TIPS #17: Subversion: The silent third dimension of cybercrime

Issue: Security teams tend to focus on tactical and sensational cyber threats that steal data or sabotage systems, rarely examining strategic long-term threats that seek to subvert data and systems.

“Loud” and visible cyber threats like ransomware, phishing, and data theft can derail company operations and cost thousands or millions of dollars in response and recovery. Understandably, most security teams and leaders focus their efforts on incidents like these which seek to extort funds, incapacitate systems, or steal data.

“Quieter” subversive threats can be just as (if not more) impactful but rarely receive the same attention. Subversion is a long-term campaign in which a threat actor- often a (or with the cooperation of a) credentialed and trusted insider like an employee, partner, or customer- abuses access to a company’s systems and data for their own benefit. Threat actors who seek to subvert are often motivated by long-term financial, espionage, or ideological objectives. While subversive actions are stealthy by nature, they can also enable “louder” crimes such as data theft, destruction, or exposure.

Subversive threats are insufficiently addressed by most companies’ security postures, policies, and tooling, due in part to a mismatch between the strategic nature of subversion and the tactical approach of most security teams. Prioritization can also be fueled by a misperception that subversive threats are less damaging.

One well-known case of subversion is that of former JPMorgan Chase traders who used their access to manipulate the precious metals market from 2008 to 2016, placing and canceling tens of thousands of orders to create false supply and demand for their own benefit. Market participants lost over $10 million as a result. Two traders were fined and sentenced to prison in 2023 and JPMC agreed to pay $920 million in connection to the case and a separate (but similar) case of U.S. treasuries market manipulation. 

Another recent case of subversion is the 2023 Tesla data breach, in which two former employees violated the company’s security and data protection policies, stealing over 23,000 documents with the intent to leak customer complaints regarding Tesla’s self-driving features. The employees shared the documents with German media outlet Handelsblatt and exposed sensitive personally identifiable information (PII) for over 75,000 current and former employees. 

Other examples include:  

• An unscrupulous contractor who simultaneously works for a company and its competitor, earning compensation for degrading the company’s IP and creating a competitive disadvantage. 
• An employee who secretly poisons a Large Language Model (LLM) used by HR, leveraging targeted training data to create model outputs that increase their target compensation range during annual reviews. 
• A new banking customer who intends to use their account to facilitate fraud or embezzlement. 
• A financial institution employee who is coerced to modify payee benefits to enable money laundering, in return for a commission on the laundered funds.  

Impact: Subversion can lead to reputational damage, long–term competitive degradation, and other persistent impacts.  

The long-term manipulation of company data and systems introduces the potential for compounding negative impacts. It’s often difficult for companies to detect who did what, why, and when. 

Broadly, though, impacts from subversive actions can include reduced product or service performance, competitive disadvantage, loss of customer trust, brand deterioration, diminished cybersecurity, and increased risk exposure. For example: 

• Modifications to source code in private repositories or Concurrent Version Systems (CVSs) can create operational product backdoors or performance degradation and cause software vulnerabilities, lower sales, and reputational damage.  
• Manipulated messaging or marketing systems can expose sensitive information to competitors and eliminate market advantages.  
• Poisoned machine learning training data can reduce model performance, degrading business processes that rely upon the model and creating the potential for financial losses and security vulnerabilities.  

Depending on the circumstances of a subversive incident, companies may also need to initiate data breach disclosures, pay fines for regulatory violations, and offer compensatory services to affected individuals. 

Action: Secure genAI models and the applications, data, and permissions they leverage. 

1) Never trust, always verify  

Subversion fundamentally abuses trust. Implement zero trust principles to securely enable access to company networks, systems, and accounts. 1Kosmos helps companies secure digital identities with advanced biometric MFA and passwordless enterprise authentication.   

2) Preventative data security and governance

Subversive threats target and abuse data within company systems. Companies must establish and maintain effective data security policies and practices to mitigate risks and meet regulatory requirements. Symmetry Systems’ data security posture management (DSPM) platform visualizes and reduces data risks.  

3) Implement least privilege principles

Grant employees the minimum access necessary to perform their duties to enable a clean and secure permissions environment. This makes it more difficult for threat actors to move laterally and subvert systems and data. SPHERE identifies and eliminatesover-privileged access and protects critical data at scale. 

4) Test and strengthen AI model security

AI models must be monitored and tested from training to production to close security gaps and avoid unintended risks like hallucinations and bias. Bishop Fox assesses AI and ML models and integrations, testing user experience, guardrails, content filtering controls, and model behavior to detect and prevent abuse.  

5) Detect anomalous customer and employee behaviors

It’s critical to have visibility into customer behaviors to identify and remediate anomalous and malicious actions, especially for financial institutions. Lynx’s fraud prevention and anti-money laundering solutions leverage daily adaptive AI models to provide unparalleled detection accuracy, low false positives, and market leading response times.  

It’s also important to protect employees from credential theft and monitor for unusual behavioral patterns. Constella Intelligence helps companies protect user and employee identities by monitoring identity exposures, supply chain compromises, and customer account breaches.    

6) Incident response planning 

Recovering from long-term subversive campaigns is a complex process that requires a holistic approach. Surefire Cyber helps companies create a comprehensive incident response plan to determine the scope of recovery and remediation.

Image by Mohamed Hassan from Pixabay