Can you accurately work out where your critical controls failed?

Can you accurately work out where your critical controls failed?

One of my squaddies shared an article with me this weekend that I feel compelled to share here because its subject – the malicious “insider threat” – tends to make leaders queasy. The article was written by David Roza for the website Task & Purpose on 26th January and titled (seriously!):  ‘Delete all phones’ — How one man killed communications at an Air Force base for weeks. Kudos to the editor because that headline has made me laugh every time I’ve read it.

I’m only going to summarize the story since I want you to both read and share the original. In a nutshell, some years back, the military IT boffins at Whiteman AFB, Missouri hired a corporate contractor to run part of their voice systems network for them. In October 2017, one of the civilian company’s civilian contractors decided – for some reason – to destroy all of the base’s virtual phone records in their VOIP switch. This fellow took it upon himself to wilfully and maliciously scrag thousands of virtual phones, plunging the base into administrative chaos. Then … and this is, to me, the best part of the story … the saboteur just … stayed at his desk, He carried on working for an unknown number of days or weeks until the MPs nicked him.

You’d think that sort of criminal breach of trust would lead to the perpetrator getting fricasseed by a drone-delivered AGM-114R9X “flying ginsu” missile. Apparently, the base’s reaction wasn’t so creatively vindictive (although I daresay I can guess how the local comm squadron commander felt about it). Per the last paragraph in Mr. Roza’s article:

“The [accused’s plea]agreement does not specify why [the accused] triggered the command, but it did explain that his crimes have a maximum punishment of 10 years of imprisonment and a $250,000 fine. Instead, with the guilty plea, [the accused] agreed to a sentence of five years’ probation, no fine, $26,927.08 in restitution to the Air Force and a $200 special assessment. The court has the option of rejecting the plea agreement.”

That seems like an awfully good deal, considering

This fellow is guilty of violating privileged user ethics rules and sabotaging a comms system on a bomber base. Yeah, I can see the military “rejecting the plea agreement.” If nothing else, the next potential “rebel sysadmin” needs to consider what awful fate befell this bloke and reconsider their dastardly plan before pulling a similar stunt on their government employer’s crucial C4I systems.

All that being said, I’m absolutely fascinated by the fact that the saboteur didn’t immediately flee after committing his crime. I want to read the court psychiatrist’s records on this case. Saboteur dude did a sabotage, then stuck around like nothing hand happened! He kept processing work orders (or whatever his job was) for … hours? Days? Weeks? I suspect that a more rational criminal would have legged it just as soon as their caper was complete. What was this guy thinking?! He had to realize that getting caught would bring a world of hurt down on him. Abusing your privileged position and betraying your nation’s trust to disrupt critical comms for a freaking military base? That’s not the sort of “whoopsie!” moment that the military is known for laughing off.

This one, peculiar twist in the narrative stands out to me like one of those third act side comments from an episode of Vera that retroactively re-frames the entire narrative and shifts focus from the assumed suspect onto one of the minor background characters. There’s something about this odd, unexpected, atypical behaviour that I find captivating. If the saboteur’s objective was to inflict a coms outage, then why stick around after the deed was done. If the objective was to make a statement, then why not make one as soon as the attention-grabbing exploit was executed? If, instead, the objective was to keep getting paid as cushy government contractor gig, then why sabotage the bloody phone system in the first place?

Insider threat cases fascinate me. The psychopathology required to gamble away a fantastic opportunity and ruin your life for such small potential gain …

It’s maddening. It really is. We’re probably never going to know the fellow’s real motivations or thought process, so let’s make the best of what we do have: the internal sabotage of Whiteman AFB’s VOIP service can serve as a killer case study or tabletop exercise premise for Cyber Ops teams. It’ll make for great discussion fodder. Consider:

  • How was one sysadmin able to execute the entire delete all phones command sequence on his own? Why were our ‘two-person accountability’ rules violated without anyone knowing?
  • Why did this major system change not trigger any alarms? Or were alerts sent to Splunk, etc., and missed or ignored?
  • Why wasn’t the VOIP phones database backed up such that it could be restored in hours rather than re-built over weeks?
  • Had anyone noticed this fellow acting strangely in the weeks leading up to the crime? If someone did notice peculiar behaviour, why didn’t they report it? If they did report it, why weren’t those concerns acted on?
  • Did this fellow have any history of squirrely behaviour, either on this job or in previous jobs? If there was evidence of potential untrustworthiness, why was this fellow entrusted with superuser authority over this comms system?

So many good questions. I imagine the After-Action Review from Whiteman has already addressed these questions and has meticulously reconstructed the event from square one. I’d adore getting to read it (just please don’t send me classified info, as I don’t have a U.S. security clearance anymore) (thanks).

For the record, I am not the least bit interested in trying to continue this column series from prison. I’m all for a healthy challenge, but … no thanks. I’ll pass.

Nonetheless, with a little adaptation, I encourage security departments everywhere to use variations of these same questions in a local exercise. Pick a system that a malicious insider could take offline with their elevated credentials and play through not just the immediate security incident, but the post-incident investigation as well. Challenge yourselves: can you accurately work out what really happened and where your critical controls failed?

Odds are, a rousing tabletop exercise might highlight a few of your team’s existing suboptimal security controls. Give you a change to apply some process improvement now, before they’re really needed. That might save your organisation a ton of downtime and drama if one of your own – God forbid – tries to pull off a “Whiteman Wipe.”

Copyright Lyonsdown Limited 2021

Top Articles

Is your security in need of an update this Cybersecurity Awareness month?

Cyber security experts tell teiss about the evolving threat landscape and how organisations can bolster their cyber security defenses

A new case for end-to-end encryption

How a hacker group got hold of calling records and text messages deploying highly sophisticated tools that show signs of originating in China

Telcos in Europe put muscle behind firewalls as SMS grows

Messaging is set to be one of the biggest traffic sources for telcos worldwide prompting them to protect loss of revenue to Grey Route practices 

Related Articles

[s2Member-Login login_redirect=”https://www.teiss.co.uk” /]