Meeting hackers head-on
In a climactic conclusion to an insider threat story that has been developing since 2015, Morgan Stanley agreed to pay a fine of $1 million to the US Securities and Exchange Commission (SEC) in June this year for failing to protect private customer data.
The leak in question took place between 2011 and 2014, as a former Morgan Stanley employee, Galen Marsh, downloaded the bank’s client information onto his personal computer using a very simple hack of the client data management system. His personal computer was then allegedly accessed by an unknown third-party hacker who posted the information on the public code sharing site, Pastebin.
Morgan Stanley itself discovered the breach during a security sweep on Pastebin and traced the information back to Marsh, whose employment was terminated. He was subsequently criminally charged and fined in 2015.
Early threat detection
Marsh conducted at least 6000 searches on the client management system to download 730,000 customer account details. These queries were built by entering Morgan Stanley Smith Barney (MSSB) branch identifiers, to which he had access, and then entering different financial advisory numbers until he obtained the correct combination. The information was then downloaded to his personal computer, rather than a Morgan Stanley issued machine.
Let’s break down the scenario in which Marsh was apprehended the first time that he downloaded client data onto his personal computer. This happened in 2011. Marsh had been working at Morgan Stanley since 2008 and was familiar with the organisation’s client management system.
He was presumably downloading data from an account on which he was working, when he realised that he was able to change the filters on the system. Perhaps he did this at work and waited until he was at home to log in again from his personal computer. After this discovery, he took actions that would have raised the following flags in an alert system.
■ Logged in from a personal computer: by itself, a low risk – yellow
■ After logging in, selected a branch identifier to which he was not assigned – immediate red flag
■ Fiddled with the financial advisory numbers until he found the correct one – orange, could happen, but presumably not more than once during a session
■ Downloaded the data onto his personal machine – immediate red flag, presumably no one should download anything from the client management system unless it is on a Morgan Stanley machine
■ Presumably repeated steps two, three and four above several times until he logged out for the night – a layered alert showing increasing counts of suspicious actions
Ultimately, Marsh undertook these actions thousands and thousands of times during the course of his employment. That’s terrifying to security teams and understandably so. Had Morgan Stanley been monitoring for these items, using a centralised platform for the analysis of log-in data and client management system activity (including where the downloads were going), a security analyst could have received an alert showing the layering of these threat events, producing a very high-risk score.
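The layering described above can be sketched as a small scoring routine. This is an added example, not code from Morgan Stanley or RedOwl: the event fields, user and branch names, and the numeric weights for yellow, orange and red are all assumptions, and both sessions are constructed.

```python
from collections import Counter

# Weights are assumptions for this example; the article only names the colours.
WEIGHTS = {"yellow": 1, "orange": 3, "red": 10}

# Constructed entitlements and session events (hypothetical names, not real data).
ASSIGNED_BRANCHES = {"analyst1": {"B100"}}

def ev(action, device="personal", **extra):
    return {"user": "analyst1", "device": device, "action": action, **extra}

SUSPICIOUS = [
    ev("login"),
    ev("select_branch", branch="B200"),
    ev("fa_lookup"), ev("fa_lookup"), ev("fa_lookup"),
    ev("download"),
    ev("select_branch", branch="B300"),
    ev("fa_lookup"), ev("fa_lookup"),
    ev("download"),
]
ROUTINE = [
    ev("login", "corporate"),
    ev("select_branch", "corporate", branch="B100"),
    ev("fa_lookup", "corporate"),
    ev("download", "corporate"),
]

def flag_session(events, assigned):
    """Count (colour, reason) flags raised by one session's events."""
    flags, fa_attempts = Counter(), 0
    for e in events:
        personal = e["device"] != "corporate"
        if e["action"] == "login" and personal:
            flags[("yellow", "login from personal computer")] += 1
        elif e["action"] == "select_branch":
            if e["branch"] not in assigned.get(e["user"], set()):
                flags[("red", "unassigned branch identifier")] += 1
        elif e["action"] == "fa_lookup":
            fa_attempts += 1
            if fa_attempts > 1:  # one lookup per session is treated as normal
                flags[("orange", "repeated advisory number attempts")] += 1
        elif e["action"] == "download" and personal:
            flags[("red", "download to non-corporate machine")] += 1
    return flags

def risk_score(flags):
    """Layered score: every repeat of a flag adds its weight again."""
    return sum(WEIGHTS[colour] * n for (colour, _), n in flags.items())

if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        flags = flag_session(session, ASSIGNED_BRANCHES)
        print(name, risk_score(flags), dict(flags))
```

Because repeats accumulate, the score climbs with every additional branch, lookup and download in the session, which is what lets an analyst rank it above a session with a single yellow flag.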
Although it is clear that the client management system could have been better secured, a high-risk activity alert could have informed Morgan Stanley of the breach at the very beginning of this activity and allowed it to rectify the situation before it escalated to hundreds of thousands of customers.
Could the third-party hacker have been apprehended earlier?
The fact that Morgan Stanley found the hack itself shows that it did, in fact, have some security controls in place.
Pastebin, a platform initially created to allow developers to easily share and store code, is now a known repository for illegally obtained information, such as credit card numbers, bank account names and social security numbers. Lately, Pastebin has been associated with hacking groups such as Anonymous, Guardians of the Peace and DemonSec, all of which have had run-ins with the US Federal Bureau of Investigation (FBI).
As part of their daily security practices, banks should certainly scour the internet for their clients’ personally identifiable information. However, once the data has been sold or shared online, the breach has already taken place. It is more effective, therefore, to catch an insider threat in the early stages of a hack, particularly one which seemed to have taken place so systematically and for so long.
Online hacks are the bank heists of old. The Identity Theft Center listed 454 data breaches to mid-August 2016 in the US, with more than 12 million people exposed. However, where there is a higher incidence of breaches, there is also a higher potential for apprehension. Companies are analysing log-ins, print logs, remote access and web access to paint a vivid picture of insider threats and how they are operating. In fact, the FBI found in 2014 that most data breaches were caused by disgruntled employees, not external hackers.
We don’t know Marsh’s motivations – was he disgruntled, angry, or seeking retribution? It’s not even clear what he intended to do with the data he stole. What is certain, though, is that all of his actions left telling fingerprints and that if only the light had been angled correctly, they would have begun to glow.
* Eleonore Fournier-Tombs is a RedOwl field data scientist