Business Email Compromise (BEC) has become a security buzzword. It simply means using email to attack and gain access to your network. *Phishing* or *Spearphishing* are other terms you will hear. It has been estimated that 70% of the attacks against most sites come from email.
Having a strong spam filter is the first step in protecting against these attacks. The Barracuda Email Protection platform evaluates the contents of all emails for both spam and malicious links and attachments. It checks all links provided for malicious content. It does the same for all attachments.
Having DNS filtering such as Cisco Umbrella also helps by checking and blocking malicious links and sites that can cause you harm.
However, there is a new twist on an old threat that is equally dangerous - credential theft.
Traditionally someone's email credentials got compromised and suddenly the spammers were spewing out random ads to the world using this open mail relay. These compromises were pretty obvious and easy to shut down.
However, the new reality, which area districts have confirmed with me has been happening, is that the attacker has obtained a district employee's credentials. Instead of spewing spam, they sign in and they read and look and wait. The goal is to see what they can see about your network. They want to learn who are the people who have access to personally identifiable information and who handle the financial affairs of the district.
Then they refine their attacks to target those people in the district specifically.
If they breach the new targeted account, they again sit back and read and listen.
If they get to the money people, they try to insert themselves into the accounting process. A most recent example was the Rhode Island incident where an attacker inserted themselves into the district's accounting process and included themselves into the accounting system to extract millions of dollars.
Again, this is no longer theoretical. It is happening and I have been told by districts they have seen indications of district administrators being consciously targeted.
If the attackers don't make themselves known, how can you even know that this is happening?
The number one thing you can do to defend against this attack is implement multi-factor authentication. If there is an MFA challenge on top of a credential request, the FBI estimates that 99% of these attacks end right there.
There is a new term called "Impossible Logons". If you are in Poughkeepsie, NY, and sign into your network, you cannot be signed in 3 minutes later from Kazakhstan or more likely Yonkers or Virginia via a compromised home cable modem.
If you look at your logs and see impossible logons, something bad is going on.
The other thing that is going on with these stealth attacks is that the attackers are setting up forwarding rules to either forward their target's emails out to the attacker for review without excessive logons or to other users or obtuse folders to hide the fact that they are actively monitoring and manipulating their target's emails. These rules could also delete emails from select vendors or people who will be part of the financial theft. An example might be that CSI emails are automatically deleted and instead, the attacker starts substituting fake CSI emails announcing a change of address and submitting a bill for a legitimate project the attackers have learned is going on!
This brings up another basic principle - When someone asks for major changes that affect money or personal information, the person receiving that information should verify that information is "out of band" (i.e. pick up the phone and call the number you have on file and confirm the request or send your change form to the address you have on file).
As part of your end-user security training, it is important that you teach your users how to look at what email filtering rules are in place and periodically audit those rules. If your techs are helping your end users with software-related issues, you should add spot-checking for out-of-place email rules to their basic checklist. This is especially true with your core administrators handling money and personal information.
The attackers know this is a very hard area of your network to protect. If you are an Office 365 shop, our friends at Huntress have a new Office 365 agent that can help keep you safe. Contact Lisa for more information on any of the solutions I have discussed. We are here to help. Give us a call.
-Scott Quimby, CISSP
P.S. The next CSI Cybersecurity Event is Wednesday, December 6th. Contact Lisa for details.