A credulous investigation into a security breach

Extract from summary results of post-breach investigation

Date: 1 April

This summary report presents preliminary findings of an investigation into the recent security breach at Fate and Luck Enterprises (FALE). We were appointed by the company's board of directors to investigate the incident, with assistance from their Chief Prophecy Officer, B Leaf.

B Leaf explained that the breach was a highly sophisticated cyber-attack, executed by a group of black cat hackers, who used powerful techniques and tools to circumvent the organisation's advanced cyber security measures.

Our brief was to determine the nature of the attack and evaluate the measures taken to prevent a recurrence of similar activity in the future. The findings provided in the full report (withheld for reasons of confidentiality) are based on a detailed root cause analysis, during which we identified a combination of events and circumstances that led to the security breach.

The origins of the incident can be traced back seven years to a major strategic project called Looking Glass, which failed after considerable R&D investment by the company. On reflection, the failure represented the precursor to a sequence of adverse events that were compounded by insufficient protection of business assets over many years.

Factors that are considered to have influenced the security breach:

1. Members of the Looking Glass project team had been made redundant, including key personnel who had served the organisation for many years.

2. Stakeholders (including joint business partners and tier-1 suppliers) were not kept informed about project risks and were not fairly compensated after the cancellation of the project.

3. Some of the business activities associated with Looking Glass were in direct violation of both Murphy's Law and Sod's Law.

4. Credentials for privileged users on the project were carelessly overheard by and disclosed to two individuals performing surveillance during a flight taken by senior executives from Copenhagen to Helsinki.

5. Known deficiencies in the security controls required to protect business assets, combined with systems exposed to known critical vulnerabilities, remained unaddressed for months.

Unbeknown to the organisation, a small group of disgruntled individuals (including ex-employees and business partners) began a multi-year campaign to damage the reputation of the organisation. With insider knowledge of the organisation's business processes, technical infrastructure and weaknesses in risk management, these individuals took steps to sabotage infrastructure components, disrupt business operations and harass staff.

Using a freely available open-source exploit framework called Umbrella, the group were able to craft a targeted piece of malware, customised to affect the integrity of the organisation's production systems, particularly the company's deep wishing well operations.

Despite the complexity of creating malware using the Umbrella framework, the attackers were able to horseshoe a variety of powerful features into the malware payload like magic markers and even throw in anti-salt functionality.

The Umbrella-based malware was deployed via fake emails that were manipulated to look like genuine senior management communications. Consequently, many operational staff opened the 'Umbrella' emails within the operational network. This had a devastating effect with the malware's payload wreaking havoc across operational systems and then the corporate network. We believe this malware infection occurred on the group's first attempt, reflecting what we can only describe as beginner's luck.

The malware propagated across FALE's global network quickly, harvesting and exfiltrating more than 666 gigabytes of sensitive information and causing long-term damage to critical systems.

Analysis of the malware code suggests two of its authors are ex-FALE senior engineers who use the hacker pseudonyms Phingrz and Wudz. Comments left in the code (possibly intentionally) included the statements 'Don't Kross the Phingrz' and 'U can't touch the Wudz'.

Phingrz and Wudz are believed to be Phil Moon and Ryan Bow respectively, who were outspoken following their redundancy, claiming they were undermined despite successfully climbing the corporate ladder.

Despite confident public statements and bold claims in annual reports about the investment made in cyber security, our assessment revealed an unacceptable level of risk to FALE's information, technical infrastructure and other business assets.

1. Information and technical infrastructure were inadequately protected, with no formal approach or control framework in place. From our discussions with technical analysts there was clear frustration that they were barely avoiding the cracks and protecting assets with sticking plaster.

2. A range of AI-based psychic threat intelligence and monitoring systems have been in place for more than two years. However, these systems failed to:

  • anticipate insider threat activity
  • discover the malware present on the network (even though no zero-day vulnerabilities were used)
  • prevent the malware from executing on corporate systems
  • detect subsequent unauthorised activity on critical systems throughout the global network
  • intercept and restrict the transfer of highly confidential information to unauthorised external servers.

3. An enterprise-wide security awareness campaign, called White Rabbit, has been running for two years and requires all employees to consider security at the beginning of every day. However, there is no evidence that it has reduced loss events across the organisation.

According to B Leaf (Chief Prophecy Officer), FALE use a structured assessment method based on astrology. At monthly risk management meetings, decisions on risk treatment are aided by plotting zodiac signs on simple horoscope charts. Risk reports are generated and presented to senior management using the award-winning and fortune-telling service Tarot.

Having been advised to apply risk management methods that are based on séance and numerology, the security function have recently implemented a new sophisticated risk forecasting tool called Nostradamus. This uses an AI-based scoring system, together with advanced decision-making techniques (including cleromancy and geomancy) to provide senior management with greater confidence about how key business risks are being managed.

It is understood that an intensive 12-month security improvement programme, code named Mea Culpa, is due to commence on Friday, 13 April. CRO Lou Ki Charma and CISO Di Vine are responsible for delivering the programme. However, industry analysts think it will take a miracle for FALE to make the necessary improvements before the end of the year.


I am sure you have realised this is a fictitious scenario with a superstition theme. Any similarity to actual events or individuals is purely coincidental. Superstitions are a fascinating topic. Most of them are irrational, and there are a lot of them, yet some seem to have a hold over us when we interpret information, make decisions and communicate facts.

To what extent do you see irrational belief influence how risk is managed? And what are the consequences? And how many superstitions did you spot above?

Good luck

Ryan Kingston-Jones

Director of Technology & Strategic Operations - Cyber | AI

4 years

As the government always says, “follow the seance.”

Reply
Lothar H?nsler

CISSP I CISO I IT Security Officer

4 years

From what I read in the newspaper, FALE went out of business but their senior leaders created a startup under the name FAIL - Futuristic Astrological Intelligence Leaders - and are now running a risk consulting agency with a customer base growing on a daily basis, as people prefer to base their risk decisions on hope, fear, luck and, yes, superstition. Today is July THIRTEEN, this must be an omen ;-)

More articles by Mark Chaplin