Business Process Compromise (BPC) is a type of attack that has come into focus recently. It targets an organisation's own business processes, or the machines that facilitate those processes, and quietly manipulates them for the attacker's benefit.
Attackers infiltrate the enterprise and look for vulnerable practices, susceptible systems, or operational loopholes. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its clients detecting the change. The victims believe the process is proceeding as normal, but in reality the attackers are already extracting funds or goods from the enterprise. These attacks are possible because many employees simply go through the motions of business processes, trusting policies that have always worked and are expected to keep working without any problems.
How does Business Process Compromise work?
Once attackers have successfully infiltrated their target organisation, they move around from the point of compromise and, over time, learn the ins and outs of the organisation's structure, its internal communications, and its monitoring and security controls. The attackers operate like a thief in the night, with stealth and constant avoidance of detection. More often than not, victim organisations do not know that they have been compromised until the attackers have already profited financially from their efforts.
Their main aim is to find out how the business operates and what its processes are, to find ways to manipulate those processes, and then to deploy their tools to extract whatever they are after from the organisation. The overall goal is financial: they may extract monetary funds directly, set up ways to extract funds later down the line, or both.
How do BPC attacks compare to targeted attacks?
BPC attacks take time, are stealthier, and can be compared with targeted attacks. A BPC attack is like a counter-punching boxer waiting to pounce on an opponent's weakness, whereas a targeted attack has a specific target in mind and has been shown to involve considerable time, resources and effort in setting up or carrying out the attack. Targeted attacks are often discovered years after the fact, after thousands, or even millions, of customer records or units of information have already been stolen. BPC attacks tend to lie low and look for holes in the way the business operates. An example could be a transfer to a holding account: if there is no encryption on the channel to the holding account, the attackers have an easy way in and can possibly plan an attack of a larger scale somewhere down the line.
How do you defend against BPC?
- Organisations should have a comprehensive view of their network and be able to distinguish normal operations from abnormal and possibly malicious actions. They should also perform risk assessments and include third-party vendors in their evaluation. As seen in previous cases, the transactional processes between vendors and suppliers are usually targeted.
- Enterprises should also regularly audit long-established policies: analyse the baseline and unexpected inputs applied to different processes, and monitor whether the overall results are as expected.
- File Integrity Monitoring and Application Control/System Lock Down should be considered for critical systems.
- It is also important to improve awareness within the organisation and educate employees on identifying normal and abnormal behaviour. Employees should be trained to spot fake communications and to develop a healthy distrust of odd transactional requests. Enterprises should have strong policies and awareness programmes regarding social engineering.
- Enterprises should also implement cybersecurity measures that can secure their network against known malware and intrusion tools. Using security technologies such as endpoint protection that can detect malicious lateral movement helps enterprises pinpoint and prevent further intrusions. Installing security solutions that can identify the compromise quickly prevents loss or damage to the business.
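The two defensive points above about auditing process inputs against a baseline and about file integrity monitoring can be made concrete. The following is an added illustration, not code from the original article or from any product it mentions: it builds a per-vendor baseline from past payment records (known beneficiary accounts, known approvers, typical amounts), flags new transactions that deviate from it, and checks a process-critical file against a recorded SHA-256 hash. All vendor names, account numbers, amounts and file contents are constructed sample data, and the z-score threshold is an assumed tuning value.

```python
"""Baseline-versus-observed audit of a payment process (constructed example).

Added illustration, not code from the original article: flags transactions that
deviate from a per-vendor baseline (changed beneficiary account, unfamiliar
approver, amount far outside the historical range) and performs a hash-based
integrity check on the file that drives the process. All data is constructed.
"""
import hashlib
import statistics
from collections import defaultdict

# Constructed historical transactions that establish what "normal" looks like.
BASELINE_TXNS = [
    {"vendor": "ACME Supplies", "account": "GB11AAAA00000000000001", "amount": 1200.0, "approver": "j.doe"},
    {"vendor": "ACME Supplies", "account": "GB11AAAA00000000000001", "amount": 1350.0, "approver": "j.doe"},
    {"vendor": "ACME Supplies", "account": "GB11AAAA00000000000001", "amount": 1100.0, "approver": "a.lee"},
    {"vendor": "Globex Freight", "account": "GB22BBBB00000000000002", "amount": 8000.0, "approver": "a.lee"},
    {"vendor": "Globex Freight", "account": "GB22BBBB00000000000002", "amount": 8400.0, "approver": "a.lee"},
    {"vendor": "Globex Freight", "account": "GB22BBBB00000000000002", "amount": 7900.0, "approver": "j.doe"},
]

# Constructed new batch to audit; T-1002 has a changed account and an outsized amount,
# T-1003 is a vendor with no history at all.
NEW_TXNS = [
    {"id": "T-1001", "vendor": "ACME Supplies", "account": "GB11AAAA00000000000001", "amount": 1250.0, "approver": "j.doe"},
    {"id": "T-1002", "vendor": "Globex Freight", "account": "GB33CCCC00000000000009", "amount": 24000.0, "approver": "a.lee"},
    {"id": "T-1003", "vendor": "Initech Ltd", "account": "GB44DDDD00000000000004", "amount": 500.0, "approver": "j.doe"},
]


def build_baseline(txns):
    """Summarise the baseline per vendor: known accounts, known approvers, amount mean and stdev."""
    per_vendor = defaultdict(list)
    for t in txns:
        per_vendor[t["vendor"]].append(t)
    baseline = {}
    for vendor, rows in per_vendor.items():
        amounts = [r["amount"] for r in rows]
        baseline[vendor] = {
            "accounts": {r["account"] for r in rows},
            "approvers": {r["approver"] for r in rows},
            "mean": statistics.mean(amounts),
            "stdev": statistics.pstdev(amounts),
        }
    return baseline


def audit_transactions(txns, baseline, z_threshold=3.0):
    """Return (txn_id, reason) findings for transactions that deviate from the baseline.

    z_threshold is an assumed tuning value; a real deployment would calibrate it.
    """
    findings = []
    for t in txns:
        b = baseline.get(t["vendor"])
        if b is None:
            findings.append((t["id"], "vendor has no baseline; verify out of band"))
            continue
        if t["account"] not in b["accounts"]:
            findings.append((t["id"], "beneficiary account differs from baseline"))
        if t["approver"] not in b["approvers"]:
            findings.append((t["id"], "approver not seen in baseline"))
        # Floor the spread so a vendor with identical past amounts does not divide by zero.
        spread = b["stdev"] or max(b["mean"] * 0.1, 1.0)
        z = abs(t["amount"] - b["mean"]) / spread
        if z > z_threshold:
            findings.append((t["id"], f"amount deviates from baseline (z={z:.1f})"))
    return findings


def check_integrity(content: bytes, expected_sha256: str) -> bool:
    """File-integrity check: hash a process-critical file and compare with the recorded value."""
    return hashlib.sha256(content).hexdigest() == expected_sha256


if __name__ == "__main__":
    base = build_baseline(BASELINE_TXNS)
    for txn_id, reason in audit_transactions(NEW_TXNS, base):
        print(f"{txn_id}: {reason}")
    # Constructed payment-routing file and its recorded hash; a tampered copy fails the check.
    original = b"payee=Globex Freight;account=GB22BBBB00000000000002\n"
    recorded = hashlib.sha256(original).hexdigest()
    tampered = b"payee=Globex Freight;account=GB33CCCC00000000000009\n"
    print("routing file intact:", check_integrity(original, recorded))
    print("tampered copy intact:", check_integrity(tampered, recorded))
```

Run as-is it reports T-1002 twice (changed account, amount far above the historical range) and T-1003 once (no baseline), while T-1001 passes silently; the routing-file check returns True for the original content and False for the tampered copy. The point of the design is that the baseline is derived from the process's own history rather than from a static rule, so a quietly altered beneficiary or approver stands out even when each individual transaction looks routine.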