Over the past decade the threat landscape has changed dramatically, from the mass-mailing and network worms of 2001 to the botnets and spyware of 2005. Today, targeted attacks, mobile threats and destructive crypto-ransomware are a daily reality, and the damage they cause has escalated to potentially crippling levels for an affected organization.
To mitigate the risks of these growing threats, the cybersecurity industry has developed a slew of buzzwords to sell solutions. Individual buzzwords such as next-gen, breach detection and cloud security each describe an essential piece of the puzzle, but in the big picture of enterprise security a holistic, layered approach is indispensable. Beyond the pervasive ransomware problem, two types of attack will make that approach more important than ever in 2017: Business Email Compromise (BEC) and Business Process Compromise (BPC).
BEC: The scam that preys on the main artery of corporate communication
BEC scams are not new: Trend Micro and the FBI have issued warnings and research on this attack type for several years. BEC is a sophisticated social-engineering scam that targets businesses that work with third-party suppliers and routinely issue wire transfers. In our 2016 Security Roundup Report, researchers noted that these attacks were carried out in 92 countries around the world. Given the return on investment for the criminals, the growth trajectory will continue in 2017.
To illustrate how these fraudsters succeed, consider the 2014 AFGlobal case. The director of accounting received an email, supposedly from the CEO, assigning him a high-priority, highly confidential task. To lend the ploy credibility, someone posing as an attorney then called and emailed the director with wire transfer instructions to ensure quick delivery of the funds. After the money was wired, the impersonators went quiet for a few days, then followed up with a second request for $18 million. That sum raised the director's suspicions and the scam was uncovered. The criminals never received the $18 million, but they had already stolen $480,000 in a matter of hours.
That is the appeal of BEC for criminals: a large payout in a short amount of time.
BPC: Hijacking internal processes for huge gains
The payout and appeal of BEC scams pale in comparison to those of BPC attacks. The most notable example is the Bangladesh Bank heist of early 2016. Other potential scenarios include hacking into a purchase order system to reroute payments, infiltrating a payment system to authorize fund transfers, or attacking a distribution center to redirect valuable goods to an address the criminals control.
Instead of relying on human error and compromised email accounts, a BPC attacker infiltrates an enterprise much as a targeted attack does. The motive, however, is purely financial, not political or intelligence gathering as in a targeted attack. The attackers get into a business process, add, modify or delete its data, then reroute money or goods to accounts they control. A typical BPC attack takes about five months from researching the target to modifying processes and receiving payment.
BPC attacks have happened for years, although the name was coined only recently. In 2013, drug traffickers hired cybercriminals to break into a port's database, allowing the traffickers to smuggle illegal substances and money.
As we showed in the recent U.S. Cities Exposed reports, BPC attacks are also possible without any human interaction. Through the plethora of devices exposed to the internet, any number of vulnerabilities or entry methods can let a threat actor into the network. From there, they probe the internal network, learn the business processes and modify them for their own gain.
How to protect your enterprise from these schemes
Effective layered protection is key. Email and web gateways, endpoints, networks and servers each need their own security controls, and those controls must work together to be efficient and effective. Piecemeal solutions may protect individual layers, but the lack of communication between them and the duplicated processing degrade performance, are difficult to use, and create headaches for the administrator managing security. Integrated, compatible solutions such as Trend Micro Deep Security and Deep Discovery provide thorough protection across an IT environment without compromising performance or usability.
Approximately 97 percent of ransomware and phishing can be stopped at the web and email gateways. Beyond that, behavior monitoring, application control and vulnerability shielding protect endpoints. Network security relies on traffic scanning, lateral movement prevention and malware sandboxing. For servers, web server protection is layered on top of those network controls.
Servers are the Holy Grail for cybercriminals. Attackers reach them through misconfigurations, unpatched vulnerabilities, stolen user credentials, man-in-the-middle attacks and lateral movement from an already compromised host. Once inside, they can access, edit or steal any corporate data, including sales, financial and customer information.
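The gateway checks described above are where most BEC lures should be caught. As an added illustration (this is not Trend Micro code and describes no specific product), the following Python screens a message's headers for three common BEC indicators: an executive's display name on mail that did not originate from the corporate domain, a Reply-To that redirects answers elsewhere, and a sender domain that is a lookalike of the corporate one. The corporate domain, the executive roster and the sample messages are all constructed for the example.

```python
"""Heuristic screening of inbound mail headers for BEC indicators.

Added illustration, not Trend Micro code. Flags a From display name that
matches a known executive while the sending domain is not the corporate
domain, a Reply-To pointing somewhere other than the From domain, and
sender domains that are lookalikes of the corporate domain. All domains,
names and sample messages below are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed executive roster

# Common character swaps used to build lookalike domains (rn->m, 0->o, ...).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Undo common visual substitutions so 'examp1e.com' reads 'example.com'."""
    d = domain.lower()
    for bad, good in SWAPS:
        d = d.replace(bad, good)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def is_lookalike(domain: str) -> bool:
    """True when domain is not the corporate domain but is visually close to it."""
    if domain == CORP_DOMAIN:
        return False
    return normalize(domain) == CORP_DOMAIN or osa_distance(domain, CORP_DOMAIN) <= 1


def screen(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Executive's name on a message that did not come from the company.
    if name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        findings.append("display_name_impersonation")
    # 2. Replies silently redirected to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply_to_mismatch")
    # 3. Registered lookalike of the corporate domain.
    if is_lookalike(from_domain):
        findings.append("lookalike_domain")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "freemail_ceo": 'From: "Jane Doe" <jane.doe@gmail.com>\nSubject: Urgent wire\n\nbody\n',
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Confidential\n\nbody\n",
    "reply_to": ("From: Jane Doe <jane.doe@example.com>\n"
                 "Reply-To: ceo.office@outlook.com\nSubject: Vendor payment\n\nbody\n"),
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q1 numbers\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {screen(raw) or ['clean']}")
```

Two caveats for anyone adapting this. A forged From address at the corporate domain itself is the job of SPF, DKIM and DMARC enforcement at the gateway, which this heuristic does not replace; it covers the cases those checks let through, namely free-mail accounts carrying an executive's name, registered lookalike domains, and redirected Reply-To headers. In production the executive roster would come from the directory rather than a hard-coded dictionary, and the lookalike rule should run against every domain the company owns, not just one.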
Beyond the need for security solutions, BEC and ransomware rely on human behavior: trust and respect for authority lead employees to click malicious links, open infected attachments and transfer hundreds of thousands of dollars without question. Employee education is a key factor that is often overlooked in a security program. Make security education part of standard onboarding, have penetration testers run authorized phishing exercises against employees, and require that any new or changed payment instructions be confirmed through a second channel, such as a call to a number already on file rather than one supplied in the email. Above all, create a culture of security so employees understand the integral role they could play in a criminal's ploy.
When considering enterprise security, it is easy to fall victim to the hype. Prioritize security basics and be wary of one-trick ponies: there are no silver-bullet security solutions. It takes a holistic, layered approach to reduce the risk of BEC, BPC and the other sophisticated, harmful attacks that wreak havoc on ill-prepared enterprises today.
I will be addressing EmTech India 2017—an emerging technology conference organized by Mint and MIT Technology Review, on March 10 in New Delhi on BEC and BPC.