Financially motivated actors are innovating their fraud, abuse, and eCrime approaches to find new ways to exploit victims. I’m continually amazed by the innovation in how actors are gaming the system.
MEDIA 7: Could you please tell us a little bit about yourself? What inspired you to pursue a career in cybersecurity?
DAVID ETUE: Hello! Thanks for the opportunity to talk today. I am the CEO of Nisos, where we provide managed intelligence offerings to transform how cyber intelligence enables organizations to disrupt motivated and sophisticated adversaries.
What inspired me to have a career in cybersecurity? I started using technology as a young kid, including being a sysop (systems administrator) of a BBS (bulletin board system) in high school. I was fascinated by how different systems could interact to share information. I also got my first insight into how technology could be abused. Having to defend a system from attacks, trying to keep others from stealing access to our modems to make long-distance calls, and seeing people share illicit content opened my eyes to how having a deep understanding of how technology works could enable you to better defend it.
Those experiences piqued my interest in information security. I kept focused on it as a hobby and then I got the opportunity early in my career to become more involved. It wasn’t considered a career path back then like cybersecurity is today, but there was something about it that I just loved. What I’ve realized since is that it has three key attributes that I found really fulfilling. Firstly, the rate of change is very high. We have adversaries who innovate every day and we have to counter that innovation.
Secondly, it is a key intersection of technology and business. There is an old adage that the only secure computer is one that is turned off and locked in a safe, making it not very useful. Finding the right balance of technology enablement and risk mitigation is an awesome challenge. Finally, the mission matters: technology has become an essential element of how we live, and adequately defending that is critical to society. It’s great when something you love also turns out to enable a great career opportunity.
M7: How do you think medium-sized enterprises should make optimum use of intelligence?
DE: Intelligence is a key enabler of proper prioritization of resources and focuses when responding to an event. Every organization lacks the resources to protect everything perfectly, so must make decisions on how to apply scarce resources. Understanding your likely adversaries and their tactics, techniques, and procedures (TTPs) is something I’ve found highly approachable to organizations of all sizes. Understanding those factors, enables prioritizations that optimize defense against the more likely attacks. Intelligence can help inform upfront assessment, and external threat hunting and intelligence updates provide continuous feedback for learning and adjustment.
When responding to events, there is often critical context “outside the firewall” that enables better response to an attack. It can show how the attack is occurring and potential methods to mitigate the attack that aren’t visible to the Security Operations Center (SOC) from internal system telemetry. It can often illustrate if you are being targeted directly versus your industry versus an opportunistic attack. Attributing the actor behind the attack can offer insight into the motivations and goals of the attack. It can also open new response methods for some classes of actors, including legal and law enforcement.
One of the biggest challenges a medium-size enterprise is presented with is getting the signal-to-noise ratio right so they can focus on impactful intelligence. Definitionally, intelligence is information that is actionable to drive a decision. Unfortunately, a lot of threat “intelligence” out there isn’t actionable without expertise or organizational context and creates noise. This is the area that has prevented most organizations with small intelligence teams from making the impact they desire. Ensuring what they get is actionable is critical if you don’t have the internal expertise and capability to turn information into intelligence. That is what excites me so much about what we do at Nisos. We have the expertise to bring context to deliver finished intelligence to make it actionable for our clients.
As more of our interactions become digital, it presents new opportunities for financially motivated malicious actors to take advantage of and conduct fraudulent activity.
M7: What is your approach at Nisos to solving adversary-centric problems?
DE: Threat actors are a “who”, not a “what” and we provide our clients with insight into their adversaries (the “who”); their tactics, techniques, and procedures (the “how”); and their motivations and intentions (the “why”). Importantly, we deliver that in a way that is actionable to our clients and goes beyond traditional cybersecurity attacks including fraud, risk, reputation, key person, and other non-traditional business risks.
We have designed our intelligence collection and analysis with this adversary-centric approach, and also have a number of operators who managed adversarial operations on behalf of government agencies and therefore have a unique perspective on the challenge.
There is a naïve perspective that knowing your adversary isn’t necessary and that you should just protect your systems and all will be okay. As mentioned previously, we need to apply our scarce resources wisely, and understanding our adversaries gives an important lens to that decision. Additionally, the attribution or unmasking of adversaries can give insight into how to best mitigate an attack, and also can open up additional response methods including legal and law enforcement approaches.
M7: What do you believe are the top cybersecurity threats that have arisen post-COVID-19?
DE: COVID-19 has accelerated our adoption of, and therefore dependence on, technology by leaps and bounds. We have jumped 5+ years on the adoption curve out of necessity and invention. While remote work and e-commerce rightfully get a lot of attention, it has also impacted how we get health care, how we experience performance art, and so many other things. In many cases, we adopted these technologies out of necessity and therefore increased our attack surface without adequate time for planning security given the broader adoption and new use cases.
