Employee digital twin attacks will be a bigger problem than credential theft by 2027: report
TrendAI’s director of cybercrime research cautions against the threats to come, but encourages IT pros to see the benefits of EDTs in the workplace.
A lot can change in a year. A bad haircut can grow out, a fitness goal can become reality, or cyberattackers can realize the different ways to take advantage of employee digital twins (EDTs). One company believes the lattermost example isn’t hypothetical.
According to a new TrendAI report unveiled at RSAC on Wednesday, companies should expect malicious actors to compromise and abuse EDTs within the next 12 to 18 months. The kicker? Such attacks are expected to be worse than credential theft by the end of 2027 because unlike credentials, EDTs cannot be reset.
Like an onion. EDTs differ from AI assistants in that they are typically composed of four different components, which TrendAI describes as “layers”:
- Knowledge. The layer of an EDT that has access to an employee’s expertise, processes, and skills.
- Personality. The layer that understands an employee’s communication style and unique mannerisms.
- Mindset. The layer that helps EDTs emulate the decision-making skills and logic of their owners.
- Trust. The layer that shapes EDT relationships and interactions (e.g., knowing “whose ‘urgent request’ gets immediate action”).
Robert McArdle, TrendAI’s director of cybercrime research, told IT Brew that each layer presents unique advantages to attackers if they get hold of an EDT. For example, malicious actors can use the knowledge layer of an EDT to easily access company secrets.
“If you compromise the knowledge layer, as we call it, of an EDT who’s in the security team, you might have an understanding of, what are their best practices? How often do they run scans on the network?” McArdle said.
He added that attackers who compromise EDTs can use the personality layer to impersonate individuals much better, and leverage the trust layer to take advantage of employees. For example, a compromised EDT can be used to ask department leads to download a malicious patch update.
“If you’ve compromised the head of IT, and you say that to a whole bunch of heads of departments, they probably will do it because they trust the head of IT, and it’s coming from them, even though it’s a compromised digital twin,” McArdle said. Attackers can exploit the mindset layer of an EDT to make decisions and influence others under the guise of advice. McArdle said this is the most “critical” layer.
“Mindset is, essentially, how does this person make decisions?” McArdle said. “If you know how the CEO is going to make a decision based on the last 1,000 decisions that they’ve made, and that’s been encoded to save them time, you can predict what they do next.”
What to know before going 100% in on EDTs. TrendAI suggests companies prioritize having strong governance policies before deploying EDTs to combat incoming threats. That includes answering key questions such as who owns an employee digital twin and what types of data should be avoided when simulating an employee.
For companies that have already deployed EDTs, TrendAI suggests they conduct audits to see which twins exist and who has access to them, and test their incident response playbook. McArdle compared monitoring for abuse of EDTs to how insider threats are detected.
“In the case of an insider, you could imagine somebody who normally only logs in nine-to-five suddenly logging in at night time, they’re doing hundreds of requests for files in a short period of time, and so on,” McArdle said. “That’s the type of anomalous behavior that we would expect to see in an employee digital twin attack, as well.”
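The monitoring McArdle describes can be sketched as follows. This is an added example, not code from the TrendAI report or IT Brew: it flags a twin that acts outside nine-to-five hours or issues a burst of file requests. The event format, twin IDs, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, twin id, action). The log format,
# twin ids and thresholds below are assumptions, not from the TrendAI report.
SAMPLE_EVENTS = (
    [("2026-03-02T10:15:00", "edt-alice", "file_read"),
     ("2026-03-02T14:40:00", "edt-alice", "send_message"),
     ("2026-03-02T11:05:00", "edt-bob", "file_read")]
    # Burst at 02:00: 120 file reads, one every 2 seconds.
    + [((datetime(2026, 3, 3, 2, 0) + timedelta(seconds=2 * i)).isoformat(),
        "edt-bob", "file_read") for i in range(120)]
)

WORK_START, WORK_END = 9, 17          # baseline "nine-to-five" hours
BURST_LIMIT = 100                     # file requests allowed per window
BURST_WINDOW = timedelta(minutes=5)


def detect_anomalies(events):
    """Return {twin_id: set of reasons} for twins acting outside their baseline."""
    findings = defaultdict(set)
    recent_reads = defaultdict(deque)  # twin id -> timestamps inside the window
    for ts_text, twin, action in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if not WORK_START <= ts.hour < WORK_END:
            findings[twin].add("off_hours")
        if action == "file_read":
            window = recent_reads[twin]
            window.append(ts)
            # Drop reads that have aged out of the sliding window.
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) > BURST_LIMIT:
                findings[twin].add("file_burst")
    return dict(findings)


if __name__ == "__main__":
    for twin, reasons in detect_anomalies(SAMPLE_EVENTS).items():
        print(twin, sorted(reasons))
```

In practice the fixed working hours and request limit would be replaced by a per-twin baseline learned from that twin's own history.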
Don’t you worry, child. While TrendAI’s report highlighted some of the incoming threats associated with EDTs, McArdle said IT professionals should remember the many benefits EDTs can bring to organizations, and just proceed with caution.
“There’s a lot of amazing…benefits for, especially, the knowledge economy, with this type of skill coming on board,” McArdle said.
About the author
Brianna Monsanto
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.