
Hello everyone, we're back with James and Sherwin and we're having the talk "Hacking the Process: Business Process Compromise". It's going to be both of them talking, so that will be fun, our first double speaker of the day. James and Sherwin will both be available afterwards in Discord, and Rodolfo is also available in Discord if we have any further questions regarding his talk. All right, I'm just going to hand it over to you guys. Thank you, best of luck. Thanks, thank you.

Okay, so "Hacking the Process: Business Process Compromise". This is finding and exploiting weaknesses in the business process. Who we are: we're the penetration testing team, existing system's a cyber security consulting firm based in Dallas. James and I provide penetration testing services to clients, mostly web applications, mobile applications and external penetration tests. So we'll go ahead and start.

So what are we protecting? As cyber security professionals it's important to really define our role. Our mission is typically to protect systems from compromise: software systems, hardware systems, data systems. That's usually our domain, and the CIS top 18 that you can see below delineates the different realms of our job a little more precisely.

And way over there at the end, at the very bottom, you can see where Sherwin and I lie, in penetration testing. However, something you may notice is missing from this top 18 is the topic of this presentation, being the protection of business processes. So in an organization there's a multitude of business processes. These are processes we've all been a part of: employee onboarding, going through the process of becoming an official employee of an organization, getting your name tag, your company laptop, signing a million NDAs. But there's of course other processes you may not have been a part of, things like procurement, being the process of obtaining items or services, or budgetary processes controlling where money goes in and out of an organization. Some processes may be a little more fleshed out than others, but regardless, there is a process.

Okay, so the majority of business processes today sit on technology services, services such as software-as-a-service solutions like QuickBooks, Kissflow, and for sales and project management Sello or CRM solutions. This brings what was previously financial crimes such as fraud and investment into the realm of cyber security. If the business process sits on technology, then exploiting the business process becomes a cyber security issue. Although the business process still lies in the financial or HR vertical, the operation of the business process would certainly be technology, and the EU Agency for Cybersecurity advises that cyber criminals are more likely to improve their tactics to compromise business processes.

So penetration testing and security engagements tend to focus on very specific applications, subnets and groups of assets, because companies are too big to do an all-encompassing pen test or red team exercise. We focus on smaller sections to help make compliance or SDLC reports. We don't examine the entire business process for vulnerabilities; we examine the technology that they lie on. This means that business processes need to be tested, because they're not built with principles such as zero trust, defense in depth or the principle of least privilege. So we can protect the technology that these business processes sit on and we can protect access to these technologies. We ensure that we report on vulnerabilities that the infrastructure has, such as CVEs, default passwords or server configurations, and we can find authentication vulnerabilities such as password reuse, lack of multi-factor authentication, or lack of complex passwords. But the remediation of all of this is server patching, cyber security awareness training, or server hardening. These things only work to a point, though, because there are always zero-days that we don't know about, and users will always be susceptible to phishing and password reuse, because cyber security awareness training is only so effective. That means we have to assess the business process, because there's always a risk of compromise. The compromise of these systems that integrate with the business process is also effective, since processes sometimes rely on external services which, although they can validate the process, could be a single point of failure that compromises the entire process.

So for a real-world incident that happened in the not so distant past regarding business process compromise, we have the Bangladesh Bank cyber heist, all the way back in 2016. A group of hackers used stolen SWIFT credentials, with SWIFT being the Society for Worldwide Interbank Financial Telecommunication. They just handle communications and transactions between big global banks, and they've been doing it since the 70s. Anyway, these hackers stole these credentials from employees of the Bangladesh Bank, and using these credentials they sent more than three dozen fraudulent money transfer requests to the Fed in New York. These money transfer requests were in the millions of dollars and were instructed to transfer it to bank accounts in the Philippines and Sri Lanka. Out of all 30 requests that they sent, only five were actually granted, totaling 81 million dollars, which successfully ended up making it to accounts in the Philippines. Normally, sorry, normally the process in place is that there's a 24/7 printer that will print a record of whatever SWIFT transactions occur, and then in the morning the bank employees will walk in with their coffee and confirm any transactions that happened overnight. However, the morning after the attack the printer tray was empty, and when the workers were trying to print them out manually an error prevented them from doing so. Eventually, after tinkering with it, they found that there was a system file that was corrupt or missing and they couldn't get it to work, and later it was found that this was the result of an attack by the hackers to avoid getting caught. So after about one more day of tinkering on it, the printer was eventually repaired, brought back online, and then started spewing out all the fraudulent transaction records. The bank employees, looking at this spewing out, started panicking and attempted to contact the Fed in New York, but this heist was purposely planned on a weekend and no responses were able to be given until Monday when everyone got back to work, and by this point it was already too late.

Okay, so let's think of a theoretical exercise where we can explore the full impact of a weakness in a business process. Let's assume we have a payroll-as-a-service company, or an HR-as-a-service company that does payroll, and this company has multiple clients across multiple provinces and countries. The initial attack vector here is inconsequential, but we can imagine it to be password spraying or an injection that creates a user account. If the attacker can exploit the onboarding process or the payroll process and create multiple fake employees across multiple companies, then the attacker could draw a salary every month for these fake employees. The question then becomes how much damage can the attacker do before being detected? If each fake employee is less than two thousand dollars a month, would the companies notice it? So these are typical payroll flow diagrams. In a typical payroll process, since none of these processes adhere to cyber security principles such as zero trust, if one account is compromised the entire process is compromised. If the ability to write to the server is compromised, then the entire process is once again compromised, and at the moment the only thing that's really monitored is the output, not each step within the payroll process. So while the consequences of a compromised business process might be bad, you could say the consequences could be much more dire depending on what the process is.

And so for the sake of theoretical exercise number two, we'll say the process is missile system procurement. Like the previous one, the initial attack vector is still inconsequential, because the real danger isn't necessarily the susceptibility to spear phishing or to weak passwords in a logistical system, although these are important. The real danger is that business processes regarding a logistical system that handles the delivery of missile systems can be compromised and altered if an attacker finds their way in. Something as mundane as the delivery date could be changed by a day, the location to somewhere else, or the driver and freight information to something controlled by the attacker. And while the kind of people ordering missiles will likely notice that their missiles weren't delivered, by that point it's too late and now the missiles are already in the hands of a threat actor. You know, the next slide.

Next one, sorry. So moving back to the real world, though, back in 2011 there was a spear phishing campaign targeted at the port authority dock workers at one of the largest ports in Europe, being the Antwerp port in Belgium. That port specifically has over four million shipping containers passing through every year. So anyway, in this incident the hackers responsible for that spear phishing campaign were able to gain access to the logistics database, which is used to identify and locate the shipping containers, and using this they were able to identify and locate their shipping containers, which contained drugs smuggled on board. Once the criminals knew the delivery and location details of the containers containing the drugs, they were able to send in their own truck to go pick up the container before the legitimate owner would even notice, and for two years bricks of cocaine were smuggled underneath crates of bananas. The compromise was really only discovered after entire containers disappeared from the port and nobody knew why.

Okay, so what's the allure of process hacking for the hacker? The majority of hacks that make the news are ransomware attacks. That's because the point of ransomware is for the victim to be aware of it so they can pay the ransom. But in hacking the process, the point is to become part of the process, which should make it more difficult to detect. If the attacker is undetected, then the payout could be bigger, because it retrieves money over a longer period of time. Since the attacker happens to be part of the process, the more successful a hacker is, the less chance they will be detected. So in the case of the payroll-as-a-service company, if a company has a payroll expense every month of five hundred thousand dollars, they wouldn't notice a delta of less than twenty thousand, because payroll figures change depending on tax, overtime, working hours and expenses. So to protect these business processes we need to apply cyber security concepts to the development of the process. Principles such as zero trust would mean that the process would need validation from an outside process. Having multiple accounts being responsible for different parts could mean that the process as a whole is still secure even if one account is compromised. And we have security standards and controls for things like Linux servers and Windows servers, but we should have them for business processes too.

So turning this back towards what Sherwin and I do: how far should we take penetration tests? Most pen tests are focused on the tech and not necessarily the process. Most focus on a web application or an internal network or a group of external IPs, and most are going to stop once the operator gets remote code execution or privescs to domain admin. And testing is usually about getting these privs, and that typically overshadows other findings such as compromising data integrity. Not to mention, in most pentests altering data is often out of scope. Another issue is that even if we were allowed to alter data, we test on the dev branch, and the processes may only be active in production environments, and thus the security posture of the process is rarely ever addressed, and if it is, it offers a very limited perspective.

Okay, so there's always an inherent risk in business, and there's also budgetary constraints. So if the compromised business process, or finding the compromised business process, costs more than the compromise itself, the company won't pay to find it. So in the payroll-as-a-service example, if the hacker could only steal two thousand dollars a month before being noticed, the company isn't going to spend fifty thousand dollars a year to find it. This means that the mitigation has to be bringing the business process into the realms of how we do cyber security day to day, because companies are forced to act on cyber security threats where there's a reputational or regulatory penalty. If a business process is compromised well enough, it won't be detected. This means that there is no regulatory or reputational damage. That being the case, in some circumstances there is an incentive for companies to find this. So ultimately there are consequences to a business process compromise that a lot of organizations fail to consider. While losing two grand a month due to process compromise is acceptable to a lot of large corporations, losing several million may not be, or if your process is missile systems, that may not be as well.

Okay, so in conclusion, we should consider the business process an asset and it should be treated as such within the CIS 18. The company should be searched for processes like we search for assets in the first two controls of the CIS 18. We should apply things like secure configuration, account management, access control management and awareness training, and of course, finally, penetration testing. Much like a web application, when we're doing penetration testing we should be given access to a user account and try and see how many weaknesses we can exploit in the process. And that's us done, thanks guys.
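The talk's payroll example argues that only the output of the process is monitored, so a handful of sub-$2,000 fake employees disappear into normal month-to-month variance. Below is an added example, not from the speakers or their company, of the step-level control they describe: each payee in a payroll run is validated against an independent HR onboarding record (validation from an outside process), and shared payout accounts are flagged. The HR records, payroll rows and employee IDs are constructed sample data.

```python
"""Step-level payroll validation: reconcile the payroll roster against an
independent HR onboarding record instead of only eyeballing the monthly total.
Constructed sample data, not from any real company."""
from collections import defaultdict

# Constructed HR onboarding records: only approved hires may be paid.
HR_APPROVED = {
    "E001": {"name": "Ana Ruiz", "approved_by": "hr-manager"},
    "E002": {"name": "Ben Okoro", "approved_by": "hr-manager"},
    "E003": {"name": "Chloe Lam", "approved_by": "hr-manager"},
}

# Constructed payroll run as written by the payroll application.
PAYROLL_RUN = [
    {"emp_id": "E001", "amount": 6200.00, "bank": "ACC-111"},
    {"emp_id": "E002", "amount": 5800.00, "bank": "ACC-222"},
    {"emp_id": "E003", "amount": 6400.00, "bank": "ACC-333"},
    # Fake employees injected straight into payroll, bypassing HR onboarding.
    {"emp_id": "E904", "amount": 1900.00, "bank": "ACC-999"},
    {"emp_id": "E905", "amount": 1850.00, "bank": "ACC-999"},
]


def validate_payroll(run, hr_records):
    """Return findings for a payroll run. Each payee must exist in the
    independent HR record (the outside-process check from the talk), and
    no bank account may be shared between distinct payees."""
    findings = []
    by_bank = defaultdict(list)
    for row in run:
        if row["emp_id"] not in hr_records:
            findings.append(("NO_HR_RECORD", row["emp_id"], row["amount"]))
        by_bank[row["bank"]].append(row["emp_id"])
    for bank, ids in by_bank.items():
        if len(ids) > 1:
            findings.append(("SHARED_BANK_ACCOUNT", bank, sorted(ids)))
    return findings


def unapproved_share(run, hr_records):
    """Fraction of the run paid to payees with no HR record: the delta that
    output-only monitoring of the monthly total would have to notice."""
    total = sum(r["amount"] for r in run)
    bad = sum(r["amount"] for r in run if r["emp_id"] not in hr_records)
    return round(bad / total, 4)


if __name__ == "__main__":
    for finding in validate_payroll(PAYROLL_RUN, HR_APPROVED):
        print(finding)
    print("unapproved share:", unapproved_share(PAYROLL_RUN, HR_APPROVED))
```

On the constructed data the two ghost payees are caught individually even though together they are under a fifth of the run, a delta that per-total monitoring would plausibly miss.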