John Wetzel, Program Manager at Recorded Future
Insider threat is a complex problem that requires the fusion of security teams, business operational teams, and technology to address adequately. Current strategies to mitigate the risk from insiders tend to focus solely on activity inside the network, but behaviours are easily misjudged and the cost of noisy alerts is high.
The financial services industry is increasingly susceptible to the insider threat, yet not enough financial services organisations use third-party threat intelligence, and those that do agree that intelligence sharing on security threats within the industry needs to improve.
Why is the financial services industry threatened?
Recent developments in threat actor tradecraft include soliciting and recruiting insiders on the dark web. Insiders are also advertising their access to the networks and infrastructure of banking and financial services companies.
Criminal actors recognise insiders as a rich source of both sensitive access and valuable knowledge across industries. Examples of finance insiders advertising their access in criminal forums and dark web marketplaces have also been uncovered.
Insider threat – what exactly do we mean?
Any examination of the risk posed by an insider needs to start with defining the threat. To do this effectively it’s important that we eliminate the psychological distance we place between “normal” employees and insiders. Insiders rarely join an organisation with malicious intent, but motivations to act maliciously tend to grow over time or in the wake of a compelling event. Beyond the careless user who poses a risk through negligence, insiders may be motivated by money, ego, or conflicting ideology. In some cases, employees may be coerced or blackmailed by malicious outsiders.
While it is impossible to profile exactly the motives and methods of every insider that threatens an organisation, to help understand the likely risks they pose we can broadly assign them to three categories: negligent, exploited, and malicious.
Employees that may accidentally move or edit corporate data or unwittingly share sensitive information fall into the ‘negligent’ category.
The ‘exploited’ category comprises insiders who are used by an external threat actor to gain a foothold in the corporate network, usually via phishing or malware.
Finally, individuals who deliberately access and exfiltrate critical company information belong in the ‘malicious’ category.
What risks are involved?
Just as criminal actors seek to recruit insiders, employees or contractors may themselves seek out criminal actors to help them with the transmission, purchase, or sale of corporate assets and data. While the actual exchange of goods for money is usually conducted through private channels, various indications of insider threat can still be identified.
The biggest risk in trying to uncover these indications is concentrating effort on unproductive sources of intelligence. This issue arises because organisations tend to treat insiders solely as a security problem, which narrows their view of external resources. Typically, businesses focus first on costly internal detection methods, then monitor external sources only for perceived signs of risk, such as negative sentiment in social media posts.
There are three potential reasons why current approaches are challenging for businesses:
- Behavioural monitoring is expensive, particularly when you consider how scarce insider threat activity is in comparison to other cyber threats.
- Insider threat systems generate significant noise in general, particularly when targeting high-noise sources. Social media is a high-noise source and does not always provide the best means for insider threat detection and analysis.
- The insider threat programme itself may become a cause of discontent amongst employees. Exposure of monitoring programmes, such as social media monitoring and reporting on employee behaviour, risks setting the organisation’s security policies against employees’ privacy. Increased employee disenfranchisement can in turn contribute to insider activity.
Examples of threats to financial services
Most of the news coverage around insider threats in the financial services industry highlights the risk from espionage and large-scale financial theft. In February 2016, for example, the Bank of Bangladesh issued a statement that criminal hackers had stolen the equivalent of over $86 million. The criminals sent forged SWIFT messages, most likely by using custom malware and insider information, to withdraw funds from the bank’s account at the U.S. Federal Reserve Bank. In total, the hackers attempted to steal over $1.1 billion.
What can the industry do to protect against these threats?
An effective way of combating the insider threat is to acquire a solution that provides valuable monitoring, investigative, and contextual reporting in real time while requiring few resources to maintain. External threat intelligence is a strong fit for this. Enriching network monitoring solutions, such as data loss prevention (DLP) and user and entity behaviour analytics (UEBA), with external intelligence on external actor behaviours can enhance insider threat discovery and investigative efforts.
Threat intelligence surfaces relevant sources of information so that analysts can rapidly identify potential insider activity. These indications prompt the security analyst to investigate and, if necessary, escalate the incident. Threat intelligence can assist in monitoring for insider threat indications in the following areas:
- Posted advertisements or solicitations on criminal forums and the dark web
- Proprietary information on sensitive sources
- Proprietary assets or information on public code repositories
- Employee PII or databases for sale
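The enrichment described above can be illustrated with a small correlation routine. The following is an added example, not code from the original article or from Recorded Future: it takes internal DLP/UEBA alerts and external intelligence items (both constructed sample data), matches them on shared internal asset names within a time window, and scores each alert by the category of external indication that corroborates it. The four categories mirror the list above; the weights, asset names, users and dates are assumptions made for the example.

```python
"""Enrich internal DLP/UEBA alerts with external threat-intelligence indications.

Added example with constructed data: the alerts, indications, asset names and
users below are made up for illustration and do not refer to real sources.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class InternalAlert:
    alert_id: str
    user: str
    source: str            # "dlp" or "ueba"
    description: str
    timestamp: datetime
    assets: frozenset      # internal asset names the alert references


@dataclass(frozen=True)
class ExternalIndication:
    category: str          # one of the four monitoring areas listed above
    observed: datetime
    assets: frozenset      # internal asset names recognised in the external item
    summary: str


# Assumed weights for this example: direct solicitations and leaks on sensitive
# sources are treated as stronger corroboration than repository exposure or PII
# listings, which more often stem from negligence.
CATEGORY_WEIGHT = {
    "criminal_forum_solicitation": 3,
    "sensitive_source_leak": 3,
    "public_code_repository": 2,
    "pii_for_sale": 2,
}


def correlate(alerts, indications, window=timedelta(days=14)):
    """Attach matching external indications to each alert and score it.

    A match requires at least one shared asset name and an observation time
    within `window` of the alert. Matching on normalised asset names is a
    simplification; a production pipeline would use richer entity resolution.
    """
    enriched = []
    for alert in alerts:
        matches = [
            ind for ind in indications
            if alert.assets & ind.assets
            and abs(ind.observed - alert.timestamp) <= window
        ]
        score = sum(CATEGORY_WEIGHT[m.category] for m in matches)
        enriched.append({
            "alert_id": alert.alert_id,
            "user": alert.user,
            "score": score,
            "context": [m.summary for m in matches],
        })
    # Highest-scoring alerts first so analysts see corroborated cases at the top.
    enriched.sort(key=lambda e: e["score"], reverse=True)
    return enriched


def escalate(enriched, threshold=3):
    """Return only alerts whose external corroboration meets the threshold."""
    return [e for e in enriched if e["score"] >= threshold]


def build_sample_data():
    """Constructed internal alerts and external indications for the example."""
    alerts = [
        InternalAlert("A1", "user.alpha", "dlp",
                      "Upload of project-kestrel design docs to personal cloud storage blocked",
                      datetime(2019, 3, 2), frozenset({"project-kestrel"})),
        InternalAlert("A2", "user.beta", "ueba",
                      "Out-of-hours access to payments-gateway-config repository",
                      datetime(2019, 3, 5), frozenset({"payments-gateway-config"})),
        InternalAlert("A3", "user.gamma", "dlp",
                      "Spreadsheet tagged quarterly-figures emailed to external address",
                      datetime(2019, 1, 10), frozenset({"quarterly-figures"})),
    ]
    indications = [
        ExternalIndication("public_code_repository", datetime(2019, 3, 4),
                           frozenset({"payments-gateway-config"}),
                           "Public repository contains a file named payments-gateway-config.yml"),
        ExternalIndication("criminal_forum_solicitation", datetime(2019, 3, 6),
                           frozenset({"payments-gateway-config"}),
                           "Forum post offers 'payments gateway access' at a named bank"),
        ExternalIndication("pii_for_sale", datetime(2019, 3, 10),
                           frozenset({"project-kestrel"}),
                           "Marketplace listing references a project-kestrel staff roster"),
        # Outside the 14-day window of alert A3, so it should not corroborate it.
        ExternalIndication("sensitive_source_leak", datetime(2019, 3, 20),
                           frozenset({"quarterly-figures"}),
                           "Paste site entry titled quarterly-figures-draft"),
    ]
    return alerts, indications


if __name__ == "__main__":
    sample_alerts, sample_indications = build_sample_data()
    for item in escalate(correlate(sample_alerts, sample_indications)):
        print(item)
```

With the sample data, only alert A2 crosses the escalation threshold: a UEBA anomaly on its own would be one of many noisy events, but it coincides with both a public repository exposure and a forum solicitation naming the same asset. Alert A1 is corroborated only by a lower-weight PII listing, and A3 has an external match that falls outside the time window, which keeps it from being escalated on stale context.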
A final note
The insider threat is undoubtedly one of today’s top security risks. Once solely the concern of government and defence organisations, it is now increasingly felt by financial services firms. If they haven’t already, now is the time for finance organisations to ensure they are adequately prepared for and protected against the insider threat.