Incident Response Timeline – Business Email Compromise

Timeline actors:

Adversary (Attacker)
Arctic Wolf Platform
Arctic Wolf Triage Team
Arctic Wolf Customer
Arctic Wolf Concierge Security Team


Business Email Compromise

Incident Response Timeline
TIME TO DETECT: 19 MINUTES

Join us for our latest real-world incident timeline as we walk you through an email account takeover at a customer in the manufacturing industry: how the Arctic Wolf team detected the attacker in only 19 minutes, and how its dedicated team of security experts investigated and alerted the customer in less than 10 minutes.

Adversary 12:57pm

Attack begins on [Customer] with the attacker leveraging previously stolen [User1] credentials acquired via a phishing email. The attacker pushes a Duo multifactor authentication request to [User1].
Not aware of the consequences, [User1] accepts the Duo multifactor push from the attacker.
The attacker uses the successful login to establish ActiveSync with [User1]'s mailbox. (ActiveSync synchronizes emails, calendar, contacts and tasks between a server, desktop, or mobile device.)

The Impact of Email Account Takeover

Organizations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Email account compromise is an unsettlingly common attack method and can have a huge impact on your business.
Business email compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the Federal Bureau of Investigation (FBI.gov), that number could easily be as high as $5.3 billion around the world.

Duo 12:57pm

The Arctic Wolf Platform logs a successful MFA event for [User1] with Duo as the source. (Cisco's Duo provides multi-factor authentication but relies on the end user to only accept legitimate authentication events.)

Account takeover incidents as a share of fraudulent activity in the financial services industry alone rose by 19 percentage points in 2020 compared with 2019, according to new figures from Kaspersky (usa.kaspersky.com).

19 minutes since initial activity:

Attacker Active 1:16pm

Attacker opens the existing calendar event for "Best Practices Training" and updates it with their own information.
Attacker begins adding forward and delete rules to [User1]'s inbox.

The FBI defines 5 major types of BEC scams (source: FBI.gov):

CEO Fraud:
Attackers position themselves as the CEO or an executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
Account Compromise:
An employee's email account is hacked and used to request payments to vendors.
False Invoice Scheme:
Attackers act as if they are the supplier and request fund transfers to fraudulent accounts.
Attorney Impersonation:
Attackers impersonate a lawyer or legal representative. Lower-level employees are commonly targeted through these attacks.
Data Theft:
Attacks targeting HR employees in an attempt to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks such as CEO Fraud.
Office 365 Logs 1:16pm

The Platform escalates the incident after seeing rules being added and deleted on the [User1] account.
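As an added example (not code from Arctic Wolf's timeline or platform), the following Python shows the kind of check that would escalate on the behaviour above: Office 365 unified audit log records for inbox rules that forward or delete mail, correlated with a Duo MFA success for the same user shortly before. The log lines are constructed samples, the user and domain names are placeholders, and the 30-minute correlation window is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample (not real customer data): one Duo MFA success, then
# three inbox-rule audit events for the same mailbox. Field names follow the
# Office 365 Unified Audit Log shape for Exchange cmdlets.
SAMPLE_LOG = """
{"CreationTime":"2021-06-01T12:57:10","Source":"duo","Result":"SUCCESS","UserId":"user1@customer.example"}
{"CreationTime":"2021-06-01T13:16:02","Operation":"New-InboxRule","UserId":"user1@customer.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ext@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2021-06-01T13:16:40","Operation":"New-InboxRule","UserId":"user1@customer.example","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2021-06-01T13:20:00","Operation":"New-InboxRule","UserId":"user1@customer.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
"""

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MFA_WINDOW = timedelta(minutes=30)  # assumed correlation window, not from the page

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_suspicious_rules(log_text):
    """Flag inbox rules that forward or delete mail and note whether a
    Duo MFA success for the same user happened within MFA_WINDOW before."""
    records = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    mfa = {}
    for r in records:
        if r.get("Source") == "duo" and r.get("Result") == "SUCCESS":
            mfa.setdefault(r["UserId"].lower(), []).append(_ts(r["CreationTime"]))
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        forward_to = [params[k] for k in sorted(FORWARD_PARAMS) if k in params]
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        if not forward_to and not deletes:
            continue  # plain move-to-folder rules are normal user behaviour
        when, user = _ts(r["CreationTime"]), r["UserId"].lower()
        recent_mfa = any(timedelta(0) <= when - t <= MFA_WINDOW for t in mfa.get(user, []))
        findings.append({"user": user, "rule": params.get("Name", ""),
                         "time": r["CreationTime"], "forward_to": forward_to,
                         "deletes": deletes, "mfa_within_window": recent_mfa})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_LOG):
        print(f)
```

The benign move-to-folder rule is skipped; the two rules that forward or delete mail are reported, each with the MFA success 19 minutes earlier noted for the analyst.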

Triage Team Takes Action:

Investigation Begins 1:18pm

The Arctic Wolf Triage Team begins its investigation into [User1] activity. (The Arctic Wolf Triage Team provides 24x7 alert triage and investigation. When an alert is generated by the Arctic Wolf Platform, the Triage Team responds in priority order.)

Active Attack:

Ongoing Investigation 1:22pm

Attacker uploads phishing PDFs to OneDrive with the intent to distribute emails to the calendar invite attendees.

Attacker's Motive

Once attackers gain legitimate access to their target's email account, the amount of information they have access to can be dangerous: email, calendar, key meetings with suppliers or customers, corporate directories, and shared files.

Attacker's Access

Attackers maintain access by creating email forwarding rules or changing account permissions, so they can closely monitor the target and craft convincing attacks that mimic normal business correspondence.

Customer Alerted

Escalation Begins 1:25pm

The Arctic Wolf Triage Team investigates and alerts [Customer] that [User1] has been compromised.
Arctic Wolf recommends that [Customer] disable the account and force a reset of credentials.

In Less Than 30 Minutes:

Remediation 1:25pm

[Customer] confirms that [User1] has been compromised and disables the account.


Security Journey with our Concierge Security Team

The Concierge Security Team works with the customer to check log data for any customer users accessing the phishing PDF. CST confirms remediation took place before any users accessed the PDF. CST assists the customer in remediating actions taken by the adversary.

With a complete understanding of your unique IT environment, the Arctic Wolf® Concierge Security® Team (CST) provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.

REAL-WORLD EXAMPLES:

Business Email Compromise (BEC) Attack Methods

In the example above, credentials were stolen via a phishing email. Do you think you or your company's employees could spot the various email compromise methods that have been used in different attacks?

Since March, the volume of account takeover exposures has increased by 429 percent.

In the new normal of hybrid work environments, account takeover risk is more serious than ever. Businesses should invest in account takeover risk solutions.
