NZ Incident Response Bulletin – July 2022

Our Views:

Over recent months, we have seen a marked change in the most usual form of successful cyber-attacks on New Zealand organisations. After fading away during 2021, Business Email Compromise is now back as the number one threat, surpassing Ransomware for the first time in over a year.

While you may have a number of effective cyber controls in place to protect your cloud-based email accounts, it is well accepted that accounts can still be compromised, e.g., by an attacker gaining access to a computer from which the cloud account is being used.

Poor or non-existent log processes allow attackers to control victim accounts for days or weeks without anyone in the target enterprise knowing.

Assuming a breach is therefore possible, you should consider what auditing is in place to assist in any post-incident investigation and so mitigate risk. Do not underestimate the importance of appropriate log collection, management and analysis. When logs can be effectively analysed, the tactics, techniques and procedures that an attacker has used can be discovered and responded to in a timely manner.

An effective log management system can provide insights into a suspected attack such as when and how it may have occurred, how long an attacker may have had access to your systems, what data was accessed, and if any data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for an extended period of time.

The Centre for Internet Security (CIS) defines Control 8 as Audit Log Management:

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Relevant Safeguards

We consider the following safeguards to be critical in your management of business email compromise risk. Refer to your email vendor's guidance for detailed instructions on how to implement these safeguards.

Establish and Maintain an Audit Log Management Process

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Collect Audit Logs

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

Ensure Adequate Audit Log Storage

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

Collect Detailed Audit Logs

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

Centralize Audit Logs

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

Retain Audit Logs

Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct Audit Log Reviews

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
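To make the "Collect Detailed Audit Logs", "Retain Audit Logs" and "Conduct Audit Log Reviews" safeguards concrete, the following is an added example (not part of the bulletin, and not any vendor's tooling) of a small weekly-review script over mailbox sign-in records. The CSV layout, the field names, the thresholds (24-hour and 6-hour windows, two failures) and every sample record are constructed assumptions; a real review would read the event source, timestamp, username and source address fields that your email platform actually exports.

```python
"""Added example, not part of the bulletin: a minimal audit-log review for
cloud mailbox sign-in records.  The CSV layout, field names, thresholds and
every sample record below are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class AuditEvent(NamedTuple):
    source: str         # event source (which system wrote the record)
    timestamp: datetime  # when the event happened (UTC)
    username: str
    src_addr: str       # source address of the sign-in attempt
    result: str         # "success" or "failure"


# Constructed sample records: source,timestamp(UTC),username,source address,result
SAMPLE_LOG = """\
mail-auth,2022-07-04T08:02:11Z,alice@example.org,203.0.113.10,success
mail-auth,2022-07-04T08:15:42Z,bob@example.org,203.0.113.10,success
mail-auth,2022-07-04T09:30:05Z,alice@example.org,198.51.100.77,success
mail-auth,2022-07-04T09:31:10Z,alice@example.org,198.51.100.77,success
mail-auth,2022-07-04T23:45:00Z,bob@example.org,192.0.2.200,failure
mail-auth,2022-07-05T02:10:00Z,bob@example.org,192.0.2.200,failure
mail-auth,2022-07-05T02:11:30Z,bob@example.org,192.0.2.200,success
"""

# Assumed "now" for the retention check, so the example is reproducible.
REVIEW_NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed CSV layout into AuditEvent records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, ts, user, addr, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(source, when, user, addr, result))
    return sorted(events, key=lambda e: e.timestamp)


def new_source_addresses(events, window=timedelta(hours=24)):
    """Flag a successful sign-in from an address the user has never used
    before, when a different address was used within `window`: a mailbox
    suddenly in use from a second location deserves a human look."""
    findings = []
    seen = defaultdict(list)  # username -> earlier successful events
    for e in events:
        if e.result != "success":
            continue
        earlier = seen[e.username]
        known = {p.src_addr for p in earlier}
        recent_other = any(p.src_addr != e.src_addr and e.timestamp - p.timestamp <= window
                           for p in earlier)
        if e.src_addr not in known and recent_other:
            findings.append((e.username, e.src_addr, e.timestamp))
        earlier.append(e)
    return findings


def failures_then_success(events, min_failures=2, window=timedelta(hours=6)):
    """Flag a success preceded by at least `min_failures` failures for the same
    user and source address within `window`: guessing that eventually worked."""
    findings = []
    for i, e in enumerate(events):
        if e.result != "success":
            continue
        fails = [p for p in events[:i]
                 if p.username == e.username and p.src_addr == e.src_addr
                 and p.result == "failure" and e.timestamp - p.timestamp <= window]
        if len(fails) >= min_failures:
            findings.append((e.username, e.src_addr, e.timestamp, len(fails)))
    return findings


def retention_shortfall_days(events, now, required_days=90):
    """Days of history still missing against the 90-day retention target,
    judged from the oldest record present (0 once the target is met)."""
    oldest = min(e.timestamp for e in events)
    return max(0, required_days - (now - oldest).days)


def review(text, now):
    """Run every check and return the findings keyed by rule name."""
    events = parse_log(text)
    return {
        "new_source_addresses": new_source_addresses(events),
        "failures_then_success": failures_then_success(events),
        "retention_shortfall_days": retention_shortfall_days(events, now),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG, REVIEW_NOW).items():
        print(rule, hits)
```

Run against the sample, the script flags both users for a new source address, flags bob's final sign-in as two failures followed by a success from the same address, and reports that the log covers only 27 of the required 90 days. The value of each rule depends entirely on the fields being present in the first place, which is why the detailed-logging safeguard comes before the review safeguard.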


This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.