Business Email Compromise (BEC) Overview
Explore the ins and outs of Business Email Compromise (BEC) - from common attacks and end goals to ways to secure Office 365 with multi-factor authentication and audit logging. Understand who is affected by BEC and discover methods to detect and mitigate this type of scam targeting companies.
Presentation Transcript
BEC and Office 365 by Scott Nusbaum
Overview
Business Email Compromise (BEC)
  What is it
  Common attacks
  End goals
  Examples
Securing O365
  Multi-Factor Authentication
  Audit logging
    Retention (size and date)
    License level
    How to enable
    How to pull
    Limitations of audit logs
Did you know ____?
Introduction
Scott Nusbaum, Senior Incident Response & Research Consultant
Microsoft
"Not all cyber attacks can be thwarted" (Microsoft, https://docs.microsoft.com/en-us/office365/securitycompliance/office365-security-incident-response-overview)
BEC
What is a Business Email Compromise (BEC) anyway?
Who is affected by it?
What can they do with it?
How can I detect it?
What are some ways to mitigate it?
What is a Business Email Compromise (BEC) anyway?
"Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses." (TrendMicro)
What is a Business Email Compromise (BEC) anyway?
My definition: Business Email Compromise (BEC) is a scam, carried out through email, that targets companies or individuals in order to change the method of payment for an outstanding bill to one controlled by the attacker.
Who is affected by it?
Potentially anyone!!!
Accounts receivable
Financial departments
Secretaries
Anyone who is in a position to collect or issue payments
What can they do with it?
Gather sensitive data from email history
Gather client lists and contact information
Gather personal information about the compromised account's owner
Gather passwords or other means of compromising computer systems
Change banking information
Add forwarding rules to hijack email threads
How can we detect it?
The most common way BEC is detected is when a client calls to verify a change of banking information!
Something odd is happening to my email
Not receiving emails from xyz
Audit logs:
  Email forwarding rules
  Permission changes for users
  Login records from abnormal IP addresses
What are some ways to mitigate it?
MFA
Password complexity
Password reuse is a NO-NO
Out-of-band confirmation
Monitoring and alerting
  Event properties of interest
  Gather known usage patterns

Property name: Description
ClientIP | ClientIPAddress: IP address of the device that was used when the activity was logged
UserID: User who performed the action
UserType: Type of user who performed the action
Workload: Office 365 service where the activity occurred
UserAgent: Information about the user's browser
Operation: Action that was performed on the item

Operation name: Description
New-InboxRule | Set-InboxRule | Remove-InboxRule: Create, modify, or remove inbox rules in mailboxes
UserLoggedIn: Combined with ClientIP, UserID, and Timestamp, can be used to build a usage pattern
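The two detection signals the slides call out, mail-diverting inbox rules and logins from outside a user's known usage pattern, can be checked with a small script over exported audit records. The following is an added example, not code from the presentation or from Microsoft. It assumes records shaped like the AuditData JSON that the unified audit log exposes (CreationTime, Operation, UserId, ClientIP, Workload, ResultStatus, Parameters); the sample records, the user, the IP ranges and the KNOWN_NETWORKS "usage pattern" are all constructed for the example.

```python
"""Added example: flag BEC indicators in Office 365 unified audit log records.

Assumptions (not from the slides): each record is one JSON object in the
AuditData shape, and the organisation already knows which networks each
user normally signs in from (the "known usage pattern" from the slide).
Every record and network below is constructed for this example.
"""
import ipaddress
import json

# Constructed sample export: one AuditData JSON object per line.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime":"2019-05-01T13:02:11","Operation":"UserLoggedIn","UserId":"ap@example.com","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory","ResultStatus":"Succeeded"}
{"CreationTime":"2019-05-01T13:05:40","Operation":"New-InboxRule","UserId":"ap@example.com","ClientIP":"203.0.113.10","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2019-05-01T14:10:00","Operation":"UserLoggedIn","UserId":"ap@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory","ResultStatus":"Succeeded"}
{"CreationTime":"2019-05-01T14:12:30","Operation":"New-InboxRule","UserId":"ap@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
'''

# Constructed "known usage pattern": networks each user is normally seen from.
KNOWN_NETWORKS = {
    "ap@example.com": ["198.51.100.0/24"],
}

# Inbox-rule parameters that divert or hide mail. A rule that only files
# messages into a folder (MoveToFolder) is routine and is not flagged.
MAIL_DIVERTING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def parse_audit_log(text):
    """Parse a newline-delimited export of AuditData JSON objects."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ip_is_known(user, ip, known_networks):
    """True if the client IP falls inside one of the user's known networks."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in known_networks.get(user, []))


def rule_parameters(record):
    """Flatten the Parameters list of an inbox-rule record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def find_bec_indicators(records, known_networks=KNOWN_NETWORKS):
    """Return one finding per suspicious record, oldest first."""
    findings = []
    for rec in records:
        op, user, ip = rec.get("Operation"), rec.get("UserId"), rec.get("ClientIP")
        from_unknown_ip = not ip_is_known(user, ip, known_networks)
        base = {"user": user, "client_ip": ip, "time": rec.get("CreationTime")}

        # Successful sign-in from outside the user's known usage pattern.
        if op == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded" and from_unknown_ip:
            findings.append(dict(base, indicator="login_from_unknown_ip"))

        # New or modified inbox rule that forwards, redirects or deletes mail.
        elif op in ("New-InboxRule", "Set-InboxRule"):
            hits = sorted(MAIL_DIVERTING_PARAMS & rule_parameters(rec).keys())
            if hits:
                findings.append(dict(base, indicator="mail_diverting_inbox_rule",
                                     parameters=hits, from_unknown_ip=from_unknown_ip))
    return findings


if __name__ == "__main__":
    for f in find_bec_indicators(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f)
```

On the constructed sample this yields two findings: the sign-in from 203.0.113.10, which is outside the user's known network, and the forwarding-plus-delete rule created minutes later from that same address. The second rule, which only moves newsletters to a folder, and the later sign-in from the known network are left alone, which keeps the alert volume at a level an analyst can actually review.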
Securing Office 365
Auditing
  License level
  Retention
  Truncation
  Annoying search tools
O365 Licenses
See Sean Metcalf's write-up on O365; it contains a lot of good information: https://adsecurity.org/wp-content/uploads/2018/11/2018-HIP-SecuringTheMicrosoftCloud-Metcalf.pdf
Consists of MANY options. Let's talk about the tier scheme.

Tier: E1 / E3 / E5
Price per user per month: $8 / $20 / $35
Data retention: None* / 90 days* / 90 days
Truncation: Yes / YES / YES!!!!
O365 Licenses
Azure Active Directory integration
5 editions (Free, Basic, Premium 1 (P1), Premium 2 (P2) and O365 Apps)
MFA only available for P1, P2, and O365 Apps.
P1 and P2 allow for third-party MFA
P2: Identity Protection, Access Reviews

Edition: Free / Basic / Premium P1 / Premium P2 / O365 Apps
Price per user per month: Free / $1 / $6 / $9 / (not listed)
Security reports: Basic / Basic / Advanced / Advanced / Basic
O365 Licenses
Enterprise Mobility + Security
Only for E3 ($8.74) and E5 ($14.80). The difference is that E5 has access to preview new security products and to previously stand-alone products (Cloud App Security).
O365 Licenses
Prices are per user per month.

O365 tier + add-on = Total
E3 ($20) + P1 ($6) = $26
E3 ($20) + P2 ($9) = $29
E3 ($20) + EMS E3 ($8.74) = $28.74
E3 ($20) + EMS E5 ($14.80) = $34.80
E5 ($35) + P1 ($6) = $41
E5 ($35) + P2 ($9) = $44
E5 ($35) + EMS E3 ($8.74) = $43.74
E5 ($35) + EMS E5 ($14.80) = $49.80

Proctor and Gamble employs roughly 95,000 people; at $44 per person that is $4,180,000 per month.
Securing Office 365
Multi-Factor Authentication (MFA)
https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide
https://www.telesign.com/turnon2fa/tutorials/how-to-turn-on-2fa-for-office-365/
https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Out-of-band, non-traditional MFAs
Did you know _
You must enable audit logging per account!!
To manage audit logs you must be part of the Audit Log role.
It can take several hours after enabling for logs to be available.
Different methods to pull audit logs: web interface, PowerShell
Microsoft by default has access to all your emails? See Customer Lockbox.
Events take 30 minutes or 24 hours to become searchable.
Accurate video of BEC