Keys to the Kingdom
“Business Email Compromise, one of the top three online security risks facing business today, has the potential to be every bit as devastating as a ransomware attack or a production outage.”
We’re not keen on headlines like this – knowing that $50 billion in losses is attributable to BEC-related fraud over the last decade won’t make your business more secure, but the fact that the vast majority of all attacks start with an email is one you should be alert to. An adversary who takes control of your mail system effectively has control of your business; using it as a delivery mechanism for a malicious payload steps into the realms of ransomware, systems denial and data exfiltration.
Now that’s out of the way, what can we do to prevent it? One important piece of context to keep in mind is that, just as in the physical world, a large amount of online crime is opportunistic: an attacker may send out many thousands of phishing emails in the hope that a few succeed, in the same way a burglar may try many doors and windows before entering through an unlocked one. We can therefore achieve a great deal with some ‘easy wins’ and improve our security posture further by implementing effective policies and user awareness training. This won’t make you impenetrable, but it will ensure you present a much smaller attack surface and therefore a less inviting target.
Right at the ‘zero’ end of the sliding scale of difficulty, enforce two-factor authentication (2FA) on all mail accounts. In environments where this may not be practical, consider biometrics or hardware tokens such as USB keys or magnetic cards. An additional layer of authentication incorporating a physical, real-time element can stop an attack at the outset.
Set up SPF, DKIM and DMARC records for your domain to help prevent spoofing. If you’re on Microsoft’s 365 platform then the first two are done for you, and DMARC can be implemented in a matter of clicks.
Know your admins! Limit the number of email and Exchange administrators in your organisation to those who are really necessary, using the principle of least privilege as a guide. A rogue or compromised admin can exert maximum damage with minimal effort, so it’s critical to keep the number small and the list current. If nowhere else, 2FA here is an absolute must.
Make best use of the tools available to you. Modern mail platforms such as M365 come with a host of built-in functionality, such as automatic quarantine based on file type (do you expect users to be receiving VB scripts by email?), malware and spam filtering, and user-level reporting functions. Take the time to understand these and set policies that are appropriate and effective for your organisation.
Train the human – no amount of policy or technology can defend against the click of a link or the opening of an attachment. Help your users to understand the risks, show them how to avoid becoming a victim, give them the tools to report suspicious activity, and they will become another layer in your defence strategy. Simulated phishing campaigns and regularly delivered training will have a positive impact and a good return on the investment.
Patch, patch, patch. New vulnerabilities are weaponised and offered for sale in dark web markets daily; it is critical to stay abreast of these and to apply vendor patches as soon as they become available. In larger enterprises this can be a challenge, so ensure that you have a structured and achievable patching regime and be prepared to respond out-of-band to critical releases.
Monitor. Detect. Respond. This is our domain. At e2e we’ve protected critical infrastructure for over a decade, and during that time our defenders have witnessed some of the most advanced adversaries launch attacks on a global scale. We protect you by deploying monitoring that gives you visibility of your networks, and we use our advanced detection algorithms to discover threat actor activity and mitigate it before it achieves penetration.
Prepare. Plan. Practice. We will always plan for the worst and strive to achieve the best, helping you develop and practise your backup and incident response plans and tune your recovery strategies. Our all-source intelligence feeds, curated over the last ten years, give us the upper hand on the criminals by keeping track of their capabilities, infrastructure and campaigns. We can be your outsourced SOC, integrate with your in-house team, or develop a solution that works for you.
We understand that when an incident occurs you’re not always going to be at your workstation, because life happens! With this in mind, e2e’s in-house development team have produced a powerful solution to sit alongside Cumulo, our in-house SIEM solution.
Approved by Microsoft and available right now from their app store, our app allows you to maintain a full view of tickets and incidents and, with the right licensing model, full coverage of your organisation’s security operations. You have the ability to instantly review and approve or escalate actions from our SOC team, with your responses fed straight back to the heart of our Operations Centre.
Featuring live incident management, an intuitive dashboard, summaries and notifications, the app also gives you the ability to communicate in real time with our SOC analysts via its MS Teams integration, using direct messaging or multi-user bridge calling. If you just need to pull back information, the built-in smart bot can action these requests for you, leaving team members free to focus on situational developments.
Don’t just take our word for it: grab a copy now and speak with your Account Manager about integrating the functionality into your plan.
The e2e app at Microsoft's store
We’re incredibly proud of our team and our tech, and are equally happy presenting to your board or giving a technical deep-dive to your network team. Drop us an email or click the link (it’s safe) to find out more.
Duncan Wright, Threat Intelligence Consultant, GSEC, GCIH, GCFE, GAWN, GOSI, GCIA, GCTI.