Business E-mail Compromise (BEC) Workshop, Theater Edition

The Public Theater Building Front, NY

The Public Theater, NY

Earlier this week I had the opportunity to attend the Business E-mail Compromise (BEC) workshop, which is being made available in various cities around the country. Law enforcement, Symantec and various ISACs teamed up to bring awareness to this very expensive attack. For theater buffs, there was an added bonus to the NY workshop because it was held in The Public Theater, which is where Hamilton and many other famous shows first broke ground.

The Public Theater Lobby

What is a business e-mail compromise attack? Put simply, it’s a fake e-mail sent to someone in the business, usually in accounting or finance, with the goal of initiating a wire transfer or some other transfer of funds. It is often spoofed so that the e-mail appears to come from the victim’s boss or another executive in the company, and it commonly starts with a simple, less suspicious request. If the victim engages in a conversation and replies to the initial e-mail, the conversation escalates quickly and usually ends with a large wire transfer to an external account. The most recent attacks even include a “Sent From My iPhone” signature at the bottom of the message in an apparent attempt to excuse sloppy grammar and typos.

The first part of the workshop consisted of a discussion led by an FBI and a Secret Service agent. Admittedly, watching them stand on the blue-tinted stage with cafe tables in the audience first made me wonder if they were going to sing the blues of cyber security, but the tone of their session was positive and informative. They are often involved in responding to these crimes, and the dollar amounts vary greatly, from thousands to millions of dollars. The insight they provided was valuable, and they stressed the need to involve law enforcement quickly. After 72 hours, it becomes highly unlikely that the funds can be frozen or will ever be recovered. The goal should be to involve law enforcement as early as possible. Interestingly, they have not seen the sophistication of these attacks increase much, which means we have a window of opportunity to bring awareness to common attack methods. But it can also mean that the bad guys have not needed to adapt because they are continuing to have success. Both agents stressed that if we are not sure which agency to reach out to, contact them both (FBI & SS) and they will coordinate the response between themselves. The Internet Crime Complaint Center at www.ic3.gov is a good place to start.

Symantec highlighted an e-mail threat report they published, which also provided some valuable insight. For example, they estimate that 8,000 businesses are a BEC target each year, and as a target you can expect to receive about 5 e-mails. I can confirm that when we received notice of one of these attacks from a single user and investigated further, we found that the same sender targeted a second user in the exact same manner, and then sent a blast phish attempt to a double-digit population in our community. So it’s important that phishing incident response procedures include a step that identifies the scope of a particular attack. Predictably, the Symantec talk and report included a highlight of the many solutions they offer commercially to help detect and prevent BEC attacks.
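As an added illustration of that scoping step (example code written for this post, not something from the workshop or Symantec), the script below takes a constructed mailbox log, flags the BEC indicators described above (an executive's display name on an external address, an external Reply-To, the "Sent From My iPhone" signature), and then lists every recipient the reported sender reached. The executive roster, domain and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed roster of executive display names worth protecting, and our domain.
EXECUTIVES = {"jane doe"}
INTERNAL_DOMAIN = "example.org"

# Constructed mailbox log: the message one user reported, plus the rest of the wave.
MESSAGES = [
    {"from": "Jane Doe <jane.doe@mail-example.net>", "to": "ap@example.org",
     "reply_to": "jane.doe@mail-example.net",
     "body": "Are you at your desk? Need a quick favor.\nSent From My iPhone"},
    {"from": "Jane Doe <jane.doe@mail-example.net>", "to": "payroll@example.org",
     "reply_to": "jane.doe@mail-example.net",
     "body": "Can you handle a wire today?\nSent From My iPhone"},
    {"from": "Jane Doe <jane.doe@example.org>", "to": "ap@example.org",
     "reply_to": "", "body": "Board deck attached, thanks."},
]

def parse_from(header):
    """Split 'Jane Doe <user@host>' into (display name, lowercase address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def suspicion_reasons(msg):
    """Return the BEC indicators from the post that this message exhibits."""
    name, addr = parse_from(msg["from"])
    reasons = []
    if name.lower() in EXECUTIVES and domain_of(addr) != INTERNAL_DOMAIN:
        reasons.append("executive display name, external address")
    if msg["reply_to"] and domain_of(msg["reply_to"]) != INTERNAL_DOMAIN:
        reasons.append("external reply-to")
    if "sent from my iphone" in msg["body"].lower():
        reasons.append("mobile signature")
    return reasons

def scope_wave(messages, reported_sender):
    """Scope step: every recipient the reported sender address reached."""
    recipients = defaultdict(set)
    for msg in messages:
        _, addr = parse_from(msg["from"])
        recipients[addr].add(msg["to"])
    return sorted(recipients[reported_sender.lower()])
```

Run against a real mail log export, the scope output is the list of users to contact and mailboxes to purge before the next request in the thread lands.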

The final session was led by local ISACs, or Information Sharing and Analysis Centers. I am a strong advocate for participation in these groups. They are basically sector-specific groups that focus on cyber security and information sharing to enable better response and intelligence. In other words, they help competing organizations in the same sector work together. Think about that for a minute. Cyber security is such a challenging problem that competing companies are working together to help each other be successful in dealing with it! We need to do more of that across the industry, and the session really helped highlight some of the services that these ISACs offer. I’ll make a special mention of REN-ISAC and MS-ISAC, both of which I have great things to say about. If you qualify, sign up today. If you’re not sure which ISAC to join, check the National Council of ISACs Registry.

If you have an opportunity to attend one of these workshops I would recommend it. The attendees were a mixture of private and public entity business and technical professionals. The social networking aspect was valuable as well. Those conversations can prove to be more informative than some of the sessions, so take time to linger.

Thanks for reading and don’t forget to subscribe.