So broadly, I have a serious concern that we are adopting technology faster than our ability to secure it, which provides adversaries significant opportunities. Additionally, a global recession impacts employment and past research points to growth to people pursuing illicit paths in those times increasing the number of adversaries we need to defend against. We need to deal with that increased attack surface, broader technology dependency, and potentially additionally motivated adversaries.
The other risk I think about related to the changes driven by COVID-19 is how systems can be used to maliciously leverage human relationships. Much of the recent acceleration of technology has been driven by how we interact, requiring more trust in electronic interactions, but often without support for that trust in the underlying technology has changed.
Financially motivated actors are innovating their fraud, abuse, and eCrime approaches to find new ways to exploit victims. I’m continually amazed by the innovation in how actors are gaming the system. We see it everywhere—from the gig economy to advertising fraud to counterfeit goods to fake customer service and more.
One of the key areas impacting trust is disinformation and misinformation. The spotlight has rightfully been shined on geopolitical disinformation, but it is also occurring elsewhere. Our security measures were typically designed to protect the technology and not focused on the trust and safety of the interactions occurring on them.
This has become a tool available to every class of adversary, and you can see the early adoption - fake product reviews to influence buying decisions, misleading company news to drive stock prices, local application to politics and charitable endeavors, and more. I expect continued adversary use of misinformation as a tool, and a need to adapt our systems and intelligence to address it.
Organizations are ramping up security monitoring to try to know what is happening on endpoint devices. It’s a unique opportunity for security to advocate for the employee experience.
M7: How do you ensure data security while your employees work from home?
DE: I think we need to think differently about the problem. There are many things that security and infrastructure teams are doing to improve security posture. There are some baseline controls that if not already deployed, should be. Strong authentication and proper security controls for internet-facing systems, and endpoint security visibility are the key ones that come to mind.
However, when you experience a significant change like we have with pandemic-driven work from home, it really requires stepping back and getting a new perspective on your approach. Poor security hygiene on a family member’s device could create lateral movement risk to a corporate device. That security control that prevented non-corporate approved printers needs to be turned off because the corporate ones are no longer available.
Intellectual property is now in the employee’s home office. I’d argue that all of those risks have been present for years, but they’ve grown in prevalence. In general, I think zero trust principles are one of the best paths forward from a technology perspective.
Another element that we need to look at is the mental health and engagement of our teams. It’s short-sighted to think that this doesn’t impact our cybersecurity posture. If people are exhausted from not figuring out work-life separation, are depressed, or feel disconnected from work, what will that cause? They may not realize the phishing attempt isn’t a real request. They may not report a security incident. They may decide to find employment elsewhere in search of an environment that feels more inclusive or supportive.
Organizations are ramping up security monitoring to try to know what is happening on endpoint devices. While it may be right to add more monitoring given the change in risk posture, a “Big Brother” emotion without the appropriate employee support infrastructure to accompany it, isn’t well-positioned to achieve the planned risk reduction outcomes. It’s a unique opportunity for security to advocate for the employee experience.
M7: What is your advice to our readers to prevent and be aware of fraud and eCrime?
DE: As more of our interactions become digital, it presents new opportunities for financially motivated malicious actors to take advantage of and conduct fraudulent activity. It is important to understand these trends as you use technology, as you engage with customers and partners, and as you deploy and manage technology platforms of your own.
As I mentioned before, the continual innovation by adversaries is amazing. While unsophisticated actors engage with methods that are easy to detect with the old adage, “If it sounds too good to be true, it probably is”, investment in more sophisticated attacks is prevalent. We have seen audio deep fakes, account farming, synthetic identity fraud, as well as the sale of fraud-enablement tools in the underground.
When launching a technology platform, security teams will often generate “abuse cases”, which is like a “use case” but from the perspective of how an adversary could misuse the platform. Abuse cases need to evolve from being focused on the confidentiality, availability, and integrity of the system to also cover fraud and abuse cases. I’ve found it helpful to define fraud as actions that create losses for your organization and abuse as actions that use your platform to cause losses to others and to ensure your abuse cases cover both.
Examples of fraud would be activities like unpaid premium accounts or creating gift cards illegally. Examples of abuse would include using your platform to run scams or fake product reviews impacting what products a consumer purchases. Beyond developing to prevent those cases, it is also important to monitor for activity outside of norms, have the ability to determine if it is malicious and if so, respond. We continually are evolving our monitoring and response capabilities at Nisos as adversaries innovate.