Monitoring for Illicit Insider Activity Shouldn’t Focus Exclusively on Dark Web and Criminal Forums
Insider risks are on the rise, according to the Ponemon Institute 2018 Cost of Insider Threats study (PDF), and the financial services industry is paying the highest price, at a total annual cost of $12.05 million. This isn’t surprising given that in many respects banks and financial institutions hold the keys to the kingdom, containing vast amounts of sensitive and financial data and playing a critical role in national infrastructure. How do cybercriminals go about getting copies of these keys? One way is to find or actively attract insiders who may be disgruntled and seeking retribution, or simply looking to make a profit.
Searches across the dark web reveal that it is not uncommon for insiders and cybercriminals to trade in high-value data or credentials across dark web and criminal sites. Some of these sites set up dedicated sections for insider information discussions. In these forums, individuals may ask about the best places to sell insider information or claim to be selling insider access. Meanwhile cybercriminals shop for data or use these venues to attempt to recruit insiders. We can find examples of these forums within both general and specialized dark web marketplaces.
Insider activity on general dark web marketplaces
Insiders or criminals recruiting insiders will often look to criminal platforms in order to connect with their accomplices. Dark web marketplaces and their associated forums can be used to make requests for insiders with specific knowledge or access. In February 2017, when the dark web marketplace AlphaBay was still operational, one user made multiple posts to the forum claiming to have access to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment gateway and sought an experienced partner to help them monetize it. The user claimed to possess data that provided full administrator access to this system and would provide information on where SWIFT transfers should be sent, offering 10 to 20 percent of the profits in exchange for their services.
This user had previously added similar posts to the “Wanted” section of AlphaBay claiming to have access to an Automated Clearing House (ACH) system at a logistics company and an automobile dealership in the United States. In these posts, the user even offered a bank drop service to receive and transfer payments to any account specified by the customer, charging 50 percent commission.
Specialized insider marketplaces on the dark web
Given the uncertain future of dark web marketplaces and the clandestine nature of insider activity, specialized insider marketplaces are emerging. While large datasets containing personally identifiable information (PII) or credit card details can be monetized fairly easily and are likely to be shared and sold across online forums and marketplaces, the most valuable insider information is not advertised openly online. Insider access is often a very case-based and demand-driven process that is not well suited to general marketplace or forum models.
As a result, some insiders prefer to conduct business in person to avoid raising the suspicions of law enforcement. Those that do trade insider access online look for cybercriminal locations that offer a level of exclusivity and closed or limited access – not only in the hopes of staying below the radar of the authorities, but also because insider information only remains valuable as long as access to it is limited to a small, restricted and trusted group. Specialized dark web sites like The Stock Insider maintain the appearance of legitimacy and exclusivity by claiming to have access restrictions. These restrictions provide inside sources and buyers with a level of perceived protection as they feel their identities are less likely to be exposed or compromised by having too many members in these networks.
How to Detect and Mitigate Insider Risk
While there is substantial interest in the data insiders have for sale, organizations monitoring for illicit insider activity shouldn’t focus exclusively on dark web and criminal forums. Instead, start by looking inside and engage in the following three activities:
1. Implement the principles of Zero Trust, including “trust but verify” through continuous monitoring, implementing segmentation, and restricting access on a need-to-know basis.
2. Know where your valuable data resides so that you can prioritize your resources on the right defenses, including processes and technologies.
3. Understand how an insider would monetize that data to help focus your external investigations.
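The three inward-looking steps above can be demonstrated together in code: a data inventory that records where the valuable data lives and how sensitive it is, a need-to-know check that denies by default, and a continuous-monitoring pass over access logs that flags the patterns an insider preparing to monetize data tends to leave (out-of-role access, bulk reads of high-value records, after-hours access to critical systems). The following is an added example written for this article, not code from the author or from any product; the resource names, roles, user names, thresholds and log lines are all constructed for illustration.

```python
"""Need-to-know access enforcement plus continuous monitoring of access logs.

Added example, not part of the original article. Every resource, role, user,
threshold and log line below is constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Step 2: know where the valuable data resides and how sensitive it is.
# Roles listed here are the only ones with a need to know (constructed values).
DATA_INVENTORY = {
    "swift_gateway": {"sensitivity": "critical", "allowed_roles": {"payments_ops"}},
    "customer_pii":  {"sensitivity": "high",     "allowed_roles": {"kyc_analyst", "payments_ops"}},
    "marketing_cms": {"sensitivity": "low",      "allowed_roles": {"marketing", "kyc_analyst", "payments_ops"}},
}

# Constructed user-to-role mapping.
USER_ROLES = {"alice": "payments_ops", "bob": "kyc_analyst", "carol": "marketing"}


def is_permitted(user, resource):
    """Step 1: need-to-know check. Deny unless the user's role is explicitly allowed;
    unknown users and unregistered resources are denied by default."""
    role = USER_ROLES.get(user)
    entry = DATA_INVENTORY.get(resource)
    if role is None or entry is None:
        return False
    return role in entry["allowed_roles"]


# Constructed access log, one event per line: "<ISO timestamp> <user> <resource> <records_read>"
SAMPLE_LOG = """\
2018-04-02T09:01:00 alice swift_gateway 3
2018-04-02T09:05:00 bob customer_pii 40
2018-04-02T09:07:00 carol marketing_cms 12
2018-04-02T22:14:00 carol customer_pii 5000
2018-04-02T22:15:00 carol swift_gateway 1
2018-04-02T22:16:00 carol customer_pii 7000
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, records = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "records": int(records)})
    return events


def analyze(events, bulk_threshold=1000, after_hours=(20, 7)):
    """Step 1 continuous monitoring. Emits (user, resource, rule) findings for:
    NOT_PERMITTED - access outside the role's need to know
    BULK_READ     - a single read of >= bulk_threshold records from high/critical data
    AFTER_HOURS   - access to critical data between after_hours[0] and after_hours[1]
    Thresholds are constructed; tune them to the environment."""
    findings = []
    start, end = after_hours
    for e in events:
        sensitivity = DATA_INVENTORY.get(e["resource"], {}).get("sensitivity")
        if not is_permitted(e["user"], e["resource"]):
            findings.append((e["user"], e["resource"], "NOT_PERMITTED"))
        if sensitivity in ("high", "critical") and e["records"] >= bulk_threshold:
            findings.append((e["user"], e["resource"], "BULK_READ"))
        hour = e["ts"].hour
        if sensitivity == "critical" and (hour >= start or hour < end):
            findings.append((e["user"], e["resource"], "AFTER_HOURS"))
    return findings


def risk_by_user(findings):
    """Step 3: weight findings by how directly they feed monetization, so
    investigation effort goes to the users most likely to be selling access."""
    weights = {"NOT_PERMITTED": 5, "BULK_READ": 3, "AFTER_HOURS": 1}
    score = Counter()
    for user, _, rule in findings:
        score[user] += weights[rule]
    return dict(score)


if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG))
    for user, resource, rule in found:
        print(f"{rule:13s} {user:6s} {resource}")
    print("risk by user:", risk_by_user(found))
```

On the constructed log, the three daytime in-role events produce nothing, while the marketing user's late-evening reads of customer PII and the SWIFT gateway trip all three rules; the scoring step is what turns a stream of alerts into the short list of people worth the external OSINT work the article describes later.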
Now that you have looked inward and strengthened your defenses accordingly, you can:
1. Monitor the open, deep and dark web for mentions of your brand and toxic information.
2. Work with legal teams to determine the appetite for purchasing items and services sold by potential insiders on criminal forums and marketplaces.
3. Purchase or use a third party to acquire items and services sold by potential insiders to keep them out of the hands of criminals.
4. Conduct investigations on recruiters and the sellers of goods and services to understand the history and reputation of an individual. Use Open Source Intelligence (OSINT) research and gather metadata where possible to aid in any investigations.
5. Don’t forget about the accidental insider. According to the same Ponemon study, when it comes to insider risk, employee or contractor negligence is the root cause of most incidents rather than a malicious insider selling the keys to your kingdom.
Interest in insider trading across the online criminal ecosystem is high. But the most effective way to protect the keys to your kingdom is to start by looking for ways to mitigate insider risk.