Commonwealth Bank
Completed a job simulation involving the role of a cybersecurity generalist, specializing in fraud detection and prevention for Commonwealth Bank's Cybersecurity team.
Developed skills in building data visualization dashboards using Splunk to uncover patterns and insights in historical customer data, aiding in fraud detection.
Demonstrated the ability to respond effectively to cybersecurity incidents, including notifying relevant teams, collecting information, containing and stopping attacks, and aiding in recovery efforts.
Enhanced security awareness expertise by designing infographics promoting best practices for secure password management, following Australian Cybersecurity Centre advice.
Acquired practical experience in penetration testing, assessing the security of web applications, identifying vulnerabilities, and providing recommendations for remediation to bolster cybersecurity defenses.
Splunk Basics
Data Analysis
Data Visualisation
Cyber Security
Incident Triage
Detection and Response
Data Protection
Password Security
Compliance Knowledge
Penetration Testing
Creative Thinking
Problem Solving
Background information
As a cyber security generalist at Commonwealth Bank, it is important to be aware of the increasing rate and complexity of financial fraud and the need for effective defence solutions. Financial fraud poses a significant challenge for financial institutions, and it is important for Commonwealth Bank to stay up to date with the latest fraud detection technologies and strategies to minimise risk. Protecting against and responding to fraud is a major responsibility for you and your team. By detecting and stopping fraud, the bank can protect its customers, employees and reputation while also enhancing the resilience of its financial system.
To help with this task, you will be using a tool called Splunk to visually represent the given data. Representing data in a visual format, also known as data visualisation, makes it easier for the data analytics team to understand and gain insights. Visual data is a universal, fast and effective way to communicate information.
You will be building a dashboard to make it easier to identify patterns and trends in the given dataset. The dashboard will provide crucial reporting and metrics information that can aid in identifying and detecting fraud. By using this dashboard, the team will be able to quickly identify any suspicious activity and take the necessary steps to prevent fraud from occurring. Overall, the goal of this task is to use data visualisation and a dashboard to make it easier to detect fraud and protect Commonwealth Bank and its customers from financial loss. Data was collected and structured by the Fraud team. This dataset consists of payments from various customers made in different periods and amounts.
Background information
As a member of the cyber security division, your team must handle this incident and the team lead has assigned the issue to you. Below is the timeline of events:
10:30 a.m. - The IT Service Desk receives a report from one of your colleagues at the bank that they have received an email from HR telling all employees to update their timesheets in the company's support portal so the timesheets can be approved on time by their line managers against the next pay day. The colleague clicked the link in the email that opened what looked like the portal. However, following the employee's input of the user credentials, an unfamiliar error page appeared like the one below.

2:00 p.m. - Eight more reports of emails similar to the one reported earlier are received by the IT Service Desk. Upon further investigation, it was found that 62 colleagues across the Risk Department received the same email over the course of two days. The emails directed the users to a fake website to steal their usernames and passwords and download a harmful program.
3:50 p.m. - The IT Service Desk receives calls and emails from more colleagues that the file-shares are not opening and they receive an error when trying to open a Word document they have always been able to open.
As a cybersecurity generalist at CommBank, it's important to have a basic understanding of penetration testing. Penetration testing is a way to check the security of computer systems and networks by simulating an attack. This helps identify weaknesses in the system and evaluate the effectiveness of security measures. By doing this regularly, organisations can find and fix potential security problems before attackers can exploit them.
In this task, you will be completing the "Basic" web challenge from HackThisSite.org, which is an online platform that provides a safe and legal environment for students like you to improve their cyber security skills through a variety of challenges.
The challenge is divided into 11 levels that range from easy to difficult. The purpose of this challenge is to test your skills and knowledge in identifying vulnerabilities and exploiting them. By completing this challenge, you will gain a better understanding of how to identify and exploit vulnerabilities in web applications. Additionally, you will learn how to apply this knowledge to real-world scenarios, which will help you improve your penetration testing skills. How exciting! Look at it like a game that helps you learn about web security.
After completing the challenge, you will need to create a pentest report detailing what you found and learnt, and give recommendations for how to better secure the web application. A penetration testing report is like a summary of the results of a security test. It shows any weaknesses or problems that were found during the test and suggests ways to fix them. This report is important because it helps organisations understand where they need to improve their security and how to do it. It also helps them comply with laws and regulations related to security. In simple terms, a pentest report is like a report card for a company's security and helps them pass security inspections. By having a good security posture, organisations can prevent data breaches, protect sensitive information, and maintain compliance with regulations and industry standards.
Task 1 - Data Analysis
Imported the "prepared_data" file into Splunk.
File analysis using the "Interesting Fields" section in Splunk.
Dashboard creation to include the following charts/tables:
Count by Category, Fraudulent transactions, Age and Merchant.
sourcetype="fraud_detection.csv" | top category
sourcetype="fraud_detection.csv" | top fraud
sourcetype="fraud_detection.csv" | top age
sourcetype="fraud_detection.csv" | top merchant
Fraud detected by Age, Category, Step (month) and Gender.
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by age
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by category
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by step
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by gender
Provide responses to:
Which gender performed the most fraudulent activities and in what category?
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by category, gender
Trellis > Use Trellis Layout > Split By gender
Which age group performed the most fraudulent activities and to what merchant?
sourcetype="fraud_detection.csv" fraud="1" | stats count values(fraud) by merchant, age
Trellis > Use Trellis Layout > Split By age
Exported dashboard as a PDF.
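The `top` and `stats count ... by` searches above can be reproduced outside Splunk to double-check the dashboard answers. This is an added example, not part of the task or the Fraud team's dataset: the column names follow the page's description of fraud_detection.csv, and the rows, customer IDs and merchant names are constructed.

```python
"""Recompute the Task 1 Splunk searches in plain Python (added example)."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of fraud_detection.csv; not real CBA data.
# age is a coded age group, step is the month, fraud is "1" for fraudulent rows.
SAMPLE_CSV = """step,customer,age,gender,merchant,category,amount,fraud
0,C1,3,M,merchant_transport,es_transportation,4.55,0
0,C2,2,F,merchant_health,es_health,39.68,0
1,C3,4,F,merchant_transport,es_transportation,26.89,0
1,C4,3,M,merchant_toys,es_sportsandtoys,1212.44,1
2,C5,2,F,merchant_toys,es_sportsandtoys,834.10,1
2,C6,5,M,merchant_hotel,es_hotelservices,700.01,1
3,C7,2,F,merchant_health,es_health,22.30,0
3,C8,3,M,merchant_toys,es_sportsandtoys,1503.67,1
4,C9,3,F,merchant_hotel,es_hotelservices,410.05,1
4,C10,3,M,merchant_toys,es_sportsandtoys,1302.15,1
"""


def load_rows(text=SAMPLE_CSV):
    """Parse the CSV into a list of dicts, one per transaction."""
    return list(csv.DictReader(io.StringIO(text)))


def top(rows, field):
    """Equivalent of `| top <field>`: (value, count) pairs, most common first."""
    return Counter(row[field] for row in rows).most_common()


def fraud_count_by(rows, *fields):
    """Equivalent of `fraud="1" | stats count by f1, f2`: counts fraudulent
    rows only, keyed by the tuple of the requested field values."""
    frauds = (row for row in rows if row["fraud"] == "1")
    return Counter(tuple(row[f] for f in fields) for row in frauds)


def top_fraud_group(rows, *fields):
    """The group (value tuple, count) with the most fraudulent transactions,
    i.e. the answer the Trellis layout makes visible in the dashboard."""
    return fraud_count_by(rows, *fields).most_common(1)[0]


if __name__ == "__main__":
    data = load_rows()
    print("top category:", top(data, "category")[0])
    print("gender/category with most fraud:", top_fraud_group(data, "category", "gender"))
    print("age/merchant with most fraud:", top_fraud_group(data, "merchant", "age"))
```

To run it against the real export, pass the file contents to `load_rows` instead of the constructed sample.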
Task 2 - Incident Response
Resources
Study the links in the Resources to learn how to provide solutions to the following questions.
1. What kind of attack has happened and why do you think so?
This is a phishing attack that has potentially escalated into a ransomware attack:
Phishing: The email from "HR" was designed to trick employees into entering their credentials into a fake portal, which likely allowed the attacker to capture their login information.
Ransomware: The report of colleagues unable to open Word documents and file-shares suggests a malware infection. Phishing emails often serve as the entry point for ransomware to infiltrate systems, encrypt files, and block access.
2. As a cyber security analyst, what are the next steps to take? List all that apply.
Isolate affected systems: Immediately isolate any compromised machines from the network to prevent the spread of ransomware or other malware.
Identify the scope: Determine the extent of the attack by identifying who received the phishing email and whether any systems were successfully compromised.
Reset compromised credentials: Instruct all affected employees to reset their login credentials, especially if they entered information on the fake website.
Check for malware presence: Conduct a thorough scan of affected systems to check for any malicious software or ransomware.
Activate incident response: Notify upper management and activate the organization's incident response team.
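Scoping the attack (who received the HR email, who followed the link, who submitted credentials, who downloaded the program) is the step that decides which accounts to reset and which hosts to isolate first. The following added example correlates a mail-gateway log with a proxy log to produce those lists; the log formats, the bank.example domain and the fake portal hostname are assumptions, and every log line is constructed.

```python
"""Scope the Task 2 phishing incident from mail and proxy logs (added example)."""
import re

PHISH_DOMAIN = "portal-timesheets.example"  # placeholder for the fake portal

# Constructed mail-gateway lines: timestamp, recipient, subject, link in body.
MAIL_LOG = """\
2024-05-01T09:02:11 to=alice@bank.example subject="Update your timesheet" url=http://portal-timesheets.example/login
2024-05-01T09:02:12 to=bob@bank.example subject="Update your timesheet" url=http://portal-timesheets.example/login
2024-05-01T09:02:13 to=carol@bank.example subject="Update your timesheet" url=http://portal-timesheets.example/login
2024-05-02T08:15:40 to=dave@bank.example subject="Team lunch" url=http://intranet.bank.example/lunch
"""

# Constructed web-proxy lines: timestamp, user, method, URL, status.
# A POST to the portal is a credential submission; the .exe is the dropped program.
PROXY_LOG = """\
2024-05-01T10:21:05 user=alice method=GET url=http://portal-timesheets.example/login status=200
2024-05-01T10:21:40 user=alice method=POST url=http://portal-timesheets.example/login status=500
2024-05-01T10:22:02 user=alice method=GET url=http://portal-timesheets.example/update.exe status=200
2024-05-01T11:03:17 user=bob method=GET url=http://portal-timesheets.example/login status=200
2024-05-01T11:30:00 user=dave method=GET url=http://intranet.bank.example/lunch status=200
"""

MAIL_RE = re.compile(r"to=([^@\s]+)@\S+ .*url=(\S+)")
PROXY_RE = re.compile(r"user=(\S+) method=(\S+) url=(\S+)")


def scope_incident(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, domain=PHISH_DOMAIN):
    """Return the user sets that drive the next steps:
    received -> awareness notice, clicked -> check host,
    credentials_entered -> force password reset, downloaded_file -> isolate host."""
    received, clicked, creds, download = set(), set(), set(), set()
    for line in mail_log.splitlines():
        m = MAIL_RE.search(line)
        if m and domain in m.group(2):
            received.add(m.group(1))
    for line in proxy_log.splitlines():
        m = PROXY_RE.search(line)
        if not m or domain not in m.group(3):
            continue  # traffic unrelated to the fake portal
        user, method, url = m.groups()
        clicked.add(user)
        if method == "POST":
            creds.add(user)
        if url.lower().endswith(".exe"):
            download.add(user)
    return {"received": received, "clicked": clicked,
            "credentials_entered": creds, "downloaded_file": download}


if __name__ == "__main__":
    for key, users in scope_incident().items():
        print(f"{key}: {sorted(users)}")
```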
3. How would you contain, resolve and recover from this incident? List all answers that apply.
Containment:
Quarantine infected systems and networks.
Block access to external communication for potentially compromised systems.
Shut down unnecessary services and ensure that malicious emails are blocked at the server level.
Resolution:
Analyze the phishing emails and attachments for further clues on the malware.
Restore systems from backups, ensuring that backups themselves are free of malware.
Apply patches to known vulnerabilities in the systems.
Recovery:
Remove malware by cleaning infected systems using malware removal tools.
Restore files from backups, ensuring backups are recent and verified safe.
Monitor systems for abnormal activity to prevent further exploitation.
4. What activities should be performed post-incident?
Incident report: Document the entire incident, including timeline, actions taken, and the outcome.
Review and improve security measures: Conduct a review of current security practices and implement improvements such as:
Enhanced email filtering and anti-phishing tools.
Multi-factor authentication (MFA) for sensitive systems.
Employee security training on phishing and other cyber threats.
Conduct a post-incident review: Analyze the attack's impact, the effectiveness of the response, and where improvements can be made.
Monitor systems: Keep monitoring for any additional suspicious activity to ensure no further threats remain.
Update disaster recovery plans: Adjust plans based on lessons learned to ensure faster, more effective responses in the future.
Task 3 - Penetration testing
Go to HackThisSite and create an account.
On the left-hand side, click on the "Challenges" section and select "Basic" (or click here).
Complete all levels from Basic Level 1 to 11.
After completing all levels, document a Penetration Testing Report that includes an executive summary, scope of web application tested, vulnerability description and key findings for each level, as well as recommendations on how to better secure the web application.
Additional resources are provided in the Resources for help, which will be especially useful if you have no prior experience with pentesting.
Resources:
How to View the HTML Source Code of a Web Page (computerhope.com) - Hint for Level 1, 2 & 3
How to view source code β ViewSourcePage.com - Hint for Level 1, 2 & 3
How to Edit Any Web Page in Chrome (or Any Browser) (howtogeek.com) - Hint for Level 4 & 5
ASCII Table - ASCII Character Codes, HTML, Octal, Hex, Decimal - Hint for Level 6
cal command in Linux with Examples - GeeksforGeeks - Hint for Level 7
Linux Commands Cheat Sheet | Red Hat Developer - Hint for Level 7
Server-Side Includes (SSI) Injection | OWASP Foundation - Hint for Level 8 & 9
View, edit, and delete cookies - Chrome Developers - Hint for Level 10
Apache HTTP Server Tutorial: .htaccess files - Apache HTTP Server Version 2.4 - Hint for Level 11