ShadoSec Cyber Security Podcast

ShadoSec podcast Episode 5



Neema and Jorge do what they love!

Stories:

https://securityaffairs.co/wordpress/113446/security/cisco-rv-routers-eol.html?utm_source=rss&utm_medium=rss&utm_campaign=cisco-rv-routers-eol

https://securityaffairs.co/wordpress/113332/deep-web/dark-web-darkmarket-seized.html


Defenders' perspective: BEC (Business Email Compromise)

https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)

Defense Milestones

Containment

  • Determining the type of compromise and targets
  • Acquiring exports of affected local inboxes
  • Establishing the messaging timeline and techniques
  • Compromised local accounts?
    • Reset email password
    • Reset SaaS solution passwords using the compromised inboxes
    • Pull account AAA log (30 days before and after reported window)
  • Suspicion of a compromised foreign account?
    • Notify any other local stakeholders interacting with the account
    • Disclose to third party through relationship manager
  • Pull email flow log (30 days before and after reported window)
  • Pull original headers from email security gateway if header modification is done
  • Review the technical markers of the attack
    • (if typosquatting) Obtain the historic information about the domain
      • Domain whois (if possible)
      • Domain DNS history
      • Spam lists
    • (if attachments)
      • Review attachment metadata
      • Derive technique employed to impersonate legitimate documentation (good indicator of attack sophistication)
    • Email headers are very helpful; they leak
      • Technology stack employed for email
      • Journey of the email
      • Insight into the spam scoring
    • Look for skews in language correlating the email to a certain nationality
      • Some nationalities are more common than others. Most nationalities make the same mistakes.
  • Gather maximum intel from ongoing conversations with the actor, under approval and supervision
  • Put in place side-channel verification (verification phone call, or otherwise double-confirmation on a channel unlikely to be compromised) for all transactions over xyz value
  • Incorporate your DPO team; follow any triage and regulatory notification process applicable, as counselled by them
  • Establish loss and recovery potential; factor in insurance!

Eradication

  • Incorporate your legal and third-party management teams; ensure the provisions present in the contract in case of data breaches are honored
  • Suspicion of a compromised foreign account?
    • Re-establish trusted inboxes on their side. Receive attestations as determined in contract

Recovery & Lessons Learnt

  • Is email being used as a duct-taping mechanism out of technical debt?
    • FIX. IT. It will not get any cheaper
  • Prescribe standard awareness materials to the business analysts of the relevant type; ensure coverage across your colleague base
  • Ensure the first-line business analysts/operators are able to easily report future attempts
  • Gather the technical fingerprint of the attack in a standard format (STIX, YARA, etc.) along with the fraud use case. Share a redacted version with your intel partners and providers.
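The "review the technical markers" items above (domain lookalikes, the journey of the email through its Received chain, the sending technology stack, and the spam-scoring/authentication hints in the headers) can be pulled out of a single exported message mechanically. The script below is an added example written for these notes, not code from the ShadoSec hosts or the episode; the sample message, every host, address and domain in it, and the TRUSTED_DOMAINS set are constructed assumptions, and the homoglyph table and edit-distance threshold are illustrative heuristics, not a standard.

```python
"""Added example (not from the ShadoSec notes): extract the containment-phase
technical markers from a suspected BEC message's headers: the Received chain
(journey), the sending stack, spam/authentication hints, and whether the From
domain imitates a trusted one. All hosts, addresses and domains are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike domain (examp1e-corp.test, digit 1 for l)
# submitting through its own server, then relayed by the target's gateway.
SAMPLE_RAW = """Received: from mx-gateway.example-corp.test (mx-gateway.example-corp.test [203.0.113.7])
\tby inbox.example-corp.test with ESMTPS; Fri, 15 Jan 2021 09:12:44 +0000
Received: from mail.examp1e-corp.test (unknown [198.51.100.23])
\tby mx-gateway.example-corp.test with ESMTP; Fri, 15 Jan 2021 09:12:41 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.examp1e-corp.test with ESMTPA; Fri, 15 Jan 2021 09:12:39 +0000
From: "Finance Director" <director@examp1e-corp.test>
To: accounts@example-corp.test
Subject: Urgent wire - updated beneficiary details
X-Mailer: PHPMailer 6.1.7
X-Spam-Score: 4.2
Authentication-Results: mx-gateway.example-corp.test; spf=none; dkim=none
Message-ID: <a1b2c3@mail.examp1e-corp.test>

Please process the attached invoice today to the new account.
"""

TRUSTED_DOMAINS = {"example-corp.test"}  # assumed: your own and partner domains

# Digits commonly substituted for letters in typosquatted domains (illustrative).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Hops in chronological order (origin first). Each MTA prepends its
    Received header, so the header order has to be reversed."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(raw.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IPV4_RE.search(m.group(2) or "")
        hops.append({
            "from": m.group(1),
            "by": m.group(3),
            "ip": ip.group(1) if ip else None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops


def _is_internal(ip):
    """Loopback and RFC 1918 space: a hop from there is inside someone's network."""
    o = ip.split(".")
    return (o[0] in ("10", "127") or (o[0] == "192" and o[1] == "168")
            or (o[0] == "172" and 16 <= int(o[1]) <= 31))


def levenshtein(a, b):
    """Plain edit distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted, max_distance=2):
    """(trusted_domain, reason) if `domain` imitates a trusted one, else None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = domain.translate(HOMOGLYPHS)
    for t in sorted(trusted):
        if folded == t:
            return (t, "homoglyph")
        if levenshtein(domain, t) <= max_distance:
            return (t, "edit-distance")
    return None


def _auth_result(auth_header, mechanism):
    m = re.search(rf"\b{mechanism}=(\w+)", auth_header)
    return m.group(1) if m else None


def triage(raw, trusted=TRUSTED_DOMAINS):
    """Summarise one message's technical markers for the containment report."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    _, msgid = parseaddr(msg.get("Message-ID", ""))
    auth = msg.get("Authentication-Results", "")
    chain = received_chain(msg)
    score = msg.get("X-Spam-Score")
    return {
        "sender_domain": sender_domain,
        "lookalike": lookalike_domain(sender_domain, trusted),
        "hops": len(chain),
        # First hop whose client address is not internal: where the mail really entered.
        "origin_ip": next((h["ip"] for h in chain if h["ip"] and not _is_internal(h["ip"])), None),
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),  # technology stack hint
        "message_id_host": msgid.rsplit("@", 1)[-1] if "@" in msgid else None,
        "spam_score": float(score) if score else None,
        "spf": _auth_result(auth, "spf"),
        "dkim": _auth_result(auth, "dkim"),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_RAW).items():
        print(f"{key:16} {val}")
```

Run it against an `.eml` export from the affected inbox (read the file and pass its text to `triage`) rather than against a forwarded copy, since forwarding rewrites the Received chain; if the gateway modifies headers, feed it the original headers pulled from the gateway as the checklist says. The lookalike check is deliberately two-layered: the homoglyph fold catches digit-for-letter swaps exactly, and the edit distance catches dropped or transposed characters that the fold misses.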


By Neema and Jorge