Business process compromise – Insider and outsider threat
Last year I was at a security symposium in Sydney where I bumped into a friend working for a large security vendor. We discussed the latest industry rumours and trends and shared a few interesting stories on breaches – this is when I asked if his firm performs risk assessments for Business Process Compromise (BPC), to which he replied “No”. I was now thinking: how on earth do they perform security assessments when they only look at one half of the big picture? Surely the other half is equally important? Don’t believe me? Consider the big cyber-heist of Bangladesh’s Central Bank, which I will use as a case study a little later.
Interestingly, I was told by my friend that business process compromise often results in fraud, which is the responsibility of Human Resources, Finance and Risk Officers. For those of you who have not heard of business process compromise, simply explained it means that someone with deep knowledge (a subject matter expert) of how a process works – typically in finance, sales, procurement and payroll – can bypass security controls, checks and balances to commit financial theft, sabotage or intellectual property theft.
What makes business process compromise difficult to detect and counter is that it’s usually performed by employees in sensitive or senior roles. These people are trusted to do the right thing, and this makes it extremely difficult to identify which of them is inclined to this type of behaviour. Worse still, these employees know the processes extremely well, including how security is configured on their specific systems such as finance, payroll and accounts payable, so monitoring for malicious actions and detection is that much more difficult.
For those of you new to the concept of business process compromise, it is important to note that there are two classes of malicious actor: the insider, who is typically an employee or contractor employed by your firm, and the outsider, who is typically someone outside the organisation such as a terminated or ex-employee, consultant, technology vendor, supplier, etc. Both classes of malicious actor have intimate knowledge of how your sensitive corporate functions work. For example, the financial platform consultant knows your accounts payable process front-to-back because they configured and installed the system based on your processes, which they helped you capture and articulate.
Now, should the financial platform consultant switch to the dark side (criminal intentions) and decide to commit fraud by issuing you a fake invoice using clever means such as Business Email Compromise (BEC) and social engineering – more than likely they will succeed, and more than likely detection will take many months if not longer.
The case involving the cyber-heist at the Bangladesh Central Bank (BCB) was a combination of both insider and outsider threat actors staging a sophisticated attack which involved hacking, social engineering, corruption of employees, intimate knowledge of the central bank’s operations, and deep knowledge of the international banking platform, SWIFT.
In a nutshell, malicious actors hacked into the SWIFT platform owned by the Bangladesh Central Bank and sent fraudulent instructions to its major bank account held at the Federal Reserve Bank of New York. The instructions were to transfer US$1 billion to offshore bank accounts in low-compliance jurisdictions such as the Philippines, Sri Lanka, Macau, etc. The majority of the payments were stopped, but $81 million made it through and ended up in fake bank accounts at a Philippine bank, from which it was transferred to a local casino and never recovered – the trail ended at the bank! A very sophisticated operation.
In summary, the following key weaknesses were identified as having led to the cyber-heist; I have summarised a few:
• Insider threats were involved in some capacity – somehow malware got onto a “supposedly” secure machine, and the only mechanisms available were email or a USB memory stick. There are suggestions that someone most probably inserted an infected USB memory stick into the SWIFT server, which allowed the cybercriminals to create an undetected backdoor. The cybercriminals were probably accessing the infected server for anywhere from a few weeks to a year.
• Insider threats most probably disabled the CCTV camera, which was not working on the weekend the criminal activity took place. There are tell-tale signs of sabotage which investigators believed strongly pointed to central bank employees or building maintenance contractors.
• Outsider threats had intimate knowledge of global banking and settlement processes, as they specifically targeted the central bank on a Friday, which in Bangladesh is a bank holiday; this meant nobody was available to detect and stop the fraudulent funds transfer.
• Outsider threats built and deployed malware which specifically targeted the SWIFT payment platform – suggestions were that nation-states might have been involved, as the malware was extremely sophisticated in that it covered the criminals’ trail.
• Outsider threats knew that the Federal Reserve Bank of New York has limited manpower to manually check for fraudulent payments, and also knew that there was no 24 x 7 hotline to alert its employees to halt fraudulent payments.
• Outsider threats created fake bank accounts at the Philippine bank 1 year before the heist – they corrupted the branch manager to create the fake accounts and to immediately settle the transfer and convert it to cash. (She was arrested, but was probably a minor player in the grand heist.)
Now the interesting bit – how do you assess your vulnerability to business process compromise? The approach I advise is to identify your key business processes, whatever they are – payroll, HR, accounts payable, finance, etc. Bring together diverse groups from within your firm, and even your trusty security consultants, and ask them to let their minds run free. Ask the question: if they were to commit the ultimate white-collar crime within your firm, what would it be and how would they do it? Take note, as the scenarios might sound far-fetched and impossible, but with time and resources they are more than likely achievable.
Some methods to reduce exposure to business process compromise include:
• Listen to employee concerns in regard to insecure processes and systems.
• Performing criminal and employment history background checks on new employment candidates, including contractors.
• Monitoring employee movements – in some industries employees are asked to detail their travel plans.
• Monitoring of employee wealth – financial theft is sometimes identified by employees living beyond their means.
• Regular physical and cyber security assessments. (Yes, physical security too!)
• Auditing of employee access to facilities – both CCTV footage and electronic keycard access logs.
• Using simple Machine Learning (ML) in a wider context, such as incorporating physical security and IT system logs. (Out-of-hours access to sensitive platforms might give away signs of possible fraud.)
• Cyber security awareness – teach employees tell-tale signs of phishing and social engineering. Build a culture where employees are encouraged to challenge suspect instructions.
• Human resources should be vigilant with employee behaviour, in particular with repeat offenders who don’t respect company policies.
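As an added illustration of the log-correlation idea in the ML bullet above (and the non-working-day point from the case study), the following Python script is not code from the original post: it joins constructed badge-reader records with constructed login records from a hypothetical payment platform and flags logins that happen outside business hours, on a non-working day, or while the user has no badge presence on site. The business hours, non-working weekdays and log line formats are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample logs (not real data). Each line: date, time, user, event.
# Badge lines are assumed to be in chronological order.
BADGE_LOG = [
    "2016-02-04 08:55 alice IN",
    "2016-02-04 17:40 alice OUT",
    "2016-02-04 09:10 bob IN",
]
PLATFORM_LOG = [
    "2016-02-04 10:15 alice LOGIN",   # on site, business hours: fine
    "2016-02-04 22:30 alice LOGIN",   # badged out at 17:40, then a night login
    "2016-02-05 03:05 bob LOGIN",     # Friday (non-working day), no badge that day
    "2016-02-05 11:00 carol LOGIN",   # never badged in at all
]
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local working hours
NON_WORKING_WEEKDAYS = {4, 5}                # assumed Friday/Saturday bank calendar

def parse(line):
    date, clock, user, event = line.split()
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"), user, event

def on_site(badge_events, when):
    """True if the user's last badge event on that day before `when` was IN."""
    state = "OUT"
    for ts, event in badge_events:
        if ts.date() == when.date() and ts <= when:
            state = event
    return state == "IN"

def flag_logins(badge_lines, platform_lines):
    """Return (user, timestamp, reasons) for every login that breaks a rule."""
    badges = defaultdict(list)
    for ts, user, event in map(parse, badge_lines):
        badges[user].append((ts, event))
    findings = []
    for ts, user, _ in map(parse, platform_lines):
        reasons = []
        if ts.weekday() in NON_WORKING_WEEKDAYS:
            reasons.append("non-working day")
        elif not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if not on_site(badges.get(user, []), ts):
            reasons.append("no badge presence")   # remote or backdoor access?
        if reasons:
            findings.append((user, ts.strftime("%Y-%m-%d %H:%M"), reasons))
    return findings

if __name__ == "__main__":
    for user, when, reasons in flag_logins(BADGE_LOG, PLATFORM_LOG):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Each finding is only a lead for a human reviewer; the value comes from joining the two sources that are usually owned by different teams.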