With support from the United States Department of Homeland Security, Carnegie Mellon's CERT® Insider Threat Center recently published a report titled "Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector."
Among the many interesting findings, two stand out:
1. Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer.
2. Most incidents were detected through an audit, customer complaint, or coworker suspicion.
In fact, software or systems were the means of detection in only 6% of cases. That points to one of two conclusions: either detecting insider fraud is incredibly hard, or we are not very good at spotting suspicious or fraudulent activity. Probably some of both.
In complex environments, it is extremely difficult to distinguish valid activity from suspicious activity. What the CERT report tells us about the success of the "low and slow" approach is that insider fraud is even harder to detect than we thought, and the more subtle the attack, the greater the damage. For security professionals this means that when it comes to insider threats, while the low-hanging fruit is easier to grab, the sweetest apples are just out of reach. In other words, it is worth the effort to pursue the most cautious and hardest-to-detect insider threats, because the payoff is greatest.
If you don't want your customers to be the first to detect an instance of fraud (as they are 30% of the time), a powerful, defense-in-depth approach is required. Beyond a policy to "review logs regularly", organizations must become far more proactive in understanding who has access to which information, and when they actually use it, so that suspicious activity can be recognized when it occurs rather than months later in an audit. With privileged identity management, access governance, data loss prevention and risk-based security, organizations can build a credible defense against insider fraud - even against the careful attacker playing the slow game.
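To make the "low and slow" problem concrete, here is an added example (not from the CERT report or from any vendor product) that runs two detectors over a constructed record-access log. The log, the user names, the daily volumes and the thresholds are all assumptions chosen for illustration: ordinary users view a handful of customer records a day, "eve" pulls 500 records in a single day, and "mallory" views a modest nine records every day for two months, never spiking. A per-day threshold catches only the spike; a detector that compares each user's trailing-window total against a peer baseline catches both.

```python
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample log of (day, user, records_viewed) tuples.

    Constructed for this example; not data from the CERT report.
    """
    log = []
    for day in range(1, 61):
        # Ordinary users: a handful of records a day, including eve.
        for user, count in (("alice", 4), ("bob", 5), ("carol", 3),
                            ("dave", 6), ("eve", 4)):
            log.append((day, user, count))
        # Low-and-slow insider: nine records a day, every day, no spikes.
        log.append((day, "mallory", 9))
    # Smash-and-grab insider: one 500-record day on top of normal activity.
    log.append((30, "eve", 500))
    return log


def per_day_totals(log):
    """Sum records viewed per user per day: {user: {day: count}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, count in log:
        totals[user][day] += count
    return totals


def daily_threshold_detector(log, threshold=100):
    """Naive detector: flag a user only if some single day exceeds `threshold`.

    This is the rule a "review the logs regularly" policy tends to produce,
    and it never sees a user who stays under the line every day.
    """
    totals = per_day_totals(log)
    return sorted(user for user, days in totals.items()
                  if max(days.values()) > threshold)


def cumulative_peer_detector(log, window_days=60, ratio=1.5):
    """Baseline detector: flag users whose total over the trailing window
    exceeds `ratio` times the median total of their peers.

    The window and ratio are assumed tuning values for this example; in
    practice they would be set from the organization's own history.
    """
    totals = per_day_totals(log)
    last_day = max(day for day, _, _ in log)
    window_total = {
        user: sum(count for day, count in days.items()
                  if day > last_day - window_days)
        for user, days in totals.items()
    }
    flagged = []
    for user, total in window_total.items():
        peers = [t for other, t in window_total.items() if other != user]
        if peers and total > ratio * median(peers):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    log = build_sample_log()
    print("daily threshold flags:", daily_threshold_detector(log))
    print("cumulative peer flags:", cumulative_peer_detector(log))
```

Over this log the daily-threshold rule flags only "eve", while the cumulative comparison flags both "eve" and "mallory", whose 540 records over sixty days stand out against a peer median of 300 even though no single day looked unusual. The peer baseline here is deliberately crude; the point is that detecting the patient insider requires aggregating over a long window and comparing against what similar roles actually do, which is exactly the "who has access to what, and when" visibility the paragraph above calls for.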
Tortoise and Hare illustration by Jean Grandville in the 1855 edition of La Fontaine's Fables. Published before 1923 and public domain in the U.S.