
ITCY603 Cyber Security Management Case Study Sample
Objective
You are required to work in groups on a case study that focuses on a comprehensive analysis of a specific incident. Each group will prepare a detailed report of their analysis.
Case Study Background
Samuel is the Incident Response Manager responsible for providing incident response services for ABC Bank in Japan. On Tuesday 11th April 2023, Samuel gets a call from the IT help desk regarding emails sent by Mikeala (Customer Success Manager) to several users across the organization. The emails contained links to SharePoint documents and, upon clicking the links, the users were prompted to enter the credentials for their corporate email ID. Upon investigation, it is confirmed that Mikeala’s email has been hacked and used to send suspicious emails to users. Initial analysis shows the following:
a. Mikeala’s email has been used to send emails to 243 internal employees and 592 customers of ABC Bank.
b. Mikeala appears to have received a suspicious email on 10th March 2023, clicked on the links provided in the email and most probably shared her credentials.
c. Multi-Factor Authentication has been enabled for 77% of the organization, but not for Mikeala.
d. A sample of the suspicious email sent by the attacker is shown below:
e. The suspicious URL used by the attacker to harvest user credentials is no longer active, but the link has been captured successfully by the SOC team: https://adexgroupfr-my.sharepoint.com/:u:/g/personal/e_criblier_alloffice_fr/EZet3QfB3alBl_qA8dwWaY4BqaZVGf6NWA8SXWK1vwbYsw?e=4%3arVnNzi&fromShare=true&at=9
f. The SOC team also discovers that there were some alerts from the security tools when Mikeala’s account was first compromised by the attacker. By 15th April 2023, ABC Bank receives the following additional information:
• The CEO of the company receives a ransom note stating ‘if the bank does not pay 8 Bitcoins, the attacker will publish the sensitive data exfiltrated from Mikeala’s account’.
• Some customers of ABC Bank reportedly sent money to fraudulent accounts upon receiving an email notification from Mikeala on 30th March requesting that money be transferred to a new bank account belonging to the attacker.
Bank ABC has a series of decisions to make and actions to take, including notification to the regulators. The bank operates in Japan, South Korea and parts of China. Samuel reaches out to your firm for expert incident response support. Provide an in-depth analysis of the incidents covering the following:
• What are the steps taken to respond to the Incident?
• What are key considerations for ABC Bank in response to this incident from the following perspective:
o Legal and regulatory
o Data Privacy
o Customer security
o Brand and reputation
o Preventative controls
o Detection controls
o Data monitoring?
• What areas would you like to investigate for a comprehensive incident response?
• How will you extract the Indicators of Compromise and Indicators of Attacks?
Prepare a report with all possible findings and recommendations related to this incident.
Students who are able to successfully cite and map the techniques used by the attacker in the incident to the MITRE ATT&CK framework will be awarded bonus marks.
Report Requirements:
• Compile all findings and recommendations into a cohesive report.
• Cite any references used
Solution
1. Incident Overview
1.1. Incident Description
On March 10, 2023, an email phishing attack targeted an employee of Standard Chartered Bank, resulting in a security breach that exposed sensitive customer and employee information. Mikeala, a Customer Success Manager, clicked on a phishing email disguised as a legitimate SharePoint document request. The email prompted her to enter her corporate email credentials, which were then compromised. The attacker used Mikeala's credentials to send fraudulent emails to other employees and customers, requesting them to click on phishing links. Over 243 internal employees and 592 customers were affected by this breach. The bank’s Security Operations Center (SOC) initiated an investigation after the IT helpdesk received reports of suspicious emails. By April 15, 2023, the attacker had left a ransom note demanding 8 Bitcoins, threatening to release sensitive data if the ransom wasn’t paid.
1.2. Incident Timeline
• March 10, 2023: Mikeala clicked on a phishing email and unknowingly compromised her credentials.
• April 11, 2023: The IT helpdesk received reports of phishing emails.
• April 11, 2023: The SOC disabled Mikeala’s account and began investigating the phishing emails.
• April 15, 2023: A ransom note demanding 8 Bitcoins was received by the CEO.
• Ongoing: Investigations into the extent of the breach and coordination with legal teams commenced.
2. Root Cause Analysis & Contributing Factors
2.1. Identification of Immediate Causes
The phishing attack on Mikeala's account was the direct cause of the breach. The email bypassed standard security measures due to insufficient Multi-Factor Authentication (MFA) coverage at the bank (Geetha et al. 2020).
https://adexgroupfr-my.sharepoint.com/:u:/g/personal/e_criblier_alloffice_fr/EZet3QfB3alBl_qA8dwWaY4BqaZVGf6NWA8SXWK1vwbYsw?e=4%3arVnNzi&fromShare=true&at=9
Only 77% of the bank’s employees had MFA enabled, leaving Mikeala’s account exposed to credential theft.
2.2. Underlying Causes Analysis Using Tools Like Fishbone Diagram or 5 Whys
• Why did Mikeala’s credentials get compromised? She clicked on a phishing link.
• Why was the phishing email successful? The email appeared legitimate and bypassed basic email filters.
• Why was there no additional layer of protection? Mikeala’s account lacked MFA.
• Why was MFA not enforced? The bank had not mandated MFA for all employees, leaving gaps in security policies.
• Why did the attacker have time to maintain access? The bank’s SOC was slow to escalate alerts, allowing the attacker to maintain persistence in Mikeala's account for days.
2.3. Factors Contributing to the Incident
• Human: Lack of employee awareness and training on phishing attacks contributed to the breach. Mikeala was unaware of the risk posed by the phishing email (Wong et al. 2022).
• Environmental: The widespread use of cloud-based services such as SharePoint allowed the attacker to craft a convincing phishing email.
• Organizational: Insufficient enforcement of security policies, particularly MFA, created vulnerabilities that allowed the attacker to exploit the system (Mishra et al. 2022).
3. Incident Response Process
3.1. Steps Taken to Respond to the Incident
The IT helpdesk and SOC at Standard Chartered Bank quickly identified the phishing emails and disabled Mikeala’s account to prevent further compromise. The SOC team began analyzing the breach and notified the legal and regulatory teams to ensure compliance with data protection laws across the regions in which the bank operates (Moustafa, Bello & Maurushat, 2021).
3.2. Immediate Actions for Containment and Response
The SOC disabled Mikeala's account, preventing the attacker from continuing to send phishing emails. An internal alert was issued, advising all employees and customers to avoid engaging with suspicious emails. The phishing URL used by the attacker was also deactivated, although it served as vital forensic evidence for the investigation (Nikkel, 2020).
3.3. Actions Taken to Contain and Respond to the Incident
Along with disabling the compromised account and blocking access to the phishing URL, the SOC led a further forensic investigation into the extent of the damage. The bank's attorneys and compliance teams were informed so that the breach could be reported to all necessary parties.
3.4. Incident Response Team Activation and Responsibilities
The SOC led the technical investigation, with oversight from the legal and regulatory teams to make sure the response was in line with data protection laws, including those applicable in Japan, South Korea and China. The PR and customer service teams were also mobilized to communicate with customers (Shaikh & Siponen, 2023).
4. Key Considerations for Standard Chartered Bank
4.1. Legal and Regulatory Compliance
The bank, a subsidiary of Standard Chartered Bank headquartered in London, does business abroad, including in Japan and South Korea, where local data protection regulations mandate timely breach notification (sc, 2024). In Japan, the Act on the Protection of Personal Information (APPI) requires companies to notify regulators and impacted individuals following a data breach. Failure to comply may result in high tariffs and fines.
4.2. Data Privacy Protection
The bank has to ensure that customer data is protected and that all customers whose information was compromised are informed (Wang, Nnaji & Jung, 2020). Customers were urged to update their passwords and monitor their accounts for fraud. In addition, the bank is reviewing how customer data is stored and transmitted, with encryption used to protect sensitive information more securely.
4.3. Security measures for Customers
In response, Standard Chartered Bank offered customers whose data was accessed identity protection services such as credit monitoring (sc, 2024). The bank also reinforced its communication protocols, adding cross-check points to stop impersonation attacks of this kind. It also trained customers to recognize phishing and protect themselves from social engineering.
4.4. Brand and Reputation Management
The breach put the bank's reputation at risk (Varga, Brynielsson & Franke, 2021). The breach was announced by the bank through a media campaign and described in official statements released to detail the response of BPCE. There was no public response to any complaints. In this context, it is significant that the customer service team had been trained on how to deal with inquiries about Y2K, and media outreach helped ensure accurate reporting and dispelled rumors.
4.5. Preventative Controls Assessment
According to the bank, the lack of MFA enforcement was its weakest security link in this case. As a result, it is essential to immediately start enforcing MFA for all employees, especially those who deal with sensitive data. The bank also performed phishing simulations and trained all staff to raise awareness of potential future threats (Desolda et al. 2021).
4.6. Detection Controls Evaluation
The phishing campaign was discovered, but the response was delayed. The SOC reviewed its Security Information and Event Management (SIEM) tooling to reduce real-time detection and response times (Javaheri et al. 2023). It also recommended using User Behavior Analytics (UBA) to detect abnormal patterns such as large numbers of emails sent from a single account.
4.7. Data Monitoring Strategies
To detect data loss and stop unauthorized access, the bank enhanced its Data Loss Prevention (DLP) capabilities across sensitive data flows (Asmar & Tuqan, 2024). In response, the responsible officials said they would increase monitoring of email traffic and keep a closer watch on cloud services and network activity. This initiative will help prevent this type of incident from happening in the future.
5. Areas for Comprehensive Incident Response Investigation
5.1. Potential Vulnerabilities in Standard Chartered Bank's Systems
The breach exposed serious weaknesses in the bank's security controls, notably inconsistent use of multi-factor authentication (MFA). To understand how the phishing campaign was able to succeed, analysis of the URLs and phishing emails used by the attacker is essential.
5.2. Examination of Network Logs and System Activity
It is important to carefully examine the network logs for any unusual login attempts across the bank's systems. The SOC investigated whether any other account had been compromised in the same way.
5.3. Review of Access Controls and User Privileges
This mainly consisted of the SOC reviewing access controls to check whether the attacker had escalated privileges or moved laterally elsewhere within the bank’s network. The review was important to establish what data and systems were accessed (Cremer et al. 2022).
5.4. Analysis of Security Policies and Procedures
The breach has also led the bank to examine its security measures, particularly those associated with third-party platforms such as SharePoint. It then used a program to evaluate its vendors for compliance with marketplace standards.
6. Extracting Indicators of Compromise (IoC) and Indicators of Attack (IoA)
6.1 Techniques for Identifying IoCs and IoAs
The email and authentication logs highlighted the phishing URL, the attacker's IP addresses and the failed login attempts. The email headers and log data were analyzed to trace the attack back to its source.
6.2. Tools and Methods for Extracting These Indicators
IoAs and IoCs were extracted using a combination of SIEM systems, forensic analysis tools and log review processes (Salim, Singh & Keikhosrokiani, 2023). These tools helped the SOC to understand where in the system the attacker was moving.
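As an added illustration (not part of the case study or the bank's tooling), the script below shows the two extraction steps described in sections 4.6, 6.1 and 6.2: pulling IoCs (URL, host, relay IPs, Message-ID) out of a raw phishing message, and the UBA-style check that flags a mailbox sending to an unusual number of distinct recipients in a short window. The headers, addresses, log format, window and threshold are constructed assumptions; only the SharePoint URL is the one captured by the SOC.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_string
from urllib.parse import urlsplit

# Constructed raw message. Only the URL comes from the case study (the link the
# SOC captured); every header, address and IP is made up for the example.
PHISH_EMAIL = """\
Received: from relay.example.net (relay.example.net [203.0.113.45]) by mx.abcbank.example
Received: from [198.51.100.7] by relay.example.net
From: "Mikeala" <mikeala@abcbank.example>
To: staff@abcbank.example
Subject: Shared document
Message-ID: <constructed-id-1@relay.example.net>

Please review the document: https://adexgroupfr-my.sharepoint.com/:u:/g/personal/e_criblier_alloffice_fr/EZet3QfB3alBl_qA8dwWaY4BqaZVGf6NWA8SXWK1vwbYsw?e=4%3arVnNzi&fromShare=true&at=9
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPs in Received headers
URL = re.compile(r"https?://[^\s<>\"']+")             # links in the body


def extract_iocs(raw: str) -> dict:
    """Return URLs, their hosts, relay IPs and the Message-ID of a single-part email."""
    msg = message_from_string(raw)
    urls = URL.findall(msg.get_payload())             # str body for non-MIME text
    ips = [ip for hdr in msg.get_all("Received", []) for ip in IPV4.findall(hdr)]
    return {
        "urls": urls,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
        "relay_ips": ips,                             # ordered top (nearest) to origin
        "message_id": msg["Message-ID"],
        "from": msg["From"],
    }


# Constructed mail-gateway log: one line per outbound message, assumed format
# "<ISO time> sender=<addr> rcpt=<addr>". One normal user and one mailbox
# that bursts to many distinct recipients (the pattern section 4.6 wants UBA to catch).
def make_gateway_log() -> list[str]:
    base = datetime(2023, 4, 11, 9, 0, 0)
    lines = [f"{base + timedelta(minutes=40 * i):%Y-%m-%dT%H:%M:%SZ} "
             f"sender=samuel@abcbank.example rcpt=peer{i}@abcbank.example" for i in range(3)]
    for i in range(120):
        dom = "abcbank.example" if i % 3 else "customer.example"
        lines.append(f"{base + timedelta(seconds=5 * i):%Y-%m-%dT%H:%M:%SZ} "
                     f"sender=mikeala@abcbank.example rcpt=user{i}@{dom}")
    return lines


LOG_LINE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")


def outbound_bursts(lines, window=timedelta(minutes=10), threshold=50) -> dict:
    """Flag senders reaching more than `threshold` distinct recipients inside any
    sliding `window`; returns {sender: peak distinct recipients}. Threshold is an assumption."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events[m.group(2)].append((ts, m.group(3)))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        peak = max(len({r for t, r in evs[i:] if t - start <= window})
                   for i, (start, _) in enumerate(evs))
        if peak > threshold:
            flagged[sender] = peak
    return flagged
```

The flagged sender and the extracted URL host and relay IPs are the values a SOC would feed into SIEM watchlists and share with the mail gateway for blocking.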
6.3. Importance of IoCs and IoAs in Incident Response
Indicators of compromise and indicators of attack are essential for understanding what type of attack occurred, and they help prevent the same type of attack from recurring. Once those indicators were in place, the bank was able to put preventive steps into practice and make its security more robust.
7. Lessons Learned
The incident highlighted the need for MFA to be enforced for all employees and for improved real-time monitoring (Ahmad et al. 2023). It will be important to provide phishing awareness training, which can be treated as the next step once the threat is confirmed. The incident also reinforced the importance of quicker incident response and escalation processes to reduce the impact of future incidents.
8. Corrective Actions
Following the incident, Standard Chartered Bank began rolling out MFA for all employees and introduced tighter controls within its SIEM to minimize detection lag times as well as regular phishing simulations. The bank is also undergoing third-party security audits and revisiting its incident response playbooks.
9. Findings and Recommendations
The investigation concluded that a lack of MFA enrollment, slow incident detection and underdeveloped employee training had contributed to the success of the phishing attack against Standard Chartered Bank. The bank must take several steps to strengthen its information security, as recommended below.
• Enforce 100% Multi-Factor Authentication (MFA)
All employees must be required to use multi-factor authentication.
• Improve Phishing Awareness Training
Routine employee training on identifying phishing emails and social engineering practices (Khando et al. 2021).
• Enhance Incident Detection Systems
The bank needs to improve its SIEM and UBA systems (Arora, Arora & McIntyre, 2023). This will enable it to detect anomalous activity promptly, thereby reducing the attack surface.
• Conduct Regular Security Audits
Regular third-party security audits and penetration tests should be performed to make sure that all systems are secure and follow industry standards.
• Strengthen Data Encryption
Secure key management and encryption of all sensitive customer and employee data, both in transit and at rest, as an additional layer of protection (Perwej et al. 2021).
10. Conclusion
The phishing attack on Standard Chartered Bank demonstrated major vulnerabilities in its security setup, particularly a wider need for employee awareness and MFA implementation. Failing to detect or respond quickly enough delayed stopping the breach and let the attacker access sensitive customer data, including employee details. The bank needs to implement an all-encompassing security approach to improve its cybersecurity posture. This requires mandatory MFA for all employees, 24/7 threat detection, security awareness training on recognizing phishing emails, and frequent testing of the response process and incident response playbooks. These steps will allow Standard Chartered Bank to defend itself against further cyber attacks and safeguard both its clients and its image in financial services.
Reference list
Ahmad, M. O., Tripathi, G., Siddiqui, F., Alam, M. A., Ahad, M. A., Akhtar, M. M., & Casalino, G. (2023). BAuth-ZKP—A blockchain-based multi-factor authentication mechanism for securing smart cities. Sensors, 23(5), 2757. Retrieved from: https://doi.org/10.3390/s23052757 [Retrieved on 13 October 2024]
Arora, A., Arora, A., & McIntyre, J. (2023). Developing chatbots for cyber security: Assessing threats through sentiment analysis on social media. Sustainability, 15(17), 13178. Retrieved from: https://doi.org/10.3390/su151713178 [Retrieved on 13 October 2024]
Asmar, M., & Tuqan, A. (2024). Integrating machine learning for sustaining cybersecurity in digital banks. Heliyon, 10(17). Retrieved from: https://doi.org/10.1016/j.heliyon.2024.e37571 [Retrieved on 13 October 2024]
Cremer, F., Sheehan, B., Fortmann, M., Kia, A. N., Mullins, M., Murphy, F., & Materne, S. (2022). Cyber risk and cybersecurity: a systematic review of data availability. The Geneva Papers on Risk and Insurance. Issues and Practice, 47(3), 698. Retrieved from: https://doi.org/10.1057/s41288-022-00266-6 [Retrieved on 12 October 2024]
Desolda, G., Ferro, L. S., Marrella, A., Catarci, T., & Costabile, M. F. (2021). Human factors in phishing attacks: a systematic literature review. ACM Computing Surveys (CSUR), 54(8), 1-35. Retrieved from: https://doi.org/10.1145/3469886 [Retrieved on 13 October 2024]
Geetha, V., Brithvirajan, S., Pavithra, S., Thiyagarajan, S., & Bharath, P. (2020). Password Manager with Multi Factor Authentication based on URL Categorization. IIRJET, 5(3). Retrieved from: http://iirjet.org/index.php/home/article/download/24/65 [Retrieved on 13 October 2024]
Javaheri, D., Fahmideh, M., Chizari, H., Lalbakhsh, P., & Hur, J. (2023). Cybersecurity threats in FinTech: A systematic review. Expert Systems with Applications, 122697. Retrieved from: https://doi.org/10.1016/j.eswa.2023.122697 [Retrieved on 12 October 2024]
Khando, K., Gao, S., Islam, S. M., & Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers & Security, 106, 102267. Retrieved from: https://doi.org/10.1016/j.cose.2021.102267 [Retrieved on 13 October 2024]
Mishra, A., Alzoubi, Y. I., Anwar, M. J., & Gill, A. Q. (2022). Attributes impacting cybersecurity policy development: An evidence from seven nations. Computers & Security, 120, 102820. Retrieved from: https://doi.org/10.1016/j.cose.2022.102820 [Retrieved on 13 October 2024]
Moustafa, A. A., Bello, A., & Maurushat, A. (2021). The role of user behaviour in improving cyber security management. Frontiers in Psychology, 12, 561011. Retrieved from: https://doi.org/10.3389/fpsyg.2021.561011 [Retrieved on 12 October 2024]
Nikkel, B. (2020). Fintech forensics: Criminal investigation and digital evidence in financial technologies. Forensic Science International: Digital Investigation, 33, 200908. Retrieved from: https://doi.org/10.1016/j.fsidi.2020.200908 [Retrieved on 13 October 2024]
Perwej, Y., Abbas, S. Q., Dixit, J. P., Akhtar, N., & Jaiswal, A. K. (2021). A systematic literature review on the cyber security. International Journal of Scientific Research and Management, 9(12), 669-710. Retrieved from: https://doi.org/10.18535/ijsrm/v9i12.ec04 (hal-03509116) [Retrieved on 13 October 2024]
Salim, D. T., Singh, M. M., & Keikhosrokiani, P. (2023). A systematic literature review for APT detection and Effective Cyber Situational Awareness (ECSA) conceptual model. Heliyon, 9(7). Retrieved from: https://doi.org/10.1016/j.heliyon.2023.e17156 [Retrieved on 13 October 2024]
sc (2024). From here, possibilities are everywhere. Retrieved from: https://www.sc.com/en/ [Retrieved on 12 October 2024]
Shaikh, F. A., & Siponen, M. (2023). Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity. Computers & Security, 124, 102974. Retrieved from: https://doi.org/10.1016/j.cose.2022.102974 [Retrieved on 12 October 2024]
Varga, S., Brynielsson, J., & Franke, U. (2021). Cyber-threat perception and risk management in the Swedish financial sector. Computers & Security, 105, 102239. Retrieved from: https://doi.org/10.1016/j.cose.2021.102239 [Retrieved on 12 October 2024]
Wang, V., Nnaji, H., & Jung, J. (2020). Internet banking in Nigeria: Cyber security breaches, practices and capability. International Journal of Law, Crime and Justice, 62, 100415. Retrieved from: https://doi.org/10.1016/j.ijlcj.2020.100415 [Retrieved on 13 October 2024]
Wong, L. W., Lee, V. H., Tan, G. W. H., Ooi, K. B., & Sohal, A. (2022). The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. International Journal of Information Management, 66, 102520. Retrieved from: https://doi.org/10.1016/j.ijinfomgt.2022.102520 [Retrieved on 12 October 2024]