
How We Find and Fix Business Email Compromise

POSTED BY ASMGi ON JANUARY 26, 2022

According to the FBI and other law enforcement agencies, Business Email Compromise, or BEC, is still a major point of entry for hackers into IT systems.

Multi-Factor Authentication (MFA) usage has increased in response to BEC, among other things, and so has the response of hackers. They have learned to short-circuit MFA, as we will show in this example.

A Real-Life BEC, With an MFA Compromise

MFA systems are an important part of IT security; however, we have seen several ways that MFA systems can be, and have been, compromised.

Endpoint protection is also important, but as you will see, the hacker had valid user credentials. With valid credentials, and activity during regular business hours, the indicators in this case seemed to show a valid user.

How Hackers Got In

At 12:57 PM local time, the hackers used previously stolen user credentials, and the user accepted a push from the MFA system, allowing the hackers to establish ActiveSync with the user’s mailbox.

Also at 12:57, the Arctic Wolf platform logged a successful MFA for the ‘user’. With valid (although stolen) credentials and a pass through MFA, the system had no indication of a problem yet.

This is a good time to think about a culture of security. The user involved let the hacker through the MFA system; frequent security awareness training helps reduce this from happening.

What Triggered the Alert?

For almost 19 minutes, the hacker had a chance to browse the victim’s system, and in this case went to Outlook, having found a calendar event with several attendees. At 1:16 the hacker updated the invite with their own information and started adding and deleting Outlook rules. Office 365 logged the rule changes, and within 2 minutes the Arctic Wolf platform identified an “indicator of compromise”.
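The inbox-rule activity described above is what gave the attacker away. As an added example (not code from the original post or from Arctic Wolf), the following detector correlates Office 365 audit records so that a burst of inbox-rule changes shortly after a login is surfaced with the minutes elapsed since that login; the user names, IPs and timestamps are constructed, while the Operation values are the audit-log operation names Office 365 actually emits.

```python
# Added example, not the original post's or Arctic Wolf's code.
# Correlates Office 365 unified-audit-log style records: inbox rule
# operations occurring within WINDOW of a user's login are flagged.
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Remove-InboxRule"}
WINDOW = timedelta(minutes=30)  # rule changes this soon after a login get flagged

# Constructed sample records (users and times are made up; they loosely
# follow the timeline in the post: login 12:57, rule changes around 1:16).
SAMPLE_LOG = [
    {"CreationTime": "2022-01-20T12:57:00", "Operation": "UserLoggedIn",
     "UserId": "jane@example.com", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2022-01-20T13:16:05", "Operation": "New-InboxRule",
     "UserId": "jane@example.com", "Workload": "Exchange"},
    {"CreationTime": "2022-01-20T13:16:40", "Operation": "Remove-InboxRule",
     "UserId": "jane@example.com", "Workload": "Exchange"},
    {"CreationTime": "2022-01-20T13:22:00", "Operation": "FileUploaded",
     "UserId": "jane@example.com", "Workload": "OneDrive"},
    # A rule edit with no recent login on record: not flagged by this rule.
    {"CreationTime": "2022-01-20T09:05:00", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com", "Workload": "Exchange"},
]


def parse_time(value):
    """Audit-log CreationTime is ISO 8601 without a zone; parse it as naive."""
    return datetime.fromisoformat(value)


def find_rule_changes_after_login(records, window=WINDOW):
    """Return {user: [(operation, minutes_since_login), ...]} for inbox rule
    operations that happen within `window` of that user's most recent login."""
    ordered = sorted(records, key=lambda r: parse_time(r["CreationTime"]))
    last_login, hits = {}, {}
    for rec in ordered:
        user, op, when = rec["UserId"], rec["Operation"], parse_time(rec["CreationTime"])
        if op == "UserLoggedIn":
            last_login[user] = when
        elif op in RULE_OPS and user in last_login:
            elapsed = when - last_login[user]
            if elapsed <= window:
                hits.setdefault(user, []).append((op, int(elapsed.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for user, ops in find_rule_changes_after_login(SAMPLE_LOG).items():
        print(f"ALERT {user}: inbox rule changes after login -> {ops}")
```

In production the records would come from the audit log export rather than the embedded sample, and the window and the set of operations are the knobs an analyst tunes.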

Found, on the Way to Fixed

At 1:18, 21 minutes into the event, the Arctic Wolf triage team started an investigation. Remember, the credentials were good, so something else had to give the hacker away. In less than 2 minutes the Arctic Wolf platform correctly identified the attack.

Speed is absolutely critical, because while Arctic Wolf was doing its investigation, 4 minutes later the hacker uploaded phishing PDFs to OneDrive.

At 1:25, Arctic Wolf contacted ASMGi, and within seconds ASMGi confirmed the event and disabled the user’s account. Total time the hacker had in the client’s system: 27 minutes. Time from initial indicator of compromise to resolution: 7 minutes.

At a recent event in Cleveland, ASMGi hosted FBI Special Agents, who confirmed that the typical time a hacker has within a system is over 100 days.

What Else Could Have Happened?

ASMGi also spent the next 6 minutes evaluating logs to determine whether other users had been hit or were affected by the phishing PDFs.

Because we had very good data on how the hacker accessed the system, we did not have to fix other vulnerabilities in code. We did review the event and why the user allowed a pass through the MFA system.

Endpoint Protection Is Not Good Enough

In this case, endpoint protection would not have offered any assistance in finding or resolving this scenario. SOC operations that include user and entity behavior modeling and oversight are ultimately what identified this hacker.

Conclusions

There is no substitute for speed in finding and remedying a hacker who has entered an IT system. Endpoint protection is not enough; SOC monitoring of user and entity behavior is key. Finally, users are still the greatest risk to an IT system; frequent security awareness training develops a culture of security and keeps it top of mind for users.
