“If you build a better mousetrap, it’s highly likely that an adversary will build a better mouse.” Jean-Francois Legault, Managing Director, Global Head of Cybersecurity at JPMorgan Chase, shared this metaphor at the beginning of his virtual breakout session at the 31st Annual ACFE Global Fraud Conference. It captures a sentiment that fraud examiners are all too familiar with — it can sometimes seem impossible to stay ahead of the fraudsters. But in his session “Building a Cyberfraud Intelligence Program for the Financial Industry,” Legault shared practical advice and tips on how financial institutions can build a cyberfraud intelligence program from the ground up.
Throughout his session, he focused on two of the biggest trends he sees in the financial industry: business email compromise (BEC) and ransomware. According to data that Legault shared, over the course of three years, the financial industry alone experienced more than $26 billion in losses due to BEC schemes. Legault also shared that ransomware threats increased significantly in 2019, and he expects that increase to continue throughout the rest of 2020.
Getting the right team together
When building a team that will be responsible for the cyberfraud intelligence program, Legault told attendees that it’s all too easy to focus only on the technical side of things — to look only for those who are well-versed in cybersecurity — but doing so leaves out a very valuable part of the equation. “This is one of the simple, obvious lessons that you learn in this,” Legault said. “Cybersecurity and adversaries might operate in cyberspace, but as CFEs and as members of the ACFE, you will all possess a set of skills that is a deep understanding of how money moves.”
When Legault first begins building a team with clients and customers, he advises them to forget everything they think they know about cybersecurity and cyber intelligence. Instead, he asks them to seek out those individuals who are curious, interested in the topic and looking for a challenge. The cyber skills can be taught, but it’s not always as easy to understand the everyday, granular operations of how money moves throughout each unique organization. This allows Legault and the clients to pick up a lot of people who are incredibly close to the business and understand the operations on a deep level. Having those people on the team helps them set up the requirements for the cyberfraud intelligence program.
The fraud kill chain
After your cyberfraud intelligence team is sorted, the next step is to understand the “fraud kill chain” and what it looks like at your specific organization. According to Legault, there are two facets of the fraud kill chain.
One facet is visibility. The other facet is the compromise versus abuse continuum.
When Legault talks about visibility, he is referring to what activities you, as the financial institution, can actually see. A lot of times, a client or organization will be compromised long before any sort of fraudulent transaction, or abuse, occurs. For example, in the case of a BEC scam, oftentimes adversaries will infiltrate an organization and conduct robust research before they ever attempt to send a malicious email from the CEO’s account asking for a large transfer to occur. As a financial institution, you don’t have visibility into those first steps of BEC. It’s all happening outside of your network. But you do see the abuse happen — the wire coming into and going out of your financial institution.
That brings us to the second facet — the compromise versus abuse continuum. There’s a stage between when the compromise first occurs and when the actual abuse takes place. Legault advises that the earlier you can get into that post-compromise/pre-abuse phase, the more success you’ll have in stopping fraudulent transaction.
The fraud kill chain in action
Legault offered up a real-world example to session attendees. In this example, an adversary has set up banking trojans in the form of web injects on a series of your retail customers. Banking data is being stolen from these sites, but since it’s not happening on your financial institution’s website, you have low visibility of these malicious actions. How can you, as the financial institution, prevent this compromise from turning into abuse? In other words, how can you prevent any fraudulent transactions from taking place?
First of all, we know that malware communicates with command-and-control servers, which are centrally managed by adversaries. Compromised computers talk to those command-and-control servers. There are companies out there that can capture information on these hosts and pass it back to you, the financial institution. When you start to notice a trend of several clients’ data being passed through these command-and-control servers, this gives you visibility before abuse happens.
In addition, you have controls in place for when hundreds of different user names and passwords are being attempted on your own site, and they are all coming from the same location. The adversaries don’t get in because you have other controls in place to prevent them, but now you have a list of all these accounts that have been compromised. You bring that information, along with the command-and-control server information, and you start to build a broader database of information. You’ve started to create a risk profile.
This allows you to take action as the financial institution to either block or prevent any type of fraudulent activity associated with compromised accounts.
One small warning to keep in mind
In the beginning, Legault advises, you’ll be able to measure your team’s success in dollars. As your program matures, most of your activity will start in the post-abuse date, meaning the adversaries have already initiated a fraudulent transaction. You will be able to tie a loss number, or an avoided loss number, to the actual activity that you’ve detected.
But as you get better at this and as your team continues to mature, you’re going to develop more indicators, more context, more intelligence around adversary activity, and that’s going to shift you into the post-compromise/pre-abuse. We know that in that phase, no transaction has been initiated, so you won’t have a concrete number to bring back to your executives.
“We had great saves in the beginning,” Legault told attendees. “I could actually point at the metrics and say, ‘Look what the team has done.’” But eventually, you will no longer have those concrete numbers, and he advises you to be prepared to explain this paradigm.
This shift is actually a good sign because it means you have built a better mousetrap, and you’re catching the mouse before he even smells the cheese.