In developing countries, people rely heavily on their cell phones to move money, from paying for goods to receiving compensation for work. The mobile digital financial systems (mDFS) supporting these daily transactions play a critical role in micro-economies across the world.
mDFS are incredibly complex, involving a multitude of factors (socioeconomic, cultural) and a wide range of participants, including wireless companies, banks, government agencies, and more.
Protecting these systems is equally complicated. MITRE Engenuity™, MITRE’s foundation directed at uniting industry for the public interest, stepped up to the challenge.
To get the job done, Cynthia Wright, Adrian Gonzalez, and Sebastian Forgues leveraged several of our cross-cutting capabilities, combining statistical analysis with cybersecurity expertise to address system security issues.
A 30,000-FOOT VIEW OF A COMPLEX CHALLENGE
Big Picture: Large swaths of the global population rely on their mobile devices to make payments and get paid. Unfortunately, the financial technology (AKA fintech) processes supporting such transactions are extremely vulnerable to fraud.
Challenge: Protecting mDFS is a multi-faceted challenge because each participant in the fintech ecosystem interacts and manages their role differently. MITRE Engenuity’s team set out to create a decision tool, or cyber risk model, to help direct industry and government toward solutions-oriented investments.
Approach: As with 3D glasses, the complete picture of mDFS security is unclear unless it’s viewed through both technical and non-technical lenses simultaneously.
Dual-lens complexity in action: Forgues cites an example of a woman using her phone to buy goods from a shopkeeper at a market. The transaction is text or SMS-based and not associated with or insured by a bank.
There are myriad technical touch points where something could go wrong during any given transaction.
Criminal activity: “Shoulder surfers” could steal her password information.
Technical failure: Service providers could have an outage at the exact moment she presses “send.”
Political activity: Government could shut down cell tower service or be hacked.
There are also numerous non-technical factors that could contribute to her text transaction going awry.
Education level: She’s not mathematically savvy and could be swindled by the shopkeeper.
Gender equity: If the woman wears a burka, but the wireless provider requires facial recognition for authentication, she may be unable to access her money.
Outcome: The team used open-source research to cull technical and non-technical data inputs, like the scenario outlined above. From there, they built on MITRE’s ATT&CK® framework, which tracks cyber adversary behavior, to develop an interactive cyber risk model outlining the top 20 risks (out of several hundred) threatening digital financial systems globally. They then transformed the model into a web-based software application available for the public to run individualized risk assessments.
Layered challenge: Due to its complexity, industry and governments haven’t yet recognized the value of this open-source tool.
BRINGING A NEW VIEW TO A LONG-STANDING PROBLEM
“It’s a rising tide that can lift all boats,” Forgues says of the project’s potential impact on the mobile fintech ecosystem broadly.
The team is working on the following next steps:
Invite industry stakeholders within mDFS to apply the framework to their processes and invest in targeted solutions for coverage gaps.
Prompt governments to strengthen infrastructure, policy, and education to reduce system risk.
Put data on the international community’s radar, including the United Nations and other governing bodies, to inform improved infrastructure standards. “It’s low investment for really high impact,” Forgues explains.
The project’s risk model approach can be applied to many other sectors’ cyber threat areas, including agriculture, shipping, health information, and more.
Interested in learning more? An 87-page white paper outlines MITRE Engenuity’s process and findings in detail.