Wednesday, June 24, 2026

PBSD Victim of $3.2 Million Cybersecurity Incident Analysis

Cybersecurity incidents are seldom isolated; there is normally a series of misconfigurations, missed alerts and, in more than a few cases, human error that leads to each breach. The recent example of the PBSD victim suffering a $3.2 million incident illustrates how today’s attacks combine technical exploitation and psychology to achieve their objectives.

This incident is more than a financial loss; it represents the failure of processes, identity theft, and systemic weakness. Therefore, there is an opportunity for cybersecurity professionals to analyze why this occurred and how to prevent similar attacks.

What does “PBSD” Mean in this Context?

PBSD often refers to the concept of a “Post-Breach Security Deficiency” in cybersecurity journalism, meaning the organization becomes a victim because of security gaps that the initial breach created and that were discovered only after the fact.

Unlike a traditional breach, PBSD scenarios have:

  • Delayed detection
  • Lengthy dwell time for attackers
  • Continued escalation of damage following initial access

In this specific case, the victim organization had experienced what can only be described as progressive failure of its defensive controls, resulting in the multimillion-dollar loss.

Summary of the $3.2 Million Incident

Over a period of weeks, the attack resulted in:

  • $3.2 million in unauthorized transfers
  • Compromised internal communication systems
  • Compromised sensitive operational data 

Analysis of the attack shows it was conducted using methods of:

  • Phishing with vendor impersonation to steal credentials
  • Privilege escalation to gain additional access
  • Business Email Compromise (BEC) tactics

The MO (modus operandi) of the attack follows a common pattern that has been documented by the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI.

Attack Timeline: A Breakdown of Each Step in the Sequence of Events

Understanding the timeline of the attack is crucial in determining where the company’s security controls failed during these four phases.

Phase 1: Initial Access

An employee in the finance department was specifically targeted with a phishing email:

  • The sender domain was spoofed to appear to come from a legitimate vendor.
  • The message demanded an immediate payment.
  • The victim’s credentials were captured on a fake sign-in page, the same credential-harvesting technique used in BEC scams.

Phase 2: Credential Compromise

After acquiring the credentials, the attacker:

  • Logged in to the victim’s corporate e-mail account.
  • Set up a forwarding rule so that access to the victim’s e-mail would persist even if the password changed.
  • Monitored the victim’s e-mail account after logging in, without the victim or the victim’s company knowing anything about it.

Phase 3: Lateral Movement

The victim’s company lacked adequate means to detect anomalies to identify this attacker activity, so the attacker could carry out this step without triggering security alerts. 

With access to the victim’s corporate e-mail, the attacker was able to:

  • Identify the high-value target (the finance executive).
  • Read documents sent to that individual and learn how payments were made.
  • Escalate privileges by exploiting existing internal trust relationships and gaining access to additional systems.

The actions in this phase are consistent with techniques catalogued in the MITRE ATT&CK framework.

Phase 4: Financial Exploitation

The attacker executed the fraudulent transactions using the following methods:

  • Impersonated a senior executive of the organization.
  • Changed vendor payment records.
  • Created a sense of urgency to bypass the verification process.

The total amount stolen from the company was $3.2 million, sent over several transactions.

Phase 5: Detection Took Too Long 

The compromise went undetected until:

  • A real vendor notified the company about unpaid invoices.
  • Discrepancies were found in the balance sheets during the internal reconciliation process.

By then the funds had already been moved through several accounts.

Why Did This Become a PBSD Event?

The incident turned into a PBSD incident because of failure points that occurred after the initial compromise.

No multi-factor authentication (MFA)

Even though MFA is a standard control, it was either not implemented or not required for all users. This allowed the attackers to log in with the stolen credentials alone.

Ineffective email security monitoring

No alerts fired when:

  • Someone logged in from an unusual location
  • A new forwarding rule was created
  • An email account showed an unusual amount of activity

All major email platforms (e.g., Microsoft, Google) have this capability, but it must be configured correctly.
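The three missed alert conditions above map directly onto detections that can be run over mailbox audit logs. The following is an added example, not code from the article: Python detection logic run over a constructed set of audit records. The record field names (`op`, `country`, `forward_to`, `count`), the `example.com` corporate domain and the sample users are assumptions for illustration, not any vendor’s real audit schema.

```python
"""Toy detections for the three email-monitoring gaps named in the article.

Added example, not code from the original article. The audit records are
constructed dicts loosely modelled on cloud mailbox audit logs; field names
are assumptions, not a vendor schema.
"""
import json
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample audit log: two days of normal activity for a finance
# user, then the Phase 1-2 sequence: foreign login, new forwarding rule,
# burst of mailbox reads. Timestamps are UTC ISO-8601 strings.
SAMPLE_LOG = [
    {"ts": "2026-06-01T08:02:00Z", "user": "a.finance@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2026-06-01T08:05:00Z", "user": "a.finance@example.com", "op": "MailItemsAccessed", "count": 12},
    {"ts": "2026-06-02T08:10:00Z", "user": "a.finance@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2026-06-02T08:12:00Z", "user": "a.finance@example.com", "op": "MailItemsAccessed", "count": 15},
    {"ts": "2026-06-03T02:41:00Z", "user": "a.finance@example.com", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2026-06-03T02:43:00Z", "user": "a.finance@example.com", "op": "New-InboxRule",
     "forward_to": "attacker-mailbox@example.net"},
    {"ts": "2026-06-03T02:50:00Z", "user": "a.finance@example.com", "op": "MailItemsAccessed", "count": 240},
]


def detect_forwarding_rules(log):
    """Alert on any new inbox rule that forwards mail outside the corporate domain."""
    alerts = []
    for rec in log:
        if rec["op"] != "New-InboxRule":
            continue
        target = rec.get("forward_to", "")
        if target and not target.lower().endswith("@" + CORPORATE_DOMAIN):
            alerts.append({"rule": "external_forwarding_rule", "ts": rec["ts"],
                           "user": rec["user"], "detail": f"forwards to {target}"})
    return alerts


def detect_new_login_countries(log):
    """Alert when a user logs in from a country not seen in any of their earlier logins."""
    seen = defaultdict(set)
    alerts = []
    for rec in sorted(log, key=lambda r: r["ts"]):
        if rec["op"] != "UserLoggedIn":
            continue
        user, country = rec["user"], rec["country"]
        if seen[user] and country not in seen[user]:
            alerts.append({"rule": "new_login_country", "ts": rec["ts"],
                           "user": user, "detail": f"{country} not in {sorted(seen[user])}"})
        seen[user].add(country)
    return alerts


def detect_access_spikes(log, factor=5.0):
    """Alert when a mailbox-access burst exceeds `factor` times the user's prior average."""
    history = defaultdict(list)
    alerts = []
    for rec in sorted(log, key=lambda r: r["ts"]):
        if rec["op"] != "MailItemsAccessed":
            continue
        user, count = rec["user"], rec["count"]
        prior = history[user]
        if prior:
            avg = sum(prior) / len(prior)
            if count > factor * avg:
                alerts.append({"rule": "mailbox_access_spike", "ts": rec["ts"],
                               "user": user, "detail": f"{count} items vs avg {avg:.1f}"})
        prior.append(count)
    return alerts


def run_detections(log):
    """Run all three detections and return the alerts in time order."""
    alerts = (detect_forwarding_rules(log)
              + detect_new_login_countries(log)
              + detect_access_spikes(log))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed log, the three detections fire in sequence: the foreign login at 02:41, the external forwarding rule two minutes later, and the read burst at 02:50. Each one on its own would have been an early warning in Phase 2, well before any money moved.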
Weak financial controls

The accounting process did not have:

  • Dual-signature approval for large-value transactions
  • Out-of-band verification for large-value transactions
  • A vendor change validation process

These weaknesses made the BEC scheme far more likely to succeed.
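The three missing controls above can be encoded as a gate that every payment request must pass before release. The following is an added example, not code from the article: Python that checks a request for independent dual approval above a threshold, out-of-band (call-back) verification, and bank-detail changes against a vendor master. The threshold, the vendor record, the request fields and the two sample requests are constructed assumptions.

```python
"""Payment-approval gate covering the three missing financial controls.

Added example, not from the original article. The threshold, vendor master
record and payment requests below are constructed for illustration.
"""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumption: amounts at/above this need two approvers


@dataclass
class Vendor:
    name: str
    bank_account: str    # account on file in the vendor master
    callback_phone: str  # number obtained independently of any email


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str
    requested_by: str
    approvers: set = field(default_factory=set)
    callback_verified: bool = False  # True only after a call to the vendor's number on file


# Constructed vendor master.
VENDOR_MASTER = {
    "Acme Supplies": Vendor("Acme Supplies", "ACCT-CONSTRUCTED-0001", "+1-555-0100"),
}


def evaluate_payment(req: PaymentRequest, vendors: dict) -> tuple[bool, list[str]]:
    """Return (release_allowed, blocking_reasons) for a single payment request.

    Each control is independent of who sent the request and of the message
    that carried it, so an urgent email from an impersonated executive
    cannot satisfy any of them on its own.
    """
    reasons = []
    vendor = vendors.get(req.vendor)

    # Vendor change validation: bank details that differ from the vendor
    # master are treated as a change request and need call-back verification.
    if vendor is None:
        reasons.append("vendor not in vendor master")
    elif req.bank_account != vendor.bank_account and not req.callback_verified:
        reasons.append("bank account differs from vendor master; call-back verification missing")

    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        # Dual approval: two approvers, neither of whom is the requester.
        independent = req.approvers - {req.requested_by}
        if len(independent) < 2:
            reasons.append("dual approval required: fewer than two approvers other than the requester")
        # Out-of-band verification for large transfers, regardless of bank details.
        if not req.callback_verified:
            reasons.append("out-of-band verification required for large transfer")

    return (not reasons, reasons)


def bec_style_request() -> PaymentRequest:
    """Constructed request resembling Phase 4: changed bank account, urgent, one approver."""
    return PaymentRequest(vendor="Acme Supplies", amount=850_000.00,
                         bank_account="ACCT-CONSTRUCTED-9999",
                         requested_by="cfo@example.com",
                         approvers={"cfo@example.com"})


def legitimate_request() -> PaymentRequest:
    """Constructed request that satisfies all three controls."""
    return PaymentRequest(vendor="Acme Supplies", amount=850_000.00,
                         bank_account="ACCT-CONSTRUCTED-0001",
                         requested_by="ap.clerk@example.com",
                         approvers={"controller@example.com", "cfo@example.com"},
                         callback_verified=True)


if __name__ == "__main__":
    for label, req in (("BEC-style", bec_style_request()), ("legitimate", legitimate_request())):
        ok, why = evaluate_payment(req, VENDOR_MASTER)
        print(label, "RELEASE" if ok else "HOLD", why)
```

The design point is that `callback_verified` can only be set by someone who dialled the number already on file, never by the party requesting the change, and that the requester is excluded from the approver count. Urgency in the request text has no field to act on.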
Lack of an incident response plan

After the early warning signs appeared:

  • No containment measures were put in place.
  • User accounts were not promptly reset.
  • Logs were not reviewed in real time.

This allowed the attacker(s) to retain access and do greater damage.

The Human Element – Social Engineering on a Large Scale

The human element makes this case unique. The attackers used both technical and non-technical means to exploit the finance employee’s email account: studying the employee’s email patterns, mimicking the employee’s writing style, and timing messages to align with previous email exchanges. This pattern matches what global law enforcement agencies have documented in their investigations and reporting of cybercrime. The attack on the finance employee was sophisticated both in the malicious software used and in the planning involved.

Financial Consequences:

The direct $3,200,000 loss is only part of the total cost.

Direct Consequences

  • Short-term financial loss
  • Legal/compliance costs

Indirect Consequences

  • Reputation loss
  • Loss of customer confidence
  • Retraining and rehiring costs caused by employee turnover

Long-term Consequences

  • Increased costs for insurance
  • Increased regulatory scrutiny
  • Costs associated with reconfiguring IT security systems

Cybersecurity Teams Can Learn Important Lessons From This Incident

Cybersecurity teams can learn several important lessons from this incident.

Implement “Zero Trust”

Establish a “trust no one” model by continuously verifying user identity and device (multifactor authentication, least-privilege access, and device verification).

Improve Email Security

Use advanced phishing prevention and monitoring tools, build employee awareness, require adherence to the company phishing policy when using email, and closely monitor the company’s domains for lookalike registrations that could be used in phishing.

Protect Financial Functions

Require multi-step verification of outgoing payment requests, vendor verification, and automated anomaly detection for payments made by the company.

Increase Detection/Response Ability

Deploy a Security Information and Event Management (SIEM) system and an endpoint detection and response (EDR) tool, and set up real-time alerting to improve detection and response efficiency.

Conduct Regular Security Reviews

Periodic security reviews help identify:

  • Configuration problems
  • Policy gaps
  • Emerging Risks

How Are AI Tools Assisting in Preventing PBSD Scenarios?

AI-based solutions are increasingly used to detect and prevent PBSD incidents by flagging:

  • Anomalous Behaviors
  • Suspicious Logins 
  • Phishing Attempts

Many organizations are utilizing AI from vendors such as CrowdStrike and Palo Alto Networks; however, these tools must be:

  • Properly configured
  • Monitored continuously
  • Integrated within the overall workflows

Could The Incident Be Prevented?

Yes. There were multiple points in the attack chain where this type of attack could have been stopped:

  • MFA could have prevented initial access
  • Email alerts could have identified the anomalous activity
  • Financial controls could have blocked the transfers
  • A faster response could have minimized the damage

That is what characterizes a PBSD incident: cumulative failures create the conditions for the loss.

Implications For The Entire Industry

PBSD incidents have been occurring for quite some time now; they continue to follow the trend of:

  • cyberattacks are becoming multi-faceted
  • social engineering is more effective now than ever
  • traditional measures are no longer applicable on their own to protect organizations

Organizations can no longer afford to respond to threats reactively; they must build proactive resilience.

Things To Remember

The story of the PBSD victim of a $3.2 million cyber incident shows that breaches seldom occur due to one point of failure. Instead, breaches typically are caused by a combination of:

  • Weak Technology
  • Weak Processes
  • Human Error

The message for cyber professionals is: it’s not just about preventing breaches; it’s about preventing escalation after a breach. In today’s threat landscape, the real damage often happens after the attacker is already inside.

Priyanka Shaw
I’m a Content writer with 5+ years of experience across various genres, including technology, healthcare, finance, education, retail & shopping, and other miscellaneous topics. I’m a firm believer that quality and precise knowledge are more important than incomplete knowledge. Holding a Master’s degree in English, I have hands-on experience in publishing articles, reviewed and supported by facts and authentic data.