Protecting Against the Threat of Insider Trading Cyber Attacks
Alexander Beattie, Enterprise Director UK & Ireland, Anomali
The massive data breach at Equifax, in which the personal information of 145 million consumers is thought to have been exposed to cyber criminals, has once again focused media attention on the issue of insider trading. It is alleged that three Equifax executives profited by off-loading $2 million worth of the company’s stock at favourable prices. They did this just days before the breach was made public, knowing the news would bring the share price crashing down as soon as it broke.
Perhaps the most audacious example of this came to light this September when the US Securities and Exchange Commission (SEC), the country’s top financial regulator, revealed that it was itself the victim of a data breach. The hackers, in this case, are thought to have attempted to steal insider information about listed companies filed on the SEC’s computer systems that could be used to make illicit gains in the share market.
And in December 2016, Chinese cyber-criminals were charged with breaching the websites of a number of US law firms in order to get hold of confidential information about mergers and acquisitions, which allowed them to make nearly $3m through insider trading.
Evidently, threats of this kind are on the rise. Worryingly, it is not only the banks, traders and regulatory bodies directly linked to the markets that are exposed: listed companies, and the lawyers, financial consultancies and other organisations that work with them, are all at risk of this kind of threat.
The range of information that constitutes valuable insider trading insight is extremely broad. As well as yet-to-be-released details of company results or mergers and acquisitions, it can include prior knowledge of any news or events that might drive the value of securities or bonds up or down, such as a company’s new capability or manufacturing process, or even the details of its new marketing strategy.
The attacks are well planned, designed to earn millions and often orchestrated by gangs many thousands of miles away, such as in Eastern Europe or Asia. There is even evidence of exclusive online forums on the dark web providing a black market for cyber-criminals to buy and sell insider information and hacking secrets.
Unlike the recent high-profile ransomware attacks, the victims of insider trading breaches are never meant to find out that their computers have been compromised. Once they manage to hack into an organisation, the perpetrators’ objective is to remain under the radar, maintaining the compromise for as long as possible in order to continue making illegal gains.
In the case of the breach of the financial newswires mentioned above, the attack is believed to have provided hackers with insider trading information for a period of around three years.
The culprits in these attacks rely on a variety of methods, usually involving social engineering schemes aimed at conning or baiting employees into giving up passwords or login information, or misleading them into installing malware onto corporate networks. The malware allows hackers to get inside the network and discreetly pass information outside without anyone’s knowledge.
The Chinese hackers that compromised the US law firms’ computers used malware that allowed them to access and download many gigabytes of confidential emails.
Another tactic is to cultivate and reward employees for acting as ‘malicious insiders’. These employees are persuaded to knowingly plant malware onto their employers’ networks. Some of the underground dark web forums frequented by hackers are believed to be channels for recruiting employees to this type of scheme.
With cyber-criminals getting smarter and more organised, protecting against such threats becomes more challenging. Beyond the basic firewalls, security software and policies, what should at-risk organisations be looking to do?
One of the biggest priorities is to find ways of identifying suspicious or malicious activity before it ever reaches the network. This is where threat intelligence platforms and intelligence sharing come in.
Threat intelligence platforms are used to continuously gather and analyse raw data feeds about existing or emerging threats and threat actors, their patterns of activity and the vulnerabilities they are exploiting. They filter these data streams, which come from a variety of sources, to produce usable information that can be integrated into a company’s IT security systems. This helps organisations identify, understand and protect against current live risks and threats, especially those most likely to affect their own particular environment.
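As an added illustration of the filtering step described above (example code written for this article, not Anomali's or any vendor's platform), the block below merges a constructed two-source indicator feed, keeps only indicators that are fresh, high-confidence and relevant to the organisation's own sector, and matches the result against constructed proxy log lines. The feed format, thresholds and log format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Indicator:
    value: str        # domain or IP address
    confidence: int   # 0-100, as scored by the feed source
    sectors: set      # sectors the source reports as targeted
    last_seen: datetime

# Constructed sample feed (two sources overlap on one domain); not real IoCs.
RAW_FEED = [
    ("update-check.example", 90, {"finance", "legal"}, "2017-10-01"),
    ("update-check.example", 60, {"finance"}, "2017-09-20"),
    ("203.0.113.7", 40, {"retail"}, "2017-06-01"),
    ("198.51.100.23", 85, {"legal"}, "2017-10-03"),
]
# Constructed proxy log lines: "<timestamp> <user> <destination>".
SAMPLE_LOGS = [
    "2017-10-04T09:12:01 jsmith update-check.example",
    "2017-10-04T09:13:44 akhan intranet.corp.example",
    "2017-10-04T09:15:02 jsmith 198.51.100.23",
    "2017-10-04T09:16:10 lwong 203.0.113.7",
]
NOW = datetime(2017, 10, 5)  # fixed "now" so the example is reproducible

def filter_feed(raw, now, my_sectors=("finance", "legal"),
                min_conf=70, max_age_days=90):
    """Merge duplicates across sources, then keep only fresh, confident,
    sector-relevant indicators so only live, relevant risks reach the SIEM."""
    merged = {}
    for value, conf, sectors, last_seen in raw:
        seen = datetime.strptime(last_seen, "%Y-%m-%d")
        cur = merged.get(value)
        if cur is None:
            merged[value] = Indicator(value, conf, set(sectors), seen)
        else:  # same indicator from a second source: take the strongest view
            cur.confidence = max(cur.confidence, conf)
            cur.sectors |= sectors
            cur.last_seen = max(cur.last_seen, seen)
    return {v: i for v, i in merged.items()
            if i.confidence >= min_conf
            and now - i.last_seen <= timedelta(days=max_age_days)
            and i.sectors & set(my_sectors)}

def match_logs(indicators, lines):
    """Flag log lines whose destination is one of the filtered indicators."""
    parsed = (line.split() for line in lines)  # "<timestamp> <user> <dest>"
    return [(ts, user, dest, indicators[dest].confidence)
            for ts, user, dest in parsed if dest in indicators]
```

Note that the low-confidence, off-sector indicator never reaches the matching step, so the fourth log line is not flagged even though its destination appears in the raw feed.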
Moreover, organisations should be sharing information, such as learnings and insights about the threats they are facing, with others who might be in a similar position. Within trusted circles such as Information Sharing and Analysis Centers (ISACs), they can increase their knowledge of likely threats and, by pooling their information, identify new threats and vulnerabilities that might never have come to light had they been working alone.
In the UK, the Financial Conduct Authority (FCA) is an advocate of threat intelligence sharing, having established a number of Cyber Coordination Groups to achieve a better collective cyber capability within the country’s financial community. Similarly, in the Middle East the UAE Banks Federation (UBF) has formed an Information Sharing and Analysis Center (ISAC) to better identify, protect against, detect and respond to cyber-attacks.
Another important defensive measure is changing the underlying culture and attitudes towards IT security among staff. This is an issue that Nausicaa Delfas, Executive Director of the FCA, raised in a conference speech earlier this year. She stressed that a “secure culture” goes beyond creating rules and policies, which can be easily ignored by employees.
Instead, Delfas suggests borrowing from behavioural change models that rely on the idea that the “individual will take action if the perceived benefit outweighs the cost of taking action”. So, for instance, as well as education programmes designed to give employees a sound understanding of cyber-security threats and the warning signs to look out for, organisations could introduce simulated phishing campaigns. Staff who avoid or call out these dummy attacks could be rewarded, while further action could be taken with those who persistently fail to identify them.
However, the breach of the SEC’s systems suggests that even the most mature and security-minded of organisations can still be vulnerable to this kind of attack. No at-risk organisation should ever become complacent. Therefore, in order to defend yourself properly, implementing a range of measures like those mentioned above is key to counteracting the threat.