Defending Against Business Email Compromise (BEC) with CMMC and FedRAMP

Recent reports, like the FBI's 2023 IC3 Internet Crime Report, highlight the staggering impact of cybercrime: Business Email Compromise (BEC) alone accounted for adjusted losses of over $2.9 billion. BEC incidents can lead to substantial financial losses, with companies closing due to the magnitude of the damage inflicted, such as what occurred with the Tillage Commodities Fund's $6 million loss in 2016.

Considering these challenges, it is imperative to address the vulnerabilities that contribute to such losses. 

So, what can be done about these losses? Let’s focus on a few important areas:

  • Communication
  • Controls
  • Testing

Communication

We often hear that, as security professionals, we must communicate better with leadership to help them understand the underlying problems we face. What leadership asks of us is usually simple: “Tell me what you are trying to accomplish, how far you have progressed, and what limitations or additional resources you need to get the job done.”

To enhance understanding of BEC threats to the organization, we should put data in front of the decision makers so they can understand how prevalent this threat is, how it impacts the organization, and what they can do to help. Metrics are a great way to start the dialog with business leaders. Take the data from those in key tactical and operational roles and turn it into a meaningful artifact that board members or executives can quickly digest to better prioritize security strategy and spending.

Ask those in technical or operational roles for report data covering a specific period, such as the number of messages received by mail filtering systems broken down by acceptance, quarantine, or rejection and by the reason for each verdict, and analyze it for insights and indicators of suspicious activity. 

From an incident response perspective, determine the number of incidents involving potential BEC. How much time or money was spent in handling these attempts? What kind of trends do you see in the data? Are certain people or roles being targeted more than others?
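The following is an added example, not part of the original article, showing how the gateway and incident data just described can be turned into the kind of metrics a board can digest. The log format, the role map, the hourly cost figure and every record in it are constructed for illustration; a real export from your gateway and ticketing system will need its own parser.

```python
"""Turn raw mail-gateway and incident records into BEC metrics leadership can digest.

Added example, not from the original article. The log format, the role map,
the hourly cost and every record below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed gateway export: timestamp, recipient, disposition, reason.
GATEWAY_LOG = """\
2024-03-01T08:02:11Z cfo@example.com REJECT dmarc-fail
2024-03-01T08:05:40Z ap-clerk@example.com QUARANTINE lookalike-domain
2024-03-01T09:11:02Z ap-clerk@example.com ACCEPT none
2024-03-01T09:30:55Z cfo@example.com QUARANTINE dmarc-fail
2024-03-01T10:12:09Z engineer1@example.com ACCEPT none
2024-03-01T10:14:23Z engineer1@example.com ACCEPT none
2024-03-01T11:47:31Z controller@example.com REJECT spf-fail
2024-03-01T12:03:18Z cfo@example.com REJECT dmarc-fail
"""

# Constructed incident tickets: (ticket, targeted mailbox, analyst hours, outcome).
INCIDENTS = [
    ("INC-101", "ap-clerk@example.com", 3.5, "blocked at gateway"),
    ("INC-102", "cfo@example.com", 6.0, "reported by user"),
    ("INC-103", "controller@example.com", 12.0, "wire recalled"),
]

# Role map from HR or the directory; lets us report by role rather than by name.
ROLE_OF = {
    "cfo@example.com": "Finance",
    "controller@example.com": "Finance",
    "ap-clerk@example.com": "Finance",
    "engineer1@example.com": "Engineering",
}


def parse_gateway_log(text):
    """Parse the constructed four-field gateway export into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rcpt, disposition, reason = line.split()
        records.append({"ts": ts, "rcpt": rcpt.lower(), "disposition": disposition, "reason": reason})
    return records


def gateway_metrics(records, role_of=ROLE_OF):
    """Acceptance/rejection breakdown plus who the flagged mail was aimed at."""
    total = len(records)
    by_disposition = Counter(r["disposition"] for r in records)
    # Only flagged mail tells us about targeting; accepted mail is mostly legitimate.
    flagged = [r for r in records if r["disposition"] != "ACCEPT"]
    return {
        "total": total,
        "by_disposition": dict(by_disposition),
        "flagged_rate": len(flagged) / total if total else 0.0,
        "flagged_by_reason": dict(Counter(r["reason"] for r in flagged)),
        "flagged_by_role": dict(Counter(role_of.get(r["rcpt"], "Unknown") for r in flagged)),
        "top_targets": Counter(r["rcpt"] for r in flagged).most_common(3),
    }


def incident_metrics(incidents, role_of=ROLE_OF, hourly_cost=150.0):
    """Count of BEC incidents, analyst time, and a rough cost figure for the board."""
    hours = sum(i[2] for i in incidents)
    by_role = defaultdict(int)
    for _, target, _, _ in incidents:
        by_role[role_of.get(target, "Unknown")] += 1
    return {
        "count": len(incidents),
        "hours": hours,
        "estimated_cost": hours * hourly_cost,  # hourly_cost is an assumed loaded rate
        "by_role": dict(by_role),
    }


if __name__ == "__main__":
    gw = gateway_metrics(parse_gateway_log(GATEWAY_LOG))
    ir = incident_metrics(INCIDENTS)
    print(f"Messages: {gw['total']}, flagged rate {gw['flagged_rate']:.0%}, by disposition {gw['by_disposition']}")
    print(f"Flagged mail by role: {gw['flagged_by_role']}; top targets: {gw['top_targets']}")
    print(f"BEC incidents: {ir['count']}, {ir['hours']} analyst hours (~${ir['estimated_cost']:,.0f}), by role {ir['by_role']}")
```

Reporting by role rather than by individual is what makes the artifact useful to executives: in the constructed data every flagged message and every incident lands on Finance, which is the argument for role-based training and secondary verification in that department rather than for a generic awareness campaign.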

What these metrics may show is that there is still more that can be done technically or administratively to combat BEC, that the security department needs additional resources, or the organization must give their messaging systems some extra attention.

Let us dive into some specific controls examples to show their value in combating BEC.

Controls

Administrative

Employee Security Awareness Training

  • Employees should understand that they are a target.
  • Employees should be able to recognize and understand the common elements of a BEC scheme.
  • Employees should also learn what incidents to report, and how to report them.

Governance

  • Policies should tell employees what leadership expects and outline consequences for failing to adhere to them. They should also remove uncertainty about when an incident is escalated and when law enforcement is involved.
  • Employees should understand what information they work with daily, how to treat it, and its value to the organization.
  • Employees should understand the proper methods for transmitting financial information. E-mail may not be an acceptable medium.
  • Organizations should strongly consider requiring secondary verification of monetary transfers.

Departmental Procedures

  • Employees in the Finance department should have procedures telling them how to verify the validity of a transfer request and of any request to update account information, for example by calling the requester back on a number already on file rather than one supplied in the message. These procedures should also address acceptable methods for transferring financial data.
  • Procedures should give employees the level of detail sufficient to address policy concerns.

Role-based Training

  • Members of Finance and IT should understand how financial information is handled and accounted for in the systems they use.
  • Members of IT should understand how systems should be configured to support secure transmission and storage of sensitive data.
  • Members of the organization’s incident response team should be prepared to respond to BEC and have procedures for reporting suspected compromise or misuse of systems.
  • Responders should know when to seek assistance from law enforcement.
  • Organizations should have a plan to revert transactions, including who contacts the bank to request a recall and how the incident is reported to the FBI's IC3, since the window for recalling a wire transfer is short. 

Technical

In my experience the most effective technical control that can help minimize BEC is the use of multifactor authentication. It mitigates the risk from credential theft, which is how attackers obtain the mailbox access they use to study invoices and conversations, lend legitimacy to their requests, and perpetuate the scheme. Prefer phishing-resistant methods such as FIDO2/WebAuthn where possible, since one-time codes and push approvals can be relayed by adversary-in-the-middle phishing kits.

To authenticate your own messages, adopt the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) standards. Know which entities send mail on your behalf, list only those in SPF, have them sign with DKIM, and use DMARC to tell receivers to refuse everything else. Roll the DMARC policy out in stages: start with p=none and review the aggregate (rua) reports to find legitimate senders you missed, move to p=quarantine so that messages failing DMARC (no aligned SPF or DKIM pass) are held, and finish at p=reject so they are refused outright. A common rebuttal is that criminals are among the adopters of these standards, and that is true: an attacker can publish valid SPF and DKIM for a lookalike domain and pass every check. Passing authentication only proves that a message really came from the domain in its From header, not that the domain is trustworthy, so these controls stop spoofing of your exact domain and should be paired with the allowlist and lookalike checks discussed below. I would still strongly recommend implementing them as part of a layered defense. 

Further, review the configuration and features of your mail filter appliances and gateways. Here are some specific configuration items and features to inspect closely and to consider adopting.

SPF, DMARC, and DomainKeys Identified Mail (DKIM) Policies (Receiver Verification)

This feature determines how inbound messages that pass or fail authentication checks are treated: whether SPF and DKIM are evaluated, whether the sender's published DMARC policy is honored, and what happens to messages that fail. In the case of DKIM, the sending organization signs its messages with a private key and publishes the matching public key in DNS, so the recipient can verify that the message was sent by that domain and was not altered in transit. 
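The following is an added example, not code from the original article, showing the receiver-side decision described here and the staged quarantine-then-reject rollout described under Technical controls above. It takes the SPF and DKIM verdicts as inputs (the gateway has already computed them), checks DMARC identifier alignment, and returns the disposition the sender's policy asks for. The DNS records, domains and results are constructed, and the organizational-domain logic is simplified.

```python
"""Receiver-side DMARC evaluation: alignment check and policy disposition.

Added example, not from the original article. Record syntax follows RFC 7489;
the domains, records and authentication results below are constructed, and
SPF/DKIM verification is assumed to have been done upstream by the gateway.
"""

# Constructed DNS answers standing in for live TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    # Fully rolled out: strict DKIM alignment, relaxed SPF alignment, subdomains rejected too.
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    # A domain still in the staged rollout: failures are quarantined, not rejected.
    "_dmarc.newco.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@newco.example",
    # A lookalike registered by an attacker, with its own perfectly valid record.
    "_dmarc.examp1e.com": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; aspf=r' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified: last two labels. Production code uses the Public Suffix List
    # so that names such as 'example.co.uk' are handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, txt=DNS_TXT):
    """Return (disposition, reason) for one message.

    from_domain: domain of the RFC5322.From header (what the user sees)
    spf_result/spf_domain: SPF verdict and the RFC5321.MailFrom domain it was checked for
    dkim_result/dkim_domain: DKIM verdict and the d= domain of the signature
    """
    from_domain = from_domain.lower()
    record = txt.get("_dmarc." + from_domain)
    policy_tag = "p"
    if record is None:
        # No record at the exact domain: fall back to the org domain, where sp= governs subdomains.
        record = txt.get("_dmarc." + org_domain(from_domain))
        policy_tag = "sp"
    if record is None:
        return "none", "no DMARC record published"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none", "DMARC pass"
    # pct= sampling is ignored here; it only matters during rollout.
    policy = tags.get(policy_tag) or tags.get("p", "none")
    return policy, "DMARC fail"


if __name__ == "__main__":
    cases = [
        ("legitimate, relaxed SPF alignment", ("example.com", "pass", "bounce.example.com", "none", "")),
        ("spoofed exact domain", ("example.com", "fail", "example.com", "none", "")),
        ("spoofed subdomain, sp= applies", ("mail.example.com", "fail", "mail.example.com", "none", "")),
        ("staged rollout domain", ("newco.example", "fail", "newco.example", "fail", "newco.example")),
        ("attacker lookalike with valid SPF", ("examp1e.com", "pass", "examp1e.com", "none", "")),
    ]
    for label, args in cases:
        print(f"{label:36} -> {dmarc_disposition(*args)}")
```

The last case is the caveat from the Technical section in code: examp1e.com passes DMARC because the attacker published a correct record for the domain they own, so DMARC on its own never flags the lookalike. The subdomain case shows why sp=reject matters; without it, mail from a never-used subdomain of your domain would be judged only by the p= tag.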

URL filtering

This feature inspects URLs in messages and may block or otherwise alter messages if the email message contains malicious links.

Delivery Allowlists and blocklists

This feature validates senders against an approved senders list, such as the domains and named contacts of approved vendors. On many gateways, allowlisted mail bypasses other filtering, so a broad entry for a whole vendor domain makes a compromised or lookalike vendor account more dangerous, not less; keep entries narrow and still verify payment changes out of band.

Blocklists are created for those senders who have violated company email policies or have been observed sending malicious mail.
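The following is an added example, not code from the original article, of the allowlist check described above extended with the lookalike detection that the authentication caveat calls for: a sender is only "allowed" if both its domain and its mailbox are on the vendor list, and an unknown domain within a small edit distance of an approved one, or one that matches after folding common homoglyphs, is flagged as a lookalike. The vendor list, contacts, sample addresses and the distance threshold are constructed.

```python
"""Sender allowlisting with lookalike-domain detection for inbound mail.

Added example, not from the original article. The vendor list, contacts,
sample addresses and the distance threshold are constructed for illustration.
"""

# Approved vendor domains and the specific contacts we expect invoices from.
APPROVED_VENDORS = {
    "acme-supply.example": {"billing@acme-supply.example", "jane.doe@acme-supply.example"},
    "widgetco.example": {"ar@widgetco.example"},
}

# Characters attackers swap for visually similar ones when registering lookalikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold common homoglyph substitutions so 'acrne-supp1y' compares equal to 'acme-supply'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; a small value against an approved domain signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, vendors=APPROVED_VENDORS, max_distance=2):
    """Return one of: allowed, allowed-domain-unknown-contact, lookalike:<approved>, unknown."""
    address = address.strip().lower()
    domain = address.rsplit("@", 1)[-1]
    if domain in vendors:
        # Right domain, but an unexpected mailbox still deserves a callback before paying.
        return "allowed" if address in vendors[domain] else "allowed-domain-unknown-contact"
    for approved in vendors:
        if normalize(domain) == normalize(approved) or levenshtein(domain, approved) <= max_distance:
            return "lookalike:" + approved
    return "unknown"


if __name__ == "__main__":
    samples = [
        "billing@acme-supply.example",   # on the list
        "bob@acme-supply.example",       # right domain, unknown mailbox
        "billing@acme-supp1y.example",   # digit 1 for letter l
        "billing@acrne-supply.example",  # 'rn' for 'm'
        "ar@wigdetco.example",           # transposed letters
        "ceo@freemail.example",          # nothing to do with a vendor
    ]
    for addr in samples:
        print(f"{addr:32} -> {classify_sender(addr)}")
```

A fixed edit distance catches transpositions and single-character swaps but misses lookalikes that add a word (a hypothetical widgetco-inc.example would score well beyond the threshold), so the homoglyph fold and the distance check complement each other rather than replace a human callback for any address that is not plainly "allowed".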

Logging of Outbound Domain Name System (DNS) requests

Outbound DNS requests from internal systems can reveal lookups of attacker-controlled domains, such as a lookalike domain linked from a BEC message, and give responders an early indicator of attempted abuse of your infrastructure.

Threat intelligence feeds

Threat intelligence feeds provide indicators of malicious activity to systems that support them and are used to analyze message data such as headers, attachments, and message body.

Sandbox

This feature allows for testing attachments for malware and malicious links in a controlled environment.

End User Testing

Performing social engineering testing with the help of a reputable vendor is a great way to determine if administrative and technical controls are working appropriately. 

Alternatively, there are paid solutions an organization can purchase such as those offered by Huntress, KnowBe4, Proofpoint and others that can be used to test employee security awareness. 

In the open-source community, Gophish is a popular choice for testing security awareness. 

Consider objectives, desired complexity of scenarios, time, resources, platform limitations, licensing, and maintenance costs when evaluating testing approaches.

BEC in CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to enhance the cybersecurity posture of organizations within the defense industrial base (DIB). BEC poses a significant threat to defense information, making it essential for organizations seeking CMMC compliance to address BEC risks adequately.

CMMC requires organizations to implement controls across three proposed levels to advance security practices. BEC prevention measures, such as use of multi-factor authentication, employee security awareness training, secure communication protocols, and incident response procedures, align with CMMC’s emphasis on risk management and continuous improvement. By incorporating BEC-specific controls into their cybersecurity programs, organizations can better protect sensitive defense data and achieve compliance with CMMC requirements.

BEC in FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud products and services. As federal agencies increasingly rely on cloud-based solutions for their operations, the risk of BEC attacks against CSPs becomes more pronounced. 

FedRAMP emphasizes the importance of implementing robust security controls to safeguard federal data and systems from cyber threats, including BEC. Cloud service providers (CSPs) seeking FedRAMP authorization must demonstrate adherence to the NIST SP 800-53 controls in their baseline, several of which bear directly on BEC: IA-2 covers identification and authentication of organizational users, including multi-factor authentication, and SC-7 covers boundary protection, where mail gateways and filtering sit. Email authentication with SPF, DKIM and DMARC is the matching benchmark practice (CIS Controls v8, safeguard 9.5, “Implement DMARC”), and the program's regular assessments and continuous monitoring are how it checks that these controls stay effective. DMARC is already mandated elsewhere in government: CISA's Binding Operational Directive 18-01 requires federal civilian executive branch agencies to publish SPF and a DMARC policy of p=reject for their domains. 

Conclusion

Business Email Compromise (BEC) poses a significant threat to organizations across various sectors, including regulated industries subject to cybersecurity frameworks like CMMC and FedRAMP. By integrating BEC prevention measures into their cybersecurity programs, organizations can enhance their resilience against this pervasive threat and ensure compliance with regulatory requirements. As cyber threats continue to evolve, it’s essential for organizations to remain vigilant and proactive in mitigating BEC risks to protect critical assets and maintain the trust of their stakeholders.

Business Email Compromise (BEC) attacks are a serious threat, not just to your data, but to your compliance with regulations like CMMC and FedRAMP. Contact Coalfire Federal to learn more about how we can help you strengthen your BEC defenses and tailor your cybersecurity program to meet CMMC and FedRAMP requirements.