Security 101: Business Process Compromise

Every enterprise has unique operational processes in place, and most are specifically designed for the distinct needs of each business. Even commonplace tasks like product shipping or managing suppliers are handled differently within each enterprise—and the bigger the business is, the more complicated these processes get.

Business Process Compromise (BPC) is a type of attack that has come into focus recently. It particularly targets the unique processes or machines facilitating these processes to quietly manipulate them for the attacker’s benefit. Attackers infiltrate the enterprise and look for vulnerable practices, susceptible systems, or operational loopholes. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. The victims believe the process is proceeding as normal, but in reality the attackers are already gaining either funds or goods from the enterprise.

These attacks are possible because many employees simply go through the motions of business processes, trusting policies that have always worked and are expected to continue working without any problems.

In 2013, we saw a characteristic example of BPC when shipping companies operating in the Belgian port of Antwerp were hacked. Drug traffickers recruited hackers to infiltrate IT systems that controlled the movement and location of containers, making it possible to retrieve illegal substances from the port facility. Reportedly, they used simple software and hardware hacks, from keyloggers to physical devices attached to the computers of the targeted companies.

The 2016 Bangladesh Bank incident is another notable BPC attack, where attackers managed to install multiple layers of malware into the bank’s system and exploit the communications process between the bank and SWIFT. The hackers sent requests from Bangladesh to the Federal Reserve Bank of New York, asking for millions to be transferred to accounts across Asia. They timed it to coincide with the end of the work week, and also tampered with the printing system used by the bank to avoid discovery.  A total of US $81 million was lost, and it was only because of a spelling error that the attack was discovered and further loss was prevented.

After the Bangladesh Bank heist, two more banks reported that they were compromised through SWIFT-related processes as well. Vietnam’s Tien Phong Bank identified fraudulent SWIFT messages that requested a transfer of US $1.3 million—fortunately it was blocked. Banco del Austro in Ecuador was not so lucky; they reportedly lost $12 million in 2015 from compromised transfer requests.

How does Business Process Compromise work?

Attackers infiltrate the target organization and move laterally from the point of compromise. Over time they manage to get a clear view of the structure of the organization from internal reconnaissance and monitoring communications. As they become familiar with the processes used by the enterprise, vulnerabilities are identified. The attackers pinpoint specific processes that can be changed or manipulated and then deploy their specific tools. Their main strategy is to covertly alter the targeted business process, benefit financially from that change, and leave the victim unaware of the situation.

In the case of the Vietnamese bank, the attackers had intimate knowledge of the processes that the bank used to coordinate SWIFT transfer requests through a third-party vendor. According to news reports, the hackers tried to compromise a PDF reader used by customers to summarize transactions over SWIFT.

To get this level of detail about an organization, cybercriminals have to remain in an enterprise system undetected for a lengthy period of time. Unfortunately, detection is a critical issue for most enterprises. Research establishes the average dwell time—time between infection and detection of a breach—is 146 days, which means that it takes most enterprises almost five months to identify a compromise. That is ample time for criminals to discover vulnerabilities and create ways to exploit them.

BPC compared with established attacks

The lengthy time-frame and narrow scope of BPC makes it similar to persistent and targeted attacks. The attacker picks a specific target and dedicates substantial time and resources, with the expectation of a bigger payoff. But there are also marked differences between the two. Targeted attacks are used for information gathering and espionage, mainly against governments or militaries. In contrast, BPC attackers are financially motivated and typically target businesses. Also, targeted attacks don’t necessarily alter processes; they just sit quietly in a victim’s network and exfiltrate data.

Business Email Compromise (BEC) is another popular type of online scheme—one that cost enterprises at least US $3.1billion from 2013-2015. BEC also infiltrates enterprises with the aim of making fraudulent money transfers, except that it targets people, not processes. BECs require in-depth research, as hackers have to determine who initiates and executes money transfers. Once they have the necessary information, the hackers usually compromise or spoof the email of a company executive to initiate a wire-transfer. Exploiting people—as opposed to hacking processes—makes for a simpler scam compared to BPC, but both share the same end goal.

Currently, BPC attacks are focused on financial transactions, but they have the potential to break into different areas of enterprise operations. Attackers could begin to target purchase order systems to manipulate money transfers from that end, or they could infiltrate the suppliers side and reroute payments into their accounts.

How do you defend against BPC?

Enterprises across all industries are vulnerable to BPC attacks. Each enterprise has unique business processes, and therefore needs unique and tailored security measures to address them. Here are a few tips and guidelines:

• Organizations should have a comprehensive view of their network, and be able to identify normal operations from abnormal and possibly malicious actions. They should also perform risk assessments and include third party vendors in their evaluation. As seen in previous cases, the transactional processes between vendors and suppliers are usually targeted.
• Enterprises should also regularly audit long established policies—analyzing baseline and unexpected inputs applied to different processes and monitoring to see if overall results are as expected.
• File Integrity Monitoring and Application Control/System Lock Down should be considered for critical systems.
• It is also important to improve awareness within the organization and educate employees on identifying normal and abnormal behavior. Employees should be trained on how to spot fake communications and also develop a healthy distrust of odd transactional requests. Enterprises should have strong policies and awareness programs regarding social engineering.
• Enterprises should also implement cybersecurity measures that can secure their network against identified malware intrusion tools. Using security technologies like endpoint protection which can detect malicious lateral movement helps enterprises pinpoint and prevent further intrusions. Installing security solutions that can identify the compromise quickly prevents loss or damage to the business.