NZ Incident Response Bulletin, May 2019

Our Views:

A selection of issues relevant to Forensic and Cyber Security matters during the last month. This month’s theme is “Managing Business Email Compromise Risk”.

Configure

Many New Zealand organisations are either planning a migration to, or have recently migrated to, a cloud-based email system. On deployment, the email system should be configured to protect against security risks. This guidance is targeted at small to medium-sized organisations on a Microsoft business plan. Further references will be published in future for other email vendors such as Google. Microsoft recommends that you complete the tasks listed below that apply to your service plan.

  • Set up multi-factor authentication
  • Train your users
  • Use dedicated admin accounts
  • Raise the level of protection against malware in mail
  • Protect against ransomware
  • Stop auto-forwarding for email
  • Use Office Message Encryption
  • Protect your email from phishing attacks
  • Protect against malicious attachments and files with ATP Safe Attachments

Review

Once you have finished configuring the security in your email environment, review how secure you are by checking your Office 365 Secure Score. This tool assigns a score based on your regular activities and security settings. While you may not necessarily obtain the maximum score, Secure Score helps you keep abreast of the changing threat landscape and keep your environment protected. See “Introducing the Office 365 Secure Score”.

Another important area to review is Audit Log settings. If you suffer a business email compromise, audit logs are a critical source of evidence during a forensic examination. For Microsoft environments, mailbox audit logging must be turned on for each user before activity will be recorded; see “Enable mailbox auditing”.

Respond

If you suspect that an email account has been compromised, act quickly, as a live cyber-attack may be underway. Common examples include compromised email accounts being used to send phishing attacks or spam. “Man in the Middle” fraud is another common type of email attack, where a fraudster uses the account to divert a payment into their own bank account.

Microsoft recommends the following response procedure.

  • Step 1: Reset the user’s password
  • Step 2: Remove suspicious email forwarding addresses
  • Step 3: Disable any suspicious inbox rules
  • Step 4: Unblock the user from sending mail
  • Step 5 (optional): Block the user account from signing in
  • Step 6 (optional): Remove the suspected compromised account from all administrative role groups
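The following is an added example, not from the Bulletin or from Microsoft’s documentation, showing how Steps 2, 3 and 5 of the procedure above (plus the mailbox-audit check from the Review section) can be carried out from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, an administrator session has already been opened with Connect-ExchangeOnline, and the mailbox address is a placeholder for the account under investigation.

```powershell
# Added example: containment of a suspected compromised Office 365 mailbox.
# Assumes an Exchange Online PowerShell session is already connected.
$Mailbox = 'compromised.user@example.co.nz'   # placeholder identity

# Step 2: remove any forwarding configured on the mailbox itself.
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "Forwarding found ($($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)); removing."
    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false
}

# Step 3: review inbox rules. Preserve a record of every rule as evidence
# first, then disable the ones that forward, redirect or silently delete mail,
# which are the kinds of rules typically planted after a compromise.
$rules = Get-InboxRule -Mailbox $Mailbox
$rules |
    Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\inboxrules-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($r in $suspicious) {
    Write-Host "Disabling inbox rule '$($r.Name)'"
    Disable-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false
}

# Step 5 (optional): block sign-in. Requires the AzureAD module and Connect-AzureAD.
# Set-AzureADUser -ObjectId $Mailbox -AccountEnabled $false

# Review: make sure mailbox auditing is on so the forensic examination has data.
if (-not (Get-Mailbox -Identity $Mailbox).AuditEnabled) {
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true
}
```

Keep the exported CSV with the investigation records: once a rule is disabled, the original state is no longer visible in the tenant.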

A forensic examination will rely heavily on mailbox audit data to determine the extent of any compromise. This data records which emails were accessed by the attacker, which enables you to inform affected parties that their information may have been breached.

For readers wishing to receive additional Forensic and Cyber Security information, the Premium Edition of the NZ Incident Response Bulletin is now available to clients who are subscribed to our Incident Response Retainer. The Premium Edition contains recent publications on Threat Alerts, Security Frameworks, Information Security Surveys, Forensic News and Research. Please contact us at support@incidentresponse.co.nz for further information or to request a one-off complimentary copy.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.