Using Threat Intelligence to Counter Platform Abuse

by | Aug 3, 2020 | Blog

Companies whose products serve as collaboration platforms play a key role in our increasingly cloud native and remote work environment. The technology allows companies to achieve clear business opportunities, but also cause unique security challenges. Not only must they protect their corporate and development systems like all enterprises (endpoints, network infrastructure, container and VM security, etc), they also need to protect customers’ data on their platforms.

To disrupt fraud and abuse, these companies must ensure security is embedded in their development and product management culture. Threat intelligence can play a critical role in this process.

For the largest enterprises that have dedicated resources such as trust and safety teams to build internal threat intelligence programs, defending against fraud and abuse is feasible. However, what are smaller businesses to do?

Below are some considerations from our recent discussions with one such security leader, Egnyte Chief Security Officer and Co-Founder Kris Lahiri.

Take the following example:

A malicious actor used different credit cards to buy different anonymous accounts because a payment gateway would not stop the activity. Using those new accounts, the actor can conduct phishing attempts against the contact list of a compromised email account.

Actors are able to mold their actions to resemble normal user behavior that technology controls would not flag as anomalous. And in a vacuum, the activity may represent only a minor threat. However, when taken in the aggregate and fraud techniques are leveraged at scale, the impact can be severe. Enterprises need to think about threat hunting outside their firewalls as an additional layer of stopping and identifying malicious behavior.

In the example above, threat intelligence may have been able to pre-identify credit card data associated with malicious activity that could be blocked from purchases. Knowledge of the types of malware being uploaded to the platform for use in phishing could also prevent those attacks ahead of time.

Criminal actors typically have to establish infrastructure to commit their malicious acts. Combining the right external telemetry with internal data, platform security teams can put the proper automation into place to combat fraud and abuse. Adding external threat hunting that includes customer environments will provide yet another potential source of threat indicators.

If an actor cannot use existing base infrastructure to connect to an application in the first place, the expected gains from the criminal activity may not justify the time and expense required to start over and establish new infrastructure from scratch.

Implementing threat intelligence and advancing to external threat hunting may seem like a major investment and can be rife with false positives if the proper external telemetry is not collected, aggregated, automated, and analyzed. However, executed appropriately, it can help level up an enterprise security posture to the point an actor may choose to move onto an easier target.

Contact us to learn how Managed Intelligence™ can accelerate defense against fraud and platform abuse.