Security 101: Business Process Compromise
Every enterprise has unique operational processes in place, and most are specifically designed for the distinct needs of each business. Even commonplace tasks like product shipping or managing suppliers are handled differently within each enterprise—and the bigger the business is, the more complicated these processes get.
Business Process Compromise (BPC) is a type of attack that has come into focus recently. It particularly targets the unique processes or machines facilitating these processes to quietly manipulate them for the attacker’s benefit. Attackers infiltrate the enterprise and look for vulnerable practices, susceptible systems, or operational loopholes. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. The victims believe the process is proceeding as normal, but in
These attacks are possible because many employees simply go through the motions of business processes, trusting policies that have always worked and are expected to continue working without any problems.
In 2013, we saw a characteristic example of BPC when shipping companies operating in the Belgian port of Antwerp were hacked. Drug traffickers recruited hackers to infiltrate IT systems that controlled the movement and location of containers, making it possible to retrieve illegal substances from the port facility. Reportedly, they used simple software and hardware hacks, from keyloggers to physical devices attached to the computers of the targeted companies.
The 2016 Bangladesh Bank incident is another notable BPC attack, where attackers managed to install multiple layers of malware into the bank’s system and exploit the communications process between the bank and SWIFT. The hackers sent requests from Bangladesh to the Federal Reserve Bank of New York, asking for millions to be transferred to accounts across Asia. They timed it to coincide with the end of the work week, and also tampered with the printing system used by the bank to avoid discovery. A total of US $81 million was lost, and it was only because of a spelling error that the attack was discovered and further loss was prevented.
After the Bangladesh Bank heist, two more banks reported that they were compromised through SWIFT-related processes as well. Vietnam’s Tien Phong Bank identified fraudulent SWIFT messages that requested a transfer of US $1.3 million—
How does Business Process Compromise work?
Attackers infiltrate the target organization and move laterally from the point of compromise. Over time they manage to get a clear view of the structure of the organization from internal reconnaissance and monitoring communications. As they become familiar with the processes used by the enterprise, vulnerabilities are identified. The attackers pinpoint specific processes that can be changed or manipulated and then deploy their specific tools. Their main strategy is to covertly alter the targeted business process, benefit financially from that change, and leave the victim unaware of the situation.
In the case of the Vietnamese bank, the attackers had intimate knowledge of the processes that the bank used to coordinate SWIFT transfer requests through a third-party vendor. According to news reports, the hackers tried to compromise a PDF reader used by customers to summarize transactions over SWIFT.
To get this level of detail about an organization, cybercriminals have to remain in an enterprise system undetected for a lengthy period of time. Unfortunately, detection is a critical issue for most enterprises. Research puts the average dwell time (the time between infection and detection of a breach) at 146 days, which means that it takes most enterprises almost five months to identify a compromise. That is ample time for criminals to discover vulnerabilities and create ways to exploit them.
BPC compared with established attacks
The lengthy time-frame and narrow scope of BPC
Business Email Compromise (BEC) is another popular type of online scheme, one that cost enterprises at least US $3.1 billion from 2013 to 2015. BEC also infiltrates enterprises with the aim of making fraudulent money transfers, except that it targets people, not processes. BECs require in-depth research, as hackers have to determine who initiates and executes money transfers. Once they have the necessary information, the hackers usually compromise or spoof the email of a company executive to initiate a
Currently, BPC attacks are focused on financial transactions, but they have the potential to break into different areas of enterprise operations. Attackers could begin to target purchase order systems to manipulate money transfers from that end, or they could infiltrate the
How do you defend against BPC?
Enterprises across all industries are vulnerable to BPC attacks. Each enterprise has unique business
- Organizations should have a comprehensive view of their network, and be able to distinguish normal operations from abnormal and possibly malicious actions. They should also perform risk assessments and include third-party vendors in their evaluation. As seen in previous cases, the transactional processes between vendors and suppliers are usually targeted.
- Enterprises should also regularly audit long-established policies, analyzing baseline and unexpected inputs applied to different processes and monitoring to see if overall results are as expected.
- File Integrity Monitoring and Application Control/System Lock Down should be considered for critical systems.
- It is also important to improve awareness within the organization and educate employees on identifying normal and abnormal behavior. Employees should be trained on how to spot fake communications and also develop a healthy distrust of odd transactional requests. Enterprises should have strong policies and awareness programs regarding social engineering.
- Enterprises should also implement cybersecurity measures that can secure their network against identified malware intrusion tools. Using security technologies like endpoint protection which can detect malicious lateral movement helps enterprises pinpoint and prevent further intrusions. Installing security solutions that can identify the compromise quickly prevents loss or damage to the business.
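As an added illustration (not code from the original article or from Trend Micro) of auditing a long-established process against its baseline, the following Python script profiles a constructed set of payment instructions and flags a new instruction that deviates in beneficiary, timing or amount; every record, name and threshold here is constructed for the example.

```python
# Added example: baseline check over constructed payment-instruction records.
# It models the article's advice to compare process inputs against a baseline
# and flag deviations (unknown beneficiary, off-hours timing, unusual amount).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical records: (timestamp, originator, beneficiary, amount_usd)
BASELINE = [
    ("2016-01-04T10:15", "ops-desk", "ACME-SUPPLY", 12000.0),
    ("2016-01-05T11:02", "ops-desk", "ACME-SUPPLY", 11500.0),
    ("2016-01-06T09:40", "ops-desk", "NORTH-LOGISTICS", 8200.0),
    ("2016-01-07T14:10", "ops-desk", "ACME-SUPPLY", 12800.0),
    ("2016-01-08T10:55", "ops-desk", "NORTH-LOGISTICS", 7900.0),
]


def build_profile(records):
    """Summarise what 'normal' looks like: known beneficiaries, the hours in
    which instructions are normally raised, and per-originator amount stats."""
    amounts = defaultdict(list)
    hours = []
    beneficiaries = set()
    for ts, originator, beneficiary, amount in records:
        amounts[originator].append(amount)
        hours.append(datetime.fromisoformat(ts).hour)
        beneficiaries.add(beneficiary)
    stats = {o: (mean(a), pstdev(a)) for o, a in amounts.items()}
    return {"beneficiaries": beneficiaries, "hours": (min(hours), max(hours)), "stats": stats}


def review(record, profile, sigma=3.0):
    """Return the list of deviations from the baseline for one new instruction."""
    ts, originator, beneficiary, amount = record
    findings = []
    when = datetime.fromisoformat(ts)
    lo, hi = profile["hours"]
    if beneficiary not in profile["beneficiaries"]:
        findings.append("new beneficiary")
    # Weekend (weekday 5 or 6) or outside the observed working-hour window
    if when.weekday() >= 5 or not (lo <= when.hour <= hi):
        findings.append("outside baseline hours")
    if originator not in profile["stats"]:
        findings.append("unknown originator")
    else:
        mu, sd = profile["stats"][originator]
        # Guard against a zero deviation when history is very uniform
        if amount > mu + sigma * max(sd, 1.0):
            findings.append("amount far above baseline")
    return findings
```

In practice the profile would be rebuilt from a trusted, tamper-evident record store, and a non-empty finding list would route the instruction to a human reviewer rather than block it automatically.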
Trend Micro helps protect medium and large enterprises from this threat. Malware in malicious emails
The InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection can defend against socially-engineered emails that are common entry avenues for attackers. The Deep Discovery Analyzer found in the Trend Micro Network Defense family of solutions helps detect advanced malware and other threats.