark web, even when attackers attempt to use common administrative protocols as covert exfiltration channels.
The modern network has evolved into a vast, borderless ecosystem. You can no longer afford to assume that every authenticated user has your best interests at heart. The rise of the fake IT worker, and the attacker’s mastery of LoTL tactics, prove that adversaries are bypassing the perimeter entirely.
You have the capability to stop them, but you need the right tools. Implementing a modern NDR platform is more than just acquiring a tactical tool; it is a fundamental shift in security philosophy. It is a commitment to absolute visibility and proactive defense, principles directly aligned with CISA’s recommendations for building resilience against today’s most pernicious threats.
Do not wait for a massive data leak or an extortion demand to realize your newest hire is a state-sponsored operative. Empower your security operations center with the comprehensive network evidence they need to hunt down anomalies, investigate suspicious behavior, and evict threat actors.
Take the blinders off your security team. Deploy Corelight Open NDR and gain the ground truth required to identify, disrupt, and defeat the modern insider threat.
To learn more about combating insider threats with Corelight, download our whitepaper.