Anatomy of a local cyber incident.
Conrad Simpson, Co-Founder/Director @ Cyphra
• Specialist cyber security company
• Expert advice, technical services & solutions
• Offices in Belfast & Glasgow
• CyberFirst Supporter
• Reputation for quality and expertise
Key threat sources!
UK Trend - Cyber Incidents
• Office365
• Ransomware
• Phishing
• Vulnerability scanning
• Supply chain attacks
+ Denial of Service attacks
Email compromise
Why?
• Launch pad for spear phishing
• Impersonation/fraud
• Steal commercial or sensitive information
• To compromise other personal accounts
How?
• Poor user security
• Spear phishing
• Credential stuffing/spraying
Business Email Compromise (BEC)
[Diagram: NI Company XYZ. The XYZ salesman (Jim) sends his orders to HQ by email from his Company XYZ Office 365 account ([email protected]); Company XYZ sends an invoice to the customer, and the customer pays the invoice to Company XYZ's bank. The attacker hacks Jim's email account and sets up email forwarding, watches the sales/customer interactions (phone/email), then compromises the Company XYZ Accounts email so that the unsuspecting customer's payment is redirected to A N Other Bank.]
First fraud (£16,000):
• Attacker monitors Jim's email activity, collecting information.
• Jim emails an order to HQ.
• Company XYZ sends an invoice to the customer for £16,000.
• Attacker emails the customer from [email protected], redirecting payment to A N Other Bank.
• Customer pays the £16,000 invoice to A N Other Bank.
• Attacker transfers the money.
Second attempt (£500,000+):
• Jim lands a major order, which the attacker views.
• Attacker sees the invoice being issued.
• Attacker sends an invoice email from [email protected] for £500,000+, redirecting payment to A N Other Bank, and deletes the sent items to hide the trail.
• Customer queries the new bank details by phone and the payment is stopped.
Lessons
• Technical controls
  • Understand the security controls available in Office 365.
  • Secure Score
  • Control auto-forwarding (the attacker's first step after getting into Jim's mailbox).
  • Protect privileged accounts.
  • Multi-factor authentication.
  • Turn on audit log recording and mailbox auditing.
  • Password hygiene.
  • Monitoring of key events (internally or via an external service).
• Don't rely on sending letters to customers about bank account changes; the phone call that stopped the £500,000+ payment is the control that worked.
• Develop and test a plan for a compromise.
• Don't use email to communicate a breach: the attacker may still be reading it.
• Staff training: phishing awareness / 'good' passwords.
• People like to be helpful!
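The technical controls above, as an added example (not from the slides or from Cyphra): an Exchange Online PowerShell session that lists existing forwarding, switches off external auto-forwarding, confirms auditing is on, and hunts the unified audit log for the rule and forwarding changes of the kind used against Jim. It assumes the ExchangeOnlineManagement module is installed and the account holds Exchange administrator rights; the 30-day look-back and the "Default" policy and remote-domain names are assumptions to adjust to your tenant.

```powershell
# Added example, not from the original slides. Assumes the ExchangeOnlineManagement
# module and an Exchange administrator account; "Default" and the 30-day window are
# assumptions to adjust for your tenant.
Connect-ExchangeOnline

# 1. Mailbox-level forwarding (set with Set-Mailbox, invisible to the user).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or delete mail (the pattern used against Jim).
#    This walks every mailbox, so it is slow on large tenants.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Block automatic forwarding to external domains tenant-wide.
#    The outbound spam policy covers both rules and mailbox forwarding; the remote
#    domain setting is the older control and is kept in step with it.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Confirm auditing is on, tenant-wide and per mailbox.
Get-OrganizationConfig | Select-Object AuditDisabled      # expect False
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

# 5. Hunt the unified audit log for forwarding-related changes in the last 30 days.
#    New-InboxRule / Set-InboxRule / Set-Mailbox come from the admin audit log;
#    UpdateInboxRules is the mailbox-audit record written when Outlook changes rules.
$since = (Get-Date).AddDays(-30)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox' -ResultSize 5000 |
    Where-Object { $_.AuditData -match 'Forward|Redirect|DeleteMessage' } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            Action   = $_.Operations
            # admin records carry ClientIP, mailbox-audit records carry ClientIPAddress
            ClientIP = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
            Detail   = $_.AuditData
        }
    } | Format-Table -AutoSize -Wrap
```

Review the output of steps 1 and 2 before running step 3, because a tenant-wide block also stops any forwarding the business relies on. Search-UnifiedAuditLog returns at most 5000 records per call; on a busy tenant narrow the window or page with -SessionCommand ReturnLargeSet. A rule that forwards to an address outside your domains, or that deletes messages matching "invoice" or "payment", is the finding to act on first.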
Use existing tools and information
• NCSC website information
• Exercise in a Box
• Small Charity Guide
• Cyber Essentials
• Board Toolkit
• Microsoft O365 Secure Configuration Guide
• CiSP
• haveibeenpwned.com