Attacks classified as business process compromise (BPC) silently alter parts of specific business processes, or machines facilitating these processes, in order to generate significant monetary profit for the attackers. The high degree of discreetness with which such attacks are carried out often means that enterprises may not easily spot or detect the changes from normal expected behavior, since compromised process functions continue to work as expected but produce a different outcome than originally intended.
BPC is characterized by threat actors’ deep understanding of the target networks’ internal operations and systems as well as the standards used by their target organizations. This enables them to hack into, infiltrate, or hijack business processes such as account management, procurement, manufacturing operations, payment, and delivery.
The Bangladesh Central Bank heist is a recent example of BPC. In this attack, which resulted in losses of up to US$81 million, cybercriminals showed that they had a strong grasp of how the SWIFT financial platform works and had knowledge of weaknesses in partner banks that use it. By compromising the Bangladesh Central Bank’s computer network, cybercriminals were able to trace how transfers were done and seize the bank’s credentials to conduct unauthorized transactions.
BPC also extends beyond financial transactions. In 2013, a container tracking system in the Antwerp Seaport in Belgium was hacked to smuggle a ton each of cocaine and heroin past port authorities.
BPC can use the same tools and techniques as targeted attacks, but instead of aiming for sensitive data, BPC attackers are focused solely on being able to directly benefit from the alteration of business processes. BPC is similar to business email compromise (BEC) in that they both attempt to hijack a normal business transaction, but BEC attackers rely more on social engineering and less on the actual alteration of business processes in order to achieve their goals.
Types of Business Process Compromise
Attacks that fall under this kind of BPC exploit security gaps in the organization’s cash flow system. Threat actors are then able to transfer money to supposedly legitimate channels.
An example of this BPC type is payroll fraud, where attackers or malicious insiders with access to the payroll system can add ghost or fake employees and use those to divert money.
Fraudulent bank transfers also fall under this type of BPC. Cybercriminals find loopholes in a bank’s money transfer system and either alter code or use malware to divert funds into accounts they own and control.
This kind of BPC takes advantage of key business processes, such as the transportation of illegal goods and the transfer of malicious software, which translate to big financial gains for the attackers.
This kind of BPC includes those that aim to influence financial outcomes and important business decisions such as acquisitions. Attackers do this by introducing malicious variables into a key business system or process.
Stock trading can be manipulated, for example, when trading software or a trading system is specifically targeted to skew the value of stocks. Malicious traders could amass thousands or even millions from the sudden volatility this creates in the market.
Timeline of Known BPC Cases
Tien Phong Commercial Joint Stock Bank (Vietnam)
Automatic Data Processing, Inc. (ADP)
Bangladesh Central Bank
Russian Trading System
Banco del Austro (Ecuador)
Stanley-Boyd School District
Metropolitan Entertainment & Convention Authority (MECA)
Defense Strategies Against BPC
Analyze information flow from different sensors to spot anomalies
Analysis of the information flow from the various sensors or measures already in place can be used to establish a baseline against which later flows are compared, so that incongruities surface as anomalies. Periodic audits of all records and transactions are therefore critical to identifying gaps and improving the security posture of the enterprise environment.
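One way to make the cross-sensor baseline check concrete is the payroll-fraud case mentioned earlier: the HR system and the payroll export are treated as two independent sensors, and a run is flagged when the payee count disagrees with the HR headcount or the total paid drifts far from the baseline. This is an added example, not code from the original article; the baseline records are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample data, not from the article: one record per payroll run.
# "hr_headcount" is read from the HR system, "payees" and "total" from the
# payroll export. Treating them as independent sensors lets the two be
# cross-checked, which a ghost-employee scheme inside payroll alone cannot hide.
BASELINE_RUNS = [
    {"run": "2023-01", "hr_headcount": 120, "payees": 120, "total": 480000.0},
    {"run": "2023-02", "hr_headcount": 120, "payees": 120, "total": 481200.0},
    {"run": "2023-03", "hr_headcount": 120, "payees": 120, "total": 478800.0},
    {"run": "2023-04", "hr_headcount": 120, "payees": 120, "total": 480600.0},
    {"run": "2023-05", "hr_headcount": 120, "payees": 120, "total": 479400.0},
    {"run": "2023-06", "hr_headcount": 120, "payees": 120, "total": 480000.0},
]


def zscore(value, samples):
    """Standard score of `value` against the baseline `samples`."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def check_run(run, baseline=BASELINE_RUNS, z_limit=3.0):
    """Return a list of findings for one payroll run (empty means congruent).

    Two checks: (1) the payroll payee count must match the HR headcount;
    (2) the total paid must stay within z_limit standard deviations of the
    baseline totals.
    """
    findings = []
    if run["payees"] != run["hr_headcount"]:
        findings.append(
            f"{run['run']}: payroll paid {run['payees']} payees but HR lists "
            f"{run['hr_headcount']} employees (possible ghost employees)"
        )
    z = zscore(run["total"], [b["total"] for b in baseline])
    if abs(z) > z_limit:
        findings.append(
            f"{run['run']}: total {run['total']:.2f} deviates from baseline "
            f"(z = {z:.1f})"
        )
    return findings


if __name__ == "__main__":
    # Constructed suspicious run: three payees were added, HR still lists 120.
    suspicious = {"run": "2023-07", "hr_headcount": 120, "payees": 123, "total": 495000.0}
    for finding in check_run(suspicious):
        print(finding)
```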
Find statistical deviations on similar industry practices and processes
Security technologies such as behavior monitoring and intrusion prevention can detect discrepancies or flag suspicious activity on the network. Beyond these, enterprises should draw on comparable data from similar industry practices and processes, or from publicly available sources, as an additional reference for what results to expect.
Harden business process security through operation security (OPSEC) wargaming
Hiring an external red team to simulate possible attack scenarios from every angle (the technologies and tools in use, the processes, the security measures in place, and so on) tests security readiness and highlights commonly overlooked aspects or gaps in an organization. This team should be composed of forensic accountants with a background in money laundering.
Do regular quality assurance, quality control, and penetration testing
Penetration testing, quality assurance, and quality control reveal the critical weaknesses in the network, such as exploitable vulnerabilities. Pen testers, however, should work from the assumption that attackers already hold the highest level of access, and test whether the processes in place can still mitigate the damage during an actual attack. It is also advisable to focus such tests on business logic, so that flaws and weaknesses in the current business process that could be abused are spotted.
Restrict scriptable actions
Attackers may find flaws in business logic and abuse scriptable actions within the system to trigger certain actions, such as payouts. Such threats can be addressed by restricting unnecessary processes from being carried out.
Separate employee duties
To prevent insider threats, distributing the tasks to different people in various departments is key. For instance, those handling finance should be different from IT. Likewise, the team handling product testing should not be the same as those in the production line to fend off attempts at introducing malicious factors.
Require two people (from different teams or network setups) to perform critical actions
BPC abuses legitimate processes, which makes it difficult to defend against. Requiring two people will not stop the attacks outright, but it makes it far more arduous for attackers to commit financial theft successfully. In banks, for example, it is common practice to segregate duties so that when an attack occurs, the attackers have to compromise two particular credentials.
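The two-person rule above, applied to a fund transfer, can be enforced in code: a transfer is released only after two distinct approvers from different teams have signed off, so a single compromised credential (or one approver acting twice) is not enough. This is an added example, not code from the article; the approver directory and transfer details are constructed.

```python
from dataclasses import dataclass, field

# Constructed approver directory (not from the article): user -> team.
APPROVERS = {"alice": "treasury", "bob": "risk", "carol": "treasury"}


class ApprovalError(Exception):
    """Raised when an approval or execution violates the dual-control rule."""


@dataclass
class Transfer:
    amount: float
    beneficiary: str
    approvals: dict = field(default_factory=dict)  # approver -> team
    executed: bool = False

    def approve(self, user):
        """Record an approval; the second must come from a different team."""
        team = APPROVERS.get(user)
        if team is None:
            raise ApprovalError(f"{user} is not an authorised approver")
        if user in self.approvals:
            raise ApprovalError(f"{user} has already approved this transfer")
        if team in self.approvals.values():
            raise ApprovalError(f"second approver must be outside team {team}")
        self.approvals[user] = team

    def ready(self):
        """True once two approvals from different teams are on record."""
        return len(self.approvals) >= 2

    def execute(self):
        """Release the funds only when the dual-control requirement is met."""
        if not self.ready():
            raise ApprovalError("two approvals from different teams required")
        self.executed = True
        return True


def approval_rejected(transfer, user):
    """True if approving as `user` is refused by the dual-control rule."""
    try:
        transfer.approve(user)
        return False
    except ApprovalError:
        return True


if __name__ == "__main__":
    t = Transfer(amount=250000.0, beneficiary="ACME Supplies")
    t.approve("alice")
    print("alice again:", approval_rejected(t, "alice"))       # True
    print("carol (same team):", approval_rejected(t, "carol"))  # True
    print("bob (other team):", approval_rejected(t, "bob"))     # False
    print("executed:", t.execute())                             # True
```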
Train employees to identify social engineering attacks
Security awareness training empowers everyone from high-level officials (CEO, CFO, etc.) down to employees and third-party partners to identify and respond to BPC. Other basic security practices, such as installing only trusted apps and entering information only on legitimate sites, can prevent risks from being introduced at the gateway level.