- ID: DT147
- Created: 20th October 2025
- Updated: 20th October 2025
- Platforms: macOS, Linux, Windows
- Contributor: Ryan Bellows
Endpoint Network Access Agent Telemetry Monitoring
Leverage telemetry produced by Endpoint Network Access Agents (such as Zscaler Client Connector or Cisco AnyConnect Secure Mobility Client) to detect network-layer evasion attempts, obfuscation behaviors, or deviations from expected usage patterns in hybrid and remote environments.
Detection Methods:
- Per-Session Telemetry Analysis: Collect detailed logs of outbound destination IPs, domain names, protocols, and session metadata from the agent. Correlate with identity logs to validate that the subject's traffic aligns with role-based expectations.
- Geographic and Network Mismatch: Detect inconsistencies between the subject's geolocation (derived from the source address recorded in agent logs) and their declared work location, or access to anomalous infrastructure (e.g., Tor exit nodes, commercial VPN providers) during active sessions. Treat IP-derived geolocation as a lead rather than proof: mobile carrier and carrier-grade NAT address space is frequently mislocated, so confirm against identity-provider sign-in location and device context before escalating.
- Split-Tunnel Indicators: Analyze whether only partial traffic is visible in agent logs. Absence of destinations every managed endpoint should reach (e.g., productivity platforms, update services) may indicate concurrent use of a secondary tunnel outside agent visibility. Baseline this against the deployed agent policy first: most deployments deliberately exclude some traffic (e.g., voice and video bypass lists), and those sanctioned exclusions must not be counted as missing.
- Extension-Specific Access Patterns: Identify repeated access to known VPN browser extensions or proxy service endpoints from within the inspected agent traffic, suggesting circumvention efforts within the tunnel.
- Traffic Timing Correlation: Compare network activity timestamps from the agent with endpoint activity logs (e.g., EDR or system audit logs). Large gaps may indicate periods of disconnection, traffic redirection, or uninspected activity.
- Policy Bypass Attempts: Monitor for failed or repeated attempts to reach restricted domains, use unauthorized ports, or alter routing behavior as captured in agent logs. These may indicate probing or manipulation of enforcement boundaries.
This detection approach assumes full deployment and telemetry integration of the access agent, enabling fine-grained monitoring of network obfuscation behaviors even in decentralized, off-corporate-network scenarios.
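The following is an added example of the detection methods above run over agent telemetry; it is not code from this page, from Zscaler, or from Cisco. The record schema (one JSON object per session with `ts`, `user`, `src_country`, `dst`, `dst_ip`, `port`, `action`), the reference lists (declared work locations, anonymiser exits, VPN-extension hosts, baseline destinations) and the thresholds are all constructed assumptions; a real deployment would map the vendor's export to that schema and source the lists from HR data and threat intelligence. The EDR heartbeats are likewise constructed so that the timing-correlation rule has something to correlate against.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Reference data: all constructed assumptions for this example, not real feeds.
DECLARED_LOCATION = {"alice": "GB", "bob": "US"}            # HR-declared work country
ANONYMISER_EXITS = {"185.220.101.5", "45.83.91.10"}          # stand-in Tor/commercial-VPN exit list
VPN_EXTENSION_HOSTS = {"hola.org", "browsec.com", "zenmate.com"}
EXPECTED_BASELINE = {"outlook.office365.com", "ctldl.windowsupdate.com"}  # every managed endpoint reaches these
BLOCK_THRESHOLD = 3                   # repeated blocks to one destination -> probing
GAP_THRESHOLD = timedelta(hours=2)    # agent silence longer than this while EDR is alive

# Constructed agent session log (one JSON object per line). The field names are an
# assumed normalised schema; map your agent's export to it before running.
AGENT_LOG = """\
{"ts":"2025-10-20T08:00:10Z","user":"alice","src_country":"GB","dst":"outlook.office365.com","dst_ip":"52.96.0.1","port":443,"action":"allow"}
{"ts":"2025-10-20T08:05:00Z","user":"alice","src_country":"GB","dst":"ctldl.windowsupdate.com","dst_ip":"13.107.4.50","port":443,"action":"allow"}
{"ts":"2025-10-20T09:00:00Z","user":"bob","src_country":"RU","dst":"hola.org","dst_ip":"104.16.1.1","port":443,"action":"allow"}
{"ts":"2025-10-20T09:01:00Z","user":"bob","src_country":"RU","dst":"185.220.101.5","dst_ip":"185.220.101.5","port":9001,"action":"allow"}
{"ts":"2025-10-20T09:02:00Z","user":"bob","src_country":"RU","dst":"pastebin.com","dst_ip":"104.20.0.1","port":443,"action":"block"}
{"ts":"2025-10-20T09:02:30Z","user":"bob","src_country":"RU","dst":"pastebin.com","dst_ip":"104.20.0.1","port":443,"action":"block"}
{"ts":"2025-10-20T09:03:00Z","user":"bob","src_country":"RU","dst":"pastebin.com","dst_ip":"104.20.0.1","port":443,"action":"block"}
{"ts":"2025-10-20T13:30:00Z","user":"bob","src_country":"RU","dst":"outlook.office365.com","dst_ip":"52.96.0.1","port":443,"action":"allow"}
"""

# Constructed EDR heartbeats: the host was up, so agent silence is not just "laptop closed".
EDR_HEARTBEATS = {
    "alice": ["2025-10-20T08:00:00Z", "2025-10-20T09:00:00Z"],
    "bob": ["2025-10-20T09:00:00Z", "2025-10-20T10:00:00Z", "2025-10-20T11:00:00Z",
            "2025-10-20T12:00:00Z", "2025-10-20T13:00:00Z"],
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = _ts(r["ts"])
    return sorted(recs, key=lambda r: r["ts"])


def agent_gaps(recs, heartbeats):
    """Gaps between consecutive agent sessions longer than GAP_THRESHOLD during which
    EDR still heard from the host (traffic redirected or tunnel dropped, not powered off)."""
    beats = [_ts(h) for h in heartbeats]
    gaps = []
    for a, b in zip(recs, recs[1:]):
        if b["ts"] - a["ts"] > GAP_THRESHOLD and any(a["ts"] < h < b["ts"] for h in beats):
            gaps.append((a["ts"].isoformat(), b["ts"].isoformat()))
    return gaps


def detect(log_text, heartbeats, declared):
    """Apply the DT147 methods per user; returns {user: [finding tuples]}."""
    by_user = defaultdict(list)
    for r in parse_log(log_text):
        by_user[r["user"]].append(r)

    findings = {}
    for user, recs in by_user.items():
        f = findings[user] = []
        # 1. Geographic mismatch against declared work location (IP geolocation is a lead, not proof)
        unexpected = {r["src_country"] for r in recs} - {declared.get(user)}
        if unexpected:
            f.append(("geo_mismatch", sorted(unexpected)))
        # 2. Anonymiser exits or VPN-extension service hosts reached inside the inspected tunnel
        for r in recs:
            if r["dst_ip"] in ANONYMISER_EXITS:
                f.append(("anonymiser_exit", r["dst_ip"]))
            if r["dst"] in VPN_EXTENSION_HOSTS:
                f.append(("vpn_extension_host", r["dst"]))
        # 3. Split-tunnel indicator: baseline destinations never seen through the agent
        missing = EXPECTED_BASELINE - {r["dst"] for r in recs}
        if missing:
            f.append(("baseline_missing", sorted(missing)))
        # 4. Policy-bypass probing: repeated blocked attempts to one destination
        blocks = defaultdict(int)
        for r in recs:
            if r["action"] == "block":
                blocks[r["dst"]] += 1
        f.extend(("repeated_block", d, n) for d, n in blocks.items() if n >= BLOCK_THRESHOLD)
        # 5. Timing correlation: agent silent while EDR heartbeats prove the host was alive
        f.extend(("agent_gap", s, e) for s, e in agent_gaps(recs, heartbeats.get(user, [])))
    return findings


if __name__ == "__main__":
    for user, fs in detect(AGENT_LOG, EDR_HEARTBEATS, DECLARED_LOCATION).items():
        print(user, fs)
```

On the constructed input, `alice` produces no findings while `bob` trips every rule: a source country outside the declared one, a VPN-extension host and a listed exit reached through the tunnel, a baseline destination never observed, three blocked attempts to the same host, and a four-hour agent gap during which EDR was still reporting. In production the rules should be scored and combined rather than alerted on individually; a single `baseline_missing` on its own is usually a policy exclusion, not a second tunnel.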
Sections
| ID | Name | Description |
|---|---|---|
| IF035 | Unauthorized Work Location | A subject performs work-related activities from a location or jurisdiction that is not approved by the organization, in violation of policy, contractual restrictions, or regulatory requirements.
This behavior includes remote work conducted outside authorized geographic boundaries, the use of undisclosed travel locations, or deliberate concealment of true working location through technical means. Unauthorized work location infringements introduce material risk across legal, regulatory, data protection, and operational domains. These risks include unlawful data transfer across jurisdictions, breach of client or government restrictions, tax and employment violations, and exposure of corporate systems to untrusted environments.
Unauthorized work location activity is often initially perceived as low-severity or convenience-driven. However, in practice it represents a critical control failure, particularly in organizations with geo-restrictions, data residency obligations, or sensitive access environments. Left unchallenged, this behavior can contribute to Behavioral Drift, where location-based controls are progressively disregarded across the organization's population.
This section captures all forms of location-based policy infringement, whether deliberate (concealment, evasion) or negligent (failure to disclose travel). |
| AF029.004 | Switching to Unmonitored Networks | The subject intentionally disconnects from monitored corporate networks (such as managed Ethernet, enterprise Wi-Fi, or secure VPN tunnels) and reconnects using alternative, unmonitored connectivity options. This may include switching to a guest Wi-Fi network, tethering through a personal mobile hotspot, or leveraging an unmanaged residential or public access point.
By exiting the boundaries of controlled infrastructure, the subject avoids endpoint-level inspection, network logging, and identity-based access enforcement. This maneuver is particularly effective in environments where endpoint telemetry is only collected while connected to corporate networks or VPN channels. In such cases, activity conducted over unmonitored networks leaves no observable trace in central logging systems, severely degrading investigative visibility.
This behavior is commonly paired with additional anti-forensics techniques (such as unauthorized VPN use, encrypted transfer protocols, or private browsing) to further frustrate detection. The deliberate choice to operate from unmonitored networks signals a clear intent to conceal operational activity and evade forensic scrutiny. |
| AF029.003 | Use of Browser-Based VPN Extensions | The subject installs and activates browser-based VPN or proxy extensions (such as Hola VPN, Browsec, or ZenMate) to anonymize specific web activity while avoiding host-level detection or access restrictions. These lightweight tools require no administrative privileges and often evade traditional endpoint controls, allowing subjects to selectively obscure browsing sessions, bypass content filtering, or access external services undetected.
Unlike full-system VPN clients, browser-based VPNs operate at the application layer, making them more difficult to inventory, log, or control using conventional network or endpoint defenses. Their use complicates investigative visibility into user intent, session content, and destination domains, particularly when paired with HTTPS encryption or private browsing modes. This technique represents a form of network anti-forensics intended to obscure subject behavior with minimal system footprint or oversight. |
| AF029.002 | Unauthorized VPN Usage | The subject deliberately uses Virtual Private Network (VPN) technology in a manner that circumvents organizational oversight, masking the nature, destination, or content of network activity. This includes installing unapproved VPN clients, as well as reconfiguring sanctioned VPN software to route traffic through unauthorized exit nodes, personal infrastructure, or third-party services not governed by corporate policy.
By diverting traffic away from monitored pathways, the subject obstructs standard telemetry collection - evading logging of session destinations, data transfers, or identity-bound usage. This behavior frustrates forensic reconstruction, hinders real-time monitoring, and degrades the reliability of investigative artifacts. Unauthorized VPN usage is an intentional anti-forensics measure aimed at concealing potentially harmful activity behind layers of encrypted and unsanctioned transit. |
| AF029.001 | Browser or System Proxy Configuration | A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.
By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries. While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.
Technical Method: Both browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:
Once defined, the behavior is as follows:
Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.
This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts. |
| PR018.008 | Bypassing Network Segmentation | A subject bypasses logical or physical network segmentation controls (such as VLANs, ACLs, security groups, or subnets) in order to obtain unauthorized access to systems, services, or data across trust boundaries. This preparation technique commonly manifests through deliberate configuration changes (e.g., modifying ACLs or VLAN assignments), covert tunneling (e.g., SSH, HTTPS reverse tunnels), rogue device introduction (e.g., unmanaged switches or dual-homed devices), or misuse of trusted services (e.g., remote access platforms or admin automation tools that bridge zones).
Such actions are often observable via first-time or anomalous cross-segment flows, management plane configuration logs, 802.1X/NAC anomalies, or long-lived encrypted outbound sessions. These techniques typically exploit privileged access, weak change control, or poor posture enforcement.
This behaviour may be motivated by a subject’s attempt to escalate access, stage data for exfiltration, evade oversight, or maintain persistence across environments. It is especially critical in environments with sensitive zoning, such as production-to-dev separations, cloud VPC peerings, or physically segmented OT/ICS networks.
Investigators should prioritize telemetry correlation across NetFlow/IP Flow Information Export (IPFIX), EDR, DHCP, and identity systems to attribute cross-zone traffic to known assets and subjects. Preserve infrastructure configuration snapshots and identify whether segmentation was circumvented by direct administrative action, covert bridging, or software-level tunnelling. |
| IF035.001 | Undeclared International Remote Work | The subject performs work-related duties from a foreign jurisdiction without notifying or obtaining approval from the organization, in violation of defined location, legal, or contractual requirements.
This behavior commonly occurs when a subject travels internationally and continues to access corporate systems while physically located outside their approved working jurisdiction. In many cases, the subject does not disclose the travel, preventing the organization from applying appropriate legal, regulatory, and security controls.
A frequently observed variant involves annual leave extension abuse, where the subject initially travels abroad under approved leave but remains in that jurisdiction beyond the authorized leave period and resumes work remotely without declaration. In this scenario, the subject transitions from compliant absence to unauthorized international working, often assuming the original approval implicitly extends to remote work activity.
Undeclared international remote work introduces material risk, including:
This behavior is often rationalized by the subject as low impact or temporary. However, it represents a failure of governance and visibility over where sensitive systems are being accessed. In regulated environments, even short periods of undeclared international access may constitute a compliance breach.
If repeated or unchallenged, this behavior may contribute to Behavioral Drift, where undeclared cross-border working becomes normalized within teams or functions. |
| IF035.002 | Work from Prohibited or High-Risk Jurisdictions | The subject performs work-related activities from a jurisdiction explicitly prohibited or classified as high-risk by the organization, in violation of policy, regulatory obligations, or contractual restrictions.
These jurisdictions are typically defined based on legal, regulatory, geopolitical, or security considerations. This includes sanctioned countries, regions subject to export control restrictions, locations with elevated cyber threat activity, or jurisdictions where data access is restricted due to sovereignty or client requirements.
Unlike general undeclared international remote work, this behavior involves access from locations where work is explicitly disallowed, regardless of disclosure. Even where the subject has notified the organization of travel, performing work from these jurisdictions constitutes a direct infringement due to the inherent risk profile.
Operating from prohibited or high-risk jurisdictions introduces severe exposure, including:
In some cases, subjects may knowingly disregard restrictions due to convenience or personal circumstances. In more serious scenarios, this behavior may indicate coercion exposure, or deliberate or inadvertent data exfiltration to a third-party.
This sub-section represents a high-severity infringement category, as the risk is intrinsic to the location itself, not just the lack of approval. |
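The AF029.001 row above notes that proxy settings can live in user interfaces, system preferences, environment variables or preference files. The following is an added example, not code from this page or from any vendor, of auditing those artifacts once a collector (an EDR script, osquery, or similar; the collection step itself is outside the example) has pulled them from a host. It checks four real locations: proxy environment variables, the WinINET values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, the output of `scutil --proxy` on macOS, and Firefox's `prefs.js` `network.proxy.*` keys. The approved-proxy allowlist and all sample artifacts are constructed assumptions.

```python
import re

APPROVED_PROXIES = {"proxy.corp.example:8080"}     # assumption: the one sanctioned egress proxy
PROXY_ENV_VARS = {"http_proxy", "https_proxy", "all_proxy"}

# Constructed artifacts, as a collector would hand them back from one endpoint.
SAMPLE_ENV = {"HTTPS_PROXY": "http://proxy.corp.example:8080",
              "ALL_PROXY": "socks5://203.0.113.7:1080", "PATH": "/usr/bin"}
SAMPLE_REGISTRY = {  # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    "ProxyEnable": 1,
    "ProxyServer": "http=proxy.corp.example:8080;https=203.0.113.7:3128",
    "AutoConfigURL": "",
}
SAMPLE_SCUTIL = """<dictionary> {
  HTTPEnable : 1
  HTTPPort : 3128
  HTTPProxy : 203.0.113.7
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 0
  SOCKSEnable : 0
}"""
SAMPLE_PREFS = """user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "proxy.corp.example");
user_pref("network.proxy.ssl_port", 8080);
"""


def host_port(value):
    """Normalise 'scheme://user:pw@host:port/' or 'host:port' to 'host:port'."""
    value = re.sub(r"^\w+://", "", value.strip())
    return value.rsplit("@", 1)[-1].rstrip("/").lower()


def check(source, target):
    """One finding per configured proxy that is not on the approved list."""
    hp = host_port(target)
    return [] if hp in APPROVED_PROXIES else [(source, hp)]


def audit_env(env):
    """Environment variables honoured by curl, pip, git and most CLI tooling."""
    out = []
    for name, value in env.items():
        if name.lower() in PROXY_ENV_VARS and value:
            out += check(f"env:{name}", value)
    return out


def audit_windows_internet_settings(values):
    """WinINET settings used by Edge/Chrome ('system proxy') and many Windows apps."""
    out = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        for part in values["ProxyServer"].split(";"):       # 'h:p' or 'http=h:p;https=h:p'
            out += check("registry:ProxyServer", part.split("=", 1)[-1])
    if values.get("AutoConfigURL"):                          # a PAC file routes per host; always review
        out.append(("registry:AutoConfigURL", values["AutoConfigURL"]))
    return out


def audit_scutil(text):
    """Output of `scutil --proxy` on macOS (system-wide proxy state)."""
    kv = dict(re.findall(r"^\s*(\w+)\s*:\s*(.+?)\s*$", text, re.M))
    out = []
    for proto in ("HTTP", "HTTPS", "SOCKS"):
        host, port = kv.get(f"{proto}Proxy"), kv.get(f"{proto}Port")
        if kv.get(f"{proto}Enable") == "1" and host:
            out += check(f"scutil:{proto}", f"{host}:{port}" if port else host)
    if kv.get("ProxyAutoConfigEnable") == "1":
        out.append(("scutil:PAC", kv.get("ProxyAutoConfigURLString", "")))
    return out


def audit_firefox_prefs(text):
    """Firefox keeps its own proxy settings in prefs.js, independent of the system proxy."""
    prefs = {k: v.strip('"') for k, v in re.findall(r'user_pref\("([^"]+)",\s*(.+?)\);', text)}
    ptype = prefs.get("network.proxy.type", "5")   # 5 = use system settings (assumed default)
    out = []
    if ptype == "1":                                # manual configuration
        for proto in ("http", "ssl", "socks"):
            host, port = prefs.get(f"network.proxy.{proto}"), prefs.get(f"network.proxy.{proto}_port")
            if host:
                out += check(f"firefox:{proto}", f"{host}:{port}" if port else host)
    elif ptype == "2":                              # PAC URL
        out.append(("firefox:autoconfig_url", prefs.get("network.proxy.autoconfig_url", "")))
    elif ptype == "4":                              # WPAD auto-detect
        out.append(("firefox:wpad", "auto-detect"))
    return out


def audit_all(env, registry, scutil_text, prefs_text):
    return (audit_env(env) + audit_windows_internet_settings(registry)
            + audit_scutil(scutil_text) + audit_firefox_prefs(prefs_text))


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ENV, SAMPLE_REGISTRY, SAMPLE_SCUTIL, SAMPLE_PREFS):
        print(*finding)
```

On the sample artifacts the sanctioned proxy is silently accepted wherever it appears, and the unapproved `203.0.113.7` surfaces from all four locations, which is the point: a host-level proxy check that only reads the system setting misses a browser-only or shell-only override, so each mechanism has to be inventoried separately and the results compared against the same allowlist.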