
CTEM-INF-4 - Infected Employee Owned Device (Personal Use of Corporate Identity)

To be Completed

Documentation has not been completed. This page is a placeholder for future documentation.

An Infected Employee-Owned Device (Personal Use of Corporate Identity) is a compromised host owned by an employee on which a corporate identity (typically the corporate email address) has been used for personal activities only. In this case there is no direct indication that the device has been used to access corporate assets. For example, an employee of Acme Inc. may use their corporate email address (e.g., joe@acme.com) as the username for services like Netflix or Facebook; when the device is infected with an infostealer, the corporate address then appears in the stealer log next to those personal services, with no corporate URLs present. This scenario is less severe than an infection on a device that has reached corporate resources, but it carries an implied risk: the user may at some point use the same device to access corporate systems, and a password saved for a personal service may also be the one they use for corporate accounts.

Characteristics of an Infected Employee-Owned Device

  • Personal Ownership: The device is personally owned by the employee and is not managed by corporate IT. Security policies cannot be enforced on it and there is usually no endpoint telemetry from it, so the compromise is first seen from the outside rather than by internal monitoring.
  • Corporate Identity Usage: The employee uses their corporate email address or other corporate identifiers to register for personal accounts or services, exposing the corporate identity in environments the organization does not control.
  • Established Persistence: Attackers may have established persistence on the device, for example through infostealer malware or a remote access trojan, giving them ongoing access to whatever the user saves or types on it.

Common Methods of Discovery

Infected employee-owned devices used for personal activities are typically discovered through:

  • Stealer Log Posting: The employee's corporate email address may be found in stealer logs sold or shared on underground forums and marketplaces. Infostealer logs typically record, for each credential saved in the browser, the URL, the username and the password, together with a fingerprint of the infected machine. The distinguishing check for this case is that the corporate address appears only as the username for personal services (streaming, social media, shopping) and no corporate URL appears in the same log.
  • Cybercrime Forums: References to the compromised corporate identity may be found on cybercrime forums or other illicit channels, suggesting that a device on which it was used has been infected.
  • Botnet Activity: Evidence that the device is part of a botnet, such as its network identifiers appearing in sinkhole or command-and-control (C2) telemetry, may indicate that it is under an attacker's control.

Risks and Impact

The compromise of an employee-owned device used for personal activities presents risks that, while generally less severe than an infection with corporate access, are still significant:

  • Credential Exposure: Even if corporate resources are not directly accessed, the stealer log ties the corporate identity to a named person, a specific device and the personal services they use, which increases the risk of targeted phishing or social engineering. If the password saved for a personal service is also used for a corporate account, the exposure becomes a direct credential-stuffing risk against corporate logins.
  • Potential Future Exposure: The infected device may later be used by the employee to access corporate resources, for example webmail or a VPN portal, at which point the attacker's persistence on the device turns into access to corporate systems.
  • Implied Trust: A corporate email address attached to a personal account gives the attacker context (employer, role, colleagues, services in use) that makes pretexting more convincing, both against the employee and, using the employee's identity, against the organization.

Key Considerations for Threat Exposure Management

Managing infected employee-owned devices used for personal activities requires a focus on both prevention and monitoring:

  • User Awareness and Education: Educate employees about the risks of using corporate email addresses for personal services, and ask them to use personal email accounts, and distinct passwords, for non-work activities.
  • Monitoring and Detection: Monitor for corporate identities appearing outside corporate systems, for example the corporate email domain showing up in stealer logs or breach data. For each hit, distinguish between logs that contain only personal-service entries (this case) and logs that also contain corporate URLs (a more severe case to escalate). Alert the affected employee and take the necessary actions when such usage is identified.
  • Access Policy Review: Enforce policies that discourage or prevent employees from using corporate identities for personal purposes, thereby reducing the likelihood of exposure.
  • Proactive Remediation: If an infected device is identified, ensure that the user does not use that device to access corporate systems until it has been cleaned or reimaged, and reset any corporate password that may have been reused on the personal services found in the log.
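The following is an added triage example for the monitoring and remediation steps above; it is not code from the CTEM project or from any vendor tool. It parses stealer-log lines in a constructed, simplified format (machine_id|url|username|password, not the layout of any real stealer family), keeps only entries whose username is a corporate identity, and classifies each infected machine as the CTEM-INF-4 personal-use case or as a case to escalate when a corporate asset host appears in the same log. It also reports passwords reused across several hosts without ever writing the password itself into the finding. The Acme domains and the sample log lines are assumptions made for the example.

```python
"""Triage stealer-log lines for the CTEM-INF-4 case.

Added example for this page; not code from the CTEM project or any vendor.
The line format  machine_id|url|username|password  is a constructed
simplification, not the layout of any particular stealer family, and the
Acme Inc. domains below are assumptions.
"""
from urllib.parse import urlsplit

# Assumption: identity domain(s) that mark a username as a corporate identity.
CORPORATE_IDENTITY_DOMAINS = {"acme.com"}

# Assumption: domains of corporate assets. A saved credential for any of these
# means the device was used to reach corporate resources, which is a more
# severe case than CTEM-INF-4 and should be escalated.
CORPORATE_ASSET_DOMAINS = {"acme.com"}


def parse_line(line):
    """Split one constructed log line into (machine_id, url, username, password)."""
    parts = line.strip().split("|")
    if len(parts) != 4 or not all(parts):
        return None  # malformed line: skip rather than guess
    return tuple(parts)


def is_corporate_identity(username):
    """True when the username is an e-mail address in a corporate identity domain."""
    if "@" not in username:
        return False
    return username.rsplit("@", 1)[1].lower() in CORPORATE_IDENTITY_DOMAINS


def host_of(url):
    """Lower-cased hostname of a URL; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def is_corporate_asset(host):
    """True when the host is a corporate asset domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CORPORATE_ASSET_DOMAINS)


def triage(lines):
    """Group corporate-identity hits per infected machine and classify each one.

    Returns {machine_id: finding}. A finding never contains a password: reuse
    is reported as the hosts that share one, not the secret itself.
    """
    per_machine = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        machine_id, url, username, password = parsed
        if not is_corporate_identity(username):
            continue  # personal or third-party account on the same box: out of scope
        host = host_of(url)
        m = per_machine.setdefault(
            machine_id,
            {"identities": set(), "corporate": set(), "personal": set(), "pw_hosts": {}},
        )
        m["identities"].add(username.lower())
        (m["corporate"] if is_corporate_asset(host) else m["personal"]).add(host)
        m["pw_hosts"].setdefault(password, set()).add(host)

    findings = {}
    for machine_id, m in per_machine.items():
        reuse = sorted(sorted(hosts) for hosts in m["pw_hosts"].values() if len(hosts) > 1)
        findings[machine_id] = {
            "identities": sorted(m["identities"]),
            # No corporate host in the log: this is the CTEM-INF-4 case.
            "category": "escalate" if m["corporate"] else "CTEM-INF-4",
            "corporate_hosts": sorted(m["corporate"]),
            "personal_hosts": sorted(m["personal"]),
            "password_reuse": reuse,
            # Practitioner's judgment: a password reused across personal sites is
            # plausibly reused for corporate logins too, so advise a reset.
            "reset_advised": bool(reuse) or bool(m["corporate"]),
        }
    return findings


# Constructed sample log for the example (not real data).
SAMPLE_LOG = """\
MACHINE-7F3A|https://www.netflix.com/login|joe@acme.com|Winter2023!
MACHINE-7F3A|https://www.facebook.com/|joe@acme.com|Winter2023!
MACHINE-7F3A|https://store.steampowered.com/login|joe_gamer91|hunter2
MACHINE-7F3A|https://accounts.spotify.com/|joe@acme.com|spotify-only-pw
MACHINE-B201|https://mail.acme.com/owa/|ann@acme.com|Spring2024$
MACHINE-B201|https://www.instagram.com/|ann@acme.com|Spring2024$
MACHINE-C9E0|https://www.reddit.com/login|someone@example.org|qwerty
this line is malformed
"""

if __name__ == "__main__":
    for machine_id, f in triage(SAMPLE_LOG.splitlines()).items():
        print(machine_id, f["category"], f["identities"], f["corporate_hosts"], f["password_reuse"])
```

On the sample data, MACHINE-7F3A is the CTEM-INF-4 case (joe@acme.com on Netflix, Facebook and Spotify, no corporate host), with one password shared between Netflix and Facebook, which is why a reset is advised. MACHINE-B201 contains mail.acme.com and is escalated instead. The identity and asset domain sets are kept separate because an organization's login domain and its application domains often differ.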

Infected employee-owned devices used for personal activities underline the importance of maintaining a clear separation between corporate and personal identities. Effective threat exposure management should include proactive user education, policies that discourage the blending of personal and corporate usage, and continuous monitoring to mitigate potential risks.