3B Data Security
Case Study
| Sector: | Banking |
3B Data Security
PCI Forensic
Investigation
Situation: A commercial bank had been instructed to conduct a PCI Forensic Investigation as there was evidence that their cardholder data environment had been compromised and data
was being stolen which facilitated card payment fraud on a large scale. The National Police had already conducted an investigation and concluded that they had identified the nature of
the breach and apprehended the culprits.
Task: 3B Data Security were initially engaged simply to conduct a PCI Forensic Investigation in line with the requirements of the PCI Forensic Investigation Programme (a PCI Security Standards Council programme). After the scale of the breach had been identified, we were further engaged to conduct additional investigation work and to provide a Remediation Plan for the Bank to implement themselves.
Task: 3B Data Security were initially engaged simply to conduct a PCI Forensic Investigation in line with the requirements of the PCI Forensic Investigation Programme (a PCI Security Standards Council programme). After the scale of the breach had been identified, we were further engaged to conduct additional investigation work and to provide a Remediation Plan for the Bank to implement themselves.
Actions:
During the initial phase of a PFI investigation, 3B Data Security routinely deploys and scans the entire environment using an advanced threat hunting and forensic state analysis tool.
This was deployed throughout the Bank’s environment, after the SCCM had been repaired and put into a working state.
The initial scans revealed that, although the Bank had believed the network to be secure after the Police investigation and remediation actions they had undertaken, there were still many Indicators of Compromise evident across the network and several servers and machines being controlled and used as jump points for additional data and credential harvesting.
We detected that the main administrative accounts had also been compromised and were insecure, along with access to all other controls and safeguards being accessible to the attackers.
Upon investigation, we detected that the compromises, which the Bank and Police had thought was instigated in November, had actually started the previous May. This broadened the scope of the investigation and enabled us to provide additional information on the entry Tactics, Techniques and Procedures used in the attack. These included both systems and administrative attack vectors and an insider human threat.
Results: We provided the Bank with a comprehensive analysis and regular updates on the progress and findings of the investigation. This included briefings to the Board of Directors and senior managers across the IT, Security and Risk functional teams. The briefings included a clear Remediation and Recovery Plan, along with support offered on how to address the identified loss of the ‘keys to the kingdom’ that the attack represented.
The initial scans revealed that, although the Bank had believed the network to be secure after the Police investigation and remediation actions they had undertaken, there were still many Indicators of Compromise evident across the network and several servers and machines being controlled and used as jump points for additional data and credential harvesting.
We detected that the main administrative accounts had also been compromised and were insecure, along with access to all other controls and safeguards being accessible to the attackers.
Upon investigation, we detected that the compromises, which the Bank and Police had thought was instigated in November, had actually started the previous May. This broadened the scope of the investigation and enabled us to provide additional information on the entry Tactics, Techniques and Procedures used in the attack. These included both systems and administrative attack vectors and an insider human threat.
Results: We provided the Bank with a comprehensive analysis and regular updates on the progress and findings of the investigation. This included briefings to the Board of Directors and senior managers across the IT, Security and Risk functional teams. The briefings included a clear Remediation and Recovery Plan, along with support offered on how to address the identified loss of the ‘keys to the kingdom’ that the attack represented.