
Q&A: Exabeam Vice President on AI, Insider Threats, and the Changing Nature of Security and Trust

Teri Robinson

Jun 18, 2026

Artificial intelligence is transforming nearly every aspect of cybersecurity, including how organizations recruit talent, establish trust, and identify threats. At Infosec Europe, Exabeam revealed a real-world incident involving a North Korean operative who successfully navigated portions of the hiring process using AI-assisted tools, falsified documentation, and deepfake techniques.

Tech-Channels caught up with Steve Polovny, Vice President, AI Strategy & Security Research, at Exabeam and Findlay Whitelaw, cybersecurity strategist and researcher at the company, to discuss how threat actors are exploiting AI to bypass traditional controls, why behavioral analytics are becoming increasingly important, and how organizations must rethink trust in an era where identities, credentials, and documentation can be convincingly forged. The upshot? While AI can fake many things, behavior remains one of the most reliable indicators of intent.

Q: You’re here at Infosec Europe to discuss a security incident that occurred at your own company. What happened and how are threat actors using AI to infiltrate organizations?

SP: We are talking about an actual North Korean operative that managed to get hired at Exabeam last summer. This guy got through some of the interviewing process using some AI-assisted tools, some deep fakes, and some doctored documents to get into the organization. The candidate hired a local or maybe a remote stand-in, who spoke English, and was able to do an on-screen video interview. He was clearly using AI-assisted tools. These tools are getting better and better at assisting people at getting in the door. The third-party validation company checked his I-9 form and his driver's license. He had all the right documentation and was vetted and approved.

Q: What lessons can organizations learn from this incident?

SP: Look at documentation more carefully. The driver's license passed fine. But once we found out that there was malicious behavior and had fired the guy, the CSO sent me some of the documents. I zoomed in on the image, and it was clearly AI-generated. It was a deep fake of the driver's license. He also had faked his transcript, so it was an AI-generated transcript. We weren't able to connect with his references directly, and it turned out those were doctored as well. Part of the takeaway is, how do we go back and realize that there's more responsibility than just trusting third parties to vet these sources? We have to do a little bit more up front to make sure that they're not doctored as well.

Q: How is the insider threat landscape changing?

SP: I think the bigger message for organizations is how the insider threat has evolved from that of a traditional malicious insider into actors that are coming in through the vetting process with intent to cause harm. Now that's a massive shift. Once they're in, they are valid hires. They're legitimate. And they're given the resources like a laptop. They have the same kinds of behaviors as your normal insiders. They look less and less like malicious insiders because they've been hired legitimately. That's where the threat's evolving.

Q: Why is behavioral analysis becoming more important?

FW: You can fake identity. You can fake a CV. You can fake all of that. But you can't fake behavior. Especially over time. That is the key. The first 24 hours are probably critical. Normally in your first 24 hours of joining an organization, you're setting up your laptop. You're doing all the usual forms and so on and so forth. But this person wasn't. He was installing software. He was just jumping right into his business.

SP: Behavior can't be conveyed. What does a new starter typically do? What does your peer group typically do? That's where the deviation in anomalous behavior triggers. That focus on behavior is turning some of the security models on their ear, or away from how people have approached security in the past. For us, it's nothing new. It's what we've been doing for 15 years.

Q: Why are traditional detection methods becoming less effective?

SP: In this case, the new hire was not doing smoking gun kind of activities. What he was doing is putting in jump desk software. But then he was trying to clone the machine and shipping the laptop off somewhere. These are not things that traditional vendors are looking for. They're looking for exploitation signals. This guy is flying just enough under the radar. He might not stand out unless you're looking for normal behavior and anomalies against that. If an organization was chasing static detections and looking for the exploit behavior, the employee would have flown completely under the radar.

Q: It sounds like your malicious insider exploited hiring and onboarding processes and the levels that build trust. How is the notion of trust changing and what is AI’s impact likely to be?

SP: I think that the proliferation of AI is actually going to be the most beneficial thing for trust and antitrust. It's teaching us not to trust everything we see. My kids will go on Instagram, and they'll say, “That's AI,” even though it's not. It's the first time that these different generations are starting to not trust by default. They're seeing so much misinformation. It's fed to them all the time. That's a really powerful change. My hope is that it gives you a don't trust and validate mentality.

Q: How are AI agents changing behavioral security models?

SP: It's not always just about a human being anymore. Now we have AI and AI agents to deal with. They act exactly like human users do. It's not always going to be a human being. It might be an agent in this case. We have to treat those behaviors the same way and build a baseline of what normal looks like, look for deviations from that baseline. What a human can do, an agent can do at machine speed.

Q: What should organizations expect next?

SP: Adversaries are going to adapt. As they realize their activities are being quickly discovered, they're going to have to figure out how to fly more under the radar. So, expect their activities not to be as obvious. Expect them to learn how to achieve the intended effect without being so obvious in the first week or two of hiring.

Organizations can no longer rely solely on credentials, documentation, or identity verification as indicators of trust. AI has made it possible to convincingly fabricate resumes, references, transcripts, and even personal identities. As a result, behavioral analysis is emerging as a critical layer of defense. While identities can be forged and credentials manipulated, behavior remains much harder to fake—especially over time and at scale. The discussion underscores a broader industry transition from static indicators of compromise toward continuous analysis of user, entity, and agent behavior.

Perhaps the most important takeaway is that trust itself is evolving. In an AI-driven world, security teams must increasingly adopt a "trust but verify" mindset, validating not just who someone claims to be, but how they behave once they gain access. As AI-powered threats continue to mature, organizations that can identify abnormal behavior quickly and accurately will be best positioned to defend against the next generation of insider and identity-based attacks.
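
The peer-group comparison described in the interview (what a new starter typically does in the first 24 hours versus what this account did) can be sketched as follows. This is an added example, not Exabeam's detection logic or code from the interview; the action labels, thresholds, and event records are hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (user, hours since start date, action label).
# Action labels are hypothetical categories, not a real product's schema.
EVENTS = [
    ("peer_a", 1, "mfa_enroll"), ("peer_a", 2, "hr_form_submit"), ("peer_a", 5, "vpn_login"),
    ("peer_b", 1, "mfa_enroll"), ("peer_b", 3, "hr_form_submit"),
    ("peer_b", 30, "remote_access_install"),  # outside the window, not in the baseline
    ("peer_c", 2, "mfa_enroll"), ("peer_c", 4, "vpn_login"), ("peer_c", 6, "hr_form_submit"),
    ("peer_d", 1, "mfa_enroll"), ("peer_d", 2, "vpn_login"),
    ("new_hire", 1, "remote_access_install"), ("new_hire", 3, "disk_image_create"),
    ("new_hire", 4, "vpn_login"),
]
WINDOW_HOURS = 24  # the "first 24 hours" window from the interview


def first_day_actions(events, window=WINDOW_HOURS):
    """Map each user to the set of action types seen inside their first `window` hours."""
    seen = defaultdict(set)
    for user, hour, action in events:
        if hour < window:
            seen[user].add(action)
    return seen


def peer_deviations(events, subject, peers, rare=0.25, common=0.75):
    """Compare one account's first-day actions with a peer group of earlier new starters.

    unusual: actions the subject performed that at most `rare` of peers performed.
    missing: actions at least `common` of peers performed that the subject skipped.
    """
    if not peers:
        raise ValueError("peer group is empty; no baseline to compare against")
    seen = first_day_actions(events)

    def rate(action):
        # Fraction of peers who performed this action in the same window.
        return sum(action in seen[p] for p in peers) / len(peers)

    peer_actions = set().union(*(seen[p] for p in peers))
    unusual = sorted(a for a in seen[subject] if rate(a) <= rare)
    missing = sorted(a for a in peer_actions - seen[subject] if rate(a) >= common)
    return {"unusual": unusual, "missing": missing}


if __name__ == "__main__":
    print(peer_deviations(EVENTS, "new_hire", ["peer_a", "peer_b", "peer_c", "peer_d"]))
```

Neither list requires an exploit signature: the account stands out only because its first day differs from that of its peers, both in what it did and in the routine onboarding steps it skipped.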






