Every day we see new approaches from threat actors around the globe – whether it’s ransomware or MFA splashed across the headlines. Business process attacks are just one of many methods attackers are using to target things like payroll or invoice generation.
With business email compromise (BEC) attacks on the rise amongst other operations-focused attacks, we spoke with Candid Wuest, VP of Cyber Protection Research at cybersecurity firm Acronis. Candid discusses what makes these attacks enticing for threat actors – and how companies can best defend themselves from BEC and operations hacks.
What are business process attacks?
Business process attacks or business process compromises are attacks where the threat actor is targeting weaknesses, loopholes or shortcuts in an organization’s processes. The focus is on business processes as opposed to IT processes. The aim of the manipulation is to gain an advantage or even direct profit for the attacker. Often it involves diversion of goods or resources. Of course, they can also be combined with other attacks such as data leaks or living off the land attacks.
What are some concrete examples of business process attacks?
A classic example that we unfortunately have seen multiple times is when an attacker gains access to the internal billing system and changes the receiving bank account details in the invoice template. Once saved, this will lead to all new invoices having the attacker’s bank details, but since the rest of the invoice contains the real details it can be very convincing. A similar variant is when the payment system allows the attacker to upload their own invoices and mark them for immediate payment. Of course, refunding existing contracts, generating new contracts for services that can be resold, generating vouchers and free licenses or changing shipping addresses for physical deliveries can be of interest to the attacker as well.
Another example involved a hijacked employee user account which allowed the attacker to change the bank details for the salary payments in the HR database.
As mentioned, they can also cross over to IT processes. For example, an attacker with the right access rights can change the contact details of important systems, like for registered domains and name servers. Adding their own email as a BCC to the password reset portal or adding their own cloud bucket as a destination of all the backup processes are other favorite backdoor opportunities. Such changes can then be used to conduct further attacks.
What techniques make business process attacks so special?
In contrast to phishing and business email compromise, the process alterations in business process attacks usually do not require social engineering or human interaction. Many of these attacks can be carried out entirely through a hijacked user account, without the need for any software vulnerability or malware to be deployed by the attacker. This makes such attacks harder to detect or prevent through classic awareness training.
These attacks require a good understanding of the internal business processes. This familiarity can sometimes be achieved by the attacker through monitoring the normal user operations over several weeks and learning from their daily operations.
How can organizations protect against such attacks?
As business process attacks often don’t rely on malware, they are not detectable by traditional anti-virus solutions. Modern security solutions can detect anomalous behavior of the users and flag any potentially hijacked account. As a preventive measure, all business processes should be verified and tightened to ensure that no individual account can issue damaging requests. Deploying multi-factor authentication (MFA) can limit the impact of hijacked accounts as well. Using configuration verification and penetration tests can help discover misconfigured systems or loose access controls outside of the employees’ duty scope that need to be adapted.
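As an added example (not from the interview or from Acronis), the Python script below shows one way to implement the check described above, that no single account can push a damaging change through unnoticed: it runs over constructed audit-log lines and flags edits to the payment, contact and backup fields the interview mentions when they lack a second approver or are a first-time action for that user. The log format, field names and sample events are assumptions made for the example.

```python
"""Flag high-risk business-process changes in an application audit log.

Added example; the audit record format, field names and events below are
constructed for illustration and do not come from any real product.
"""
import json
from collections import defaultdict

# Fields whose modification should never be accepted from a single account
# without a second approver (the cases mentioned in the interview).
SENSITIVE_FIELDS = {
    "invoice_template.bank_account",    # billing: receiving bank details
    "payroll.employee_bank_account",    # HR: salary payment details
    "domain.registrant_contact",        # registrar / name server contacts
    "password_reset.bcc_address",       # extra recipient on reset mails
    "backup.destination_bucket",        # where backups are copied to
}

# Constructed audit events, one JSON object per line.
AUDIT_LOG = """\
{"ts":"2024-03-01T09:12:00Z","user":"alice","field":"invoice.line_item","approved_by":null}
{"ts":"2024-03-01T09:40:00Z","user":"alice","field":"invoice_template.bank_account","approved_by":null}
{"ts":"2024-03-01T10:05:00Z","user":"bob","field":"payroll.employee_bank_account","approved_by":"carol"}
{"ts":"2024-03-02T03:17:00Z","user":"alice","field":"backup.destination_bucket","approved_by":null}
"""


def find_risky_changes(log_text, history=None):
    """Return events that change a sensitive field without a second approver,
    or that a user has never changed before. `history` maps user -> set of
    fields they are known to have edited in the past (a baseline)."""
    seen = defaultdict(set)
    for user, fields in (history or {}).items():
        seen[user].update(fields)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, field = ev["user"], ev["field"]
        reasons = []
        if field in SENSITIVE_FIELDS:
            if not ev.get("approved_by"):
                reasons.append("sensitive field changed without second approver")
            if field not in seen[user]:
                reasons.append("first time this user changed this field")
        seen[user].add(field)
        if reasons:
            findings.append({"ts": ev["ts"], "user": user, "field": field, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_changes(AUDIT_LOG):
        print(f["ts"], f["user"], f["field"], "; ".join(f["reasons"]))
```

Feeding the detector a baseline of each user's past edits keeps routine, approved changes quiet while a hijacked account's first touch of a payment or backup setting still stands out.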