We have all heard about data breaches and compromises that target specific data within an organization. However, there are other types of cyber attack. Today let’s talk about business process compromise.
Business Process Compromise (BPC) is when an attacker targets specific business processes and attempts to compromise them for financial gain. An attacker may silently watch internal communications and map out the normal process for a funds transfer. Once they have gathered enough information, they can transfer money to an account, retrieve the money and close the account. Another example of BPC is a payroll attack, where the attacker first learns the process for adding a payroll entry with direct deposit and then gains access to it.
How do they do it? Usually they gain access through the same vulnerabilities that expose data, and then they sit and watch. For example, they compromise the email system and read every email relating to the process the company uses to move money; once they know the process, they look for weak links and strike.
One thing that stands out compared with a data breach is that the attacker has to gather a lot of information, which means they are usually in the network for a long period of time, as opposed to a ‘smash and grab’ approach. Another is that they usually compromise numerous systems in order to gather the amount of information required.
How can we stop these kinds of attacks? First of all, we want to be able to detect anomalous behavior. In order to do that we need to know what normal behavior looks like. Using a SIEM that can ‘learn’ what normal network activity looks like and alert on anomalies is a good idea.
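To make the baseline-then-alert idea concrete, here is an added example (not the author’s code and not a feature of any particular SIEM) that learns “normal” from a few constructed funds-transfer log lines and flags new transfers that depart from it. The log format, the field names, the business hours and the 3-sigma threshold are all assumptions made for this illustration; a real deployment would feed the same logic from the SIEM’s own parsed events.

```python
"""Baseline normal funds-transfer activity and flag departures from it.

Added example, not the author's code: it does for a small constructed log what
the post asks a SIEM to do - learn what "normal" looks like, then alert on
activity that does not fit.  Log format, field names, business hours and
thresholds are assumptions for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local; tune to the organization

# Constructed history: the "normal" period the baseline is learned from.
HISTORY = [
    "2024-03-01T09:15:00 transfer initiator=alice payee=ACME-SUPPLY amount=12000",
    "2024-03-05T10:40:00 transfer initiator=alice payee=ACME-SUPPLY amount=12500",
    "2024-03-12T11:05:00 transfer initiator=alice payee=ACME-SUPPLY amount=11800",
    "2024-03-19T14:20:00 transfer initiator=alice payee=ACME-SUPPLY amount=12200",
    "2024-03-02T09:30:00 transfer initiator=bob payee=PAYROLL-PROVIDER amount=85000",
    "2024-03-16T09:35:00 transfer initiator=bob payee=PAYROLL-PROVIDER amount=85000",
]

# Constructed new activity: one routine transfer, one that looks like a redirected
# payment (new look-alike payee, large amount, late at night), one routine payroll
# run, and one from an account that has never initiated a transfer before.
NEW = [
    "2024-04-02T10:10:00 transfer initiator=alice payee=ACME-SUPPLY amount=12100",
    "2024-04-02T23:48:00 transfer initiator=alice payee=ACME-SUPPLY-LTD amount=48000",
    "2024-04-03T09:20:00 transfer initiator=bob payee=PAYROLL-PROVIDER amount=85000",
    "2024-04-04T12:00:00 transfer initiator=mallory payee=ACME-SUPPLY amount=500",
]


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    initiator: str
    payee: str
    amount: float


def parse_line(line: str) -> Transfer:
    """Parse one constructed log line:
    '<iso-timestamp> transfer initiator=<user> payee=<account> amount=<number>'."""
    ts, kind, *fields = line.split()
    if kind != "transfer":
        raise ValueError(f"not a transfer record: {line!r}")
    kv = dict(f.split("=", 1) for f in fields)
    return Transfer(datetime.fromisoformat(ts), kv["initiator"], kv["payee"], float(kv["amount"]))


@dataclass
class Baseline:
    payees: dict        # initiator -> set of payees seen during the learning period
    amount_limit: dict  # initiator -> upper bound of a "normal" amount


def build_baseline(history_lines) -> Baseline:
    payees = defaultdict(set)
    amounts = defaultdict(list)
    for t in map(parse_line, history_lines):
        payees[t.initiator].add(t.payee)
        amounts[t.initiator].append(t.amount)
    limit = {}
    for who, xs in amounts.items():
        m, sd = mean(xs), pstdev(xs)
        # mean + 3 sigma, with a 10% floor so a zero-variance history is not brittle
        limit[who] = m + max(3 * sd, 0.1 * m)
    return Baseline(dict(payees), limit)


def anomalies(t: Transfer, b: Baseline) -> list[str]:
    """Reasons this transfer does not match the baseline (empty list = looks normal)."""
    if t.initiator not in b.payees:
        return ["UNKNOWN_INITIATOR"]  # no history at all: escalate rather than guess
    reasons = []
    if t.payee not in b.payees[t.initiator]:
        reasons.append("NEW_PAYEE")  # money going somewhere this user has never paid
    if t.amount > b.amount_limit[t.initiator]:
        reasons.append("AMOUNT_OUTLIER")
    if t.ts.hour not in BUSINESS_HOURS:
        reasons.append("OFF_HOURS")
    return reasons


def flag_transfers(history_lines, new_lines):
    """Return [(line, reasons)] for every new line that departs from the baseline."""
    b = build_baseline(history_lines)
    return [(line, r) for line in new_lines if (r := anomalies(parse_line(line), b))]


if __name__ == "__main__":
    for line, reasons in flag_transfers(HISTORY, NEW):
        print(", ".join(reasons), "<-", line)
```

The three reasons that fire on the second transfer are exactly the signals a BPC investigation cares about: a payee that looks like a known supplier but is not in the learned set, an amount well outside the initiator’s history, and activity outside the hours the process normally runs. The unknown initiator is escalated rather than scored, because a baseline cannot say anything useful about an account it has never seen.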
We also want to know and understand our processes and the risks they pose, so that the more valuable or risky processes get stronger protection. Once these are identified we can add controls such as multi-factor authentication and split roles to those processes and functions.
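As an added illustration of the split-roles and multi-factor controls just mentioned (example code, not the author’s and not any payroll product’s), the following enforces a two-person rule on one risky function from the post: changing where an employee’s pay is deposited. The role names, the session model and the sample users are assumptions for this example; the point is that initiating and approving are separate roles, that one person holding both still cannot self-approve, and that both parties must have completed MFA.

```python
"""Separation of duties and an MFA gate for payroll direct-deposit changes.

Added example, not the author's code: it enforces the split-roles and
multi-factor controls the post recommends on a single payroll function.
Role names, the session model and the sample users are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments.  carol holds both roles, which is exactly the case
# a self-approval check has to catch.
ROLES = {
    "alice": {"payroll_initiate"},
    "bob": {"payroll_approve"},
    "carol": {"payroll_initiate", "payroll_approve"},
}


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool  # True only once the second factor has been checked for this session


@dataclass(frozen=True)
class DirectDepositChange:
    employee_id: str
    new_account: str
    initiated_by: Session
    approved_by: Optional[Session] = None


def violations(change: DirectDepositChange, roles=ROLES) -> list[str]:
    """Return the list of failed controls; an empty list means the change may proceed."""
    found = []
    init, appr = change.initiated_by, change.approved_by
    if "payroll_initiate" not in roles.get(init.user, set()):
        found.append("INITIATOR_NOT_AUTHORIZED")
    if not init.mfa_verified:
        found.append("INITIATOR_NO_MFA")
    if appr is None:
        found.append("MISSING_APPROVAL")  # two-person rule: nobody pushes a change alone
        return found
    if "payroll_approve" not in roles.get(appr.user, set()):
        found.append("APPROVER_NOT_AUTHORIZED")
    if appr.user == init.user:
        found.append("SELF_APPROVAL")  # split roles: holding both roles is not enough
    if not appr.mfa_verified:
        found.append("APPROVER_NO_MFA")
    return found


def apply_change(change: DirectDepositChange, ledger: dict, roles=ROLES) -> bool:
    """Write the new account into the constructed in-memory ledger only if every control passes."""
    if violations(change, roles):
        return False
    ledger[change.employee_id] = change.new_account
    return True


if __name__ == "__main__":
    ledger = {}
    ok = DirectDepositChange("E100", "ACCT-NEW", Session("alice", True), Session("bob", True))
    print("approved:", apply_change(ok, ledger), ledger)
    solo = DirectDepositChange("E100", "ACCT-EVIL", Session("carol", True), Session("carol", True))
    print("self-approval:", violations(solo))
```

Returning the full list of failed controls, rather than stopping at the first, is deliberate: the audit trail should show every control an attempted change tripped, which is the kind of record a later BPC investigation needs.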
Another way to defend against BPC is to treat the inside of your network as if it were as unsafe as the internet. Many times we harden the outer layer but leave the inside soft. We should always think of our networks as ‘hackable’ and try to prevent unauthorized movement between systems. If someone were to compromise a manufacturing system, should they be able to move from that network to the accounting system?
Many times we point out ‘information leakage’ during assessments and get a ‘so what’ attitude. Realizing that the BPC attacker’s goal is to learn as much as possible about business processes helps us defend against these attacks. The business should be aware of what information is leaking or otherwise available, and how that information could be used against them.