Changes
PART A
Missing Attack Types:
MITM:
A man-in-the-middle (MITM) attack is also a credible threat, given that Jordan works from home full-time. If Jordan connects to an unsecured or compromised Wi-Fi network, an attacker could intercept traffic between his device and the corporate network, potentially capturing credentials or sensitive data in transit. This is particularly concerning given Linkchain Gaming's recent incident involving compromised credentials.
Phishing:
Phishing is when an attacker tricks people into revealing sensitive information or installing malware by pretending to be a trusted source. The brief confirms that Jordan always opens email attachments sent by colleagues and his line manager without first verifying their legitimacy. This behaviour is precisely what phishing attacks are engineered to exploit. By spoofing a trusted sender, such as a colleague or manager, an attacker could deliver a malicious attachment that Jordan would open without suspicion. His habit of downloading attachments to verify they have downloaded fully further increases the risk of inadvertently executing malicious files.
Brute Force:
A brute force attack is where the attacker attempts to gain unauthorised access to accounts, systems, or encrypted data by systematically trying every possible combination of passwords and credentials until the correct one is found. As a new employee who has recently completed his induction, Jordan may still be using a temporary or default password assigned during the onboarding process. These passwords are frequently simple and predictable, making them highly susceptible to brute force attacks where an attacker systematically attempts common password combinations. If Jordan has not yet been required to set a strong, unique password, his account could be compromised with relatively little effort.
XSS (Cross-Site Scripting):
Cross-site scripting is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Jordan's role as a junior developer makes XSS a particularly relevant threat vector. Developers regularly interact with web-based tools such as code repositories, bug trackers, and development frameworks, many of which involve user-generated content that could be exploited for script injection. If a malicious actor has injected scripts into a development tool used by Linkchain Gaming, Jordan could unknowingly execute malicious code simply by accessing these platforms as part of his normal workflow. Furthermore, as a junior developer who is new to the company, Jordan may not yet have received sufficient security training to recognise the signs of a compromised web application.
Address the disgruntled employee incident.
The recent incident involving a disgruntled employee sharing credentials introduces an additional threat vector that must be considered. The fact that credentials were used to access confidential shared folders suggests that access controls and privilege management were insufficient. It cannot be ruled out that Jordan's system issues are connected to this broader compromise, for example, if malware was introduced to the network during that incident and has since propagated to Jordan's device via the corporate network.
Strengthen the Cyber Attack vs Software Problem Distinction
Network traffic analysis using a tool such as Wireshark would capture packet data across all network segments. In the context of Jordan's intermittent connectivity, a network analyst would look specifically for unusual outbound connections, particularly to unfamiliar IP addresses or at irregular hours, which could indicate command-and-control (C2) communication from malware installed on the device. This would distinguish a cyber attack from a simple misconfiguration of Jordan's home router.
PART B
Connect each email to the organisation
Email 1:
After HTTP/HTTPS
This risk is compounded by Jordan's full-time remote working arrangement. Working from home, Jordan accesses Linkchain Gaming's systems entirely over the internet, meaning any credentials intercepted via an unprotected HTTP connection could immediately be used to access corporate resources remotely. Unlike an office environment where network traffic may be monitored centrally, Jordan's home network is unlikely to have enterprise-grade traffic inspection, making the absence of HTTPS encryption particularly dangerous in his case. The firewall interrupting the link suggests Linkchain Gaming has some protective measures in place. The fact that Jordan was able to proceed past the warning indicates that user awareness training is currently insufficient. Jordan did not recognise the warning as a reason to stop.
After Reschedule
This indicator is particularly significant in Jordan's context. As a new employee who has only recently completed his two-week induction, Jordan is unlikely to be sufficiently familiar with legitimate communications from external companies such as UPS to confidently identify subtle inconsistencies in sender addresses. Attackers deliberately choose to impersonate widely recognised brands like UPS precisely because they are trusted universally, a new employee like Jordan, who may regularly receive delivery notifications for work equipment or company parcels, would have little reason to question such an email.
Recommended Action: (NEW)
Jordan should not interact with any links in this email and should report it immediately to Linkchain Gaming's IT security team as a phishing attempt. Given that Linkchain Gaming has recently suffered a credential-based breach, the IT team should treat this email as part of a potentially targeted campaign against the organisation rather than an isolated opportunistic attack. The sender's IP address should be blocked at the firewall level and the domain flagged for monitoring. This incident should also be escalated to the organisation's security operations team and documented as part of Linkchain Gaming's ongoing incident response process. At an organisational level, this email highlights the urgent need for structured phishing awareness training, particularly for new employees like Jordan, whose onboarding may not have adequately covered the identification of social engineering attempts.
