In Episode 3 of Know Your Adversary™, our discussion takes a look into the world of online platform abuse and fraud. We explore threat actors’ use of bots to make bulk purchases online. We also tell the story of a security researcher on the wrong side of the law. Learn about the path he took from disclosing a breach to demanding a ransom payment. Shawn tells us about two major threats he faced prior to taking on his current role. Each of those threats warranted different levels of attribution. In the first case, he was faced with bot programmers who abused the platform to “cut in the digital line” when major retailers were having online sales. In the second case, he was faced with a security researcher who compromised a third-party supplier, exfiltrated sensitive data, and threatened to go public if a ransom payment was not made. Our guest is former Chief Information Security Officer at Rapid 7, Shawn Valle.
Here are some of the key takeaways from the episode:
Different types of fraud, but similar techniques. While fraud on technology platforms differs from fraud against other industries, many of the techniques used to combat the abuse is the same. This is especially true when it comes to threat actor engagement.
Whether we are discussing “Trust and Safety” issues related to online platforms or fraud related to scams against employees, applications, or customers, both types of exploits result in reduced consumer confidence. In both cases, as Shawn explains, organizations must take aggressive steps to engage directly with threat actors to stop and attribute the fraud and ensure confidentiality, integrity, and availability of services.
Not all levels of e-crime require attribution and unmasking. The extent to which a victim will pursue threat actors varies. Many fraud prevention programs exist simply to identify the tactic being used to commit the fraud and ensure the fraud stops so the product or service can function properly. In many cases, the effort necessary to identify, pursue, and arrest the fraudsters is simply not worth expending resources.
Many levels of loss and reputation impact do require the attribution. As we discussed in last month’s episode with Randy Pargman, when security researchers or insider threats make contact with a victim and threaten a sizable payment or face public disclosure, attribution that goes beyond tactics and techniques is necessary. Shawn discusses another real-world example.