Occam's razor – When an attack is unknown?
This is a true story about a recent Managed Service Provider's customer:
The customer was breached, bank account details were changed and a significant amount of money was transferred out of the business account.
I am deliberately leaving out the industry and the amounts to keep this anonymous, but this tale illustrates something very serious to me.
The scenario is:
✅ No signs of identity compromise at the business: access came from approved machines and from known locations.
✅ The business has multi-factor authentication (MFA) and conditional access enabled.
❌ A third-party supplier holding the business's bank account details does not use MFA or Single Sign-On for their portal.
✅ The supplier has since enabled MFA, coincidentally at around the same time as this incident.
❌ A confirmation email was sent from the supplier portal once the bank details had been changed, and the change was approved – user error.
The MSP technical team has ruled out compromise of the business tenant as the source of this criminal action.
Occam's razor says the simplest explanation is probably the right one – the MSP has therefore started suspecting that the third-party supplier is where the breach occurred.
I have personally been involved in multiple cases where the third party was the compromised party: a database with clear-text passwords or password hashes was stolen, and because of simple things like password re-use and business email addresses appearing in the dump, a business was then targeted and compromised. MFA mostly prevents this from occurring in the first place, but it is only one step.
Do not trust your suppliers implicitly, not because they are evil or dishonest, but because they very often do not design their platforms with security as a core fundamental pillar.
Developers program, sales want to sell, backers want revenue – if SecOps is not a core element of the business, it will not happen at the rate that is necessary.
I KNOW THIS because I worked with product development and have seen the disasters.
Interview your software suppliers: learn their security principles, ask for their incident response plan, ask who their security advisor is, and make sure you feel confident in their responses.
None of this is rocket science, and any supplier who designs with mature SecOps in mind will be able to provide the above details very quickly.
Also teach your staff to ask questions any time a change is requested or a financial transaction is about to occur that falls outside the normal process.