CTEM-INF-7 - Infected Employee Owned Device (3rd Party Business Use of Corporate Identity)

To be Completed

Documentation has not been completed. This page is a placeholder for future documentation.

An Infected Employee-Owned Device (3rd Party Business Use of Corporate Identity) is a compromised host that is not owned by the organization but appears to be leveraged by an employee to access third-party business services using their corporate identity. This type of infection poses a risk to corporate security, as it involves the use of corporate credentials on an unmanaged device to access external business platforms. For example, this could be evidenced by the host being used to access services such as acme.salesforce.com if the organization is Acme Inc.

Characteristics of an Infected Employee-Owned Device (3rd Party Business Use of Corporate Identity)

  • Non-Corporate Ownership: The device is owned by an employee and is not managed or controlled by the organization's IT department, making it difficult to ensure its security.
  • Third-Party Service Access: The device is used by the employee to access third-party business services, often requiring the use of corporate credentials, thereby potentially exposing sensitive information.
  • Established Persistence: The device has been compromised by attackers who have established persistence using methods like malware, trojans, or backdoors, enabling them to maintain control.

Common Methods of Discovery

Infected employee-owned devices used for third-party business services are typically discovered through:

  • Access Logs from Third-Party Services: Logs from third-party services may show evidence of access from a device that does not match known corporate devices, indicating a potential compromise.
  • Unusual Account Behavior: Suspicious or unusual activity detected in third-party accounts may indicate that the employee-owned device used to access those accounts has been compromised.
  • Threat Intelligence: Threat intelligence feeds may identify compromised credentials being used to access external business services, suggesting that the device has been infected.

Risks and Impact

The compromise of an employee-owned device used for third-party business purposes presents significant risks, including:

  • Credential Exposure: Corporate credentials used to access third-party services may be stolen, giving attackers access to sensitive business information or allowing them to impersonate the employee.
  • Third-Party Data Breach: Attackers may leverage the compromised device to access data stored in third-party services, resulting in potential data breaches or unauthorized data access.
  • Supply Chain Risk: Compromised access to third-party services could pose a risk to the entire business supply chain, potentially allowing attackers to move from third-party systems into other parts of the organization's environment.
  • Reputation Damage: A compromise involving third-party services can negatively impact the organization's relationship with external partners and customers.

Key Considerations for Threat Exposure Management

Managing infected employee-owned devices used for third-party business services requires a focus on monitoring, response, and employee guidance:

  • Access Policies and Controls: Limit the use of corporate credentials on unmanaged devices, especially for accessing third-party business services. Enforce policies to restrict access to sensitive information from non-corporate devices.
  • Monitoring and Detection: Implement monitoring of access logs for third-party services to detect suspicious activity and unauthorized access attempts. Alert employees when unusual access is detected.
  • Employee Education: Educate employees on the risks of using their corporate credentials on personal devices and provide best practices for securely accessing third-party business services.
  • Incident Response: Establish a clear incident response plan for when a compromised employee-owned device is detected. This should include isolating the device, revoking any compromised credentials, and assisting the employee in securing their device.
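The following Python is an added example, not part of this page or any CTEM tooling, showing the check behind both the Access Logs discovery method and the Monitoring and Detection item above: corporate identities that reach a third-party service from a device outside the managed inventory are flagged for triage. The log format, field names, device identifiers and the acme.example domain are constructed assumptions.

```python
import json
from dataclasses import dataclass

CORPORATE_DOMAIN = "acme.example"  # assumed corporate identity domain (hypothetical)
# Constructed inventory of device identifiers enrolled by the organization's IT department.
MANAGED_DEVICES = {"CORP-LT-0142", "CORP-LT-0377"}
# Constructed third-party service access log, one JSON event per line; field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "jdoe@acme.example", "device_id": "CORP-LT-0142", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T08:05:43Z", "user": "jdoe@acme.example", "device_id": "HOME-PC", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:11:02Z", "user": "asmith@acme.example", "device_id": "", "src_ip": "198.51.100.9"}
{"ts": "2024-05-01T09:30:00Z", "user": "partner@vendor.example", "device_id": "", "src_ip": "198.51.100.20"}
{"ts": "2024-05-01T09:41:15Z", "user": "asmith@acme.example", "device_id": "CORP-LT-0377", "src_ip": "203.0.113.11"}
"""

@dataclass
class Finding:
    user: str
    device_id: str
    src_ip: str
    reason: str

def parse_events(text: str) -> list[dict]:
    # Newline-delimited JSON; blank or malformed lines are skipped so one bad record does not stop the scan.
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_unmanaged_access(events: list[dict], managed: set[str]) -> list[Finding]:
    # Flag corporate identities used from a device that IT does not manage (missing or unknown identifier).
    findings = []
    for ev in events:
        user = ev.get("user", "")
        if not user.lower().endswith("@" + CORPORATE_DOMAIN):
            continue  # partner or customer identities are out of scope for this check
        device = ev.get("device_id") or ""
        if not device:
            reason = "no device identifier: client not enrolled in device management"
        elif device not in managed:
            reason = "device identifier not in managed inventory"
        else:
            continue
        findings.append(Finding(user, device, ev.get("src_ip", ""), reason))
    return findings
```

Each finding carries the identity, device and source address needed to revoke the user's sessions and credentials and to contact the employee about the device.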

Infected employee-owned devices used for third-party business purposes represent a risk to both corporate security and the integrity of third-party relationships. Effective threat exposure management should include proactive monitoring, strict access controls, and comprehensive employee education to reduce the risks associated with these devices.