By now you should be aware of advanced persistent threats (APTs) and targeted security threats and incidents such as phishing, pharming, Trojan horses, DDoS/DoS attacks, SQL injection, and the Equifax and Panera Bread data breaches. You may already have measures in place to protect your network against such attacks. However, there is one attack that has stayed off the radar of many IT departments: Business Process Compromise (BPC). According to recent research by Trend Micro Incorporated, 43% of organizations across 12 countries have been affected by BPC attacks. The research also found that 50% of management teams did not even know what these attacks are or how their organizations would be affected if they were victimized. Awareness among IT leaders remains low, yet there have already been major real-world attacks targeting the complex processes that power most organizations. One example is the infamous attack on Bangladesh Bank's processes, in which $81 million was stolen.
What is Business Process Compromise (BPC)?
Before we define Business Process Compromise (BPC), let us first understand what a business process is. A business process is a collection of related tasks that ends in the delivery of a service or a product to a client. An example of a business process is a bank ATM withdrawal. From this definition, we can see that if the process is compromised, its result will automatically be affected: the result may not come out at all, or a result different from the expected one will be produced. For example, if the ATM system is altered, it may not accept the card, it may fail to process a user's command such as a withdrawal, or it may even dispense an incorrect amount of money.
A Business Process Compromise attack aims at altering some part of a specific business process, or the machines facilitating that process, so as to generate significant profit for the attacker. The attack must be carried out discreetly and silently so that the victimized enterprise does not notice any suspicious activity. The compromised process should continue to appear to work as expected while producing a different outcome from the one originally intended.
One of the main characteristics of a BPC attack is that it requires the attacker to have a deep understanding of the target network's internal operations and systems, as well as the target organization's standards and procedures. Therefore, attackers usually take a lot of time to familiarize themselves with the system before launching an attack.
Another characteristic of this type of attack is that the attackers aim to stay undetected in the system for a long time. Therefore, after understanding the system's entire supporting structure, they penetrate and infiltrate the process so carefully that they are not detected.
BPC attacks typically target financial institutions such as banks because they offer an instant reward in the form of money. When these attacks happen in banks, they lead to withdrawals or transfers of money, or even the erasure of account records. The most recent BPC attack is the Bangladesh Central Bank heist. In this attack, the cybercriminals demonstrated that they understood how the SWIFT financial platform works, as well as the weaknesses in the processes of the partner banks' systems. The criminals therefore had a strong grasp of the procedure followed in a money transfer. They used this knowledge to seize the bank's credentials and proceeded to conduct unauthorized transactions. Up to $81 million was stolen in this attack.
Although BPC mostly targets financial institutions, it can extend beyond financial transactions. In 2013, attackers hacked the container tracking system at the Antwerp seaport in Belgium and smuggled tonnes of drugs (heroin and cocaine) past the port authorities.
Attackers can use the same tools used in targeted attacks. However, while targeted attacks may aim at accessing sensitive data, BPC primarily aims at a direct benefit from the compromised system, which is why it is common in banks. BPC may resemble business email compromise (BEC), since both hijack a normal business transaction. They differ in that BEC attackers mostly depend on social engineering techniques, such as phishing and Trojan horses, and less on the actual alteration of a business process to achieve their goal.
BPC can take different execution approaches, but the end result is basically the same in all the attacks. The following are some of the common BPC types.
Financial Manipulation
In this type of BPC, the attacker aims at influencing financial outcomes as well as critical business decisions, including acquisitions. To accomplish this, the attacker usually introduces a variable into a key business process or system. This variable alters the outcome of the targeted business process to the benefit of the attacker. An example of financial manipulation is targeting a trading system or software to alter the value of stocks in stock trading. In such an attack, malicious traders could walk away with millions by profiting from the resulting sudden market volatility.
Diversion of Funds
This kind of BPC attack targets and leverages security gaps in a financial organization's cash flow. The attackers' aim is to illegally transfer money in the attacked cash flow system to a destination of their choosing, one that is made to appear legitimate. For instance, payroll fraud may be conducted whereby the attacker, after gaining access to the payroll system, adds ghost or fake employees and uses those accounts to divert money. This can also be done by insiders who have access to the payroll process. Typically, this happens in institutions with many employees, where it may take a long time to detect the fraudulent act.
Diversion of funds can also take the form of bank transfers. When cyber attackers find a weak point in a bank's money transfer system, they either alter it directly or use malware to compromise it, and divert money passing through the system into their own accounts or into pseudo-accounts.
Defending Against BPC Attacks
- Understanding the Network
Organizations should have a comprehensive understanding of their network. They should know what the system looks like when it is operating normally and be able to detect any abnormal operation. With such understanding, the organization can identify malicious activity within the system early enough, before it causes serious harm.
- Performing Risk Assessment
The organization should also perform risk assessments. Preferably, third-party vendors should be included in the system evaluation, because most of these attacks target the transactional processes between vendors and suppliers, which is where attackers usually expect to find a weak link into the system. In the system evaluation, the organization should analyze the information flow data from its various sensors and try to identify any flaw within the system. Alternatively, an existing measure can be used as a baseline against which information flow is compared to detect any problem. Organizations should also conduct periodic audits of all records and transactions to help determine gaps and improve the security of the entire organizational environment.
- Improve Awareness and Educate Employees about BPC Attacks
We saw at the beginning of this article that 50% of organizational managers do not know about Business Process Compromise attacks. This is a worrying statistic, since it is not possible to prevent what you do not even know about. It is important for organizations to create awareness of BPC attacks among their employees; this should be the basis for preventing the attack. Employees should be educated on how to distinguish normal from abnormal behavior within the system and its processes, and should be taught to develop a healthy distrust of odd transactional requests.
- Network Security Policy and Cyber Security Measures
The organization should have a strong network security policy that defines how every member of the organization interacts with the network. All employees should be aware of these policies. Long-established policies should be audited after analyzing the performance of the different processes against the baseline data.
- Install Network Security Infrastructure
The organization should have antimalware tools and firewalls installed in its computer networks to identify and block malware intrusions. The organization can also use security technologies such as endpoint protection, which can detect malicious lateral movement and help pinpoint and prevent further intrusions.
- Perform Penetration Tests
Organizations should hire an external red team to simulate all the plausible attack scenarios from every angle: the technologies and tools used, the security measures, the processes, and so on. This tests the organization's security readiness and highlights the commonly overlooked gaps in its processes.
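The "Diversion of Funds" section above describes ghost-employee payroll fraud, and the "Performing Risk Assessment" section recommends comparing information flow against a baseline. The following is an added example, not code from the original article or any real payroll product, of such a baseline check: a payroll run is reconciled against HR master data, flagging employees that HR does not know, destination accounts that changed outside HR, and accounts paid twice. All records, field names and finding codes are constructed for illustration.

```python
"""Added example: reconcile a payroll run against an HR baseline.

Constructed data only; the schema (employee_id, name, account, amount) and the
finding codes are assumptions for this illustration, not any vendor's format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    name: str
    account: str   # destination bank account for this payment
    amount: float


# Constructed HR master data: the baseline of who should be paid, and where.
HR_MASTER = {
    "E001": ("Alice Ng", "ACC-1001"),
    "E002": ("Bob Osei", "ACC-1002"),
    "E003": ("Chen Wei", "ACC-1003"),
}

# Constructed payroll run as produced by the (possibly compromised) payroll system.
PAYROLL_RUN = [
    PayrollLine("E001", "Alice Ng", "ACC-1001", 4200.0),
    PayrollLine("E002", "Bob Osei", "ACC-9999", 3900.0),   # account changed outside HR
    PayrollLine("E003", "Chen Wei", "ACC-1003", 4100.0),
    PayrollLine("E404", "Dana Fake", "ACC-7777", 4000.0),  # absent from HR: ghost employee
]


def reconcile(run, hr_master):
    """Return (finding_code, employee_id) pairs for lines deviating from the baseline.

    GHOST      - employee id is paid but does not exist in HR master data
    ACCT_DRIFT - employee exists, but the destination account differs from HR's record
    DUPLICATE  - the same destination account is paid more than once in one run
    """
    findings = []
    seen_accounts = set()
    for line in run:
        record = hr_master.get(line.employee_id)
        if record is None:
            findings.append(("GHOST", line.employee_id))
        elif record[1] != line.account:
            findings.append(("ACCT_DRIFT", line.employee_id))
        if line.account in seen_accounts:
            findings.append(("DUPLICATE", line.employee_id))
        seen_accounts.add(line.account)
    return findings
```

Run as a control step before payments are released; any finding should block the run until HR confirms the change through its own (out-of-band) process.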
Business Process Compromise (BPC) continues to fly under the radar of many managers. However, it is a dangerous attack that can cause great harm to the targeted victim. It is important to be aware of this cybersecurity concern and to develop appropriate preventive measures. Contact us to find out how we can help you protect your network by identifying its vulnerabilities and offering solutions.