Photo Credit: I .. C .. U via Compfight cc
A handsome man walks into his office, lights up his laptop and there’s a message in his inbox. He clicks on it and text (printed in the smallest of fonts) reads: Good morning Jim. Our organization is under attack. Our intelligence tells us that a group of hackers is after our IP. Your mission Jim, should you choose to accept it, is to identify these malicious hackers and stop them before they breach our defenses, extract our secrets and sell them to the highest bidder. To accomplish this you will need to assemble a team of the finest agents at our disposal. As always, should you or any of your IT Force be caught or killed, the Secretary will disavow any knowledge of your actions. This message will self-destruct (if you hit “Shift+Delete”). Goodbye Jim, and, good luck.
Jim closes the laptop and opens his tablet. He opens the personnel file and with swift gestures scrolls/ flips through the people at his disposal. I need people with real experience in the cyber trenches, he thinks to himself. He narrows the list of likely candidates to three: Chang, the SOC manager, Alexander- the cyber intelligence analysts and the beautiful (yet lethal) Joan – the penetration tester. He asks them to convene in his office immediately. Once assembled he briefly explains the gravity of the situation.
“We know our organization is the target of a particularly nasty group of hackers, presumably from Eastern Europe. In the next 48 hours they will try to breach our IT systems and steal whatever they can find. The consequences could be catastrophic. We must act immediately. Each team member nods his head. They understand exactly what they need to do.
The first to speak is Alexander- the cyber intelligence analyst: “Boss, how did we come to learn about this activity, and what more do we know about these hackers”? Jim answers: “Regarding the first question, I’m not in a liberty to share the exact details of how we know this, let’s just say our friends from the Agency were kind enough to notify us. Regarding the second question- The only other piece of information we have is that their leader uses the alias ‘Pleya’. The agency thinks he might be involved in gambling activities. That’s all we have right now. Alex is typing on his laptop as Jim is speaking. ‘I’m on it Boss,” he says. The other two are silent, taking notes on their tablets.
Jim speaks again: “I’m certain each of you knows what he needs to do now. I’m going to brief the CIO about this and we will meet here again in exactly two hours”. As the team leaves the room Jim heads for the elevator. He thinks to himself- this isn’t as bad as I expected. With some luck we might be able to pull through this. The CIO is not as optimistic. “Jim, the top brass are breathing down our necks” he says. “We have been asking for this massive budget for IT security, and used scare tactics to get most of it. I’m afraid if we don’t deliver on this one, you, me and the team are all facing termination”… Don’t worry Boss, says Jim. We are on it.
The next 100 minutes go so slowly that Jim thinkst they might never end. He knows he has to trust his team and that he cannot act in any peculiar way, lest other employees know about this threat and create mass panic. He nervously checks all the indicators he can from his laptop to see if their systems have already been breached, but no system shows any particular sign of irregular activity (the SIEM/ Firewall was showing several hundred alerts, but that was nothing unusual).
When the time he allocated for the team is over they meet again. Alex is the first to talk: “I think I have a lead Boss. I cross-referenced information from several threat intelligence feeds we are subscribe to and I’ve zoomed in on this group of Ukrainian hackers. They specialize in IP theft and then sell it to the highest bidder on the underground market. Their preferred method of operation is by weaponing Excel files and sending over email to procurement managers stating that these files contain new discounted rates for office supplies. Once opened these unleash a nasty type of malware that uses privileged access rights to access the secured procurement database and from there to the more confidential CAD designs. It then sends this information to a server in Togo.”
Good work, says Jim. He then shifts his glaze to Chang, the SOC manager. Chang speaks without raising his eyes from his tablet: “We’ve created new rules in all our perimeter, IPS/ IDS and DLP systems which should be able to alert about this malware. BTW it is a variant of another malware we know very well.”
Joan jumps right in: “I’ve tried to simulate this attack vector. The results were good, from 10 people who’s received my spoofed email only 2 opened the attachment, and our systems quickly identified the malware inside.
Jim speaks: “Good job everyone. With some luck these measures will be enough this time. Alex, keep your eye on this group and try to see if Pleya is offering others to join the attack or sell something. Chang, I want you to double the manpower at the SOC and ping me whenever anything out of the ordinary happens. Also double-check any third party vendor we work with to see nothing comes from there.
“Oh, and let’s please send a cross-company email to refresh people’s memories about the importance of email diligence.
“I want to meet again every six hours until the deadline. You report to me alone, in person. No email or texting, remember: they might already be inside our systems.”
The next 40 plus hours are uneventful. When they meet again Jim thanks the team and tells them they can go back to their routine tasks, and that they should be prepared to be called upon at any minute.
Now Jim knows he is about to face his greatest challenge. He will have to explain to the CEO what happened and what his recommendations are. When Jim enters the room the CIO is there, along with the CEO, the Chief Risk Officer and his arch rival, the CFO. They all want explanations. Jim patiently explains what the threat was and how it was mitigated. Jim sweats throughout this exercise. When he is done the CFO jumps right in: “So you’re telling me all the money we’ve spent last year was wasted because it wasn’t a real threat??”
The CIO calms him: “Dan, let’s not jump into conclusions. The fact nothing happened is thanks to the hard work of Jim, his crew and the controls we have in place. We need to keep inverting to maintain this high level of preparedness. The Risk officer wants to know how such a threat was handled by the known security controls and if it effects the overall risk score. The CEO wants to know if this had anything to do with the latest cyber vulnerability he saw on MSNBC that morning.
Jim answers all these questions to the best of his ability, occasionally glancing at this Boss the CIO who’s’ look was saying- “I know, I know”. Once the meeting is concluded it is decided that Jim should make sure his people are on high alert and report on anything suspicious.
Taking the elevator down to his office he tells the CIO- “I guess we live to fight another day?” The CIO smiles a tired smile and says “until the next budget meeting that is”…
Tired, Jim returns home at around midnight. Before closing his eyes he notices the red light on his mobile is blinking. A new incoming message. Jim thinks about opening and reading it. But then he lays down the device without looking at the message and turns off the lights. Before falling asleep he thinks to himself –“if it’s critical, they’ll find a way to reach me” and closes his eyes.