Over the years, I’ve seen a significant number of incident response (IR) cases that have stemmed from a business email compromise (BEC), which should come as no surprise considering recent studies show that approximately 90% of cyberattacks begin with a phishing email. A BEC occurs when an adversary uses email to defraud an organization or gain access to sensitive information. Attackers gain access to email accounts through phishing emails, password attacks, unsecured Wi-Fi, credential-stealing malware, and similar means. Some attackers prefer to stay in the email environment, where they can snoop around, change rulesets, and impersonate people in the hope of tricking others into completing specific tasks, while more sophisticated hackers find ways to move from email into their victims’ IT environments, where they usually deploy ransomware. Whatever the approach, the attacker’s end goal is to find the quickest way to steal money and/or information without being detected.
Because of the prevalence of BECs, it’s not uncommon for organizations to handle these types of incidents on their own if they believe there hasn’t been too much damage (keep in mind that what they “believe” and what actually happened may be vastly different). Once spotted, an attacker can usually be kicked out of a user’s mailbox through password changes and enabling multi-factor authentication (MFA). The organization can then make a risk-based decision as to whether further action is required.
While it’s easy to assume that the situation was handled by kicking the attacker out of the mailbox, many businesses have unfortunately learned that what you don’t know today can harm you tomorrow. That is why, if you ever suspect a BEC, you should call in your legal counsel and a cybersecurity professional to investigate how far the adversary progressed and whether or not they are still in your email environment or IT network. Based on the findings, there may be legal obligations your organization must comply with.
After an organization has fallen victim to a BEC, a review of available log data, devices, and settings comes into play. If a proper IR investigation is not conducted (we highly recommend one, and insurance carriers usually require one if a claim is filed), stakeholders should, at the very least, consider preserving the impacted user’s mailbox, all relevant log data, and the devices involved at the time of the incident in case information is used or leaked at a later date. At Avalon Cyber, we’ve seen many cases where this was not done initially and how it impeded the IR investigation later.
We all know there’s no silver bullet in IT security, no one-and-done action that can prevent all attacks, or even one framework that can check all of the boxes, but we do know that a defense-in-depth strategy can give these online thieves a run for their money (pun intended) by making it difficult to break in, and even harder to stay in (if, in fact, they do breach a system).
Now that we’ve discussed ways to help prevent malicious emails from reaching users, what happens when these technologies fail and a phishing email is successfully executed? This is where I believe a Security Information and Event Management (SIEM) system could be beneficial. By utilizing a SIEM, input from your email environment, servers, firewalls, antivirus agents, intrusion prevention systems, and much more can be collected, correlated, and alerted on in one place, so immediate action can be taken no matter where the threat occurs. Those of us who have been involved in an IR case know how easily adversaries can move laterally into other hosts and applications. And speaking of IR cases, a SIEM also provides “one place” to conduct most, if not all, of your IR investigations.
A non-exhaustive list of things to look for if you suspect a BEC:
- Account logins from outside the expected geographic areas, found by reviewing and pivoting on source IP addresses
- Numerous failed login attempts followed by a successful one
- Incoming emails that look suspicious or may be leveraging a spoofed domain
- Recent mailbox rule changes, such as rules that forward or move emails containing certain language (or meeting other specific criteria) to a folder, newly added delegates, etc.
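To make the list concrete, here is an added Python example (not Avalon Cyber’s code and not any SIEM product’s detection content) that runs the login-location, failed-then-successful-login and mailbox-rule checks over a handful of constructed audit events. The event fields and operation names are a simplified, hypothetical stand-in for a mailbox audit log, the IP-to-country table is constructed in place of a real GeoIP lookup, and the finance keyword and “hiding folder” lists are illustrative choices, so adapt all of them to your own environment.

```python
"""Triage checks for a suspected BEC over a handful of constructed audit events.

Added example, not Avalon Cyber's code. The event shape and operation names are a
simplified, hypothetical stand-in for a mailbox audit log, and the IP-to-country
table below is constructed in place of a real GeoIP lookup.
"""
from collections import defaultdict

# Constructed IP -> country table (stand-in for a GeoIP database).
GEOIP = {
    "203.0.113.7": "US",
    "198.51.100.23": "US",
    "192.0.2.99": "XX",   # placeholder country code for an unexpected location
}

# Constructed sample events, oldest first. "op" mimics an audit operation name.
EVENTS = [
    {"ts": "2024-01-08T13:01:00Z", "user": "alice", "op": "UserLoginFailed", "ip": "192.0.2.99"},
    {"ts": "2024-01-08T13:01:05Z", "user": "alice", "op": "UserLoginFailed", "ip": "192.0.2.99"},
    {"ts": "2024-01-08T13:01:09Z", "user": "alice", "op": "UserLoginFailed", "ip": "192.0.2.99"},
    {"ts": "2024-01-08T13:01:12Z", "user": "alice", "op": "UserLoginFailed", "ip": "192.0.2.99"},
    {"ts": "2024-01-08T13:01:20Z", "user": "alice", "op": "UserLoggedIn", "ip": "192.0.2.99"},
    {"ts": "2024-01-08T13:05:00Z", "user": "alice", "op": "New-InboxRule", "ip": "192.0.2.99",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;wire;payment",
                "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"ts": "2024-01-08T14:00:00Z", "user": "bob", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2024-01-08T14:02:00Z", "user": "bob", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2024-01-08T14:02:30Z", "user": "bob", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2024-01-08T15:00:00Z", "user": "carol", "op": "Set-InboxRule", "ip": "198.51.100.23",
     "params": {"Name": "Newsletters", "From": "news@example.com", "MoveToFolder": "News"}},
]

# Illustrative keyword and folder lists; tune these to your organization.
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}


def foreign_logins(events, expected=("US",)):
    """Successful logins whose source IP geolocates outside the expected countries."""
    return [(e["user"], e["ip"], GEOIP.get(e["ip"], "??"))
            for e in events
            if e["op"] == "UserLoggedIn" and GEOIP.get(e["ip"]) not in expected]


def failures_then_success(events, threshold=3):
    """Users with >= threshold consecutive failed logins immediately followed by a success."""
    streak = defaultdict(int)
    hits = []
    for e in events:   # events are assumed to be in chronological order
        if e["op"] == "UserLoginFailed":
            streak[e["user"]] += 1
        elif e["op"] == "UserLoggedIn":
            if streak[e["user"]] >= threshold:
                hits.append((e["user"], streak[e["user"]], e["ip"]))
            streak[e["user"]] = 0
    return hits


def suspicious_rules(events):
    """Inbox rule changes that forward mail, match finance keywords, or hide matching mail."""
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        reasons = []
        if any(k in p for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
            reasons.append("forwards or redirects mail")
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
        if words & FINANCE_WORDS:
            reasons.append("matches finance keywords")
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS or p.get("DeleteMessage"):
            reasons.append("hides or deletes matching mail")
        if len(p.get("Name", "")) <= 2:
            reasons.append("rule name is near-empty")
        if reasons:
            hits.append((e["user"], p.get("Name"), reasons))
    return hits


def triage(events):
    """Run all three checks and return a dict suitable for an alert or ticket body."""
    return {
        "foreign_logins": foreign_logins(events),
        "failures_then_success": failures_then_success(events),
        "suspicious_rules": suspicious_rules(events),
    }


if __name__ == "__main__":
    for check, findings in triage(EVENTS).items():
        print(f"{check}: {findings}")
```

Run against the sample events, only alice is flagged: a successful login from an unexpected country, four failed logins immediately before it, and a near-nameless rule that moves finance-related mail into a folder most users never open. Bob’s single typo-style failure and Carol’s newsletter rule produce nothing, which is the point of combining several weak signals per user rather than alerting on any one of them.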
Remember, a SIEM is what you make it and can be fine-tuned however an organization sees fit. You can create rules to fire off alerts based on just about anything you want, as long as the logs and/or agent activity are coming into the SIEM. Most SIEMs come with out-of-the-box alert rules in place, but it’s recommended that your security team takes the time to further develop these rules to align with your organization’s risk appetite and security strategy. Also, make sure logging is enabled wherever possible/feasible – NEVER assume this is in place by default.
It only takes one unwitting employee to click on a phishing email and provide credentials for an attacker to gain access and wreak havoc. So, to wrap up, here are some of my recommendations to help thwart a BEC attack and considerations for when the inevitable happens (sigh):
- Enable multi-factor authentication (MFA) wherever possible (not 100% effective, but it helps decrease the likelihood of an attack significantly).
- Utilize a password manager to store credentials and encourage the use of strong and unique passwords.
- Enable and create rules for SPF, DKIM, and DMARC.
- Train your users on how to spot and react to phishing emails and other types of attacks. Avalon Cyber offers phishing simulation and training to help organizations manage the ongoing problem of social engineering.
- Enable logging within your email environment and know which logs are available and for how long.
- Don’t rely on email authentication only when it comes to transactions containing financial or other sensitive information. Have a process in place for additional verification, such as via phone or even in person (and enforce it!).
- Practice the principle of least privilege (hackers who gain access to a low-privileged account usually can’t do as much damage as they could with an admin account).
- Know your organization’s footprint on the web by investing in open-source intelligence (OSINT) technology solutions.
- Consider using a SIEM to continuously monitor log data to flag events as they occur. Avalon Cyber’s KnightVision CAM offering includes a SIEM, which collects and retains log data and sends autonomous alerts to your security team. If you don’t have an in-house security team, KnightVision CAM also includes options for round-the-clock monitoring and incident response by our security experts.
- Create or review your IR plan to ensure there is guidance on how to handle BECs.
- Monitor all your endpoints with Avalon Cyber’s Managed Detection and Response (MDR) in the event a user clicks a link or downloads something that spawns a malicious process.
- Identify risks in your organization’s IT environment with Avalon Cyber’s vulnerability assessments and penetration tests. These assessments will help you identify and remediate vulnerabilities that an attacker could leverage if they are successful in their attack and attempt to cause damage within your network.
- Always consult with your legal counsel and security team on next steps when a BEC has been identified. If you decide not to, know the risks involved and consider preserving the data that exists.
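The SPF, DKIM, and DMARC recommendation above is where I most often see records that exist but do nothing. The following added Python example (not Avalon Cyber’s code) checks SPF and DMARC TXT records for the weak settings that matter most and contrasts a weak pair of records with a hardened pair. The records and the example.com/203.0.113.0/24 values are constructed for a hypothetical domain; in practice you would feed in the TXT record of the domain itself (SPF) and of `_dmarc.<domain>` (DMARC). DKIM is not checked here because its selector records are keys rather than policy.

```python
"""Flag weak settings in SPF and DMARC TXT records.

Added example, not Avalon Cyber's code. The records below are constructed for a
hypothetical domain; in practice you would fetch the TXT record of the domain
itself (SPF) and of _dmarc.<domain> (DMARC) and pass them to the checkers.
"""

# Constructed records: a weak pair and a hardened pair for a hypothetical domain.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                "adkim=s; aspf=s; pct=100")

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return a list of human-readable weaknesses found in an SPF record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("=")[0].split("/")[0]
        # Mechanisms are evaluated left to right and 'all' always matches,
        # so the first 'all' is the one that takes effect.
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' passes every sender; use '-all' (or '~all' while testing)")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use '-all' (or '~all' while testing)")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return a list of human-readable weaknesses found in a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' tag; the record is unusable")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("no 'rua=' tag: you will receive no aggregate reports to tune the policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    return findings


def compare(weak, strong, checker):
    """Show side by side that the hardened record clears every finding raised on the weak one."""
    return {"weak": checker(weak), "hardened": checker(strong)}


if __name__ == "__main__":
    print("SPF:", compare(WEAK_SPF, STRONG_SPF, check_spf))
    print("DMARC:", compare(WEAK_DMARC, STRONG_DMARC, check_dmarc))
```

The weak SPF record lists the right senders and then undoes the work with `+all`; the weak DMARC record is published but at `p=none` with no reporting address, so nothing is ever rejected and nobody learns who is spoofing the domain. The hardened pair uses `-all`, `p=reject`, strict alignment and an aggregate-report address, which is the state the recommendation above is asking for.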
If you have been compromised, Avalon Cyber offers full incident response support, which includes threat hunting, actionable threat intelligence, digital forensics, and a comprehensive report detailing the results of our breach investigation.
Contact Avalon Cyber today if you have any questions or need assistance.
Brandy Griffin is the Director of Cyber Operations, overseeing our team of penetration testers and security analysts. She continues to support our clients’ needs on a daily basis and ensures we always deliver high-quality customer service. Brandy’s experience in cybersecurity is further complemented by her skills in eDiscovery and digital forensics from previous positions she’s held at Avalon and her past employer, a Fortune 1000 company.