(Email Compromise)
Panelists
- Luke Emrich, EnCE, CEH, GCFA, Director - Security, Privacy, and Risk Services
- Michael Waters, Esq., CIPP/US, Shareholder
- Lauren Winchester, Esq., CIPP/US, Breach Response Services

Overview
- How and why email compromises occur
- Best practices for responding to email compromises
- Response costs
- How to prevent email compromises
Email compromises on the rise across industries
(Data from BBR Services)
How and why email compromises occur
Sample phishing message received by jdoe@companyx.com:

From: jsmith@ABC.com
To: jdoe@companyx.com
Sent: September 10, 9:30 a.m.
Subject: Secure Message

This is a secured message for you and its confidential with password protection you have access to it with your working email.

Jane Smith
Director of Finance
ABC Company
123 Washington St., Chicago, Illinois 60601
(312) 555-1234

Motivation for threat actors - $$
Four common ways to leverage an inbox:
- Reconnaissance / targeted spam
- Wire transfers
- Payroll redirect
- Sensitive information in the inbox
Best practices for responding to email compromises
- Do we know the nature/type of the incident?
- Do we know the incident timeline?
- Identify the population of affected accounts
- Were phishing/spam messages sent internally? – purge them!
- Pull message trace logs for affected accounts
- Change passwords for affected accounts
- Check affected accounts for unauthorized rules (forwarding/move)

Best practices for responding to email compromises (continued)
- Do compromised credentials provide access to additional systems?
- Change passwords on potentially affected systems
- Review logs for unauthorized access
- Review Unified Audit logs for evidence of unauthorized access to affected accounts, including cloud apps like OneDrive and SharePoint
- Review Admin Audit logs for evidence of privilege escalation
- Block any malicious email addresses or domains
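The two response steps above that most often surface the attacker's footprint are checking affected accounts for unauthorized rules and reviewing the Unified Audit log. The following Python script is an added example, not material from the panel or from Microsoft: it triages exported Unified Audit Log records (the AuditData JSON that Search-UnifiedAuditLog returns) and flags mail-diverting inbox rules, mailbox-level forwarding, and successful sign-ins from addresses outside the organisation's known ranges. The sample records, the domain companyx.com, the 10.0.0.0/8 "known" network and the attacker.example address are all constructed for the example, and the field names are assumed to follow the Office 365 Management Activity schema.

```python
"""Triage exported Microsoft 365 Unified Audit Log records for signs of a
compromised mailbox.  Constructed example; not code from the panel deck."""
import ipaddress
import json

# Assumption: the victim organisation's mail domains and trusted egress ranges.
INTERNAL_DOMAINS = {"companyx.com"}
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Inbox-rule parameters that divert or hide mail.  A rule that forwards
# invoices externally and deletes the original is the classic set-up for
# wire fraud: the victim never sees the thread the attacker is replying to.
DIVERSION_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                    "DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed AuditData payloads in the shape Search-UnifiedAuditLog emits
# (assumption: field names follow the Office 365 Management Activity schema).
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2019-09-10T13:32:07", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "jdoe@companyx.com",
                "ClientIP": "198.51.100.23", "ResultStatus": "Success"}),
    json.dumps({"CreationTime": "2019-09-10T13:35:41", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "jdoe@companyx.com",
                "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "billing@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-09-10T14:02:19", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "jdoe@companyx.com",
                "ClientIP": "10.20.30.40", "ResultStatus": "Success"}),
    json.dumps({"CreationTime": "2019-09-10T14:10:03", "Operation": "Set-Mailbox",
                "Workload": "Exchange", "UserId": "jdoe@companyx.com",
                "ObjectId": "jdoe@companyx.com", "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Identity", "Value": "jdoe@companyx.com"},
                               {"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:billing@attacker.example"}]}),
    json.dumps({"CreationTime": "2019-09-11T09:00:00", "Operation": "Set-Mailbox",
                "Workload": "Exchange", "UserId": "admin@companyx.com",
                "ObjectId": "jdoe@companyx.com", "ClientIP": "10.20.30.41",
                "Parameters": [{"Name": "Identity", "Value": "jdoe@companyx.com"},
                               {"Name": "AuditEnabled", "Value": "True"}]}),
]


def _domain_is_external(value):
    """True when an address-like parameter value points outside the organisation."""
    addr = value.strip('"[] ').split(":")[-1]          # drop quoting and an "smtp:" prefix
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def _ip_is_known(ip):
    """True when the client IP falls inside one of the trusted ranges."""
    try:
        host = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(host in net for net in KNOWN_NETWORKS)


def review_record(raw, findings):
    """Inspect one AuditData JSON string and append any findings."""
    rec = json.loads(raw)
    op = rec.get("Operation")
    base = {"user": rec.get("UserId"), "mailbox": rec.get("ObjectId", rec.get("UserId")),
            "time": rec.get("CreationTime"), "ip": rec.get("ClientIP")}
    params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}

    if (op == "UserLoggedIn" and rec.get("ResultStatus") == "Success"
            and not _ip_is_known(rec.get("ClientIP", ""))):
        findings.append({**base, "kind": "login_from_unknown_ip"})

    if op in ("New-InboxRule", "Set-InboxRule"):
        hits = sorted(DIVERSION_PARAMS.intersection(params))
        if hits:
            findings.append({**base, "kind": "diverting_inbox_rule",
                             "rule": params.get("Name", params.get("Identity", "?")),
                             "actions": hits,
                             "external": any(_domain_is_external(params[h]) for h in hits)})

    if op == "Set-Mailbox":
        for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if params.get(key):
                findings.append({**base, "kind": "mailbox_forwarding", "target": params[key],
                                 "external": _domain_is_external(params[key])})


def review_audit_log(records):
    """Return the list of findings for a sequence of AuditData JSON strings."""
    findings = []
    for raw in records:
        review_record(raw, findings)
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_RECORDS):
        print(f)
```

Internal move or mark-as-read rules are reported too (with external set to False) because attackers commonly hide replies in an unused folder; the analyst confirms each one with the mailbox owner before removing it. Mailbox-level forwarding set through Set-Mailbox does not appear in Get-InboxRule output, which is why the script checks both.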
Potential legal implications
- Unauthorized access to information
  - Statutory data breach notification obligations to individuals, regulators and business partners
  - This may include notification to investors, key customers and unfriendly parties (e.g., litigation adversaries)
  - Contractual obligations to third parties
- Wire fraud
  - Recent lawsuits in which companies were sued over wire and other fraud perpetrated from a compromised account
  - If someone suffers a monetary loss because your account was compromised, you may be sued

Response costs
- Legal fees
- Potential regulatory fines and penalties
- Forensics
- Programmatic and manual review of inboxes
- Third-party demands and/or lawsuits
- Lost funds from fraudulent wire transfers
- Notification and call center
- Credit monitoring
- Lost payroll funds

How to prevent email compromises
Harden your email environment (some suggestions below are specific to O365):
- Require multi-factor authentication for all users
- Limit or disable remote access (OWA)
- Review Microsoft's Secure Score and make the suggested changes
- Disable or manage message forwarding
- Turn on Unified Audit logging and mailbox auditing
- Enable Advanced Threat Protection
- Enable Safe Links and Safe Attachments
- Security awareness training / social engineering testing
Questions?