Email 2:
After ZIP attachment:
This risk is directly amplified by Jordan's established behaviour of always opening email attachments sent by colleagues and his line manager without first verifying their legitimacy. The brief confirms this explicitly, and it is precisely this behaviour that makes a disguised attachment such as this one so dangerous in Jordan's case. An attacker with knowledge of Linkchain Gaming's internal structure, potentially acquired during the previous insider incident, could craft an email appearing to come from Jordan's line manager or a trusted colleague, knowing with reasonable confidence that Jordan would open the attachment without question. As a new employee still familiarising himself with colleagues and internal processes, Jordan is particularly unlikely to question communications that appear to come from within the organisation.
Recommended Action:
Jordan should not click, open, or download any attachments from this email under any circumstances. The 58/68 VirusTotal detection rate makes this one of the clearest malware threats identified during this investigation. The email and attachment should be reported immediately to Linkchain Gaming's IT security team, who should isolate the file in a sandboxed environment for further forensic analysis to determine whether the Trojan has already been executed on Jordan's device. If there is any possibility that Jordan previously interacted with this attachment, a full forensic examination of his device should be conducted immediately, and a device re-image should be considered as a precautionary measure. Given Linkchain Gaming's recent credential breach and the Trojan's capability to provide persistent remote access, the IT security team should also conduct a network-wide sweep to determine whether any lateral movement has occurred from Jordan's device. This incident should be escalated to the security operations team and documented within the organisation's incident response framework. Regardless of whether this email represents a genuine attack or an internal phishing simulation, it highlights a critical gap in Jordan's security awareness training that must be addressed as a priority.
Email 3:
Unprotected Website:
This risk is particularly acute for Jordan, given his full-time remote working arrangement. Working from home, Jordan accesses Linkchain Gaming's corporate systems entirely over the internet without the protection of enterprise-grade network monitoring that would be present in an office environment. If the link in this email were to become active and Jordan were to visit the unprotected page, any credentials entered would be transmitted without encryption and could be intercepted in transit. For an organisation that has already suffered a credential-based breach, the interception of Jordan's login details via an unprotected connection would represent a direct and immediate repeat of the circumstances that led to the previous incident.
After Grammatic Errors:
However, Jordan's position as a new employee who has only recently completed his two-week induction means he may not yet have developed the baseline familiarity with professional corporate communications needed to reliably identify these red flags. New employees are often conditioned during induction to be responsive and cooperative, particularly when emails appear to come from authority figures or IT departments requesting urgent action. An email framed as an urgent security request, as this one appears to be, is specifically designed to override careful scrutiny by creating a sense of pressure, making it especially effective against newer employees like Jordan, who may feel compelled to act quickly to demonstrate competence and compliance.
As there is no attachment, VirusTotal is only able to assess the links themselves, and malicious websites are frequently rotated or newly registered to avoid detection by signature-based tools. The absence of a detection, therefore, reflects a limitation of the tool in this context rather than confirmation of legitimacy.
Conclusion
The investigation strongly suggests that Jordan’s system issues stem from a deliberate, multi‑vector cyber attack rather than routine software faults. While corrupted files or outdated drivers can’t be fully ruled out, the presence of confirmed malware, active phishing attempts, and credential‑harvesting emails aligns far more closely with a targeted intrusion. The malicious ZIP file in Email 2, flagged by 58/68 VirusTotal engines, provides a credible delivery mechanism for a Trojan capable of persistent remote access, while Emails 1 and 3 attempt to harvest credentials in a way that mirrors Linkchain Gaming’s previous breach.
This situation is made more serious by the organisation’s weakened security posture following the insider incident, combined with Jordan’s high‑risk profile as a new, remote employee who routinely opens attachments without verification. A coordinated campaign against him is therefore plausible. Immediate remediation should include forensic imaging and re‑imaging of Jordan’s device, enforcing MFA, and strengthening email gateway filtering. Medium‑term improvements such as PAM, tighter access controls, and mandatory phishing awareness training are essential, and pursuing Cyber Essentials certification would give Linkchain Gaming a structured path to rebuilding its security. Implementing these measures promptly would significantly reduce the likelihood of further compromise and demonstrate a clear commitment to regulatory and security obligations.
PART C
| Change | Why It Matters |
|---|---|
| MFA justified with specific reference to the credential breach | Connects the recommendation directly to Linkchain Gaming's known vulnerability |
| PAM is linked to the least privilege, and the previous incident | Explains the why rather than just the what |
| The email gateway is linked to Jordan's behaviour | Justifies the recommendation as essential precisely because training alone is insufficient |
| Forensic imaging before re-imaging | Shows professional incident response awareness beyond basic remediation |
| GDPR 72-hour reporting obligation named | Demonstrates compliance awareness specific to UK organisations |
| Cyber Essentials is framed around specific weaknesses found | Connects future recommendations to the actual investigation findings |
| Training urgency justified through Jordan's demonstrated behaviours | Uses scenario evidence to prioritise recommendations rather than listing them equally |
Comments
Post a Comment