Business Email Compromise (BEC) attacks continue to be an issue throughout the industry. An adversary takes over or spoofs an employee's email account and uses it to scam other employees, vendors, customers, partners, and even complete strangers. These attacks are used to steal data, redirect existing payments, distribute fake invoices, collect gift cards, deliver malware, or simply to compromise more email accounts. The volume of these attacks remains enormous.
Strategies to reduce BEC should include layers of controls that help users succeed at spotting and reporting these messages, and that prevent spoofing, credential harvesting, and token theft. Here are just a few of my favorite control areas that most organizations should consider including in their program.
Administrative Controls:
- Security Awareness - This should be an ongoing conversation that goes far beyond annual compliance training and phishing simulations. Awareness should be continuous but varied in style, content, and approach. Be creative and pull out all the stops when it comes to helping your most attacked people become more resilient to threats.
- Virtual Team - Collaboration and networking are critical to improving your security posture. Extend your team to everyone who is willing to share tips and techniques and trade threat intelligence.
- Vendor Agreements, Customer Relationships - Fences make good neighbors, and contracts can make productive relationships. Include language that sets expectations where appropriate (for example, how changes to payment details will be verified out of band) and lays the foundation for working together.
- DKIM, DMARC, and SPF - Your domain is part of your intellectual property and corporate brand. Protect your good name and prevent spoofing: publish an SPF record for your sending hosts, sign outbound mail with DKIM, and move your DMARC policy from p=none to p=quarantine or p=reject once the aggregate reports show your legitimate senders are aligned.
- Strong Authentication - Normally I call for Multi-Factor Authentication, and still do, as a minimum standard. However, at the time of this writing we appear to finally be on the verge of passkeys being widely available. Embrace modern, phishing-resistant authentication such as passkeys whenever possible.
- Email Security and Internet Filters - There are plenty of products that block known malicious messages and links using shared threat-intelligence repositories. They are only as good as the indicators they have already seen, so treat them as one layer among several rather than the whole defense.
- Geo-fencing - If Joe lives and works in St. Louis, does he need to be able to log in to your mail tenant from China? Restrict logins by location whenever possible to add a layer of difficulty for adversaries outside your normal borders. However, your implementation should allow for occasional travel, for example through a documented exception process, and you should still alert on successful sign-ins from unexpected locations.
- Script Execution Restrictions - It's time to retire batch file scripts. PowerShell scripts can be digitally signed, and execution can be limited to signed code. Keep in mind that the PowerShell execution policy is a safety feature rather than a security boundary, so back it with application control (AppLocker or WDAC) where you can. Script execution restrictions reduce the risk from malware droppers and token-stealing scripts.
- Endpoint Hygiene - Use an existing industry-standard secure configuration baseline and manage configuration drift. Master vulnerability management and patching processes to keep your software up to date.
- EDR/XDR - Behavior-based endpoint detection and response software has come a long way in the last several years in detecting and preventing malicious activity. Make sure you are taking advantage of all the features that fit your business needs.
- SIEM - There are simply too many endpoints and appliances, too many event log sources, and too many events to correlate activity across an enterprise without help. Centralize your logs, including identity-provider sign-in logs and mailbox audit logs, and automate alerting.
- Test and Measure Effectiveness - As you deploy new tools and techniques, test for and address gaps in coverage before the adversaries find them. Think purple team for the SOC and for incident response.
- Incident Response Plans and Run Books - Document and regularly update roles, responsibilities, escalation paths, processes, and procedures to create a shared understanding of how to respond to issues. Agree on the plan and the resources available before you need them. Bonus points for security orchestration and automation.
- Feedback Loop - Exercises and incidents have one thing in common: each is an opportunity to learn something that improves your response plans or your implemented controls. Embrace those opportunities every chance you get.
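As an added example of what the DKIM, DMARC, and SPF item above means in practice (this is not the original post's code or any particular product's tooling), the Python script below audits a domain's three anti-spoofing TXT records for the gaps that most often leave a domain spoofable: a missing or permissive SPF "all" qualifier, too many SPF DNS-lookup terms, a DMARC policy of p=none or pct below 100, and a missing or revoked DKIM key. The records for example.com are constructed sample values; in production you would fetch the TXT records at the same names with a DNS resolver.

```python
"""Audit a domain's SPF, DKIM and DMARC TXT records for common spoofing gaps.

Added example for this post, not the author's own tooling. The records below
are constructed sample values for a fictional example.com; in production you
would look up the same names with a DNS resolver (e.g. dnspython).
"""

# Constructed sample TXT records keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.mail-provider.example ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    # The p= value is a placeholder, not a real public key.
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholder",
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def parse_tags(record):
    """Parse 'k=v; k=v' style DMARC/DKIM records into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record (empty list means nothing found)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; receivers cannot reject forged envelope senders"]
    findings = []
    terms = record.split()[1:]
    # The qualifier on the final 'all' decides the fate of every sender not listed.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; pair it with DMARC enforcement so spoofs are actually rejected")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, equivalent to publishing no policy")
    # Count the terms that cost a DNS lookup during evaluation.
    lookups = 0
    for term in terms:
        body = term.lstrip("+-~?").lower()
        mechanism = body.split(":")[0].split("/")[0]
        if body.startswith(("include:", "exists:", "redirect=")) or mechanism in ("a", "mx", "ptr"):
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; evaluation returns permerror")
    return findings


def check_dmarc(record):
    """Return findings for the record published at _dmarc.<domain>."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>; SPF/DKIM results are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will never see who is spoofing you")
    return findings


def check_dkim(record):
    """Return findings for the key record at <selector>._domainkey.<domain>."""
    if record is None:
        return ["DKIM: no key record for this selector; signatures cannot be verified"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in key records
        return ["DKIM: record is not a DKIM1 key record"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the key has been revoked"]
    return []


def audit(txt_records, domain, selector):
    """Run all three checks against a dict of TXT records and return the findings."""
    return {
        "spf": check_spf(txt_records.get(domain)),
        "dkim": check_dkim(txt_records.get(f"{selector}._domainkey.{domain}")),
        "dmarc": check_dmarc(txt_records.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TXT, "example.com", "selector1").items():
        print(name.upper(), "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The sample domain comes back with two findings: its SPF ends in ~all and its DMARC policy is p=none, which together mean a spoofed message is delivered with at most a spam-score penalty. Fixing either alone is not enough; the combination that actually rejects forgeries is an aligned DKIM signature or SPF pass plus a DMARC policy of quarantine or reject.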
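The Geo-fencing and SIEM items above describe correlation that only works once sign-in logs are centralized. As an added example that is not part of the original post, this Python script runs two such detections over a constructed sign-in log: a geofence rule that honors a per-user travel exception (the "occasional travel" caveat), and an impossible-travel rule that flags two successful sign-ins farther apart than an airliner could cover in the time between them. The log entries, the allowed-country set, the travel-exception table, and the 900 km/h threshold are assumptions made for the example.

```python
"""Two SIEM-style detections over centralized sign-in logs: geofencing with
travel exceptions, and impossible travel between successful sign-ins.

Added example for this post, not the author's tooling. The log entries,
allowed countries, travel exceptions and speed threshold are constructed
assumptions; field names mirror a typical identity-provider sign-in export.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real logs). Coordinates are rough
# city centres; a real pipeline would get them from IP geolocation.
SIGNIN_LOG = [
    {"user": "joe", "time": "2024-05-06T13:05:00Z", "ip": "198.51.100.7", "country": "US",
     "city": "St. Louis", "lat": 38.63, "lon": -90.20, "result": "success"},
    {"user": "joe", "time": "2024-05-06T13:40:00Z", "ip": "203.0.113.9", "country": "CN",
     "city": "Shanghai", "lat": 31.23, "lon": 121.47, "result": "success"},
    {"user": "joe", "time": "2024-05-06T13:41:00Z", "ip": "203.0.113.9", "country": "CN",
     "city": "Shanghai", "lat": 31.23, "lon": 121.47, "result": "failure"},
    {"user": "ana", "time": "2024-05-06T09:00:00Z", "ip": "192.0.2.44", "country": "US",
     "city": "Chicago", "lat": 41.88, "lon": -87.63, "result": "success"},
    {"user": "ana", "time": "2024-05-07T08:30:00Z", "ip": "192.0.2.91", "country": "GB",
     "city": "London", "lat": 51.51, "lon": -0.13, "result": "success"},
]

ALLOWED_COUNTRIES = {"US"}
# Approved trips registered ahead of time (hypothetical exception process).
TRAVEL_EXCEPTIONS = {"ana": {"GB"}}
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner speed; anything faster is "impossible travel"


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geofence_alerts(events, allowed_countries, travel_exceptions):
    """Flag successful sign-ins from outside the allowed countries, unless the
    user has an approved travel exception for that country."""
    alerts = []
    for event in events:
        if event["result"] != "success":
            continue  # failed attempts are noise for this rule; blocked is the desired outcome
        permitted = allowed_countries | travel_exceptions.get(event["user"], set())
        if event["country"] not in permitted:
            alerts.append({
                "rule": "geofence",
                "user": event["user"],
                "time": event["time"],
                "detail": f"successful sign-in from {event['country']} ({event['ip']}); "
                          f"permitted countries for this user: {sorted(permitted)}",
            })
    return alerts


def impossible_travel_alerts(events, max_speed_kmh):
    """Flag a successful sign-in that would have required travelling faster
    than max_speed_kmh since the user's previous successful sign-in."""
    alerts = []
    last_seen = {}  # user -> previous successful event
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event["result"] != "success":
            continue
        prev = last_seen.get(event["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (parse_time(event["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            # Same timestamp from two different places is the extreme case: infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "rule": "impossible_travel",
                    "user": event["user"],
                    "time": event["time"],
                    "detail": (f"{prev['city']} -> {event['city']}: {km:.0f} km in "
                               f"{hours * 60:.0f} min (~{speed:.0f} km/h)"),
                })
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in geofence_alerts(SIGNIN_LOG, ALLOWED_COUNTRIES, TRAVEL_EXCEPTIONS) + \
            impossible_travel_alerts(SIGNIN_LOG, MAX_PLAUSIBLE_SPEED_KMH):
        print(f"[{alert['rule']}] {alert['user']} at {alert['time']}: {alert['detail']}")
```

Joe's Shanghai sign-in trips both rules, which is the signal you want: a geofence alone would be silenced by a travel exception, while the impossible-travel rule still fires when a token or password is used from two continents within the hour. Ana's London sign-in is allowed by her registered exception and is physically plausible a day after Chicago, so it produces nothing; the point of the exception table is that travel does not force you to turn the control off.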
Business Email Compromise is a blight on email systems everywhere. As with other attack vectors, controls should be prioritized and applied in response to threat intelligence and threat models. Layers of controls make it harder for an adversary to gain access to enterprise email accounts. Remember that protecting assets should always be less disruptive than a security incident, and that controls should align with business objectives and goals.