When Threats Combine: Why Financial Crime Specialists and Cybersecurity Experts Need to Team Up
The worlds of financial crime and cybercrime are colliding, converging into one. The biggest threat to businesses globally is the new cyber-enabled financial crime. Yet businesses and even financial institutions tasked with protecting our money continue to fight this combined threat with multiple separate defense systems and multiple separate defense teams.
The situation is like a military leader trying to fight different enemies on different fronts. While those enemies remain on different fronts, it makes sense to send separate defense forces against them, each focused on fighting only the enemy assigned to it. But what if those enemies merge and launch joint attacks? A smart military leader would merge forces against the joint attacks.
That’s not happening in financial institutions, though. Rather than having financial crime and cybercrime teams work together against this merged threat, institutions most often maintain them as separate entities. That’s as ridiculous as a military leader sending two separate units against an attacking force, but telling them not to coordinate their attacks, to fight only certain attackers and to ignore the other attackers.
That is the environment that currently threatens financial institutions in their war against financial crimes, fraud and cyberattack. Financial crime and cybercrime increasingly merge. Yet counter-financial crime teams and cybersecurity teams largely remain unconnected. How have we gotten here? And what can be done to meet this new challenge?
The growing convergence of financial crime and cybercrime
With our increased dependence on technology, money — which once was strictly a physical entity — has increasingly become 1s and 0s stored and processed on information systems and transferred through cyberspace. Vast amounts of money now reside in this ungoverned space where no government has full jurisdiction, making it a safe haven for criminals to operate with less detection.
It is only natural, then, that criminals increasingly move their efforts there. On one hand, the cyber world offers traditional perpetrators of financial crimes inviting access to amounts of money that would be almost impossible to obtain elsewhere. On the other hand, it offers a lucrative environment for skilled cyberattackers to monetize their skills.
This confluence of opportunity and anonymity facilitates crimes on a scale that otherwise would be beyond criminals’ reach. Such was the theft of US$45 million through a complex scheme that a large network of cybercriminals, common street criminals, and money launderers pulled off in a matter of hours at ATMs across the globe.
Even more staggering was the US$81 million theft from a Bangladesh bank (with similar attacks on additional banks, whose losses have not been publicly reported). This complex theft was accomplished by combining the skills of cybercriminals and fraudsters to subvert the bank’s SWIFT account, thus co-opting the global interbank transfer system over which billions of dollars move from bank to bank daily.
Apart from their scale, these are not isolated incidents. Cybercriminals, perpetrators of financial crime — and even rogue governments like North Korea — collaborate to commit complex thefts. In fact, cybercrime has now become more profitable than the drug trade.
The continuing separation of financial crimes defense and cyber defense
Defense against these conjoined attacks is hampered when defense systems operate in separate silos. Criminal attacks on both systems are growing increasingly complex.
What drives financial crime defense into isolation
In the financial crime arena, it is important to realize that the term “financial crime” forms a broad umbrella over a variety of crimes, from fraud to money laundering to terrorist funding to sanctions violations and much, much more.
Fraud — just one of the types of crime that falls under the umbrella — comes in many forms, with each form often combated by a specialized team, such as a first-party fraud team, a credit card acquiring fraud team, a credit card issuing fraud team, an online banking fraud team, etc. Even more, fraud teams are often divided into fraud strategy, fraud monitoring, fraud investigations and more. A similar situation often occurs for other types of financial crime as well.
Regulations for each type of financial crime grow constantly — and often in isolation from regulations for related crimes. That motivates institutions to focus on each type in isolation, as does the tendency for an institution to dive deeper into preventing recurrences of whatever type of financial crime has most recently stung it, while paying less attention to other types. Thus, defenses become fragmented even within the financial crime arena.
On top of that, fraud defense systems are not designed to detect the cyberattack component of cyber-enabled financial crime. They typically are not capable of detecting the crimes until the cyberattacks have already compromised the institutions and perpetrators are seeking to monetize the data they acquired or launder the funds they illegally obtained.
What drives cybercrime defense into isolation
Meanwhile, in the cybercrime defense arena, detecting the financial crime component of cyber-enabled financial crime is far more complex than what traditional cybersecurity typically handles. Cybersecurity systems are vulnerable when falsified identities, rather than cyberattack methods, are used to breach defenses, as in the 2015 breach of the IRS Get Transcript application, which was used to obtain sensitive information on hundreds of thousands of U.S. taxpayers.
Cybersecurity systems are also not nearly as adept as fraud detection systems at detecting suspicious patterns of activity across various sources. They are therefore less likely to take swift action on patterns that, while not immediately compromising the system, nevertheless represent activity that could damage the institution.
The human factor that drives isolation
Add to that the human tendency to compartmentalize. When faced with regulations that treat different types of threats in isolation, the tendency is to keep them isolated. When dealing with hierarchies that are already separate, the tendency is to maintain the status quo. When dealing with increasing complexity in the types of threats, the tendency is to not add even more complexity by trying to navigate a solution that would require a shakeup of existing structures and systems.
The knee-jerk reaction, then, to the growing complexity — and merging — of both kinds of attacks is to continue investing in each defense function separately — hire more people, invest in more technology solutions — without seeing the many synergies between the different functions. For example, I know a bank that has over 20 different financial crime teams and more than 40 different analytics tools and teams supporting them, all doing the same thing — analyzing transactions and other data to detect malicious behavior — with only slightly different goals.
The evolution of cybersecurity
In the past, our cybersecurity approaches focused primarily on the first few steps of the cyberattack life cycle — preventing attackers from gaining access to our systems. We — cybersecurity practitioners — hardened our systems, installed antivirus solutions, patched software vulnerabilities and blocked blacklisted IPs and URLs. Cybersecurity used to be focused on perimeter security.
We found that merely protecting the perimeter wasn’t enough, though. We also encountered internal malicious activities on our networks. So, we started gathering insights from our networks, servers and endpoints. We started collecting logs and network flows and increasingly focused on analyzing those to detect anything suspicious.
Over time, though, cybercriminals devised many ways to circumvent traditional perimeter-focused security measures, as well as our initial attempts at using analytics to detect malicious activities. And those criminals became very successful at it. They distribute their attacks across many IPs. They act slowly and patiently to avoid triggering alarms. They take the time and effort to mimic normal transactions.
As a result, they often appear as a regular employee to initial defense systems and successfully maintain access to victims’ systems without detection for long periods of time. A 2016 report on security breaches shows that the median time before companies discover attackers in their networks is 146 days globally, and a startling 520 days in the Asia-Pacific region.
With cybercriminals so good at mimicking regular insiders, we started monitoring more and more of the whole technology stack, looking for changes to files and systems that might indicate something suspicious. We increasingly correlated all that information. Instead of just checking whether a user has logged in with the right password, we started verifying whether the user has also logged in from a regular device and IP.
We started applying analytics on even more data. Improved solutions allowed us to check whether a user logged in at regular times, from which location, how much data they uploaded or downloaded and whether their actions deviated from their usual activity pattern.
We check whether the user’s recent login location and time match their previous one. If they don’t, our system can tell us whether it is even realistic that the user traveled the distance between the two locations in the time between the two logins.
We automatically check whether the user’s behavior pattern is usual for their business group or demographic peers. We use advanced analytics approaches to establish behavioral baselines and patterns, and employ UEBA — User and Entity Behavior Analytics — to build statistical models that alert us if a device or a user tries to execute an action that statistically deviates from their own pattern or from the pattern of their business or peer groups.
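The baseline-and-deviation idea described above, reduced to its simplest statistical form, as an added example that is not code from the original post or from any product it mentions. It builds a per-user baseline and a peer-group baseline for one metric (megabytes uploaded per session) and scores a new observation with a z-score against both, alerting only when the value is unusual for the user and for the peers, so a media employee whose job involves large uploads is not flagged daily. The user names, group names, history, sample floor and threshold are all constructed assumptions.

```python
"""
Added example (not from the original post): a minimal UEBA-style baseline.
A user's own history and their business group's history each yield a
(mean, standard deviation, sample count) baseline; a new value is scored
against both. Users with too little history are judged against peers only,
and unknown entities are escalated because they cannot be baselined at all.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, business_group, MB uploaded in one session)
HISTORY = [
    ("alice", "finance", 12), ("alice", "finance", 15), ("alice", "finance", 11),
    ("alice", "finance", 14), ("alice", "finance", 13),
    ("bob", "finance", 20), ("bob", "finance", 18), ("bob", "finance", 22),
    ("bob", "finance", 19), ("bob", "finance", 21),
    ("carol", "media", 900), ("carol", "media", 1100), ("carol", "media", 950),
    ("carol", "media", 1050), ("carol", "media", 1000),
    ("dave", "media", 800), ("dave", "media", 1200), ("dave", "media", 1000),
]

MIN_SAMPLES = 5    # assumption: fewer observations than this is not a trustworthy baseline
Z_THRESHOLD = 3.0  # assumption: three standard deviations counts as anomalous


def summarize(values):
    """(mean, population std dev, count) for a list of observations."""
    return (mean(values), pstdev(values), len(values))


def build_baselines(history):
    """Return ({user: baseline}, {group: baseline}, {user: group})."""
    per_user, per_group, group_of = defaultdict(list), defaultdict(list), {}
    for user, group, value in history:
        per_user[user].append(value)
        per_group[group].append(value)
        group_of[user] = group
    return ({u: summarize(v) for u, v in per_user.items()},
            {g: summarize(v) for g, v in per_group.items()},
            group_of)


def zscore(value, baseline):
    """Standard score; a zero-variance baseline treats any change as extreme."""
    m, s, _ = baseline
    if s == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / s


def score_event(user, value, user_bl, group_bl, group_of):
    """Return (alert, reason) for one new observation of `value` by `user`."""
    group = group_of.get(user)
    peer = group_bl.get(group) if group is not None else None
    if peer is None:
        # Never-seen entity: there is nothing to compare against, so escalate.
        return True, "unknown entity with no baseline; route for review"
    zg = zscore(value, peer)
    own = user_bl.get(user)
    if own is None or own[2] < MIN_SAMPLES:
        # Too little personal history: judge against the peer group only.
        return abs(zg) > Z_THRESHOLD, f"peer-only z={zg:.1f}"
    zu = zscore(value, own)
    # Alert only when the value is unusual for the user AND for their peers.
    return abs(zu) > Z_THRESHOLD and abs(zg) > Z_THRESHOLD, f"user z={zu:.1f}, peer z={zg:.1f}"


if __name__ == "__main__":
    ub, gb, gof = build_baselines(HISTORY)
    for who, mb in [("alice", 40), ("alice", 14), ("bob", 25), ("dave", 1500), ("mallory", 1)]:
        print(who, mb, "MB ->", score_event(who, mb, ub, gb, gof))
```

The "and" between the two z-scores is the design choice worth noting: requiring deviation from both the user's own history and the peer group trades some recall for a much lower false-positive rate, which is what makes the alert actionable for an analyst rather than noise.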
In addition, we even have solutions that monitor internal user communication (e.g., emails or phone calls) and perform sentiment analysis to help identify disgruntled employees.
By collecting threat intelligence information, we better understand cyber attacker modus operandi and build those illicit behavior patterns into our detection system to improve our chances of detection.
In short, we found that cybersecurity in today’s threat environment requires far more than the perimeter protection that was our original focus. We found, by analyzing system logs and networks over time, that it also requires using advanced analytics across as much data as possible, spanning everything from device data to user business transactions to the context in which users execute transactions, and supplementing that with threat intelligence.
The evolution of financial crime detection
Meanwhile, in the Counter-Financial Crime space, we took a slightly different approach. Initial analytics solutions there monitored financial transactions to detect fraudulent activity. We looked at how fraudsters, money launderers and terrorist financiers behave and built rules into our analytics solutions to help us detect those patterns of illicit activities. For example, if a new customer tried to transfer a large amount of money to countries flagged for terrorism support or to offshore tax havens, we received an alert.
Our financial crime/fraud detection solutions kept getting smarter. In financial crime, we started looking at the time and location from which transactions were initiated. We started automatically checking whether the travel time between two different ATM withdrawals was realistic. We started learning more about our customers, as well as the parties they interact with in financial transactions, and started building patterns of behavior and using statistical models to detect anomalous behavior.
We realized our analytics could become even better if we knew more about the devices our consumers use. If we see the same device try to execute numerous online payments with numerous different credit cards, we should investigate. The same device used to apply for different cards or loans under different names also indicates something suspicious. So, we started building patterns of behaviors for devices as well as users.
We then went further down into the technology stack. Some fraud detection solutions monitored device behavior even when the device was not connected to the financial institution. For example, if a device visited a website known for distributing malware, the next time that user connected to online banking, the institution received an alert that the device might be at risk (although without identifying the specific site visited).
A growing confluence
Thus, even as cybersecurity and financial crime defense systems remain independent of each other, the best practices that each uses increasingly move toward the initial approaches of the other.
Cybersecurity started from monitoring technology systems and comparing activity on them to known cyberattack methods. We then combined that over time with advanced analytics about users, their business groups, and transactions, moving up the technology stack as an additional way to detect malicious activity from user behavior.
In the financial crime/fraud space, we traveled in the opposite direction. We started from analyzing user behavior and comparing it to behaviors common to financial crime efforts. We then combined that over time with information coming from technology, moving down the technology stack as an additional way to detect financial crime attempts by analyzing user and device interaction with financial systems.
Thus, cybersecurity detection solutions and financial crime detection solutions, which were completely separate in the past, increasingly overlap today.
Taking steps toward combining the silos
The first step toward combining the silos could be to look at the technology. When financial institutions decide to refresh their technology, they could seek a single set of solutions to use for both cybercrime and financial crime detection as a single, unified team. Even if combining the teams is not immediately feasible, working to improve communication between separate teams and separate solutions would still help the institution better combat what remains a unified threat. With more comprehensive data flowing between teams, more threats could be detected.
Many banks currently check the location of ATM withdrawals. If a user makes one withdrawal in Hong Kong and another one an hour later in Moscow, most systems flag the withdrawals because of the impossibility of a user traveling that distance in an hour.
With more comprehensive data available, this safeguard could be extended across all channels. For example, if a user logs in to online banking from Hong Kong and then tries to make an ATM withdrawal in Moscow one hour later, the financial institution should similarly be alerted. Surprisingly, though, because of the lack of communication between teams in most banks, very few today do even these kinds of simple checks across the two channels, let alone correlate data across all channels and all potential data sources.
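The cross-channel check described above, as an added example that is not code from the original post or from any bank's system. Every customer-facing channel feeds geolocated events into one timeline per customer; consecutive events are compared regardless of channel, and a pair is flagged when the implied travel speed is beyond what a commercial flight could achieve. The same function can be restricted to a single channel, which reproduces the siloed ATM-only view and shows why it misses the Hong Kong login followed by the Moscow withdrawal. The coordinates, customer ids, timestamps, speed ceiling and "same place" radius are constructed assumptions.

```python
"""
Added example (not from the original post): cross-channel impossible-travel
detection. The page's scenario (online banking login in Hong Kong, ATM
withdrawal in Moscow one hour later) is only visible when events from both
channels sit in one timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, atan2, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_GAP_HOURS = 1 / 60      # floor so simultaneous events do not divide by zero
NEAR_KM = 50.0              # assumption: closer than this is "the same place"


@dataclass(frozen=True)
class Event:
    customer: str
    channel: str        # "online_login", "atm_withdrawal", "card_purchase", ...
    at: datetime
    lat: float
    lon: float
    place: str          # human-readable label for alerts only


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * atan2(sqrt(a), sqrt(1 - a))


def impossible_travel(events, channels=None):
    """
    Return (earlier_event, later_event, implied_kmh) for every consecutive
    pair on a customer's timeline that would require implausible speed.
    `channels` limits which channels are considered; None means all of them.
    """
    considered = [e for e in events if channels is None or e.channel in channels]
    by_customer = {}
    for e in sorted(considered, key=lambda e: (e.customer, e.at)):
        by_customer.setdefault(e.customer, []).append(e)
    alerts = []
    for timeline in by_customer.values():
        for prev, cur in zip(timeline, timeline[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < NEAR_KM:
                continue                      # same city: nothing to explain
            hours = max((cur.at - prev.at).total_seconds() / 3600, MIN_GAP_HOURS)
            speed = dist / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((prev, cur, speed))
    return alerts


# Constructed sample data
HONG_KONG = (22.3193, 114.1694)
MOSCOW = (55.7558, 37.6173)
T0 = datetime(2017, 1, 3, 9, 0)
SAMPLE_EVENTS = [
    Event("cust-1", "online_login", T0, *HONG_KONG, "Hong Kong"),
    Event("cust-1", "atm_withdrawal", T0 + timedelta(hours=1), *MOSCOW, "Moscow"),
    Event("cust-2", "atm_withdrawal", T0, *HONG_KONG, "Hong Kong"),
    Event("cust-2", "atm_withdrawal", T0 + timedelta(minutes=30), *HONG_KONG, "Hong Kong"),
]

if __name__ == "__main__":
    print("ATM-only alerts:", len(impossible_travel(SAMPLE_EVENTS, {"atm_withdrawal"})))
    for prev, cur, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{prev.customer}: {prev.channel}@{prev.place} -> "
              f"{cur.channel}@{cur.place} implies {kmh:,.0f} km/h")
```

In production the geolocation of an online login comes from IP data, which is far less precise than an ATM's fixed coordinates, so the "same place" radius and the speed ceiling need to be tuned per channel pair, and VPN or carrier-grade NAT egress points should be allow-listed before this check drives customer-facing blocks rather than analyst alerts.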
Thankfully, this is beginning to change. Some more advanced financial institutions have started combining those different detection teams under one organization and a single executive to benefit from detection across the silos. Increasingly, financial institutions are also building cyber-fusion centers — a single place in which all the different detection solutions are brought together and monitored by a combined team.
The environment in which the war against financial crime and cybercrime is fought continues to change, and the ways we fight it must continue to change, as well, for financial institutions to stay ahead. Regulations need to reflect this new reality, and the separate forces defending separate towers in the battlements against this frequently merged enemy need to recognize the common cause they fight and the benefits of working together.
Financial crime teams and cybersecurity teams each have unique skills and tools that, used jointly, can protect their institutions more effectively. The more these teams work together, the better they can identify and frustrate the efforts of criminal elements that seek to compromise their institutions.
(Disclaimer: Postings on this site are my own and don’t necessarily represent PwC positions, strategies or opinions.)
Originally published at Ivezic.com on January 3, 2017.