Attackers look for vulnerable practices or operational loopholes to find a entry into business. Once they have found a vulnerability, the attacker will alter part of the process to their benefit and often without detection from the business. Processes appear to be proceeding as normal, but the attackers are already gaining either funds or goods from the business.
Once the attacker has infiltrated a business, they move laterally from the point of compromise to gain a clear view of the structure of the business from internal reconnaissance and monitoring communications.
This intelligence allows them to grow familiar with the business’s processes and helps them pinpoint vulnerabilities that can be targeted. Armed with this knowledge, attackers can deploy tactics to change and manipulate processes that help them benefit financially and without detection from the business.
These types of attacks have become more frequent and are possible because many employees simply go through the motions of business’ processes. They trust policies that have always worked and expect them to continue working without any problems.
BPC Attack variants
BPC classified as shown below
Attacks that fall under this kind of BPC exploit security gaps in the organization’s cash flow system. Threat actors are then able to transfer money to supposedly legitimate channels.
This attack takes advantage of key business processes, such as the transportation of illegal goods and the transfer of malicious software, which translate to big financial gains for the attackers.
This includes those that aim to influence financial outcomes and important business decisions such as acquisitions. Attackers do this by introducing malicious variables into a key business system or process.
- Analyze information flow from different sensors to spot anomalies
- Find statistical deviations on similar industry practices and processes
- Harden business process security through operation security (OPSEC) wargaming
- Do regular quality assurance, quality control, and penetration testing
- Restrict scriptable actions
- Separate employee duties
- Require two people (from different teams or network setups) to perform critical actions
- Train employees to identify social engineering attacks