Defense

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

Suggested Tactical Actions

General guidance from Microsoft:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

Short/Medium/Long Term

There are a range of activities that will help reduce the likelihood and impact of an email compromise, some of which could be:

  • Ensure staff are trained in how to report phishing incidents
  • Deploy NCSC report a phish plugin to Outlook
  • Deploy EDR to client devices
  • WHere possible disable macros
  • Audit high privilege access
  • Ensure logs are shipped to a SIEM
  • Ensure alerts are monitored in 365 Defender
  • Improve mail threat defence configurations
  • Implement SPF/DMARK/DKIM
  • Deploy protective DNS
  • Plan for incident repsonse
    • Conduct tabletop excercises
    • Conduct simulations (don’t skip this step, this is where you prepare for a technical response and validate controls and processes)

Further Reading

https://www.ncsc.gov.uk/files/Business-email-compromise-infographic.pdf

https://www.ncsc.gov.uk/guidance/phishing

Invest in Security

A breach is never a good thing, however it’s important to find value in incidents and to use them to enable the business to gain greater insight into risks and take steps in the future. Leave no event with a positive outcome!