Author: Ana Pereu, Consultant, Cyber Security and Vinodpal Minhas, Director, Cyber Security
Over the last decade, financial institutions have increasingly tried to employ machine learning systems to cope with more sophisticated criminals and meet rising client expectations. Banks, for instance, are known to use transaction monitoring systems driven by machine learning to recognize anomalous transactions that deviate from the system’s conventional, rules-based predictive behaviour. According to the 2019 Anti-Fraud Technology Benchmarking Report published by the Association of Certified Fraud Examiners, 55% of the organizations surveyed expect to increase their budgets for anti-fraud technology over the next two years, and 25% of companies surveyed said they expect to adopt AI and/or machine learning in the next one to two years.[1]
But while a lot of these efforts are focused on pro-active supervised models to identify patterns and behavioural anomalies, AI-powered and data visualisation tools have evolved far beyond binary rules-based systems, and companies beyond financial institutions appear to be turning to machine learning tools in insider threat investigations relating to money laundering, fraud and terrorist financing. More so, machine learning and analytics tools can be used in employee investigations related to theft of intellectual property materials, leaks of sensitive data by an insider, and violations of non-compete and non-solicit clauses by high level executives.
What are Insider Threats?
The term insider threat is largely self-explanatory, although the extent to which individuals can pose an internal threat to a business is much larger than often perceived.
Broadly speaking, an insider is an individual who knowingly or unintentionally can cause harm to a company by misusing legitimate access to the company’s assets and bypassing security systems to commit a malicious act.[2] Beyond current employees within an organization, an insider threat actor can be a contractor, external consultant, business partner or affiliate, former employee, or even a board member for example.
In the context of financial crime specifically, insider fraudsters are often guided by three elements:
- Pressure, referring to factors that can motivate employees to commit fraud, including financial difficulties or a desire to achieve or maintain a certain standard of living
- Rationalisation, relating to employees’ ability to adjust their mindset into thinking their acts are justified
- Opportunity, which involves seeing an opportunity to commit the act such as weak controls around company assets
Within a cyber security context, insider threats are fairly similar – insider risks might come from anyone with knowledge and/or access to the organization’s confidential data, as well as network and information security systems. According to the Verizon 2019 Data Breach Investigations report, 34% of all 2018 breaches were caused by insiders.[3]
What is AI and Machine Learning?
Although artificial intelligence (AI) and machine learning (ML) are often used interchangeably, AI is the broader umbrella concept, while ML is a subset of AI. While both terms are widely used in relation to big data analytics, AI largely refers to functions resembling or replicating human cognitive abilities, while ML focuses on data analysis methods where the tool learns from the data it processes and therefore it becomes “smarter”, acquiring capabilities to recognize patterns and change algorithms to pull the most relevant data with little human intervention.[4]
Although many organizations, especially financial institutions, employ some sort of predictive rule-based programs, with the rise of more complex threats and more sophisticated actors, some of these tools may lack the ability to capture and prevent these incidents in a timely and efficient manner, especially in cases where the activity is committed by an insider. According to a 2019 report from IBM, the top five main challenges organizations face during investigation processes are:[5]
- “Investigations take too long to complete
- Incompatible/outmoded systems/tools
- High number of false positive/ unsubstantiated alerts
- Lack of data/insight around customers, accounts and entities
- Too much information to sort through in time allotted”
The use of more sophisticated ML and data visualisation platforms could largely address and eliminate the above concerns, as their use makes investigations more targeted and effective.
Aon’s Cyber Solutions (ACS) employs ML tools to conduct textual and statistical analytics, interrogating large sets of unstructured data for a variety of investigations, ranging from fraud to potential insider threat investigations. ML tools employed for investigative purposes provide various efficiencies to the process and advantages for the outcome of the investigation. After an initial input from analysts, the ML platforms help determine patterns among the data to generate an understanding of the remaining corpus of materials being investigated. Many ML tools can also be designed to conduct behavioural analytics that contribute towards determining a pattern and are therefore capable of flagging anomalies in the dataset as well as helping to eliminate false positives. Companies are often concerned with the sheer amount of information to be reviewed in an investigation; however, ML may be more efficient in culling through large datasets, building on its learnings as it encounters more data.
These ML tools are complemented with interactive visualisations, providing augmented intelligence and comprehensive searching capabilities, all whilst feeding into the investigation specific ML model. The interaction between the investigators and the ML model allows for a more fluid approach to interrogating the data in question. The models are capable of adapting to the findings and learnings of the investigations, using the patterns identified to help form an “understanding” of the issues at hand. This technology has evolved to allow the models to be transferable and portable between investigations. The application of these portable models allows investigators to apply the learnings and identification of consistent and common themes to unique datasets of a given investigation, providing the team with a “head start” in finding the pertinent information.
In an age of compressed media and click-baitable news, the ML tools have adapted to encourage the use of interactive visualisations providing a comprehensive analysis of multiple facets among unstructured data. This includes, but is not limited to: communications analysis, email threading, and data timeline views. Historically, investigators would manually need to collate the underlying metadata from the files in question to build a corresponding picture of how individuals and data interacted with one another. However, with the application of AI and ML technology, intuitive, interactive and graphical representations of data can greatly enhance the speed and efficiency of a given investigation.
In any given investigation, the following features are some of the most common applications of data visualisations:
- Identifying which individuals are communicating with each other, providing statistics on the frequency of the communications and the common topics of discussion;
- Identifying when conversations move to non-corporate channels (e.g. forwarding emails to personal addresses), adding new people to email threads, or BCC’ing other colleagues on sensitive conversations;
- Identifying when conversations split off into new chains, who has access to which information within a given email thread or even if pertinent emails are missing from the data collection;
- Highlighting peaks or troughs in the email traffic, which can typically provide context around the time of an incident.
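As an added illustration (not part of the original article or of any ACS tool), the Python below computes three of the listed features over a constructed set of email metadata: communication frequency between pairs of addresses, messages that leave the corporate domain or blind-copy a colleague, and weekly traffic volume whose peak gives the incident context. The corporate domain, addresses, dates and subjects are assumptions.

```python
from collections import Counter
from datetime import date
# Constructed email metadata for a hypothetical firm (addresses and dates are made up).
CORP_DOMAIN = "firm.example"
EMAILS = [
    # (sent, sender, to, cc, bcc, subject)
    (date(2019, 3, 4), "a.lee@firm.example", ["payments@firm.example"], [], [], "Payment instruction 4411"),
    (date(2019, 3, 5), "a.lee@firm.example", ["payments@firm.example"], [], ["j.roe@firm.example"], "Payment instruction 4412"),
    (date(2019, 3, 6), "a.lee@firm.example", ["alee.home@mail.example"], [], [], "Fwd: Payment instruction 4412"),
    (date(2019, 3, 12), "payments@firm.example", ["a.lee@firm.example"], [], [], "Re: Payment instruction 4411"),
    (date(2019, 3, 13), "a.lee@firm.example", ["payments@firm.example"], ["m.chan@firm.example"], [], "Payment instruction 4413"),
    (date(2019, 3, 14), "a.lee@firm.example", ["payments@firm.example"], [], [], "Payment instruction 4414"),
    (date(2019, 3, 15), "a.lee@firm.example", ["payments@firm.example"], [], [], "Payment instruction 4415"),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def communication_pairs(emails):
    """Who writes to whom, and how often (sender -> each recipient, including cc/bcc)."""
    pairs = Counter()
    for _, sender, to, cc, bcc, _ in emails:
        for rcpt in to + cc + bcc:
            pairs[(sender, rcpt)] += 1
    return pairs

def non_corporate_exchanges(emails, corp=CORP_DOMAIN):
    """Messages with a recipient outside the corporate domain, e.g. a forward to a personal mailbox."""
    hits = []
    for sent, sender, to, cc, bcc, subject in emails:
        outside = [r for r in to + cc + bcc if domain(r) != corp]
        if outside:
            hits.append((sent, sender, outside, subject))
    return hits

def bcc_events(emails):
    """Messages where a colleague was blind-copied on a thread."""
    return [(sent, sender, bcc, subject) for sent, sender, _, _, bcc, subject in emails if bcc]

def weekly_volume(emails):
    """Traffic per ISO week number; peaks and troughs give context around an incident."""
    weeks = Counter()
    for sent, *_ in emails:
        weeks[sent.isocalendar()[1]] += 1
    return weeks

def peak_week(emails):
    weeks = weekly_volume(emails)
    return max(weeks, key=weeks.get)
```

The same functions run unchanged over a real export once the metadata is mapped into the tuple layout above.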
The application of data visualisation and behavioural analytics conducted by ML and AI-powered tools may not only reduce the time of the investigation and the prevalence of false positives, but it can also help provide broader insight into individuals of interest and broaden the scope of an investigation.
Using Machine Learning In Fraud Investigations
Now, to better exemplify the application of ML and data visualisation tools in an investigation, imagine a hypothetical internal fraud case taking place at an investment management firm. An employee within the investor administration team of that firm sends email instructions to the firm’s payment processing team in order to divert investor funds into dozens of the employee’s personal bank accounts. The fraudster carries out the scheme over three years, yet the firm has only recently become aware of one case where their client flagged a missing payment and multiple discrepancies on their payment request form. A scenario like this would inevitably leave the firm worrying about several things: the total number of instances where the fraud was committed; the scale of the fraud; potential accomplices; notifying all the clients potentially affected; and undoubtedly, the firm’s own reputation.
In seeking to uncover the total value of the funds lost, identifying the timescale of the fraud and any potential accomplices, investigators would be expected to review millions of data artefacts, including: corporate emails; instant messages; the suspect’s corporate network drive; as well as the same artefacts belonging to potential accomplices. Requesting payments on a regular basis, without any additional questions, demonstrates the level of responsibility and trust the firm would have had for a person of that stature. And since fulfilling payments is part of the roles and responsibilities of the suspect’s position, investigators would not only need to identify the email instructions, but carefully distinguish between legitimate and fraudulent requests.
Various AI and ML-powered tools could be employed in the scenario described above to identify instances resembling the confirmed fraudulent instructions. An investigator could utilise the tools to apply filters across the data collected, with a view to identifying personal exchanges conducted on the suspect’s corporate devices, focusing on email exchanges with partners, friends, service providers, banks and/or financial advisors. Using the full suite of data visualisation tools available, investigators might be able to identify the frequency of the email exchanges, other individuals involved in the transactions and conversations between the investors and the suspect. Additionally, by feeding the example fraudulent email into ML platforms, these platforms will attempt to intelligently search the corpus of material available to retrieve all other emails containing the same or similar language. As personal accounts are identified in email exchanges with close associates or on non-work related matters, these email addresses can be searched across the corpus of documents identified by the ML platforms to help narrow down the pool of documents required for analysis.
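An added example, not the article’s or ACS’s own code, of the similarity search and address pivot described above: the confirmed fraudulent instruction is used as a seed, each message in a constructed corpus is scored by cosine similarity of its term frequencies (so a repeated account number or sort code pulls a message up the ranking), and personal addresses found in the corpus are searched back across it to narrow the review pool. The corporate domain, message bodies and the 0.5 threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed corpus of hypothetical email bodies; msg01 is the confirmed
# fraudulent instruction used as the seed (not real data).
CORP_DOMAIN = "firm.example"
CORPUS = {
    "msg01": "Please process payment of 12,500 to account 10442 for investor Holdings Ltd, sort code 20-00-01",
    "msg02": "Please process payment of 8,200 to account 10442 for investor Marsh Trust, sort code 20-00-01",
    "msg03": "Lunch on Friday? Send the photos to alee.home@mail.example",
    "msg04": "Quarterly compliance training is now available on the portal",
    "msg05": "Process payment of 9,750 to account 33871 for investor Holdings Ltd as per form",
    "msg06": "Forwarding the signed form to alee.home@mail.example for my records",
}
SEED = CORPUS["msg01"]

def tokens(text):
    """Lowercase word and number tokens; account numbers and sort codes count as terms."""
    return Counter(re.findall(r"\w+", text.lower()))

def cosine(a, b):
    """Cosine similarity between two term-frequency vectors."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def rank_similar(seed, corpus, threshold=0.5):
    """Rank corpus messages by similarity to the seed, keeping those at or above the threshold."""
    seed_vec = tokens(seed)
    scored = [(mid, cosine(seed_vec, tokens(body))) for mid, body in corpus.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

def personal_addresses(corpus, corp=CORP_DOMAIN):
    """Email addresses mentioned in message bodies that are outside the corporate domain."""
    found = set()
    for body in corpus.values():
        for addr in re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", body):
            if addr.rsplit("@", 1)[1].lower() != corp:
                found.add(addr.lower())
    return found

def search_addresses(corpus, addresses):
    """Narrow the pool to messages that mention any of the identified personal addresses."""
    return {mid for mid, body in corpus.items() if any(a in body.lower() for a in addresses)}
```

With this corpus the seed's near-duplicate (same account number and sort code) ranks first after the seed itself, the unrelated training notice is dropped, and the personal address found in the social message also surfaces the forwarded form.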
Although document review using ML might provide solid evidence of fraudulent activity, investigators may also want to look for indicators of behaviour often associated with fraud – notably, evidence of conspicuous consumption. Besides broadening the scope within the document review, investigators should look to gather open source intelligence (commonly known as OSINT), and locate the suspect’s valuable assets (commonly known as asset tracing). According to the UK government’s guidance on indicators for potential fraud, individuals involved in such activity will likely seek to convert or divert the fraudulent funds into items of personal use. These might include cars, houses, exclusive club memberships, boats, jets or jewellery. Asset tracing, OSINT and social media analysis are useful processes in potentially uncovering indicators of conspicuous consumption as investigators could look for properties acquired at the time of the fraud, as well as luxurious items being displayed on the suspect’s or his family members’ social media accounts. Along with the information obtained through the review of the data artefacts, an investigator can build a holistic picture of the suspect’s behaviour and gain a comprehensive insight into his life outside the workplace.
Fraud detection and investigations continue to be a challenge and as traditional fraudulent activities are being replaced with more sophisticated schemes, the need to use AI and ML in fraud investigations cannot be stressed enough. Advances in the technology supporting these analysis platforms mean that systems can now learn, adjust search criteria and uncover patterns, aiding in the rapid and more efficient detection of incidents of fraud, suspected culprits and the overarching impact to an organisation. In conjunction with OSINT, AI and ML-powered tools are useful in providing a “story” about a suspect’s behaviour, subsequently answering questions about the modus operandi employed by the threat actor and possibly, even their overarching motivations. Additionally, such investigations can often uncover potential weaknesses in an organisation’s operating structure, identifying these given “windows of opportunity” for the fraud to take place. Subsequently, this can allow the organisation to introduce appropriate counter measures to future-proof their business from similar insider threats.
[1] https://www.ibm.com/downloads/cas/WKLQKD3W
[2] https://www.cpni.gov.uk/insider-threat; https://securityintelligence.com/posts/what-are-insider-threats-and-how-can-you-mitigate-them/
[3] https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
[4] https://www.forbes.com/sites/bernardmarr/2016/12/06/what-is-the-difference-between-artificial-intelligence-and-machine-learning/#5715f04e2742
[5] https://www.ibm.com/downloads/cas/WKLQKD3W
This is for information purposes only. Professional advice should always be sought regarding specific risk issues.