Introduction to Business Email Compromise and the best ways to defend against it.
Business Email Compromise, or BEC, is a term that has become more prevalent over the last few years. Why, you might ask? In October of 2020, it was reported that BEC attacks had risen in approximately 75% of industries. While there was speculation that this was a result of the pandemic, these threats haven’t decreased at all over the last year and a half, so they’re certainly not going away.
In this article, we’ll be discussing what BEC is, the objectives of BEC attacks, and the steps involved in carrying one out. Then we’ll cover some of the ways we can defend against these types of attacks.
What is BEC & How is it Used in Cyberattacks?
Simply put, BEC refers to attacks that are delivered from, or appear to come from, legitimate and trusted email accounts. This type of attack is especially dangerous because it exploits the trust previously built between businesses and consumers, business partners, and other established relationships.
BEC is the result of one of two things:
1. An employee’s email account is compromised, usually through an earlier phishing or malware attack in which the individual’s credentials were stolen.
2. Spoofing is used to pose as a trusted sender, such as an executive of an organization or a customer service representative.
In the first scenario, an attacker uses previously obtained credentials to gain access to the person’s email box and send out malicious email on their behalf. This technique has become more prevalent to carry out BEC attacks because access to the user’s mailbox provides insight into business contacts and historical correspondence.
Consider this scenario: You receive an email from a trusted vendor discussing an upcoming contract or business engagement. You email back and forth with this person in the same thread, discussing details of the engagement.
A few days later, a malicious individual gains access to the vendor contact’s email account and reads through their recent correspondence. Seeing your lengthy email thread, they send their phishing or malware campaign as a reply to the latest message. You receive the email, and while it may initially look suspicious, you decide it’s legitimate because it comes from your trusted contact and is a reply within the ongoing thread.
Unfortunately, the situation above happens every day, and it has become so common because it is so successful. Threat actors are increasingly taking advantage of our innate curiosity, and of the trust we place in our service providers, vendors, and partners, to steal money, passwords, sensitive information, and more.
This doesn’t only happen with business-to-business communication though. Consumers with personal email accounts can become a victim of a BEC attack too.
What if you received an email from a legitimate Amazon email account? You checked everything in the email you should, such as the actual sender address rather than just the display name, and even went so far as to search for the sender and find a LinkedIn profile showing they work at Amazon.
After confirming these things, you felt comfortable concluding that the email claiming your payment information needed to be updated was legitimate. As a result, you replied with the requested information, not knowing it was going to a malicious individual who had taken over that Amazon employee’s account, not to the employee you trusted. Notice that none of the checks above could have caught this, because every one of them only confirmed that the account was real. The check that would have saved you is procedural: never send payment details in reply to an email, and confirm any such request through a channel you already trust, such as the vendor’s own website or a phone number you looked up yourself.
How Can We Defend Against BEC?
As with all cyberattacks, the best defense is defense in depth. There is no single way to prevent BEC or an attack that results from an email compromise. And as we know as security professionals, even if we do everything “right” there’s still a chance someone in our organization will fall victim to a BEC attack, or will be the user whose compromised account is sending out the malicious emails.
So what can we do to defend against BEC and its repercussions on finances, stolen credentials, and organizational reputations?
Multifactor Authentication
Multifactor Authentication, or MFA, is a must in today’s world. There are very few scenarios, if any, where MFA isn’t warranted. MFA is the practice of safeguarding our accounts with more than just a password.
In cybersecurity, there are four categories of authentication factor:
Something you know (a password)
Something you have (a phone or hardware token that produces a one-time password)
Something you are (biometrics, like a facial or fingerprint scan)
Somewhere you are (geo-fencing, or context-based authentication)
MFA requires combining at least two of these categories to successfully authenticate someone. This is similar to using security mechanisms other than a lock to protect your home: many homeowners now install alarm systems and cameras to further protect their homes.
Just as a lock and key alone offer minimal protection once someone has a copy of the key, a password offers minimal protection once someone is able to guess it or obtain it. MFA adds a layer that is far harder to guess or bypass, making it harder to breach an account and, in our case, to turn a stolen password into a BEC. One caveat: one-time codes and push approvals can still be relayed by a phishing site in real time, so where the risk justifies it, prefer phishing-resistant methods such as FIDO2 security keys.
Security Awareness
As I mentioned earlier, more and more threat actors are leveraging social engineering techniques to steal money, credentials, and other sensitive information for one primary reason: it’s the easiest way to get the information they’re after.
It’s much easier to exploit the innate curiosity of humans than it is to bypass the technical defenses organizations have worked to implement. This is why it’s so crucial that organizations don’t discount the importance of security awareness programs.
Training employees, regularly reminding them of security policy and best practices, and providing helpful guidance and tips is a crucial line of defense against social engineering attacks like BEC. While we do need technical defenses to detect and prevent email compromises, our users are the ones who will determine the success or failure of a BEC attack that makes it through those defenses.
In both scenarios, whether a user’s own account is compromised or they receive an email from a compromised account, the user’s actions determine the ultimate outcome. Effective security training is crucial to ensuring employees are aware of the threats they may end up on the receiving end of.
Invest in Advanced Email Protection
While MFA and security awareness together create a decent defense against BEC attacks, having an email security tool in place to stop threats before they reach the end user is essential in every industry.
Many organizations, especially small and medium-sized ones, opt not to invest in a robust email security solution. These organizations are often the ones whose email accounts are compromised and which, in turn, impact their customers and business partners through the malicious emails sent from their employees’ mailboxes.
Email security solutions continue to advance their capabilities in order to help organizations prevent BEC attacks. Some of these features include:
Domain impersonation detection (both your domain and supplier or partner domains).
External email tags to help users identify impersonation attempts of internal users or departments.
The use of artificial intelligence and machine learning to detect message attributes commonly linked to BEC and assess hostnames, IPs, and headers.
Enforcement of email authentication like SPF, DKIM, and DMARC (Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance, respectively). In short, SPF lets a domain publish which servers may send mail for it, DKIM lets the sending domain sign messages, and DMARC lets the domain owner tell receivers what to do when neither check passes for the domain shown in the From: header. A full treatment of these frameworks is out of the scope of this article, but you can learn more about them here.
Insight into the employees receiving the most BEC email campaigns and the types of BEC threats that are being sent, allowing an organization to tailor their controls and security education program to make them more effective.
While this isn’t a comprehensive list of the mechanisms email security tools offer to help defend against BEC, these are some of the common ones that are most important for an organization to have in place.
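The following is an added example, not code from the article or from any vendor’s product, showing two of the checks in the list above working together: a DMARC evaluation (SPF or DKIM must pass with an identifier aligned to the From: domain, otherwise the domain’s published policy applies) and a simple lookalike-domain check, which matters because a lookalike such as exarnple.net can pass every authentication check on its own name. The DMARC records, protected-domain list and messages are constructed for the example, and the organizational-domain function is a two-label approximation (a real implementation uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC records keyed by domain. A live check fetches the TXT record at
# _dmarc.<domain> over DNS; these stand-ins let the example run offline.
DMARC_RECORDS = {
    "example.net": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.net",
}
# Domains we want impersonation alerts for: our own and key suppliers (constructed).
PROTECTED_DOMAINS = {"yourcorp.example", "example.net"}

SPF_RE = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", re.I)

def org_domain(domain: str) -> str:
    # ASSUMPTION: last two labels; production code uses the Public Suffix List (example.co.uk).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(txt: str) -> dict:
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def from_domain_of(raw_message: str) -> str:
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_disposition(raw_message: str, records=DMARC_RECORDS) -> str:
    """'pass', 'no-policy', or the From: domain's published policy (none/quarantine/reject)
    when neither SPF nor DKIM passed with an identifier aligned to that domain."""
    msg = message_from_string(raw_message)
    from_domain = from_domain_of(raw_message)
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim_ok = any(res.lower() == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in DKIM_RE.findall(auth))
    spf_ok = any(res.lower() == "pass" and aligned(d, from_domain, tags.get("aspf", "r"))
                 for res, d in SPF_RE.findall(auth))
    return "pass" if (dkim_ok or spf_ok) else tags.get("p", "none")

# Lookalike check: authentication proves who sent a message, not that the domain is the one
# the reader thinks it is. Map common visual substitutions to a canonical form, then compare.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain: str) -> str:
    s = domain.lower()
    for pair, single in CONFUSABLES:
        s = s.replace(pair, single)
    return s

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(from_domain: str, protected=PROTECTED_DOMAINS):
    """The protected domain this sender imitates, or None for exact or unrelated domains."""
    if from_domain in protected:
        return None
    for real in protected:
        if edit_distance(skeleton(from_domain), skeleton(real)) <= 1:
            return real
    return None

# Constructed sample messages, with the Authentication-Results header a receiving MTA adds.
LEGIT = """From: Accounts Payable <ap@example.net>
Authentication-Results: mx.yourcorp.example;
 spf=pass smtp.mailfrom=bounce.example.net;
 dkim=pass header.d=example.net header.i=@example.net
"""
SPOOF = """From: CEO <ceo@example.net>
Authentication-Results: mx.yourcorp.example;
 spf=pass smtp.mailfrom=mailer.attacker.example;
 dkim=none
"""
LOOKALIKE = """From: CEO <ceo@exarnple.net>
Authentication-Results: mx.yourcorp.example;
 spf=pass smtp.mailfrom=exarnple.net;
 dkim=pass header.d=exarnple.net
"""

if __name__ == "__main__":
    for raw in (LEGIT, SPOOF, LOOKALIKE):
        d = from_domain_of(raw)
        print(d, dmarc_disposition(raw), lookalike_of(d))
```

The three sample messages show why both checks are needed: the spoofed CEO mail fails DMARC and is rejected by the sender domain’s own policy, while the lookalike mail is fully authenticated for exarnple.net and only the impersonation check flags it.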
Employ Effective Monitoring on Outbound Email
This control goes hand in hand with the previous protection mechanism, as you likely won’t be able to implement monitoring on outbound email without an email security tool from a vendor like Proofpoint, Barracuda, Cisco, etc.
In the event all of the above controls fail to prevent various types of phishing emails from getting delivered, outbound email monitoring can serve as a last line of defense in detecting and blocking outbound malicious emails, or outbound responses to hosts or email addresses with a bad reputation.
Let’s consider the initial scenario we discussed where an individual receives an email that seems odd but is a response from an existing thread. Maybe the email thread was discussing an upcoming business engagement and the latest email asks for a down payment to be submitted to secure the requested services.
If the individual chooses to respond with payment information, outbound monitoring can help block this email from being sent in a few ways depending on the level of protection enabled:
The email is outright blocked due to the fact that it contains payment information (rule-based/policy block).
The email is flagged/alerted on due to the recipient hostname or IP address having an increased risk score or poor reputation.
The email is flagged/alerted on due to email attributes matching BEC tactics like the use of urgency.
In situations where your internal user is the email account that’s been compromised, outbound email monitoring can help detect and block outbound malicious emails, especially if the attacker has scripted it out and is trying to send hundreds of emails at a time.
Having this type of monitoring in place can oftentimes be the control that determines if you’ll know about a BEC attack as it’s occurring or be completely blind to it until it’s too late and the financial or reputational damage is already done.
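As an added example (not the article’s own code and not any vendor’s rule engine), the script below applies the four outbound rule types discussed above to sample messages: a policy block on payment card numbers (Luhn-validated so order and reference numbers don’t trip it), a recipient-domain reputation check, an urgency-language check, and a per-mailbox sending-rate check for the scripted-burst case where a compromised account fires off hundreds of emails. The reputation scores, thresholds, phrase list and messages are constructed placeholders.

```python
import re
from collections import defaultdict, deque

# Constructed reputation data. A real deployment reads this from the email security
# tool's threat feed; scores run from 0 (clean) to 100 (known bad).
DOMAIN_RISK = {"invoice-portal-secure.example": 92, "example.net": 5}
RISK_THRESHOLD = 70

# Pressure phrases typical of BEC; two or more in one message counts as a hit (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "today", "asap", "wire transfer", "before end of day")

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# A compromised mailbox scripted to send hundreds of messages exceeds this rate.
BURST_WINDOW_SECONDS = 60
BURST_THRESHOLD = 50


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most order and phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    candidates = (re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text))
    return [c for c in candidates if 13 <= len(c) <= 19 and luhn_ok(c)]


class OutboundMonitor:
    """Evaluates each outbound message against the four rule types described above."""

    def __init__(self):
        self.sent = defaultdict(deque)  # sender -> timestamps inside the burst window

    def evaluate(self, msg: dict):
        """msg has keys from, to, subject, body, ts (unix seconds). Returns (action, findings)."""
        findings = []

        # 1. Policy rule: payment data leaving the organisation is blocked outright.
        if find_card_numbers(msg["body"]):
            findings.append("policy:payment-card-number")

        # 2. Recipient reputation.
        domain = msg["to"].rpartition("@")[2].lower()
        if DOMAIN_RISK.get(domain, 0) >= RISK_THRESHOLD:
            findings.append(f"reputation:{domain}")

        # 3. BEC tactics in the text being sent.
        text = (msg["subject"] + " " + msg["body"]).lower()
        if sum(phrase in text for phrase in URGENCY_PHRASES) >= 2:
            findings.append("bec-tactic:urgency")

        # 4. Sending volume per mailbox over a sliding window.
        window = self.sent[msg["from"]]
        window.append(msg["ts"])
        while window and window[0] < msg["ts"] - BURST_WINDOW_SECONDS:
            window.popleft()
        if len(window) > BURST_THRESHOLD:
            findings.append("volume:burst")

        if any(f.startswith("policy:") for f in findings):
            action = "block"
        elif findings:
            action = "alert"
        else:
            action = "allow"
        return action, findings


# Constructed messages. 4111 1111 1111 1111 is the standard Visa test number.
PAYMENT_REPLY = {"from": "you@yourcorp.example", "to": "ap@example.net",
                 "subject": "Re: Q1 engagement",
                 "body": "Card 4111 1111 1111 1111, exp 12/24, as requested.", "ts": 1000}
PRESSURED_REPLY = {"from": "you@yourcorp.example", "to": "billing@invoice-portal-secure.example",
                   "subject": "Re: deposit",
                   "body": "Sending the wire transfer today, will treat it as urgent.", "ts": 1001}

if __name__ == "__main__":
    monitor = OutboundMonitor()
    print(monitor.evaluate(PAYMENT_REPLY))    # ('block', ['policy:payment-card-number'])
    print(monitor.evaluate(PRESSURED_REPLY))  # ('alert', ['reputation:...', 'bec-tactic:urgency'])
```

Only the policy rule blocks; the reputation, urgency and volume rules alert, because each of them can fire on legitimate traffic and an analyst needs to see the message before deciding. The volume rule is the one that catches the compromised-mailbox case from the previous paragraph, since the attacker’s individual messages may look perfectly normal.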
Leaked Credential Monitoring
Threat intelligence tools have become one of the key solutions in a security team’s toolbelt. I could write an entire article on threat intelligence tools and how they can supplement an organization’s defense strategy, but for the purposes of this topic, I’ll just discuss the leaked credential monitoring piece.
In general, threat intelligence tools enable an organization to be notified of intelligence from the Dark Web as it relates to their company, domains, IP spaces, users, tech stack, etc.
Leaked credential monitoring specifically provides insight into credential dumps that mention a company’s user(s). This allows the security team to act promptly, resetting the impacted user’s password and revoking any existing sessions and app passwords before the credentials can be used to gain access. This is especially important as more and more organizations move to web-based email like OWA (Outlook Web App), where a user doesn’t have to be connected to the internal network to access a company email account.
While BEC isn’t an overly technical cyberattack, it’s one that’s commonly used in malicious email campaigns every day. Attackers have realized humans continue to be the biggest weakness and therefore will continue to leverage these easy attacks to obtain initial access, commit fraud, and steal sensitive information.
The various controls I’ve outlined here can help immensely in BEC defense efforts, but they are by no means the end-all-be-all. We, security professionals, know there’s no “one size fits all” approach to any aspect of security, so it’s always important to strategize internally and come up with multiple controls that best suit your organization’s policies and security objectives.
With that being said, MFA is the single defense mechanism that most reduces the chances of a malicious user accessing an internal email account with just a breached password. So if you can implement only one of the aforementioned controls, implement MFA!
In the world of constantly emerging threats and the continuously evolving threat landscape, one thing remains constant: the use of social engineering and email to gain an initial foothold via stolen credentials.
Activities like vulnerability management, cloud assessments, system hardening, and intrusion detection and response are all very important aspects of a cybersecurity program, but we can’t forget about the vector threat actors are continuously taking advantage of: our people.
Ensuring you have an understanding of the BEC threats impacting your organization and implementing the proper controls to help defend against these threats is a must. Without any of the defenses outlined here, attackers will continue to be successful with BEC attacks and opt for this simpler technique over more difficult paths, like exploiting system vulnerabilities.
Originally published at katlyngallo.medium.com on December 20, 2021.