Enhancing Business Email Compromise Incident Response: New Email & Cloud Security Configuration Snapshot

KEY TAKEAWAYS

• Email & Cloud Security Configuration Snapshot can be delivered free as part of BEC investigations, in automated fashion  
• Snapshot condenses frontline threat intelligence from 1000s of BEC investigations to identify configuration weakness allowing most common BEC attack patterns
• Requires no additional client involvement to run
• Available for M365 and Google Workspace

Business Email Compromise (BEC) remains one of the most financially devastating forms of cybercrime, with the FBI reporting over $55 billion in BEC losses worldwide over the past 10 years. Requiring little technical expertise, BECs are relatively simple to execute and attackers have found clever ways to bypass most defenses, contributing to the high rate of incidents. Though attackers leverage various intrusion vectors to compromise email accounts, most BEC incidents are worsened by poor email and cloud security configurations, making it easier for attackers to move laterally, exfiltrate data, and increase the overall impact of the attack.

Most email solutions are no longer simple or much less standalone applications. Cloud systems that connect email, storage, file sharing, and identity management under a single authentication protocol have exponentially increased the attack surface for threat actors. Securely configuring cloud systems remains a challenge for organizations of all sizes.

Recognizing this critical need, Cybereason introduces the Security Configuration Snapshot, an innovative enhancement to traditional BEC investigations. The snapshot merges guidance from CISA’s Secure Cloud Business Applications (SCuBA) Project with threat intelligence gathered from thousands of real-world BEC incidents into an automated evaluation of email and cloud security configurations most commonly used by attackers. It identifies weaknesses allowing most common BEC attack patterns, providing immediate configuration recommendations post-engagement.

BEC Response Has Evolved

The Security Configuration Snapshot seamlessly integrates with BEC investigation flow to help minimize impact of incidents:

How The Security Configuration Snapshot Works

The Snapshot relies on the same admin access granted in the beginning of the BEC incident response, requiring no further resources from IT or Infosec to run. Once started, the Snapshot runs over 250 individual checks on M365 and Google Workspace, reviewing:

Security Configuration Snapshot for M365:

• Azure Active Directory / Entra ID
• Microsoft 365 Defender
• Exchange Online
• Microsoft Power Platform
• Microsoft Power BI
• SharePoint & OneDrive for Business
• Microsoft Teams

Security Configuration Snapshot for Google Workspace:

• Google Calendar
• Google Chat
• Google Classroom
• Common Controls
• Google Drive and Docs
• Gmail
• Gmail for Business
• Google Meet
• Rules
• Google Sites

Key Security Controls Evaluated

The Snapshot checks configuration elements related to key controls such as:

• Authentication: SPF, DKIM, DMARC, etc.
• Access controls: MFA enforcement, user permissions, etc.
• Cloud storage: lateral movement between email and file storage
• Email settings: spam filters, mail relay settings, etc.
  
  

The Security Configuration Snapshot can:

• Minimize lateral movement by identifying configuration weaknesses that can block an attacker with access to email from reaching file storage, for example
• Establish security baseline by providing a thorough evaluation of security configuration at that particular moment
• Deliver findings mapped against MITRE ATT&CK TTPs

Seamless Integration Within BEC Investigations

The Security Configuration Snapshot is delivered as part of the standard BEC response timeline, with no additional client effort required or delays to the investigation. It ensures that security gaps are identified while resources are already committed to the investigation, rather than waiting until a time in the future when resources become available. Additionally, insights generated by the Snapshot can be protected under legal privilege when investigations are conducted in collaboration with legal counsel.

Why The Security Configuration Snapshot Matters

• BECs happen at such a high-rate, and often multiple times within the same organization, so improving security configurations is crucial
• Immediate, actionable intelligence that can identify and remediate security gaps during an investigation, rather than after the fact, enhancing overall resilience and reducing exposure to repeat incidents.
• During an Incident Response engagement, at the direction of Counsel, findings may be protected under legal privilege versus most traditional assessments.
• Leveraging a standardized methodology for identifying email and cloud security configuration weaknesses, the Snapshot can aid in quantifying risk exposure and enable more informed underwriting decisions and post-incident recovery efforts.
• For teams that want additional support, our experts are available to help implement findings and/or conduct a deeper assessment of security controls, under a separate engagement.

A Game-Changer for BEC Incident Response

The Security Configuration Snapshot represents a transformative step forward, helping minimize the impact of BEC incidents at no additional cost.

By seamlessly integrating into existing BEC investigations, this innovative tool helps organizations minimize lateral movement, establish a robust security baseline, and align their defenses with MITRE ATT&CK techniques. With BEC threats showing no signs of slowing down, the time to enhance incident response is now.

For more information on how Cybereason can enhance your BEC response and improve your overall cyber resilience, contact our experts 24x7 at response@cybereason.com.