Page 102 - Cyber Defense eMagazine March 2024

Detecting Business Email Compromise Is Too Little, Too Late

In January 2023, Huntress detected over 3,300 Microsoft 365 events that indicated a compromise of a partner identity in some capacity. Any one of these incidents could result in a BEC attack that could wipe a small business out for good. The critical thing to point out, though, is that very few of these detections identified the BEC attack itself. In fact, if the BEC attack is the only thing identified, that is considered a detection failure.

BEC is the “ransomware” of the cloud security world. Like ransomware, these attacks are one of the tangible, visible outcomes of a cloud cyberattack chain. The operating phrase here is “attack chain.”

These attacks don’t magically appear out of nowhere. A threat actor who’s pulled off a BEC, much like a ransomware attack, had to develop their campaign far enough to execute the final phase of the attack. This means that they had to gain access to an account, install some method of persistence, enumerate the target environment, evade defenders and finally execute the steps of the BEC attack itself.

This is like an enemy spy sneaking into a maximum-security base. The spy has to ballet dance through a hallway of lasers to remain undetected. Every step, every dip and every jump is another opportunity for them to mess up and trigger one of the lasers. As defenders, it’s the security company’s job to put as many lasers in the hallway as possible, at various heights and angles, so that the spy’s mistakes are detected and punished.

This is why companies are getting BEC all wrong: they tend to watch business email compromise attacks unfold as if there’s no way to prevent them from happening. It’s not a good practice to watch the train careening down the tracks towards the cliffside with your jaw on the floor, saying, “Someone should really do something about this!” Defenders should realize it’s their place to take action and pull the lever to reroute the train.

Any threat activity that takes place before the BEC attack itself is a good place to look to forestall these attacks. A great place to look for indicators is right when the threat actor gets their foot in the door: initial access. “Account takeover” is the most common method of initial access, where a threat actor has either passed or stolen the authentication requirements and simply logs in as the given identity. There are more ways to gain initial access to an identity than just account takeover, but it is the most common method by a wide margin.
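To make the “look at initial access, not the BEC” point concrete, here is an added example (not Huntress’s detection logic and not code from the article) that hunts for account takeover signals in a small batch of constructed sign-in and mailbox-audit events. The record format is a simplified assumption, loosely modelled on Microsoft 365 audit operation names (UserLoggedIn, UserLoginFailed, New-InboxRule); the thresholds, the `country` field and the sample data are all invented for the example. It flags three links of the chain that precede the BEC itself: a successful sign-in right after a burst of failures from the same source, a successful sign-in from a country never before seen for that identity, and a persistence action (inbox rule creation) from a source already tied to a suspicious sign-in.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumed values for this example, not vendor defaults).
FAIL_WINDOW = timedelta(minutes=10)  # failures counted within this window before a success
FAIL_THRESHOLD = 3                   # this many failures followed by a success is suspicious
# Operations that establish persistence in a mailbox after access (names assumed).
PERSISTENCE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample events. "XX" is a placeholder country code for a location
# that alice has never signed in from; IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2023-01-10T08:02:00Z", "user": "alice@example.com", "op": "UserLoggedIn",    "ip": "203.0.113.10", "country": "US", "result": "Success"},
    {"ts": "2023-01-10T09:15:00Z", "user": "alice@example.com", "op": "UserLoggedIn",    "ip": "203.0.113.10", "country": "US", "result": "Success"},
    {"ts": "2023-01-11T08:05:00Z", "user": "alice@example.com", "op": "UserLoggedIn",    "ip": "203.0.113.10", "country": "US", "result": "Success"},
    {"ts": "2023-01-12T03:00:00Z", "user": "alice@example.com", "op": "UserLoginFailed", "ip": "198.51.100.7", "country": "XX", "result": "Failed"},
    {"ts": "2023-01-12T03:01:00Z", "user": "alice@example.com", "op": "UserLoginFailed", "ip": "198.51.100.7", "country": "XX", "result": "Failed"},
    {"ts": "2023-01-12T03:02:00Z", "user": "alice@example.com", "op": "UserLoginFailed", "ip": "198.51.100.7", "country": "XX", "result": "Failed"},
    {"ts": "2023-01-12T03:04:00Z", "user": "alice@example.com", "op": "UserLoggedIn",    "ip": "198.51.100.7", "country": "XX", "result": "Success"},
    {"ts": "2023-01-12T03:20:00Z", "user": "alice@example.com", "op": "New-InboxRule",   "ip": "198.51.100.7", "country": "XX", "result": "Success"},
    {"ts": "2023-01-12T10:00:00Z", "user": "bob@example.com",   "op": "UserLoggedIn",    "ip": "192.0.2.44",   "country": "GB", "result": "Success"},
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_account_takeovers(events):
    """Walk events in time order and return a list of alert dicts.

    The per-user country baseline is learned only from successful sign-ins
    that were NOT themselves flagged, so a suspicious sign-in cannot teach the
    detector that its own location is normal.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_countries = defaultdict(set)     # user -> countries with a clean prior sign-in
    recent_failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    flagged_ips = defaultdict(set)        # user -> source IPs tied to a suspicious sign-in
    alerts = []

    def alert(rule, e):
        alerts.append({"rule": rule, "user": e["user"], "ip": e["ip"], "ts": e["ts"]})

    for e in events:
        ts, user, ip = parse_ts(e["ts"]), e["user"], e["ip"]
        key = (user, ip)

        if e["op"] == "UserLoginFailed":
            recent_failures[key].append(ts)
            continue

        if e["op"] == "UserLoggedIn" and e["result"] == "Success":
            # Forget failures that fall outside the lookback window.
            q = recent_failures[key]
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            suspicious = False
            if len(q) >= FAIL_THRESHOLD:
                alert("success_after_failed_logins", e)
                suspicious = True
            # A first-ever sign-in seeds the baseline; only later surprises alert.
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                alert("new_country", e)
                suspicious = True
            if suspicious:
                flagged_ips[user].add(ip)
            else:
                seen_countries[user].add(e["country"])
            continue

        if e["op"] in PERSISTENCE_OPS and ip in flagged_ips[user]:
            alert("persistence_from_flagged_ip", e)

    return alerts


if __name__ == "__main__":
    for a in hunt_account_takeovers(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']} {a['ip']} -> {a['rule']}")
```

Running it against the sample produces three alerts for alice, all before any email is sent on her behalf, and none for bob, whose single sign-in only seeds his baseline. In a real tenant the same logic would be fed from the audit log export and enriched with ASN and device data rather than a bare country code, and the baseline window would be long enough to cover normal travel.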

Hunting Account Takeovers at the SMB Scale

Focusing on BEC is like focusing on the train after it gets wrecked. Maybe you want to join me in the hunt for account takeovers so we can cut off the BEC attack closer to the start. But where do we start? How can we effectively deter these attacks if we don’t understand them first?

String up your bow and sharpen your arrowheads. Here are three of the major adversary tactics that result in account takeovers.

Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.