Trend Micro CTO Raimund Genes issues a call to action – make 2017 the year we start taking BPC seriously.
You’ll all be aware by now of APTs and targeted attacks. And many of you will have measures in place to guard against the rising epidemic of Business Email Compromise, or CEO fraud. But Business Process Compromise (BPC) may still not be on the radar of many IT leaders. Yet already there have been some major real-world attacks targeting the complex processes that power most organisations – the infamous $81 million heist at Bangladesh Bank, for example.
These are complex, sophisticated attacks which could have a huge financial and reputational impact on their victims. So let’s make 2017 the year we start taking them seriously.
BPCs on the rise
Business Process Compromise attacks require a significant input of time and resources, which for now makes them the preserve of nation states and highly organised cybercrime groups. They might start off in a similar way to a classic targeted attack or APT, in that the hacker uses social engineering and/or malware to gain persistence inside a target organisation. There they take their time to build up a detailed picture of the internal workings of that organisation and its processes.
Then, when the time is right, the attackers will add, modify or delete key entries and/or intercept and modify transactions to achieve the desired result. This may be to create fraudulent fund transfers to a third-party account and change printer processes to hide signs of an attack, as was the case with the virtual robbery at the central bank of Bangladesh. It could be to reroute valuable goods to a new address, as happened in 2013 when Antwerp Seaport’s shipping container system was infiltrated to smuggle drugs. It might even be to alter the processes which run nuclear facilities in Iran, as was the case with the notorious state-sponsored Stuxnet attack, which disrupted key centrifuges at the Natanz uranium enrichment plant.
Time to fight back
These attacks are not about stealing sensitive IP or customer data for monetary gain. And they’re not about holding companies to ransom by encrypting their mission-critical data. They’re all about using detailed information on a target organisation’s inner workings to change processes – whether that initial intelligence comes from several months’ network sniffing or inside help. BPC takes advantage of the fact that too many organisations still prioritise perimeter controls – stopping attackers getting in. That means if, or inevitably when, they do get in, there aren’t enough controls looking for and stopping unusual behaviour.
We need to put this right. Application control can lock down access to mission critical systems to ensure nothing is altered. And file integrity monitoring (FIM) will be able to spot any signs of unusual activity inside your network which could indicate an attempt to compromise key processes. Intrusion prevention is important in preventing lateral movement as attackers look to move around, gathering information as they go. And advanced machine learning capabilities can be a useful aid to detecting malware designed to evade traditional filters. The key here is to spot any incursion or attempt to modify systems before the bad guys have time to do any real damage. With dwell time regularly averaging over 100 days, we need to get better at this.
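To make the file integrity monitoring point concrete, here is a minimal baseline-and-compare FIM check (an added illustration, not Trend Micro product code): it hashes a known-good tree, then reports files that were added, removed or modified. The directory layout and script names are constructed for the demo.

```python
"""Minimal file-integrity-monitoring (FIM) baseline/compare.
Hypothetical illustration of the control described above, not product code."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*")) if p.is_file()
    }


def detect_changes(baseline: dict, root: str) -> dict:
    """Compare the live tree with the stored baseline; any difference is an alert."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: scripts behind a settlement process are quietly altered."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir()
        (scripts / "settle_transfers.py").write_text("approve(transfer)\n")
        (scripts / "print_confirmation.py").write_text("print_report()\n")
        baseline = build_baseline(tmp)  # captured while the system is known-good
        # Simulated tampering: logic changed, confirmation printing removed, new file dropped
        (scripts / "settle_transfers.py").write_text("approve(transfer, override=True)\n")
        (scripts / "print_confirmation.py").unlink()
        (scripts / "helper.py").write_text("# unexpected new file\n")
        return detect_changes(baseline, tmp)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and signed, and the comparison scheduled or event-driven, so that a change to process-critical files raises an alert before the altered process runs.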
With organisations struggling to improve data protection ahead of sweeping new European privacy laws set to land in 2018, Business Process Compromise is likely to take a back seat on the CISO’s to-do list. But there’s a real danger that it won’t be given the attention it deserves, simply because if no customer data is involved, organisations will be able to keep quiet about any fallout resulting from an attack.
But this is not just about the brand damage that can result from a breach headline – after all, there’s an argument for saying the public is getting desensitised to those by now. What if a competitor sought to tamper with your manufacturing processes to covertly introduce faults into your products? Or create lengthy production delays? The impact on your organisation’s reputation could be even greater.