Neema and Jorge do what they love!
https://securityaffairs.co/wordpress/113446/security/cisco-rv-routers-eol.html?utm_source=rss&utm_medium=rss&utm_campaign=cisco-rv-routers-eol
https://securityaffairs.co/wordpress/113332/deep-web/dark-web-darkmarket-seized.html
Defender's perspective: BEC (Business Email Compromise)
https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
Determine the type of compromise and the targets
Acquire exports of the affected local inboxes (preserve the originals, work on copies)
Establish the message timeline and the techniques used
Compromised local accounts?
Reset the email password, revoke active sessions and tokens, and remove any inbox rules or forwarding the attacker added
Reset the passwords of any SaaS accounts that use the compromised inbox for login or password recovery
Pull the account's AAA (authentication, authorisation, accounting) logs for 30 days before and after the reported window
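A first pass over the pulled AAA logs, as an added example for these notes (not code from the original page). The log lines are constructed in a simplified JSON-lines shape (ts, user, ip, country, result, action); real identity-provider exports look different, and the rules here (logins from outside the user's usual country, a success right after a failure from the same address, mailbox changes such as inbox rules or forwarding) are the author's starting set, not a standard.

```python
"""Triage of account sign-in (AAA) logs around a reported BEC window.

Added example for these notes, not code from the original page. The log
format below is a constructed, simplified JSON-lines shape (ts, user, ip,
country, result, action); real exports from an identity provider differ.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Mailbox changes an attacker typically makes after taking over an inbox.
SENSITIVE_ACTIONS = {"inbox_rule_created", "forwarding_enabled", "mfa_method_added"}

# Constructed sample log: normal logins from NL, then a failure followed by a
# success from a new country and an inbox rule created minutes later. The
# March entry is outside the +/-30 day window and must be dropped.
SAMPLE_LOG = """\
{"ts": "2021-01-02T08:01:00Z", "user": "ap@example.test", "ip": "203.0.113.10", "country": "NL", "result": "success", "action": "login"}
{"ts": "2021-01-10T08:05:00Z", "user": "ap@example.test", "ip": "203.0.113.10", "country": "NL", "result": "success", "action": "login"}
{"ts": "2021-01-18T23:40:00Z", "user": "ap@example.test", "ip": "198.51.100.77", "country": "NG", "result": "failure", "action": "login"}
{"ts": "2021-01-18T23:41:00Z", "user": "ap@example.test", "ip": "198.51.100.77", "country": "NG", "result": "success", "action": "login"}
{"ts": "2021-01-18T23:44:00Z", "user": "ap@example.test", "ip": "198.51.100.77", "country": "NG", "result": "success", "action": "inbox_rule_created"}
{"ts": "2021-01-19T08:02:00Z", "user": "ap@example.test", "ip": "203.0.113.10", "country": "NL", "result": "success", "action": "login"}
{"ts": "2021-03-30T10:00:00Z", "user": "ap@example.test", "ip": "192.0.2.5", "country": "US", "result": "success", "action": "login"}
"""


def parse_ts(s):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def in_window(events, reported_start, reported_end, margin_days=30):
    """Keep events from margin_days before the reported window to margin_days after it."""
    lo = reported_start - timedelta(days=margin_days)
    hi = reported_end + timedelta(days=margin_days)
    return [e for e in events if lo <= e["ts"] <= hi]


def triage(events, fail_then_success=timedelta(minutes=10)):
    """Return (timestamp, reason) pairs worth a human look, oldest first."""
    findings = []
    ok_logins = [e for e in events if e["action"] == "login" and e["result"] == "success"]
    # "Home" country: where the user normally logs in from (most frequent success).
    home = Counter(e["country"] for e in ok_logins).most_common(1)[0][0] if ok_logins else None
    last_failure = {}  # ip -> timestamp of the most recent failed login from it
    for e in events:
        when = e["ts"].isoformat()
        if e["action"] == "login":
            if e["result"] != "success":
                last_failure[e["ip"]] = e["ts"]
                continue
            if e["country"] != home:
                findings.append((when, f"successful login from non-home country {e['country']} via {e['ip']}"))
            prev = last_failure.get(e["ip"])
            if prev is not None and e["ts"] - prev <= fail_then_success:
                findings.append((when, f"success shortly after a failed login from {e['ip']} (guessed or phished password?)"))
        elif e["action"] in SENSITIVE_ACTIONS and e["result"] == "success":
            findings.append((when, f"mailbox change '{e['action']}' from {e['ip']} ({e['country']})"))
    return findings


def triage_sample(reported_start="2021-01-20T00:00:00Z", reported_end="2021-01-25T00:00:00Z"):
    """Run the sample log through the window filter and the triage rules."""
    events = in_window(load_events(SAMPLE_LOG), parse_ts(reported_start), parse_ts(reported_end))
    return triage(events)


if __name__ == "__main__":
    for ts, reason in triage_sample():
        print(ts, reason)
```

On the sample the three findings cluster on the evening of 18 January, two days before the business reported the fraud, which is the usual picture: the mailbox was taken over first, the attacker read the threads, and the payment-redirection mail came later.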
Suspicion of a compromised external (third-party) account?
Notify any other local stakeholders who interact with that account
Disclose to the third party through the relationship manager
Pull the mail-flow (message-trace) logs for 30 days before and after the reported window
Pull the original headers from the email security gateway if the gateway rewrites headers before delivery
Review the technical markers of the attack
(if typosquatting) Obtain the history of the look-alike domain
Domain WHOIS (where available; registration date and registrar are the useful parts)
Domain DNS history
Spam and block lists
(if attachments)
Review the attachment metadata (author, creating application, timestamps)
Derive the technique used to imitate legitimate documentation (a good indicator of attack sophistication)
Email headers are very helpful; they leak:
The technology stack used to send the email (X-Mailer or User-Agent, Message-ID format)
The journey of the email (the Received chain, read bottom-up)
Insight into the spam scoring and the authentication results (SPF, DKIM, DMARC)
Look for skews in language (grammar, phrasing, spelling) that correlate the email with a particular nationality or language background
Some origins are more common than others, and writers from the same background tend to make the same mistakes; treat this as a weak signal, not as attribution on its own
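The header review and the look-alike domain check above, as one added example for these notes (not code from the original page). The raw message, the .test domains, the documentation-range IP addresses and the partner domain list are all constructed; which headers to read and the edit-distance threshold for a look-alike are the author's choices. The language review stays manual, the only thing the code does with the body is leave it in the sample.

```python
"""Pull the technical markers out of a suspected BEC email's headers.

Added example for these notes, not code from the original page. The raw
message, the domains (.test TLD), the IP addresses and the partner list are
constructed; the fields read and the look-alike threshold are the author's
choices, not a standard.
"""
import email
import re
from email.utils import parseaddr

# Constructed message: partner look-alike domain, Reply-To pointing elsewhere,
# SPF passes for the attacker's own domain, no DKIM or DMARC.
RAW_MESSAGE = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.5])
\tby mail.example-corp.test with ESMTPS id abc123
\tfor <ap@example-corp.test>; Mon, 18 Jan 2021 23:50:01 +0000
Received: from mail.acme-suppliers.test (unknown [198.51.100.23])
\tby mx.example-corp.test with ESMTP id xyz789;
\tMon, 18 Jan 2021 23:49:58 +0000
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=acme-suppliers.test; dkim=none; dmarc=none
X-Spam-Score: 2.1
X-Mailer: Microsoft Outlook 16.0
Message-ID: <20210118234955.1234@mail.acme-suppliers.test>
From: "Dana Supplier" <dana@acme-suppliers.test>
Reply-To: dana.acme@webmail.test
To: ap@example-corp.test
Subject: Updated bank details for the open invoice
Date: Mon, 18 Jan 2021 23:49:50 +0000

Hi, please kindly update our bank details before the payment is release.
"""

# Constructed list of domains we legitimately exchange mail with.
KNOWN_PARTNER_DOMAINS = ["acme-supplies.test", "example-corp.test"]


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=2):
    """Return the known domain this one imitates (within max_distance edits), or None."""
    for known in known_domains:
        if domain != known and edit_distance(domain.lower(), known.lower()) <= max_distance:
            return known
    return None


def received_chain(msg):
    """Hops as (from_host, by_host), oldest first (Received headers are prepended, so reverse)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        frm = re.search(r"from\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return hops


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, if the gateway added one."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def review(raw, known_domains):
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if reply_to else from_domain
    message_id = msg.get("Message-ID", "").strip("<> ")
    score = msg.get("X-Spam-Score")
    return {
        "from_domain": from_domain,
        "lookalike_of": lookalike_of(from_domain, known_domains),
        # A Reply-To on a different domain quietly moves the thread to the attacker.
        "reply_to_mismatch": reply_domain != from_domain,
        "auth": auth_results(msg),
        "spam_score": float(score) if score else None,
        "stack": {"x_mailer": msg.get("X-Mailer"), "message_id_host": message_id.rsplit("@", 1)[-1]},
        "journey": received_chain(msg),
    }


if __name__ == "__main__":
    for key, value in review(RAW_MESSAGE, KNOWN_PARTNER_DOMAINS).items():
        print(f"{key}: {value}")
```

Note that SPF passing proves nothing here: the attacker registered the look-alike domain and published their own SPF record for it, so the authentication result is "pass" for a domain nobody should trust. The look-alike match against the partner list and the Reply-To mismatch are the markers that matter.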
With approval and supervision (legal, management), keep the conversation with the actor going and gather maximum intel from it (payment details they supply, infrastructure, working hours)
Put in place side-channel verification (a call-back to a known-good number, or another double confirmation on a channel unlikely to be compromised) for all transactions and payment-detail changes over xyz value
Involve your DPO (Data Protection Officer) team and follow any triage and regulatory notification process they advise
Establish the loss and the recovery potential; factor in insurance, and notify the insurer early, since policies usually require prompt notice
Involve your legal and third-party management teams; ensure the contractual provisions covering data breaches are honoured
Suspicion of a compromised external (third-party) account?
Have them re-establish trusted inboxes on their side and provide the attestations determined in the contract
Recovery & Lessons Learnt
Is email being used as a duct-taping mechanism over technical debt (for example, payment-detail changes accepted by email)?
FIX. IT. It will not get any cheaper
Prescribe standard awareness materials to the business analysts of the relevant type; ensure coverage across your colleague base
Ensure the first-line business analysts/operators can easily report future attempts
Gather the technical fingerprint of the attack in a standard format (STIX, YARA, etc.) along with the fraud use case. Share a redacted version with your intel partners and providers.
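Packaging the fingerprint as STIX and producing the redacted copy for partners, as an added example for these notes (not code from the original page). The indicator values (.test domains, a documentation-range IP), the case reference and the generated STIX IDs are all constructed; only the object shape (indicator and bundle fields, pattern syntax) follows the STIX 2.1 specification. YARA for the attachment side is not covered here.

```python
"""Package the technical fingerprint of a BEC attempt as a STIX 2.1 bundle and
produce a redacted copy for intel partners.

Added example for these notes, not code from the original page. The
indicator values (.test domains, documentation IP range), the case reference
and the generated STIX IDs are constructed; only the STIX object shape
follows the STIX 2.1 specification.
"""
import copy
import json
import re
import uuid
from datetime import datetime, timezone

REQUIRED_INDICATOR_FIELDS = ("type", "spec_version", "id", "created", "modified",
                             "pattern", "pattern_type", "valid_from")

# Constructed fingerprint of the attempt (what a header review yields).
SAMPLE_FINGERPRINT = {
    "sender": "dana@acme-suppliers.test",
    "lookalike_domain": "acme-suppliers.test",
    "impersonated_domain": "acme-supplies.test",
    "reply_to": "dana.acme@webmail.test",
    "source_ip": "198.51.100.23",
    "target_mailbox": "ap@example-corp.test",
}


def stix_timestamp(dt=None):
    """STIX 2.1 timestamps are UTC RFC 3339 with millisecond precision and a trailing Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern, name, description=None, created=None):
    now = stix_timestamp(created)
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }
    if description:
        obj["description"] = description
    return obj


def fingerprint_to_bundle(fp, case_ref, created=None):
    desc = (f"Case {case_ref}: look-alike of {fp['impersonated_domain']} "
            f"targeting {fp['target_mailbox']}")
    objects = [
        make_indicator(f"[email-addr:value = '{fp['sender']}']", "BEC sender address", desc, created),
        make_indicator(f"[domain-name:value = '{fp['lookalike_domain']}']", "Look-alike sender domain", desc, created),
        make_indicator(f"[email-addr:value = '{fp['reply_to']}']", "Reply-To that diverts the thread", desc, created),
        make_indicator(f"[ipv4-addr:value = '{fp['source_ip']}']", "Originating MTA address", desc, created),
        # Internal correlation only: which of our mailboxes was targeted.
        make_indicator(f"[email-addr:value = '{fp['target_mailbox']}']", "Targeted internal mailbox", desc, created),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def _pattern_host(pattern):
    """Host part of the single literal in a pattern such as [email-addr:value = 'a@b']."""
    m = re.search(r"'([^']*)'", pattern)
    return m.group(1).lower().rsplit("@", 1)[-1] if m else ""


def redact(bundle, internal_domains):
    """Copy safe to hand to partners: drop indicators naming our own domains and
    strip free-text descriptions (they carry case numbers and victim names)."""
    internal = {d.lower() for d in internal_domains}
    out = copy.deepcopy(bundle)
    out["id"] = f"bundle--{uuid.uuid4()}"  # a different bundle gets a different id
    out["objects"] = [o for o in out["objects"] if _pattern_host(o.get("pattern", "")) not in internal]
    for o in out["objects"]:
        o.pop("description", None)
    return out


def validate_indicator(obj):
    """Minimal structural check; run a real STIX validator before publishing."""
    return (obj.get("type") == "indicator"
            and all(k in obj for k in REQUIRED_INDICATOR_FIELDS)
            and obj["id"].startswith("indicator--")
            and obj["pattern"].startswith("[") and obj["pattern"].endswith("]"))


if __name__ == "__main__":
    bundle = fingerprint_to_bundle(SAMPLE_FINGERPRINT, case_ref="BEC-0001")
    print(json.dumps(redact(bundle, {"example-corp.test"}), indent=2))
```

Keep the unredacted bundle in the case file for local correlation (the targeted mailbox is exactly what you want to match future attempts against); the redacted copy is what leaves the organisation.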