I really enjoy using the skills I have learned outside of information security (infosec) and applying them to problem solving in cyber threat intelligence. This is known as lateral thinking, or a way of solving problems using an indirect and creative approach via reasoning that is not immediately obvious (Wikipedia). Several problems, especially in infosec, require different perspectives to solve. So, this is the second part in a lateral thinking blog series, and it is going to dive into three lessons from the financial industry that can be applied to infosec.
1. No crime too small / Alert fatigue
When dealing with any type of crime, it is easy to try and focus on the larger, potentially more interesting crimes. Smaller, more predictable crimes can get tedious to monitor and enforce. When I was a financial fraud analyst, the crimes I witnessed the most were:
- Check kiting – a form of check fraud that involves taking advantage of the float to use non-existent funds in a checking account. If I deposited a check from my grandma into my bank account, the check would be processed through the Federal Reserve before a request would be sent to my grandma’s bank for funds. Either the funds or a message of non-sufficient funds is then processed through the Federal Reserve before being sent to my bank. This time period is known as the float.
- Money laundering – a form of financial crime that involves making money that originated from illegal activities appear to come from a legitimate source.
These two crimes have the ability to be fascinating to investigate and uncover. However, this is not always the case. For example, there were times when I identified check kiting activity from individuals who were simply struggling to make ends meet. They were taking advantage of the system with every intention of bringing the account positive. There was not always going to be a large check kiting ring with dozens of threat actors and banks involved. Sometimes it is just a single mom living paycheck to paycheck.
Money laundering cases are a bit different. Like any crime, there are amateurs and experts. Amateur criminals attempting to launder money are typically easy to identify, especially when large amounts are involved. Many set up some type of sole proprietorship or LLC and then write themselves checks claiming it is their salary. A business that barely makes $500 a month randomly depositing $50k is an obvious red flag.
However, sometimes it is not large amounts. There are times when it is only a few thousand. Oftentimes with these types of crimes I would identify the activity and report it to the proper authorities and internal stakeholders. My job was not to dig in and figure out what was going on.
Identifying and shutting down any true fraud is rewarding. However, when you have to sift through thousands of false positive reports it can lead to alert fatigue. When this happens, three things can follow:
- You can become complacent and miss clues of potential threat activity.
- You can become desperate for a case and go down a rabbit hole spending too much time on what is actually a false positive.
- When you find a positive case, you may overreact and start looking for an advanced organized crime group when it’s just a single parent struggling to make ends meet.
Overall, it means wasted time and labor, with emotional stress to boot. Missing something that may seem small can have a large impact over time. Check kiting, for example, is often done in $200 increments, which is not that much. However, over time this number can add up and seriously impact the company. Moreover, a lot of criminals are repeat offenders. Sometimes criminals will test the waters with smaller crimes to probe the defenses of their victims. I can tell you from experience, it is difficult having a conversation with your boss after a big incident about the clear red flags that were missed beforehand.
So how do we avoid alert fatigue, so that we miss less due to complacency and burnout? There is not a single solution that works for everyone. It depends on your team and the resources available. However, I have a few recommendations. First, take a deep dive into your current toolset. Determine if you are using all of the features. Reach out to the vendor and ask them how their tool can help combat alert fatigue.
Adding additional layers of validation with smarter features, such as machine learning or behavioral analysis, can help categorize and prioritize your alerts. If you get a similar false positive all the time, determine if there is a way to block those from reporting in the future. You would be surprised at how much fine tuning and configuration can help make your life so much easier.
Next, ensure the alerts have context whenever possible. Vague alerting leads to more research time on your part. Furthermore, if your current toolset is just not doing it for you, determine if the team can explore other options. Change can be scary, especially when you have been performing your processes the same way for a long time. However, if it can prevent burnout and improve productivity, why not give it a chance?
Finally, automation is your friend as well. Certain tasks require human analysis, but there are typically several monotonous tasks that can be automated, saving you time and brain power. There was a process I performed manually in the financial sector that took hours and was exhausting. It was not until I left the field that I identified there is software available that could take that burden away from an analyst with ease. With more time available to me, I would have had more brain power to conquer alert investigations.
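The two halves of the lesson above (tune out the recurring false positives, but do not lose the small $200-style events that add up over time) can be expressed as a small triage step. The following is an added example written for this post, not tooling from the author or any vendor; the rule names, account ids, thresholds and sample alerts are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    account: str   # entity the alert is about
    rule: str      # detection rule that fired
    amount: float  # dollar value involved
    day: int       # day offset within the review period (constructed)

# Constructed allowlist: rule/account pairs an analyst has already confirmed
# benign, so repeats of them never reach the queue again (tuning step).
KNOWN_BENIGN = {("payroll_mismatch", "acct-100")}

def triage(alerts, large=5000.0, cumulative=1000.0, window=30):
    """Sort alerts into suppressed, escalated and still-pending buckets.

    - known-benign repeats are dropped
    - any single alert >= `large` escalates on its own
    - small alerts are summed per (account, rule) over a rolling `window`
      of days; once the running total reaches `cumulative`, one aggregated
      alert carrying context (count, total, date span) is raised instead
      of many tiny ones that invite complacency
    """
    suppressed, escalated = 0, []
    pending = defaultdict(list)  # (account, rule) -> small alerts in window
    for a in sorted(alerts, key=lambda x: x.day):
        if (a.rule, a.account) in KNOWN_BENIGN:
            suppressed += 1
            continue
        if a.amount >= large:
            escalated.append({"account": a.account, "rule": a.rule,
                              "kind": "single", "total": a.amount, "count": 1})
            continue
        key = (a.account, a.rule)
        bucket = pending[key]
        bucket.append(a)
        # keep only alerts inside the rolling window ending at this alert
        bucket[:] = [b for b in bucket if a.day - b.day < window]
        total = sum(b.amount for b in bucket)
        if total >= cumulative:
            escalated.append({"account": a.account, "rule": a.rule,
                              "kind": "aggregate", "total": total,
                              "count": len(bucket),
                              "first_day": bucket[0].day, "last_day": a.day})
            del pending[key]  # start a fresh aggregation for this pair
    return {"suppressed": suppressed, "escalated": escalated,
            "pending": {k: len(v) for k, v in pending.items()}}

SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    Alert("acct-100", "payroll_mismatch", 3200.0, 2),
    Alert("acct-100", "payroll_mismatch", 3200.0, 16),
    Alert("acct-100", "payroll_mismatch", 3200.0, 30),
    Alert("acct-300", "deposit_float", 50000.0, 4),   # obvious red flag
    Alert("acct-400", "deposit_float", 200.0, 1),
    Alert("acct-400", "deposit_float", 200.0, 2),
    Alert("acct-500", "deposit_float", 600.0, 1),
    Alert("acct-500", "deposit_float", 600.0, 40),    # outside the window
] + [Alert("acct-200", "deposit_float", 200.0, d) for d in (1, 3, 5, 7, 9)]
```

Running `triage(SAMPLE_ALERTS)` suppresses the three allowlisted payroll alerts, escalates the $50k deposit immediately, and raises one aggregated alert for acct-200 once its five $200 float events reach $1,000 within the window, while acct-400 and acct-500 stay pending.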
The financial sector is not the only sector with alert fatigue. There are many. However, cyber security and financial fraud alerts can lead to expensive incidents. In cyber security, a single click on a link in a phishing email could lead to a cyber attack that bankrupts the company. As a community in both fields, we need to continuously do more to combat alert fatigue.
2. There’s a chance it’s an insider
I think as humans, we like to assume the best in people. For me, I am kind of the opposite maybe due to my job or past trauma. In my book, everyone is suspicious until proven otherwise. However, I think the general public is less cynical which is why social engineering is such a successful attack vector. When it comes to insider threat, things can get awkward fast. It feels unnatural to point fingers and accuse coworkers of potential wrongdoing. This is why you need to rely on the evidence that you identify during your investigation.
If the evidence points to an insider, this does not immediately make that person guilty. There should be a standard operating procedure for reporting suspicious activity in the workplace. These are put in place for a number of reasons, including the safety of the reporter. You can put yourself in a dangerous situation if you confront a malicious insider. There are also other types of insider threats, including individuals who are just making mistakes and not realizing it. This is why the procedures are there, so management can help sort out the details.
When I used to threat hunt for financial crimes as a fraud analyst, I would consider how an outsider would commit the crime and how I would commit the crime given my knowledge of the inner workings of the organization. I believe this technique can carry over into cyber threat hunting as well.
3. Physical security is just as important as digital security
If you walk into a bank, chances are you are going to see a lot of people immediately making eye contact with you. There is a reason for this. They are assessing whether you could be a potential threat. Banks and other financial institutions put a lot of effort into physical security in an attempt to keep their employees safe. This is obviously due to a long history of criminals robbing banks.
Let’s think about this from another perspective. When you walk into a business complex, a hospital, or even a retail store you typically do not get this type of intense eye contact. You can usually stroll in and go about your business.
Cyber criminals can come in the form of physical threats. Cameras are a great deterrent, but more often than not I have seen that the cyber security staff of an organization are unsure who manages and monitors the security cameras. Is anyone patching them? Are they even recording? How many times have you heard on the news that the security cameras were not working during a crime?
Physical security is just as important as digital security. I am not saying all financial institutions are secure from physical threats. I am merely pointing out that situational awareness can go a long way. If a physical threat turns into a cyber threat, chances are the executives are going to be looking at the cyber security staff wondering what was done to prevent it.