Fraud Investigators Need to Collect Information Without Revealing Their Identities
Fraud and other financial crimes are a complex, constantly evolving problem due to the advancement of digital technologies and the use of cyber tools. The U.N. Office on Drugs and Crime estimates that up to $2 trillion is laundered every year, representing between two and five percent of global GDP. And while these issues affect organizations in every industry, banks and other financial services organizations are especially vulnerable – from small-time individual players looking for a quick payout, to government-sponsored terrorist organizations who use stolen money to finance illicit activities on a global scale.
This type of research needs to be done carefully, obscuring the analyst’s location and real identity. Researchers often create false personas, impersonating buyers of stolen data, affiliates of shady corporations or even fellow hackers – hoping to get close to bad actors’ sources without revealing their own true intentions.
Initially, the bank’s security team proposed outfitting each fraud researcher with a dedicated laptop, running a virtual machine to minimize the risk of exposure. However, this approach was costly both in terms of equipment and resources to procure, maintain, scrub, reimage and configure these laptops. And even if the bank had agreed to bear the capital expenses and personnel costs of this approach, it still didn’t offer researchers a guarantee of anonymity or a believable and untraceable way to portray personas that would be useful to their investigations.
"Managed attribution, combined with remote browser isolation, helps us visit all kinds of sites and take down threats proactively. This helps us protect both our customers and the bank.”- Cyberthreat Intelligence Analyst at a Major North American Regional Bank
Going Deep Into the Dark Web With Silo for Research
The bank’s threat research group is a dedicated team of professionals under the larger cyber risk organization. The team’s main concern is dealing with phishing sites that target the bank’s customers – both individuals and businesses. The hackers use social engineering to try and get account numbers, passwords and credit card details, and the information is later posted for sale on illicit carding forums.
The team’s job is to browse these forums and dark web marketplaces looking for clues that could lead them to the bank’s stolen credentials and hopefully expose the perpetrators – both buyers and sellers. Often the phishing kits and techniques are for sale too, offering ways for other hackers to target customers using proven methods and messages.
The bank uses Splunk, a software that monitors and analyzes machine-generated big data. Splunk would alert the security team of referrals to the bank’s site from shady online locations, but analysts still need to go deeper and investigate, which is risky and requires anonymity and careful attribution.
Silo for Research Facilitates Secure, Anonymous and Misattributed Investigations
The bank chose Authentic8’s Silo for Research for its ability to facilitate secure, anonymous and misattributed investigations across the open, deep and dark web. Silo for Research provides multiple layers of protection on the web and prevents exposure during investigations. With Silo, the bank’s analysts are able to safely access websites from IP addresses and locations of their choice – whatever best suits their mission – and collect data without exposure to exploits or revealing their real identity. “I can’t have bad guys figuring out who I am by looking at my IP address,” says a cyber threat intelligence analyst at the bank. “They’re logging and recording everything about you when you visit one of their sites.”
Anomali ThreatStream Alerts about Threats in Real Time, Silo Helps Get to the Source
Another solution that the bank’s security team has in their toolbox is ThreatStream by Anomali, a software that helps automate and aggregate the collection and management of threat intelligence. ThreatStream alerts security teams in real time if it finds malicious content. In one specific instance, the team received an alert that someone was scraping the bank’s site for images, and the threat intel team was called to follow the trail to the phishing site. Using Silo for Research, the team engaged with the malicious site, was able to locate the phishing kit and had it taken down.
“We could investigate it completely anonymously, without fear of exposure or retribution,” explains the cyber threat intelligence analyst. “And even if you mess up and the target realizes that you’re not who you say you are, you can just ‘burn’ the account and simply create a new one. Silo for Research makes it easier to accomplish our goals, locate the threats against the bank and neutralize them.”
Proactive Threat Prevention
As a regional financial institution, the bank didn’t expect to be a target for attacks by international hackers, and yet, a number of phishing sites they’ve investigated appear to be operating globally. The security team has also seen their share of attacks from homegrown hackers, aiming to trick people into believing that emails landing in their inbox came from their trusted local bank.
With Silo for Research, the bank’s security team is now able to proactively take action against all types of fraud – local and global – by following up on alerts and getting to the source safely and anonymously. Silo also allows the bank’s analysts to record their investigations, so they can retrace their steps, perfect their techniques and even share information with law enforcement agencies. In the future, the bank plans to further strengthen their threat research capabilities by building a full-service lab for malware analysis. “We will put Silo there!” concludes the cyber threat intelligence analyst.