DeepSec 2023 Talk: Using RPA to Simulate Insider Threats – Andrei Cotaie & Cristian Miron
In a world where trust is a currency and information is power, meet Jim, an innocent accountant with access to many financial secrets. When his dream promotion slips through his fingers, Jim crosses the line from hero to rogue, unleashing a hidden fury fuelled by betrayal.
Lacking any technical skills but armed with insider knowledge, he becomes the ultimate insider threat. He can steal data without a trace, eluding the watchful eyes of the very firm that underestimated him. As his colleagues celebrate their achievements, Jim orchestrates a daring heist of classified information, and the security tools can't detect him. He is the insider threat. Can he be caught as he relies on nothing more than ChatGPT and plain Google searches to grab and exfiltrate data from his company?
In a thrilling tale of vengeance and deception, witness how a master of numbers becomes a master of mayhem. This autumn, Jim unveils the dark side of insider knowledge. Prepare for his story as told at DeepSec Conference.
We asked Andrei and Cristian a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- RPA is not SOAR. RPA is not scripting. RPA is anything you want it to be.
- We are using real scenarios, where we leverage RPA to fully emulate a human on keyboard.
- We create a repeatable framework that can take dynamic input for links, folders, emails, content and so on.
- You can compare RPA with the Living off the Land concept. You have browser cookies there? Thanks, we’ll use those!
- We live in an AI and automation world. Attackers know that. Detection and simulations need to advance in that area as well.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Automation was always at our core. The first time we used our product for learning purposes and saw that it can leverage all the local privileges of the account the automation is running under, we knew we had hit a gold mine. From there we started to automate all kinds of things, from daily manual tasks to the fast automation processes needed during triage and incident response. And lately, to test our security posture.
Why do you think this is an important topic?
Since we are aware that attackers have started using AI models and are constantly updating their automation frameworks for malicious purposes, so should we from a blue-team/defender perspective. What better way to see how prepared we are against an insider threat than to simulate one head-to-toe, so to speak.
Is there something you want everybody to know – some good advice for our readers maybe?
We are both big Python fans because we have always searched for the best or easiest way to achieve our tasks. Well, right now, RPA makes that even simpler. Our general recommendation is to think outside the box and always progress as the technology does.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
With the rise of AI and LLM models, there is a high chance that script kiddies will achieve or automate their tool set to APT complexity levels. Imagine having your personal assistant telling you, based on the output of a command, what the best next action item is, what command to run, how to avoid detection, and what the next target should be.
Andrei Cotaie is a Security Engineer specialised in Incident Response. Currently working for UiPath's Security Operations Center, Andrei made the transition from the public to the private sector almost 9 years ago. A big fan of automation and a machine learning enthusiast, Andrei spends most of his time involved in monitoring, engineering and RPA security related projects, trying to take the automation of tedious security tasks such as incident response, acquisition and forensics to the next level.
Cristian Miron is a Security Engineer currently working for UiPath. His career in IT started 12 years ago, and for the past 8 years he has focused his attention on security. He has been passionate about automation ever since he realised that he can work more efficiently if his tasks are scripted: from handling data sets in phishing campaigns to closing alerts which don't need human interaction, everything should be done with a robot.