The Anatomy of an Email Compromise
Business Email Compromise (BEC) is one of the more frequent forms of cybercrime today, with the potential to cost companies millions of pounds in fines, lost revenues, fraud losses and the loss of goodwill. This form of cyberattack is designed to infiltrate email systems and gain access to critical business information and data, extracting money from the business through email-based fraud. With schemes growing increasingly sophisticated, cybercriminals can send phishing emails as though they are coming from another member of your network. Because such messages appear to come from a trusted source, the recipient is deceived into revealing their account credentials, which leads to the hijacking of their email account.
One in every 3,722 emails in the UK is a phishing attempt and nearly 55% of UK email is spam, according to an article in CSO. BEC incidents accounted for 23% of cyber insurance claims in EMEA during 2018, and although figures are not yet clear in the UK for the following years, the US saw a 67% increase in BEC insurance claims from 2019 to 2020, a clear indicator of the increasing prevalence of such crimes.
STORM Guidance are co-founders of the ReSecure cyber incident response service, available to businesses through their cyber insurance. Providing a complete technical, legal and crisis PR service, ReSecure has helped hundreds of organisations of all sizes to investigate and recover from a multitude of damaging and criminal cyber incidents.
One of the specialists responsible for helping insured clients to minimise the impact on their business and reputation is Mark Saunders, one of STORM’s Senior Cyber Advisors. Mark began his career in IT over 25 years ago and eventually moved into information security. Performing a variety of technical and consultative roles, Mark gained his EC-Council Certified Ethical Hacker (CEH) status and further experience as a PCI-DSS QSA (Payment Card Industry Data Security Standard Qualified Security Assessor). As a Blackthorn Certified Professional, Mark’s information security experience in ISO 27001 and end-to-end security enables him to use that knowledge in aiding victims of cybercrime to re-secure their networks and improve their security posture and processes to prevent a recurrence.
Mark has been working with STORM and the ReSecure service for 4 years, focussing mainly on incident response where he is driven to develop and improve STORM’s capabilities to respond to various cyber-attacks. Mark specialises in BEC (Business Email Compromise) incidents and has been instrumental in developing STORM's Mailbox Content Analysis service and some custom investigative tools.
With his valuable knowledge in BEC and years of experience with ReSecure, we asked Mark to outline for us the lifecycle of a ReSecure BEC incident. These steps can be summarised as:
Initial call reporting compromise to the ReSecure hotline
Follow up call from ReSecure lawyer within an hour to take any details needed and establish legal privilege (helpful in pursuing legal action against 3rd parties)
STORM performs email network reconnaissance
ReSecure team triages the incident and organises the specialists’ call with STORM experts, who then investigate all risk aspects
Assessment of incident extent (e.g. has PII been breached, what systems or information are at risk)
Tasklist generated and best practice advice document provided
Incident response and remediation
Mark went into further detail on each of these stages and explained the anatomy of an email compromise to give an inside perspective of what the ReSecure service provides.
Organisations who have access to the ReSecure service as part of their cyber cover are given a 24-hour hotline number to call in the event of an incident. In the initial call, brief details are taken, and an on-call lawyer will follow up within the hour to take further incident details. The legal team is the first port of call as it helps establish legal privilege, which could be useful if liability issues come to involve other parties.
Typically, within the first 60 minutes (the ‘Golden Hour’), the ReSecure team is brought in to triage the incident and organise the first call with the client and incident response specialists, who provide expertise and investigation around the technical and risk aspects of the incident.
The First Call – ‘Responders Assemble’
Before ReSecure’s first call, STORM performs some basic reconnaissance on the insured’s email and online estate to familiarise themselves with the setup and prepare for those initial questions in the upcoming call.
During this first communication, the ReSecure team establishes what is known about the incident so far - for example, how it was discovered, what they think has occurred and what actions they have taken to this point. They will then ask several targeted questions to establish if any other issues need to be addressed and to explore the extent of the compromise, enabling them to provide immediate advice on containment. If mailboxes have been compromised, the data that has been accessed within them will indicate the level of risk. Identifying any pending transactions being discussed in email messages is key to averting fraud and so these are identified as a priority, and necessary warnings are made and actioned.
ReSecure often provides further analysis as part of the life cycle and will perform e-discovery upon the mailbox, looking for PII (Personally Identifiable Information) and other sensitive information which may render data subjects at high risk of identity theft, fraud or other criminality.
A list is then generated with targeted actions for the insured to carry out (checks on certain account settings, containment actions, providing evidentiary items for the investigation), and this is sent to the insured so they can assign it to the appropriate personnel or teams for progress tracking. A document is also provided to the insured, detailing some best practices and advice for improving the security of an email estate. Where necessary, remote access is authorised, and STORM specialists gather evidential artefacts as required.
When the extent of the compromise is unknown or there is suspicion the attacker has unrestricted administrative access, STORM provides a highly secure and encrypted alternate email system for all those involved in the incident response. This is effectively a closed-circuit email domain that can only send and receive from other accounts within the domain and assures that the attacker is not reading about the incident response actions and communications.
Following the first call
Incident response varies from case to case, driven by the exact details of each circumstance. Generally, there will be investigations into evidentiary items such as logs, messages, configurations and so on, so that the extent of the compromise can be established. These investigations also seek to ascertain what the attackers did, how they gained entry to the systems, their possible motivations, and what remediation actions should be taken. We follow the ‘5 W’s and 1 H approach’ - who, what, when, where, why, and how, which is fed into the closing incident report.
Mailbox Content Analysis is performed to satisfy regulatory obligations and in the search for phishing emails to identify possible compromise vectors. STORM performs targeted e-discovery exercises on compromised mailboxes to identify compromised PII, and to help formulate notification strategies and execute them. A common misperception is that a mailbox won’t contain any PII; however, we often find that mailbox owners are unaware of some of the information they have received, often included by way of CC in an email. In these cases, we offer a “first sweep” fixed-time exercise to confirm there is no appreciable quantity of PII in the mailbox.
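The “first sweep” described above can be illustrated with a small script that walks a set of messages, pulls out the plain-text bodies, and looks for a few categories of PII while also recording who was copied on each message. This is an added example and not STORM’s Mailbox Content Analysis tool; the sample messages, addresses and numbers are constructed, the three PII patterns are deliberately simple, and the Luhn check is there only to drop long digit runs that cannot be card numbers.

```python
"""First-sweep PII scan over mailbox messages.

Added illustration, not STORM's Mailbox Content Analysis tool. The messages
below are constructed samples; the addresses and numbers are not real.
"""
import re
from email import message_from_string
from email.message import Message

# Simple patterns for a first sweep; a production sweep uses more categories.
PATTERNS = {
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Constructed sample mailbox: one message with PII received via a CC'd third
# party, one with a card number, one with nothing of note.
SAMPLE_MAILBOX = [
    """From: finance@example.com
To: director@example.com
Cc: payroll-bureau@example.net
Subject: Re: new starter forms

Hi, please find Jane's details: NI AB123456C, mobile 07700 900123.
Thanks
""",
    """From: supplier@example.net
To: finance@example.com
Subject: Updated bank details

Please use card 4111 1111 1111 1111 for the deposit.
""",
    """From: it@example.com
To: all@example.com
Subject: Maintenance window

Mail will be unavailable Saturday 02:00-04:00.
""",
]


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to drop long digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def text_parts(msg: Message):
    """Yield decoded text/plain bodies, walking multipart messages."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def sweep_message(raw_message: str) -> dict:
    """Return the PII hits in one message plus who was copied on it."""
    msg = message_from_string(raw_message)
    hits = {}
    for text in text_parts(msg):
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(text):
                if category == "card_number" and not luhn_ok(match):
                    continue  # long digit run that fails Luhn: not a card
                hits.setdefault(category, []).append(match.strip())
    return {
        "subject": msg.get("Subject", ""),
        "cc": [a.strip() for a in msg.get("Cc", "").split(",") if a.strip()],
        "hits": hits,
    }


def sweep_mailbox(messages) -> dict:
    """Summarise a mailbox: per-category counts and messages needing review."""
    summary = {"messages": len(messages), "with_pii": 0, "by_category": {}, "review": []}
    for raw in messages:
        result = sweep_message(raw)
        if result["hits"]:
            summary["with_pii"] += 1
            summary["review"].append(result)
            for category, values in result["hits"].items():
                summary["by_category"][category] = summary["by_category"].get(category, 0) + len(values)
    return summary


if __name__ == "__main__":
    report = sweep_mailbox(SAMPLE_MAILBOX)
    print(f"{report['with_pii']} of {report['messages']} messages contain PII")
    for item in report["review"]:
        print(item["subject"], "| cc:", item["cc"], "|", item["hits"])
```

The `cc` field is kept on every reviewed message because, as the paragraph above notes, the PII in a mailbox is frequently there only because the owner was copied on someone else’s correspondence, and that is also what decides which data subjects and third parties may need to be notified.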
Questions and Answers
We asked Mark - from his experience, what is the most common cause of email compromise? “Phishing is the dominating cause of email compromise right now and typically, phishes are received by victims from perceived trusted internal or external parties who themselves have fallen victim in a ‘daisy chain’ of cybercriminal activity. However, credential stuffing attacks are on the rise and are probably now a close second.”
What we all really want to know is if an email compromise is preventable? Mark explained, “the most effective control is using Multi-Factor Authentication (MFA) which requires two or more different elements of the following: something you know (e.g. password, PIN), something you have (e.g. physical token, key generator app on a phone), and something you are (biometrics - fingerprint, facial recognition, retina scan etc). This requires a second factor (and maybe more) for a user to authenticate, not just a username and password, so it is highly effective at keeping out most - but not all – attackers”.
Another security challenge faced by businesses is ensuring the use of best-practice password policies. “Too many organisations enforce out-of-date password policies that emphasise complexity over length and frequent unnecessary changes. They do not address the issue of password reuse where the same credentials are used over multiple sites/services. If one of these gets compromised, attackers will use the same credentials over a host of well-known systems and services. This is known as credential stuffing and is alarmingly effective.”
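Credential stuffing has a recognisable footprint in authentication logs: one source tries many different accounts in a short time, most attempts fail, and the occasional success is the reused password the attacker was looking for. The following detector is an added example, not STORM’s tooling; the log format (timestamp, OK/FAIL, user, source IP), the five-minute window and the five-account threshold are all assumptions, and the log lines are constructed with documentation IP ranges.

```python
"""Credential-stuffing indicator over authentication logs.

Added illustration, not STORM's tooling. The log lines below are constructed
and the line format is assumed; adjust parse_line() for a real product's logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice mistypes her password once from a normal address;
# 203.0.113.7 then sprays six different accounts and gets into grace's.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z FAIL user=alice@example.com ip=198.51.100.20
2024-03-04T09:00:09Z OK user=alice@example.com ip=198.51.100.20
2024-03-04T09:01:00Z FAIL user=alice@example.com ip=203.0.113.7
2024-03-04T09:01:02Z FAIL user=bob@example.com ip=203.0.113.7
2024-03-04T09:01:04Z FAIL user=carol@example.com ip=203.0.113.7
2024-03-04T09:01:06Z FAIL user=dave@example.com ip=203.0.113.7
2024-03-04T09:01:08Z FAIL user=erin@example.com ip=203.0.113.7
2024-03-04T09:01:10Z FAIL user=frank@example.com ip=203.0.113.7
2024-03-04T09:01:12Z OK user=grace@example.com ip=203.0.113.7
2024-03-04T09:05:00Z FAIL user=bob@example.com ip=203.0.113.9
2024-03-04T09:05:30Z FAIL user=dave@example.com ip=203.0.113.9
"""

# Assumed log line format; returns None for lines that do not match.
LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not an auth event."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail logins for many distinct accounts in a short window.

    Returns one alert per offending IP: when the threshold was crossed, how many
    distinct accounts that IP failed against overall, and which accounts later
    logged in successfully from it (candidates for an immediate password reset
    and MFA enforcement).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so [start, end] spans <= window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failed_users = {e["user"] for e in evs[start:end + 1] if e["result"] == "FAIL"}
            if len(failed_users) >= min_users:
                window_start = evs[start]["ts"]
                alerts.append({
                    "ip": ip,
                    "window_start": window_start.isoformat(),
                    "accounts_tried": len({e["user"] for e in evs if e["result"] == "FAIL"}),
                    "successful_logins": sorted({
                        e["user"] for e in evs
                        if e["result"] == "OK" and e["ts"] >= window_start
                    }),
                })
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single user failing and then succeeding from the same address is a mistyped password and is not flagged; what marks 203.0.113.7 is the spread of distinct accounts, and the `successful_logins` list is the part an incident responder acts on first, since those accounts are the ones whose reused credentials actually worked.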
What is the first step in securing your client's systems? “We quite simply change all passwords on every system where they are common and then enforce Multi-factor Authentication.”
Mark explained the impact an email compromise has on SMEs. “It largely depends on the nature of the compromise, but common impacts are financial loss from fraud, loss of trust from their customers and potential loss of custom, regulatory issues if data is breached, and potential fines or class actions. Luckily, our ReSecure clients have cyber insurance and so this covers the costs of the incident response activities.”
We asked Mark to detail how ReSecure helps a business in minimising this impact. He explained: “We prepare our clients for incidents through resilience plans and training as part of our “Plan” suite of services. ReSecure incident response - part of our “Respond” service - will help contain and minimise the effects of a breach, aid in clarifying the extent of the breach and advise how to improve protection against recurrence. Clients also receive legal advice around regulatory and legal issues, PR advice on communications, and assistance with credit monitoring for data subjects adversely affected by the breached data. Our “Assess” capability delivers a rapid risk review both pre and post-incident to help clients understand and manage their key cyber risks”.
We concluded the interview by asking Mark what the average turnaround is in resolving an email compromise, from initial contact to business-as-usual. As each case is different from the next, a precise answer was difficult. “It depends on the severity of the incident and how many mailboxes have been breached. It also depends on the amount of sensitive information in each compromised mailbox. In short, I’d say the shortest was 2 weeks and the longest 3 months, although it should be noted that whilst the client may be back to “Business as Usual”, certain elements in the investigation may continue in the background, such as mailbox analysis, dealing with law enforcement, or assisting with notifications.”
For further information about ReSecure, or any of STORM’s services, please get in touch at – firstname.lastname@example.org.