Business Email Compromise Response Playbook

Preparation

Note: Preparation steps should primarily be completed prior to an event or incident.

1. Determine the members of the Cybersecurity Incident Response Team (CSIRT).
   
   1. The core CSIRT members should be comprised of individuals responsible for cybersecurity only.
      
      1. This may include some members of Information Technology roles, depending on the organization size.
      2. The limited size of the core CSIRT is to assist with confidentiality and efficiency.
      3. The core CSIRT may be activated often to investigate security events that may or may not result in an incident.
   2. Assign roles and responsibilities to each member.
2. Determine extended CSIRT members.
   
   1. This will often be Legal, Compliance, Public Relations, and Executive Leadership.
3. Define escalation paths.
   
   1. Business email compromise incidents may start as events, or as a lower impact/severity and then increase as more information is gathered. Establishing an escalation path is critical to success.
4. Ensure logging levels for email system components are set to appropriate levels.
   
   1. 90 days should be the minimum.
5. Ensure logging for email system components are stored in secure locations, preferably on a secondary system such as a SIEM.

Identification

1. Use the evidence that resulted in notification of business email compromise to determine next steps based on method of compromise. (Some steps may be irrelevant based on the method of compromise.)
   
   1. Example of evidence: an email from an external client saying they received a phishing email or malware, email rules that were not created by the user, a fraudulent funds transfer, etc.
   2. Method of compromise examples: credential harvesting phish, attached malware, brute forced password, etc.
2. Determine initial method of account compromise.
   
   1. Interview impacted user to gather details on potential points of compromise.
      
      1. Example questions:
         1. Did you receive a suspicious email?
         2. Did you enter your email credentials after clicking a link, or on a website that seemed to not accept them?
         3. Have you downloaded any new software?
         4. Have you received any documents via email that you weren’t expecting?
   2. Search for phishing emails.
   3. Search for emails with links to credential harvesting sites.
   4. Search for potential malware on the user’s workstation.
      
      1. Credential harvesters such as Mimikatz.
      2. Keystroke recording software.
      3. Clipboard scraping malware.
3. Once method of initial compromise is determined, use the Indicators of Compromise (IoCs) gathered to search the environment for other victims.
   
   1. Potential query inputs: Email subject name, document name, document hash, URL from email, etc.
4. Review logs in email system searching for anomalies.
   
   1. Login activity from unusual locations, systems, or browser fingerprints.
   2. Compare any login anomalies to other logins with similar characteristics, such as:
      
      1. Originating IP address
      2. Concurrent login
      3. Browser fingerprint
      4. Etc.
5. Assess victim email accounts to determine if sensitive information may be contained in them.
   
   1. This may need to be extended to other sources these users and/or accounts have access to such as OneDrive, Google Drive, SharePoint, shared mailboxes, fileservers, etc.
   2. If sensitive information is a possibility, consult legal counsel for next steps.
6. Search impacted systems for newly created users.
   
   1. Ensure that all recently created users are accounted for.

Containment

1. Reset all passwords associated with all identified victims.
   
   1. Begin with email account passwords, but all accounts associated with the user should have their passwords reset or disabled.
2. Revoke authentication tokens for all identified victim accounts.
   
   1. This should cover the email system and any other accounts that are associated with the impacted users.
3. If an external organization is identified during the investigation, notify the organization of any business email compromises or concerns.
   
   1. Work with legal counsel to determine this process.
   2. This will help prevent the organization’s users from being targeted again from the same compromised source.
4. If an external organization is identified during the investigation, block their related domains from sending email to your organization.
5. If malware is discovered during the investigation:
   
   1. Preserve a sample of the malware.
   2. Analyze the malware with any tools available.
      
      1. Gather file hash using PowerShell “Get-Filehash” cmdlet.
      2. Submit hash to community sources VirusTotal, Hybrid-Analysis, etc.
         1. If community sources have seen the hash, note the malware characteristics.
         2. Depending on results – initiation of the malware outbreak playbook may be required.
   3. Isolate infected systems, do not power them off unless absolutely necessary.
      
      1. Preserve the system(s) for further forensic investigation including log review, MFT analysis, deep malware scans, etc.
6. Block all associated IoCs in email system components.
   
   1. URLs, domains, message-ID, etc. in spam filters, email based antimalware, etc.
7. Block all associated IoCs in endpoint protection systems.
   
   1. File hashes, malware identified, etc.

Eradication

1. Preserve artifacts, systems, and relevant backups according to the sensitivity and scale of the incident. These may be important for future forensics.
   
   1. Retain copies of malicious emails and malware.
      
      1. Store in a safe location, password protected.
   2. If rebuilding or replacing physical systems, preserve physical hard disks, solid-state drives, or forensically sound images of those storage drives.
   3. If rebuilding or replacing virtual machines, preserve a copy, full (independent) snapshot, or a backup of the system.
2. Preserve any volatile data that may have been collected during the identification and containment phases.
   
   1. This may include log files, backups, malware samples, memory images, etc.
3. Once all relevant data, equipment, and/or systems have been preserved, replace, or rebuild systems accordingly.

Recovery

1. Remediate any vulnerabilities and gaps identified during the investigation.
2. Reset passwords for all impacted accounts and/or create replacement accounts and leave the impacted accounts disabled permanently.
   
   1. This may have been completed in a previous step but should be reviewed to ensure that all impacted accounts have been handled correctly.
3. Continue to monitor for malicious activity related to this incident for an extended period.
   
   1. Alerts should be configured to aid in quick detection and response.
      
      1. Examples: Anomalous behavior such as login activity from unusual locations.
4. If financial loss was incurred, consult cybersecurity insurance.

Lessons Learned

1. Conduct a meeting after the business email compromise incident to discuss the following:
   
   1. What things went well during the investigation?
   2. What things did not go well during the investigation?
   3. What vulnerabilities or gaps in the organization’s security status were identified?
      
      1. How will these be remediated?
2. What further steps or actions would have been helpful in preventing the incident?
3. Do modifications need to be made to any of the following:
   
   1. Application security
   2. Operating System and/or Application patching procedures
   3. Employee, IT, or CSIRT training
   4. Email filtering policies
   5. Multifactor Authentication
   6. Email retention policies
   7. Sensitive information policies and procedures related to email
4. Create and distribute an incident report to relevant parties.
   
   1. A primary, and more technical, report should be completed for the CSIRT.
   2. An executive summary should be completed and presented to the management team.