I often use the term “fraud balloon” when discussing cybercrime because it’s the perfect metaphor for how criminals operate today. The basic premise is if you hold a partially inflated balloon in your hand and squeeze it, the air that is now restricted will naturally expand into the unrestricted area. Fraud is no different.
For each anti-fraud effort we deploy, savvy and entrepreneurial fraudsters will find a way around that effort. You don’t have to look very hard to find an example. Four years ago, a group of fraudsters managed to “miniaturize” a man-in-the-middle attack to defeat Chip and PIN enabled transactions and reap $600,000 before being discovered. Through a forensic analysis that was released just last month, French researchers discovered the fraudsters were supplying the point of sale devices with a false positive when presented with a PIN by physically manipulating the card to work with any PIN entered. The fraudsters took a concept, scaled it down, and deployed it for financial gain.
There will always be shifty criminals smart enough to change tactics when one fails to work. The key to fighting this sad reality is to use strategic threat intelligence as your fraud balloon. By monitoring which industries are being hit, what harm is being caused and which tactics, techniques and procedures are utilised, you will better understand where the balloon is expanding. This, in turn, will allow you to identify where resources may need to be altered to get ahead of that balloon shift.
Unlike operational and tactical threat intelligence, strategic threat intelligence is meant to appropriately inform the senior decision-maker regarding how technology threats impact the products and services those senior leaders are accountable for.
At the end of the day, every business, and every individual business unit is dependent on some kind of technology to produce and deliver products and services for the organisation. This means that threats to that underlying technology have a direct influence on whether or not the business unit leader is successful. It is the success of their product or service on the line and they are the ones who may shift or add resources; and they carry the risks if a negative event occurs.
After the mega breach in 2014 of Home Depot, its former Chairman reflected on the company's pre-breach environment with “we thought we were well-positioned.” Target admitted to failing to pay attention to threat indicators and subsequently fired its CEO. More recently, the Talk Talk CEO stated “our cybersecurity is head and shoulders above the competition” yet in reality they failed to undertake basic measures against threats because they were not legally bound to do so. And my personal favorite… in the wake of their 2015 breach, the Director of the Office of Personal Management said, "It is because of the efforts of OPM and its staff that we've been able to identify the breaches." What they really meant to say was “we stumbled across it.”
Clearly, senior leaders have no idea if they “are well-positioned” for cyber threats and the unfortunate thing is many seem to be frightfully unaware they are carrying a cyber risk liability. Strategic threat intelligence is about making the “unknown known” and then giving the decision maker proper context to make a more informed decision on how to act.
If you’re a decision maker, do you know what your balloon looks like?
Adam Meyer is chief security strategist at SurfWatch Labs