WithPCI.com

Targeted Resume-Based Cyber Attack


Scenario Overview

Exercise Type: Technical Incident Response Simulation
Target Audience: SOC Analysts, HR Leadership, Finance Teams, Legal Counsel
Scenario: Sophisticated Spear-Phishing Campaign via Fake Job Applicant
Duration: 120-150 minutes
Objective: Validate cross-departmental response to credential harvesting and financial system compromise


Exercise Script

INJECT 1: Suspicious Resume Alert (Day 1 – 2:05 PM)

Situation:

  • HR receives a resume for a "Senior Financial Strategist" role via LinkedIn InMail:
    • PDF attachment named Portfolio_JohnDoe.pdf
    • Sender profile shows 500+ connections and endorsements from fake accounts
  • Finance Director's laptop triggers CrowdStrike alerts for outbound TLS traffic to 185.153.192[.]44 (attributed to APT29 infrastructure in this scenario)
  • Network logs show anomalous DNS queries for update-check[.]maliciousdomain[.]xyz

Discussion Prompt: "What containment steps are immediate priorities? How should HR and IT coordinate without alarming staff?"


INJECT 2: Malware Payload Analysis (Day 1 – 5:40 PM)

Situation:

  • Sandbox analysis reveals:
    • PDF exploits an unpatched Adobe Acrobat Reader remote code execution vulnerability (substitute a current Reader CVE when running the exercise)
    • Drops svchost-mod.dll (keylogger) and ps1_loader.exe (PowerShell backdoor)
    • C2 communication via HTTPS mimicking Microsoft Update traffic
  • Behavior observed:
    • Clipboard contents exfiltrated every 60 seconds
    • Recursive Get-ChildItem enumeration of \\finance-nas\payroll

Discussion Prompt: "What network indicators should be blocked globally? How do you assess the full intrusion scope without tipping off the attackers?"
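The two questions in this inject are usually answered with the same telemetry. As an added example (not part of the WithPCI exercise script), the Python below refangs the injects' indicators, matches them against constructed DNS/proxy log lines, and separately flags the 60-second heartbeat by timing alone. The host names, the log format and the timestamps are assumptions made up for the example; only the two indicators come from the injects.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators from the exercise injects, kept defanged the way the script writes them.
DEFANGED_IOCS = [
    "185.153.192[.]44",
    "update-check[.]maliciousdomain[.]xyz",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log lines (not real telemetry): timestamp, source host, record kind, destination.
# fin-director-lt calls the C2 every ~60 s; hr-workstation-07 does ordinary, irregular update checks.
SAMPLE_LOG = """\
2024-05-06T14:01:00Z fin-director-lt dns update-check.maliciousdomain.xyz
2024-05-06T14:01:02Z fin-director-lt tls 185.153.192.44
2024-05-06T14:02:01Z fin-director-lt tls 185.153.192.44
2024-05-06T14:03:02Z fin-director-lt tls 185.153.192.44
2024-05-06T14:04:00Z fin-director-lt tls 185.153.192.44
2024-05-06T14:05:01Z fin-director-lt tls 185.153.192.44
2024-05-06T14:01:30Z hr-workstation-07 tls update.microsoft.com
2024-05-06T14:09:12Z hr-workstation-07 tls update.microsoft.com
2024-05-06T14:31:45Z hr-workstation-07 tls update.microsoft.com
2024-05-06T14:58:03Z hr-workstation-07 tls update.microsoft.com
2024-05-06T15:20:20Z hr-workstation-07 tls update.microsoft.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|tls) (\S+)$")


def parse_log(text: str):
    """Parse the sample format into (timestamp, host, kind, destination) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, dst = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, dst))
    return events


def ioc_hits(events):
    """Return sorted (host, kind, destination) tuples that match a known-bad indicator."""
    return sorted({(h, k, d) for _, h, k, d in events if d in IOC_SET})


def beacon_candidates(events, min_connections=5, max_jitter_ratio=0.1):
    """Flag host->destination pairs whose connection intervals are nearly constant.

    A 60-second heartbeat with a few seconds of jitter has a tiny coefficient of
    variation (stdev/mean); human browsing and real update checks do not. This
    catches the C2 even when its domain and certificate imitate Microsoft Update.
    """
    by_pair = defaultdict(list)
    for ts, host, kind, dst in events:
        if kind == "tls":
            by_pair[(host, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            flagged[pair] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("IOC hits:", ioc_hits(evts))
    print("Beacon candidates (mean interval s):", beacon_candidates(evts))
```

Blocking the two indicators globally is the easy part; the beaconing check is what tells you which other hosts are talking to infrastructure you have not yet attributed, which answers the "full intrusion scope" question without touching the attacker's infrastructure.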


INJECT 3: Credential Harvesting Confirmed (Day 2 – 9:25 AM)

Situation:

  • Credential theft confirmed:
    • Keylogger captured the Finance Director's Okta username and password and the PIN for the SWIFT transaction signing device
    • Backdoor stole the SAP Fiori browser session cookie, letting the attacker reuse the authenticated session without completing MFA
  • Threat actor activity:
    • Accessed NetSuite from Ukrainian IP 91.207.245[.]167
    • Generated 14 fake vendor invoices totaling $2.8M
    • Modified ACH batch approval thresholds

Discussion Prompt: "What financial controls would have prevented the fraudulent transactions? How do you revoke the compromised credentials and sessions enterprise-wide?"


INJECT 4: Lateral Movement Detected (Day 2 – 11:30 AM)

Situation:

  • Domain controller event logs and BloodHound attack-path analysis show:
    • DCSync replication requests issued under the Azure AD Connect (MSOL_) service account, which legitimately holds directory replication rights, but from a host that is not the sync server
    • krbtgt hash obtained through that replication and used to forge a Golden Ticket
  • Attacker accessed:
    • M&A due diligence files on SharePoint
    • Employee healthcare enrollment records
    • AWS IAM roles with billing admin privileges

Discussion Prompt: "What Active Directory hardening steps are critical? How do you isolate the compromised cloud environments?"
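The "Golden Ticket Detection Framework" listed under the deliverables rests on two domain controller signals this inject relies on: Event 4662 carrying the replication extended rights (DCSync) from an account or host that should not replicate, and Event 4769 service-ticket requests for an account that no DC ever issued a TGT to (a forged TGT never passes through the AS exchange). The Python below is an added example, not part of the WithPCI script, run over constructed events. The account names, IP addresses and the allowlist are assumptions for the example; the three replication-right GUIDs are the real schema GUIDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Schema GUIDs of the extended rights a replication request needs; they appear in the
# "Properties" field of Event 4662 on the domain controller that served the request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate, pinned to the host they must replicate from.
# Hypothetical names: DC01$/DC02$ are domain controllers; MSOL_a1b2c3d4e5f6 stands in for
# the Azure AD Connect sync account, which is allowed to replicate only from the sync server.
REPLICATION_ALLOWLIST = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
    "MSOL_a1b2c3d4e5f6": {"10.0.0.25"},
}

# Constructed security events, not real logs. 4662 = operation on an AD object,
# 4768 = TGT issued (AS exchange), 4769 = service ticket requested (TGS exchange).
SAMPLE_EVENTS = [
    {"id": 4662, "time": "2024-05-07T11:02:10Z", "account": "DC02$", "ip": "10.0.0.11",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "time": "2024-05-07T11:05:44Z", "account": "MSOL_a1b2c3d4e5f6", "ip": "10.0.0.25",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    # Same sync account, but replicating from the Finance Director's laptop: this is the DCSync.
    {"id": 4662, "time": "2024-05-07T11:17:03Z", "account": "MSOL_a1b2c3d4e5f6", "ip": "10.0.5.77",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "time": "2024-05-07T11:17:05Z", "account": "fin.director", "ip": "10.0.5.77",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4768, "time": "2024-05-07T11:20:00Z", "account": "fin.director", "ip": "10.0.5.77",
     "service": "krbtgt"},
    {"id": 4769, "time": "2024-05-07T11:20:01Z", "account": "fin.director", "ip": "10.0.5.77",
     "service": "cifs/finance-nas"},
    # Service ticket for 'administrator' with no TGT issued anywhere: a forged (Golden) TGT.
    {"id": 4769, "time": "2024-05-07T11:25:30Z", "account": "administrator", "ip": "10.0.5.77",
     "service": "cifs/sharepoint01"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_dcsync(events):
    """Return (account, source_ip, rights) for 4662 events that request replication rights
    from an account that is not allowlisted, or from an allowlisted account on the wrong host."""
    alerts = []
    for e in events:
        if e["id"] != 4662:
            continue
        guids = {g.strip("{}").lower() for g in e["properties"].split()}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if not rights:
            continue
        if e["ip"] not in REPLICATION_ALLOWLIST.get(e["account"], set()):
            alerts.append((e["account"], e["ip"], ", ".join(rights)))
    return alerts


def detect_tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return (account, source_ip, service) for 4769 requests with no 4768 for that account
    in the preceding window. Needs the 4768 stream from every DC: a TGT issued on a DC whose
    logs are not collected looks exactly like a forged one."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["account"].lower()].append(parse_time(e["time"]))
    alerts = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = parse_time(e["time"])
        if not any(t - window <= tgt <= t for tgt in tgt_times[e["account"].lower()]):
            alerts.append((e["account"], e["ip"], e["service"]))
    return alerts


if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS))
    print("TGS without TGT:", detect_tgs_without_tgt(SAMPLE_EVENTS))
```

The allowlist keyed on both account and source host is the point of the inject: the sync account must be allowed to replicate, so an account-only allowlist would have silently passed the attacker's request.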


INJECT 5: Data Exfiltration Attempt (Day 2 – 2:00 PM)

Situation:

  • Vectra AI detects:
    • 42GB of QuickBooks data compressed as QB_ARCHIVE.7z
    • Exfiltration via ICMP tunneling to mail.backup-service[.]top
  • Dark web monitoring identifies:
    • Auction listing for "[WithPCI.com Company Name] Financials 2023-2024"
    • Sample payroll records posted on BreachForums

Discussion Prompt: "What data loss prevention measures failed? Should the organization negotiate with the dark web actors to have the leaked data removed, and if so, how?"
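ICMP tunnelling gets past egress controls that only inspect TCP and UDP, which is the DLP failure this inject asks about. As an added example (not part of the WithPCI script), the Python below scores constructed ICMP echo-request records on three properties that separate tunnelled archive data from diagnostic pings: payload size, payload entropy, and request rate per flow. The host names, destinations and thresholds are assumptions for the example; the byte totals it reports are what let you size an exfiltration claim like the 42 GB in the inject.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The 32-byte payload a Windows host sends with a default ping (repeating alphabet).
# Diagnostic traffic looks like this; tunnelled file data does not.
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Simulated chunk of a compressed archive: every byte value equally likely, so entropy is
# the maximum 8 bits/byte. Constructed for the example, not a real capture.
ARCHIVE_CHUNK = bytes(range(256)) * 5  # 1280 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~4.4 for the ping pattern, 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_records():
    """Constructed ICMP echo-request records as (timestamp, src, dst, payload) tuples:
    three normal pings from an HR workstation, then 20 archive chunks in 20 seconds
    from the Finance Director's laptop to the inject's exfiltration host."""
    t0 = datetime(2024, 5, 7, 14, 0, 0)
    records = [(t0 + timedelta(seconds=30 * i), "hr-workstation-07", "10.0.0.1", PING_PAYLOAD)
               for i in range(3)]
    records += [(t0 + timedelta(seconds=i), "fin-director-lt", "mail.backup-service.top", ARCHIVE_CHUNK)
                for i in range(20)]
    return records


def flag_icmp_tunnels(records, max_payload=64, max_entropy=6.0, max_per_minute=10):
    """Return {(src, dst): {"reasons": set, "bytes": int}} for echo flows that look like a tunnel.

    max_payload=64 keeps the common 32-byte (Windows) and 56-byte (Linux) defaults under the
    cut; max_entropy catches compressed/encrypted payloads regardless of size; the per-minute
    rate catches a tunnel that keeps packets small to stay under the first two checks.
    """
    flows = defaultdict(lambda: {"reasons": set(), "bytes": 0, "per_minute": Counter()})
    for ts, src, dst, payload in records:
        f = flows[(src, dst)]
        f["bytes"] += len(payload)
        f["per_minute"][ts.replace(second=0, microsecond=0)] += 1
        if len(payload) > max_payload:
            f["reasons"].add("oversized payload")
        if shannon_entropy(payload) > max_entropy:
            f["reasons"].add("high-entropy payload")
    result = {}
    for key, f in flows.items():
        if max(f["per_minute"].values()) > max_per_minute:
            f["reasons"].add("high request rate")
        if f["reasons"]:
            result[key] = {"reasons": f["reasons"], "bytes": f["bytes"]}
    return result


if __name__ == "__main__":
    for (src, dst), info in flag_icmp_tunnels(build_sample_records()).items():
        print(f"{src} -> {dst}: {sorted(info['reasons'])}, {info['bytes']} bytes carried")
```

At the thresholds above a flow has to look wrong in only one of the three ways to be flagged; in production you would tune them against a week of your own ICMP baseline, and the simplest DLP fix remains refusing echo requests to the internet at the egress firewall, which removes the channel rather than detecting it.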


INJECT 6: Media & Regulatory Escalation (Day 3 – 9:00 AM)

Situation:

  • Bloomberg publishes: "[WithPCI.com Company Name] CFO Credentials Sold on Darknet After HR System Hack"
  • SEC subpoenas all incident response documentation under Regulation S-P
  • OCC mandates independent audit of wire transfer controls

Discussion Prompt: "What public statement balances transparency with liability? How do you align the legal and communications strategies?"


INJECT 7: Post-Incident Rebuild (Day 30 – 10:00 AM)

Situation:

  • Implemented changes:
    • HR resume screening via isolated Chromebooks
    • Hardware security keys for all financial system MFA
    • Deception technology with fake "CEO salary data" honeypots
  • Outstanding challenges:
    • $650K in unrecovered fraudulent transfers
    • 12% employee turnover in finance department

Discussion Prompt: "What metrics define recovery success? How do you rebuild trust with investors and employees?"


Debrief Focus Areas

  1. HR Technology Supply Chain Risks
  2. Financial System Access Governance
  3. Cloud Credential Lifecycle Management
  4. Dark Web Monitoring Efficacy
  5. Cross-Departmental Incident Playbooks

Post-Exercise Deliverables:

  • Spear-Phishing Simulation Program for HR
  • Golden Ticket Detection Framework
  • Financial Fraud Red Team Exercise Plan
  • Executive Protection Task Force Charter

Next Steps:

  • Implement Zero-Trust Segmentation for AD
  • Conduct quarterly financial control stress tests
  • Schedule board-level cyber risk review
