Something I regularly get asked is, “How do enterprises use HYAS Insight to accelerate their investigations?” I spoke with a HYAS customer a few weeks ago to understand how they track and identify fraudsters. First West Credit Union is a financial institution in western Canada with $8.4B USD in assets and 1,400 employees. I had the pleasure of interviewing First West’s Manager of IT Security and Operations to understand his perspective and experience in leveraging HYAS Insight. What follows is an excerpt from a First West Credit Union case study that provides a few examples of how the institution undertook fraud investigations and responded to security incidents with help from HYAS.
Some fraud and cyber security incidents that HYAS has helped First West resolve include:
- APT-C: The team was able to locate an email address that was tracked back to an individual in Central America and profile the threat actor. The adversary, internally dubbed APT Carlos, established domains for phishing attacks. The adversary typically took two weeks between establishing the domains and employing them in an attack. The advanced knowledge provided by HYAS Insight enabled First West to request the takedown of the domain for brand infringement before it was used in an attack, as well as locate and block other domains that were obviously nefarious. “If you have good intelligence and are able to quickly react, you can avoid significant financial damage. We had good intelligence with HYAS Insight and were able to react quickly to avoid a big fraud bill.”
- APT-P: Financial institutions face adversaries that can be well-funded and sophisticated in their tactics, techniques and procedures (TTPs). First West recently encountered a growing fraud bill for reasons that could not be determined. The team puzzled over this until one day it stumbled across a fake ad on Google Ads. The advertisement led to a compromised WordPress site that redirected to a phishing site that mimicked the First West website. The adversaries had established their own hidden infrastructure that mimicked the First West website, and led consumers to the site through “trustworthy” Google ads. The fake phishing site was not indexed by search engines, so it was difficult to locate. “The adversary was capturing credentials as users would click on what they thought was a legitimate ad that they could trust. They were paying for the ad clicks that led to their phishing site. HYAS allowed us to investigate the phishing domains using WHOIS information and other data to identify the infrastructure and quickly shut it down.”
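The APT-C story above hinges on a timing gap: lookalike domains were registered roughly two weeks before they were used, which left room to request a takedown first. The script below is an added illustration of that triage step, not HYAS or First West code. It takes a constructed feed of newly registered domains (the brand token "examplecu", the domain names and the registration dates are all hypothetical), flags names that contain or closely resemble the brand, and recommends a pre-emptive takedown request for any lookalike still inside a 14-day window.

```python
"""Triage newly registered domains for brand impersonation.

Added example, not HYAS or First West code. The brand token, domains and
registration dates are constructed; a real feed would come from WHOIS or a
registration-monitoring source.
"""
from datetime import date
import re

BRAND_TOKENS = ("examplecu",)          # hypothetical protected brand string(s)
PRE_ATTACK_WINDOW_DAYS = 14            # the case study reports ~2 weeks between registration and use

# Constructed registration feed: (domain, registration date).
NEW_REGISTRATIONS = [
    ("examplecu-login.com", date(2024, 3, 1)),
    ("exarnplecu.net", date(2024, 2, 27)),       # "rn" imitating "m"
    ("examp1ecu-secure.org", date(2024, 1, 10)), # digit "1" imitating "l"
    ("exanplecu.com", date(2024, 3, 4)),         # one-character typo
    ("weatherreport.com", date(2024, 3, 2)),     # unrelated, should be ignored
]


def normalize_label(label):
    """Lower-case, collapse common homoglyph tricks, drop non-letters.

    Coarse by design: it trades some false positives (e.g. a legitimate
    "learn" becomes "leam") for catching the substitutions seen in phishing.
    """
    s = label.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(src, dst)
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, brands=BRAND_TOKENS):
    """Return why a domain looks like the brand, or None if it does not."""
    # Assumes the first label is the registrable name (ignores multi-level TLDs such as co.uk).
    label = normalize_label(domain.split(".")[0])
    for brand in brands:
        b = normalize_label(brand)
        if b in label:
            return f"contains brand token '{brand}'"
        if levenshtein(label, b) <= 2:
            return f"within edit distance 2 of '{brand}'"
    return None


def triage(registrations, today, window_days=PRE_ATTACK_WINDOW_DAYS):
    """Attach an age and a recommended action to each registration."""
    results = []
    for domain, registered in registrations:
        reason = lookalike_reason(domain)
        age = (today - registered).days
        if reason is None:
            action = "no_action"
        elif age <= window_days:
            action = "request_takedown"      # likely not yet weaponised: act before it is
        else:
            action = "investigate_active"    # may already be live: check traffic and hosting
        results.append({"domain": domain, "age_days": age, "reason": reason, "action": action})
    return results


if __name__ == "__main__":
    for row in triage(NEW_REGISTRATIONS, date(2024, 3, 6)):
        print(f"{row['domain']:<24} age={row['age_days']:>3}d  {row['action']:<18} {row['reason']}")
```

The window is passed in explicitly so the rule can be tuned to whatever dwell time your own investigations show; the two-week figure comes from the case study and should not be treated as a universal constant.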
Digital Forensics and Incident Response
The First West Security Operations team also investigates and resolves potential compromise within the credit union infrastructure. One credit union employee responded to a phishing attack and gave up their credentials. The threat actor attempted to log in from overseas using the credentials, and the user approved the two-factor authentication request without much thought. This generated an alert in internal systems that locked the account. The Security Operations team investigated the incident and was able to geolocate the adversary in Cyprus and rule out a potential false positive alert. Commented Smith, “HYAS Insight’s precise geolocation enables us to distinguish between traveling employees and potential bad actors.”
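The incident above is a textbook case for a geolocation check on authentication events: the same account authenticating from two places it could not physically have travelled between. The script below is an added example, not HYAS or First West code. It assumes the source IP of each login has already been geolocated (the step the case study credits to HYAS Insight) and works on constructed events: one user "jdoe" who logs in from Vancouver and forty minutes later from Cyprus, and one user "asmith" who logs in from Vancouver and a day later from London, which is ordinary business travel. It classifies each consecutive pair of logins by the implied travel speed and escalates only when the impossible login also carried an approved MFA prompt.

```python
"""Classify consecutive logins per user as local, plausible travel, or impossible travel.

Added example, not HYAS or First West code. Events are constructed; the
country/lat/lon fields stand in for an IP geolocation lookup that is assumed
to have already happened.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; faster than this is not human travel
LOCAL_RADIUS_KM = 100.0           # below this, treat as the same place (home, office, nearby branch)

# Constructed authentication events: user, UTC timestamp, geolocated source, MFA outcome.
EVENTS = [
    {"user": "jdoe", "ts": "2024-03-05T09:00:00+00:00", "country": "CA",
     "lat": 49.28, "lon": -123.12, "mfa": "approved"},   # Vancouver
    {"user": "jdoe", "ts": "2024-03-05T09:40:00+00:00", "country": "CY",
     "lat": 35.17, "lon": 33.37, "mfa": "approved"},     # Nicosia, 40 minutes later
    {"user": "asmith", "ts": "2024-03-01T08:00:00+00:00", "country": "CA",
     "lat": 49.28, "lon": -123.12, "mfa": "approved"},   # Vancouver
    {"user": "asmith", "ts": "2024-03-02T09:00:00+00:00", "country": "GB",
     "lat": 51.51, "lon": -0.13, "mfa": "approved"},     # London, 25 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def classify_pair(prev, cur, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Judge whether moving from `prev` to `cur` in the elapsed time is physically possible."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    elapsed = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
    hours = max(elapsed.total_seconds() / 3600, 1 / 60)   # floor at one minute to avoid divide-by-zero
    speed = dist / hours
    if speed > max_speed_kmh:
        verdict = "impossible_travel"
    elif dist > LOCAL_RADIUS_KM:
        verdict = "plausible_travel"        # a travelling employee, not an alert on its own
    else:
        verdict = "local"
    if verdict == "impossible_travel":
        # An approved MFA prompt on an impossible login means the factor was handed over too.
        rec = "lock_account_and_reset_credentials" if cur["mfa"] == "approved" else "investigate"
    else:
        rec = "none"
    return {"user": cur["user"], "from": prev["country"], "to": cur["country"],
            "distance_km": round(dist), "hours": round(hours, 2), "speed_kmh": round(speed),
            "verdict": verdict, "recommendation": rec}


def assess_logins(events):
    """Group events by user, order them in time, and classify each consecutive pair."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)
    return {user: [classify_pair(a, b) for a, b in zip(evs, evs[1:])]
            for user, evs in by_user.items()}


if __name__ == "__main__":
    for user, findings in assess_logins(EVENTS).items():
        for f in findings:
            print(f"{user:<8} {f['from']}->{f['to']} {f['distance_km']:>6} km in {f['hours']:>5} h "
                  f"({f['speed_kmh']:>6} km/h): {f['verdict']} -> {f['recommendation']}")
```

The speed threshold, not the country change alone, is what separates the Cyprus login from the London one; a country-change rule by itself would page the team for every employee on a trip. Geolocation accuracy sets the floor on how tight these thresholds can be, which is why the quote above stresses precision.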
There are loads of lessons that can be gleaned from the First West experience to improve how your team goes about investigating fraud and responding to security incidents. The entire case study detailing First West’s experience is available here. If you want to talk with us about how HYAS can help your organization investigate adversary infrastructure and understand the threat actors behind cyber incidents, give us a shout.