Cyber Threat Intelligence Fights Fraud, Waste and Abuse
Big data is one of the government's most powerful weapons against fraud.
Fraud, waste, and abuse (FWA) remains a major challenge to the federal government. From 2012 to 2016, the 73 federal inspectors general (IGs), who are on the frontline of fighting FWA, identified $173 billion in potential savings and reported $88 billion in investigative recoveries and 36,000 successful prosecutions and civil actions.
Concurrently, fraud risks worldwide are growing more sophisticated, enabled by the rapid growth of technology and by weaknesses in organizations’ FWA controls. In February 2018, the Center for Strategic and International Studies, in partnership with McAfee, reported “that close to $600 billion, nearly 1 percent of global GDP [Gross Domestic Product] is lost to cyber crime each year.” That same month, the Thales Data Threat Report concluded that “federal data is under siege.” Meeting this challenge requires a multifaceted approach that goes beyond traditional FWA and cyber investigations and starts with a clear understanding of the threat landscape.
One weapon the federal government has at its disposal is its vast amount of data. This data—structured or unstructured—can be key in efforts to fight FWA. Typically, FWA investigations focus on two general areas: corruption and asset misappropriation. Within those two areas, investigators can focus on items such as bribery, illegal gratuities and payroll fraud.
Federal agencies’ growing ability to analyze unstructured data, commonly estimated at about 80 percent of all data, is a game changer, and agencies have added data analytics software and professional services to their toolkits. Harvesting and analyzing structured and unstructured data is essential in battling FWA, but analysis alone is not enough. Data analysis gives organizations deeper insight, and pairing it with cyber threat intelligence (CTI) helps ensure agencies do not miss threats that the data by itself would not reveal.
CTI’s rise in recent years is rooted in its ability to provide visibility into threats and produce actionable information. In 2016, a SANS Institute survey of government and private-sector organizations found that although organizations were increasingly establishing CTI capabilities and programs, most of those programs were still immature. As a result, most could “only comfortably research and utilize between 1 and 100 threat indicators weekly.” Even with this limited capacity, organizations using CTI reported that “the top benefit of CTI was to enable better decision making,” followed by “visibility into threats and faster/more accurate response.”
Some federal agencies and their IGs now use forensic analytics to manage structured data such as sales records, payroll details, inventory records and financial reports, as well as unstructured data such as e-mail, instant messages and payment text descriptions. Forensic analytics can comb large volumes of data, separate out much of the noise, and surface FWA leads and evidence. That information becomes more powerful when it is paired with CTI. Specifically, by layering an agency’s threat data streams over its network, security and identity-management data, CTI analysis lets the organization close gaps in visibility and respond to, or even prevent, FWA more effectively. CTI can add context to user behavior data, vulnerability data, social media activity, web activity, third-party risk, monitoring of persistent threats, cyber crime and more.
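The layering described above, as an added example that is not code from the article, from KPMG, or from any agency: a pure analytics rule (a vendor's remittance account changing between payments) is combined with two CTI enrichments, matching domains found in unstructured memo text against an indicator list, and matching the approver's login IP from identity-management data against indicator infrastructure. The payment records, login events, indicator list, field names and the two-hour login window are all constructed assumptions for the illustration; real feeds and finance exports will differ.

```python
"""Layering CTI indicators over forensic analytics of payment records.

Constructed illustration written for this page; it is not code from the
article, from KPMG, or from any agency. All records are fabricated: three
vendor payments (structured data), the identity-management login events for
the approving accounts, and a small CTI indicator list. The indicator values
use a documentation IP range and a .example name, not real IOCs.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Structured finance data: vendor payments as a finance system might export them (constructed).
PAYMENTS = [
    {"id": "P-1001", "vendor": "Acme Supply", "amount": 48900.00,
     "account": "111-22-3333", "approver": "jdoe",
     "approved_at": "2018-03-02T14:05:00",
     "memo": "Q1 invoice 4471, remit per vendor email from acme-supply.example"},
    {"id": "P-1002", "vendor": "Acme Supply", "amount": 48900.00,
     "account": "999-88-7777", "approver": "jdoe",
     "approved_at": "2018-03-09T09:41:00",
     "memo": "Updated remittance details, see billing@acme-supp1y.example"},
    {"id": "P-1003", "vendor": "Blue Ridge IT", "amount": 1250.00,
     "account": "444-55-6666", "approver": "asmith",
     "approved_at": "2018-03-09T10:12:00",
     "memo": "Monthly support"},
]

# Identity-management data: source IP of each approver's login session (constructed).
LOGINS = [
    {"user": "jdoe", "ip": "10.20.30.40", "at": "2018-03-02T13:50:00"},
    {"user": "jdoe", "ip": "203.0.113.77", "at": "2018-03-09T09:30:00"},
    {"user": "asmith", "ip": "10.20.30.41", "at": "2018-03-09T10:00:00"},
]

# CTI feed: indicators the agency's threat intelligence program has collected (constructed).
# 203.0.113.0/24 is a documentation range; the domain is a made-up look-alike of the vendor's.
INDICATORS = {
    "ip": [ip_network("203.0.113.0/24")],
    "domain": {"acme-supp1y.example"},
}

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")
LOGIN_WINDOW = timedelta(hours=2)  # assumed: approval must follow a login within this window


def parse_ts(value):
    return datetime.fromisoformat(value)


def domains_in(text):
    """Pull domain-like tokens out of free text such as a payment memo."""
    return set(DOMAIN_RE.findall(text.lower()))


def login_before(user, approved_at, logins=LOGINS):
    """Most recent login by `user` inside LOGIN_WINDOW before the approval, or None."""
    t = parse_ts(approved_at)
    recent = [l for l in logins
              if l["user"] == user and t - LOGIN_WINDOW <= parse_ts(l["at"]) <= t]
    return max(recent, key=lambda l: parse_ts(l["at"]), default=None)


def ip_is_indicator(ip, nets=None):
    """True when `ip` falls inside any indicator network."""
    nets = INDICATORS["ip"] if nets is None else nets
    return any(ip_address(ip) in net for net in nets)


def score_payment(payment, history, logins=LOGINS):
    """Return the list of reasons a payment deserves investigator attention."""
    reasons = []

    # Analytics-only rule: remittance account differs from this vendor's earlier payments.
    t = parse_ts(payment["approved_at"])
    prior_accounts = {p["account"] for p in history
                      if p["vendor"] == payment["vendor"] and parse_ts(p["approved_at"]) < t}
    if prior_accounts and payment["account"] not in prior_accounts:
        reasons.append("remittance account changed from prior payments to this vendor")

    # CTI layered over unstructured data: memo text mentions an indicator domain.
    hits = domains_in(payment["memo"]) & INDICATORS["domain"]
    if hits:
        reasons.append("memo references indicator domain " + ", ".join(sorted(hits)))

    # CTI layered over identity data: the approving session came from indicator infrastructure.
    login = login_before(payment["approver"], payment["approved_at"], logins)
    if login and ip_is_indicator(login["ip"]):
        reasons.append("approver session from indicator IP " + login["ip"])

    return reasons


def triage(payments=PAYMENTS, logins=LOGINS):
    """Map each payment id to its reasons; an empty list means nothing was flagged."""
    return {p["id"]: score_payment(p, payments, logins) for p in payments}


if __name__ == "__main__":
    for pid, reasons in triage().items():
        print(pid, "->", reasons or "no findings")
```

Run stand-alone, the script flags only P-1002, and it flags it three times: the account change is the analytics lead, while the look-alike domain in the memo and the approver's session from indicator infrastructure are the CTI context that turns a routine vendor-detail change into a business e-mail compromise lead worth an investigator's time. A payment that trips only one rule is still worth a look, but the combined reasons are what let an analyst prioritize.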
By employing CTI, agency management moves to a proactive cyber defense posture instead of reacting to sudden breakdowns or IG findings. The goals are to block fraudulent cyber activity or detect it early and then, in close coordination with forensic analysts and FWA investigators, to ensure proper handling, storage and chain of custody for any digital forensic evidence.
The CTI function can also serve as a bridge between the agency’s chief information officer, chief information security officer and IG in addressing threats. Finally, by continually focusing on malicious cyber activity, CTI can support compliance with federal regulations and guidelines relating to FWA, including those issued by the Office of Management and Budget and the Government Accountability Office.
John Kupcinski is director of KPMG's Federal Cyber Security group.