As one of Canada’s leading financial cooperatives with more than 1,400 employees and over $11 billion CAD in assets, this credit union (and HYAS client) is a constant target for cybercriminals. That’s no surprise. But what might come as a shock to the next bad actor who sets their sights on this bank? Its security operations team tracks threat actors right down to their doorsteps — whether they’re in Central America, Cyprus or a remote farm in their own province. Those are three real examples of this team’s fraud response since integrating HYAS Insight’s adversary infrastructure intelligence into its tech stack.
As the credit union’s manager of IT cybersecurity explains, the Canadian authorities’ capabilities for fraud investigation lag behind the United States, where the FBI and the Secret Service both have dedicated cybercrime divisions. In the province where the bank is headquartered, he says that “if you walked into a local savings branch with a gun and robbed it and you only got a thousand bucks, there would definitely be a pretty big investigation. But if you launch a phishing campaign and defraud the credit union for a hundred thousand dollars — well, we struggle to get the level of support that we need.”
He notes that in his province, there are just two people who work on cyber fraud cases. As a result, the credit union has to take matters into its own hands and conduct its own investigations. With HYAS Insight in place, those investigations — and the team’s responses to threats of all kinds — are faster and more effective than ever.
Sign up for the free HYAS Insight Intel Feed! Get unprecedented insight on threat actors, malware families, and network resources to strengthen your cybersecurity defenses. Register now.
We realized that we had a threat intelligence problem - we were not turning our spend into the results we expected. We’d been using a traditional threat intelligence provider, which had been integrated with our sensor systems, for a number of years. When you depend on threat intelligence as much as we do, a high false positive rate is really noticeable, and you don’t necessarily know or trust where a lot of that data comes from.So when it came down to detailed attribution and really knowing our adversary, our current threat intelligence program just didn’t provide that to us.
We needed assistance from local law enforcement for take-downs, but they required us to provide the type of intelligence they could take action on in order to build a viable case against the bad guys. So it was obvious, we needed to profile threat actors better, with clear, actionable details.
“When you depend on threat intelligence as much as we do, a high false positive rate is really noticeable, and you don’t necessarily know or trust where a lot of that data comes from.”
I’d say fraud response is our primary use case. We use HYAS’s wide-ranging infrastructure intelligence to connect the dots between adversary infrastructure, malicious activity, and other information to build a better threat actor profile and ultimately stop the threat. But we have also integrated HYAS Intelligence across other security layers like our network authentication process. We had one incident six months ago. A user responded to a phishing email and gave their credentials up. A threat actor attempts to log on and trips off the multi-factor authentication. The user, not recognizing the deception and assuming it’s his own network activity, acknowledges the authentication and provides a green light to the bad guy. But our sensors fire, because the request is coming from Cyprus and the infrastructure looks dubious. So the account gets locked and gives us time to confirm the dubious reputation of the infrastructure communicating with our network and to verify we don't have employees traveling in the region. This is a great example of the ROI we get out of HYAS Insight.
The main problem HYAS Insight solves is the slow speed our fraud team experiences when trying to connect the dots. My team is able to quickly perform global infrastructure look-ups and get the intelligence they need without having to sort through a bunch of minutiae and other noise that dogs many other intelligence products. You don’t have to wait for that information. HYAS provides clear verdicts on infrastructure IOCs for date-sorted infrastructure details to get our team answers quickly. But it also provides tons of detail that lets my team find needles in a haystack. You’re able to quickly access DNS history, unique registrar information, and other details and matrix that against related infrastructure, actor information, and malicious activity all in one place.
Because we use HYAS threat intelligence, we’re able to act aggressively and often catch attacks in the early phases of the kill chain, or even before infrastructure is weaponized. We’ve had some significant incidents where HYAS’s infrastructure intelligence was pivotal in mitigating the impact on our credit union. In one instance, we saw a threat actor phishing our employees and sending them to a fake website. We found the domain details by using HYAS Insight. We did the DNS lookup and found four other credit unions that were also being targeted by this threat actor using the same infrastructure. HYAS gave us registrar details no one else can provide. We were able to advise all four about the active phishing campaign, share what we learned over the course of dismantling parts of the infrastructure, and better protect the financial industry at large. And we learned a lot about the threat actor; now we know what to look for in future attacks and we can keep building a case and working with law enforcement with the hopes that the threat actor ends up behind bars.
We felt great helping other members of our industry, though one of the credit unions did not take the threat seriously enough. The fraudsters were able to use this infrastructure in an attack that brute-forced some weak passwords and led to a costly incident for the credit union.
"We did the DNS lookup and found four other credit unions that were also being targeted by this threat actor using the same infrastructure. HYAS gave us registrar details no one else can provide."
Yes, we get major cost savings in average time spent on an investigation. Before HYAS Insight, we had a much more fragmented view on the infrastructure being used by our adversaries. Now we get access to global WHOIS and tons of correlating infrastructure intelligence all in one place. We do much less “stitching together” of information from many sources.
One thing we see often is a bad actor buying a domain under one hosting service; then they’ll move it two or three times to different hosting companies or even different registrars. We call it domain bouncing. Sometimes we see them shuffle domains really quickly. And with HYAS Insight we can see them cycle the DNS, and we can also get intel on new malware association or recent C2 activity and therefore better understand the adversary’s TTPs.
One thing that really helped my team was being able to prove to our board of directors and our executive risk committee that our intelligence was highly accurate. It has given us a lot of credibility as an asset in the organization, and leadership looks differently at our resource and staffing requests because they know we’ll turn these investments into real improvements in resiliency for the organization.
I get comments and questions from our CEO and our senior executives when cyber attacks escalate to their tier of visibility. Most of the time, I am telling them how quickly we handled it and how the credit union suffered no notable losses. That speaks volumes to the team’s capability. And when they see you taking names and kicking a$$, they say, You guys are always doing a great job keeping both us and our members safe.
“One thing that really helped my team was being able to prove to our board of directors and our executive risk committee that our intelligence was highly accurate. It has given us a lot of credibility as an asset in the organization.”
When we’ve talked to law enforcement — we’ve talked to the Secret Service and the FBI in the United States — and when we tell them our intel is from HYAS, the light bulb goes on: Yeah, they’ve got credibility in the industry; we can trust what they say.
One more thing I’d like to add is HYAS’s level of involvement with us from the start. They are really keenly interested in how we do business and how they can best support us. We’re not the biggest client in the world, that’s for sure but even the HYAS CEO makes the time to meet with us and understand what we need to do and where we need to go.
Connect with us to learn how HYAS's unrivaled threat intelligence and investigation capabilities can augment your existing security stack and protect against advanced cyberthreats.