From Application to Access: Detecting DPRK IT Workers Before They Become Insider Threats

Jesse Buonanno

BSides Seattle 2026 · Day 1 · Track 1

A security engineer presented a defensive framework for detecting and blocking DPRK (North Korean) IT worker infiltration attempts across the entire hiring lifecycle -- from initial application through interview to offer stage. The talk frames the DPRK IT worker problem as a kill chain: if defenders can detect and root out the threat actor at any stage before hire, the chain is broken before the actor ever gains insider access. The speaker walked through specific threat actor TTPs at each hiring stage and then laid out a layered detection architecture combining identity verification, composite scoring of weighted signals, anomaly detection, and human-in-the-loop decision-making for the cases the scoring cannot settle on its own.

AI review

A well-structured defensive engineering talk that treats DPRK IT worker detection as a kill chain problem with specific, implementable controls at each hiring stage. The composite scoring system with weighted signals, the breach-data-as-true-negative insight, and the keystroke heuristics from coding platforms show genuine detection engineering craft. Not offensive research, but solid blue team work with real operational value.
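To make the composite-scoring and human-in-the-loop design concrete, here is an added example in Python. It is not the speaker's code: the signal names, weights, thresholds and the three candidate records are assumptions constructed for illustration. The breach-data signal carries a negative weight to reflect the idea that an identity with years of breach history is unlikely to have been fabricated for this application, and a small keystroke heuristic derives anomaly signals from a constructed coding-platform event log before everything is combined into one score.

```python
"""Composite risk scoring for a hiring pipeline (illustrative, assumed design).

Signal names, weights, thresholds and sample data are assumptions, not the
speaker's production values.
"""
from __future__ import annotations

from dataclasses import dataclass

# Weighted signals (assumed). Positive weights raise risk, negative weights
# lower it. A long-lived identity that appears in old breach dumps is treated
# as evidence against a freshly fabricated persona, hence the negative weight.
WEIGHTS: dict[str, float] = {
    "id_doc_failed_liveness": 3.0,
    "resume_identity_mismatch": 2.5,
    "ip_in_vpn_or_proxy_range": 1.5,
    "phone_is_voip": 1.0,
    "coding_test_paste_burst": 2.0,
    "coding_test_typing_rate_implausible": 1.0,
    "identity_in_breach_data_older_than_5y": -2.0,
    "verified_employment_reference": -1.5,
}

# Signals that must never be washed out by negative-weight evidence: the
# candidate goes to a human reviewer at minimum. Assumed choice.
HARD_SIGNALS = {"id_doc_failed_liveness", "resume_identity_mismatch"}

REVIEW_THRESHOLD = 2.0  # assumed: at or above this, a human looks
HOLD_THRESHOLD = 5.0    # assumed: at or above this, the pipeline stops


@dataclass
class Decision:
    score: float
    contributing: list[tuple[str, float]]
    action: str  # "proceed", "human_review" or "hold"


def keystroke_signals(events: list[tuple[float, int]],
                      burst_chars: int = 200,
                      max_cps: float = 15.0) -> set[str]:
    """Derive anomaly signals from coding-platform edit events.

    events: (timestamp_seconds, chars_inserted) per edit event. Thresholds are
    assumptions: one event inserting burst_chars or more looks like a paste;
    an event of 40+ chars arriving faster than max_cps chars/second since the
    previous event is implausible for typed code.
    """
    found: set[str] = set()
    prev_t: float | None = None
    for t, n in events:
        if n >= burst_chars:
            found.add("coding_test_paste_burst")
        if prev_t is not None and n >= 40:
            dt = t - prev_t
            if dt <= 0 or n / dt > max_cps:
                found.add("coding_test_typing_rate_implausible")
        prev_t = t
    return found


def score_candidate(signals: set[str]) -> Decision:
    """Sum the weighted signals and map the score to a pipeline action."""
    unknown = signals - set(WEIGHTS)
    if unknown:  # fail loudly rather than silently scoring a new signal as 0
        raise ValueError(f"unweighted signals: {sorted(unknown)}")
    contributing = [(s, WEIGHTS[s]) for s in sorted(signals)]
    score = sum(w for _, w in contributing)
    if score >= HOLD_THRESHOLD:
        action = "hold"
    elif score >= REVIEW_THRESHOLD or signals & HARD_SIGNALS:
        action = "human_review"
    else:
        action = "proceed"
    return Decision(round(score, 2), contributing, action)


# Constructed candidate records: (static signals, keystroke events).
CANDIDATES: dict[str, tuple[set[str], list[tuple[float, int]]]] = {
    "A": ({"ip_in_vpn_or_proxy_range",
           "identity_in_breach_data_older_than_5y",
           "verified_employment_reference"},
          [(0.0, 4), (0.5, 5), (1.1, 3)]),
    "B": ({"resume_identity_mismatch"},
          [(0.0, 5), (0.4, 6), (0.9, 4), (1.5, 250), (3.0, 3)]),
    "C": ({"id_doc_failed_liveness",
           "identity_in_breach_data_older_than_5y",
           "verified_employment_reference"},
          [(0.0, 4), (0.6, 5)]),
}


def evaluate(name: str) -> Decision:
    static, events = CANDIDATES[name]
    return score_candidate(static | keystroke_signals(events))


if __name__ == "__main__":
    for name in CANDIDATES:
        d = evaluate(name)
        print(f"{name}: score={d.score} action={d.action} signals={d.contributing}")
```

Two design points matter more than the particular weights. Hard identity failures are routed to a human regardless of how much mitigating evidence accumulates, so a reference and a breach-history hit cannot cancel a failed liveness check on their own. And an unrecognised signal name raises instead of contributing zero, which keeps a renamed or newly added detector from silently dropping out of the score.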

Watch on YouTube