How ACME Co. Survived their First Cyber-Attack Part II

Week 2: That Wasn’t Me!

This is Week 2 of Cybersecurity Awareness Month 2022. We’re following ACME Co., a fictitious small business that just suffered its first breach.

Time For A Fresh Cup of Coffee

It was late morning on an unusually busy Monday. It was busy because the employees of ACME Co. had just realized their company lost $50,000 in some sort of hack. The finance guy, Fred, was on the phone. He attempted to navigate the system to reach their bank’s fraud department. With the phone to his ear, he squished his face at ACME’s owner, Joanna, and mouthed the words, “it shouldn’t be this hard...”

Being a small company, Joanna had declared herself the Incident Commander and started a case file to document the hack. After speaking with a neighbor with some security experience, an impromptu plan was put in place – and assigning the commander role was one of the steps. Joanna reached for her coffee cup, attempting to take her first sip since pouring it. It’d been cold for a long time.

Tips From an Incident Commander

More than once, I’ve heard a chuckle at the term “Incident Commander.” Call it what you will, assigning the role in the early stages of an incident is a key step. The more hectic a scenario becomes, the easier it is for miscommunication and confusion to ensue. Having a point person or hub of information is key to consistent action during a crisis. In larger organizations, it’s better to have a security leader take this role so that company leadership can focus on decision making. Smaller organizations, like the one in our story, may not have enough staff to have someone dedicated to this role – so folks may have to wear multiple hats. Similarly, having a designated location is helpful. Many call it a “war room.”

Jack of All Trades

Joanna messaged her IT person, Mark, asking him to call her immediately. She ended the message with “911” in the hope that he would understand the urgency. To her relief, Mark called within a few minutes. He was up to speed in moments. The two agreed to avoid emails about the incident. They decided to use text and phone calls for now, and each would keep detailed notes.

Another trusted member of the team, Mark was the classic tech geek. He seemed to be able to operate anything with a power button. Mark was a one-man IT team, keeping ACME’s systems and services running. Joanna recognized he was quite technically competent, but she wasn’t sure how he’d handle this emergency. Within the hour, Mark was in ACME’s conference room with his laptop and an entire case of Mountain Dew.

Mark dove into his task with a remarkable ferocity. He was supposed to be working from home, but hearing terms like “hack” and “war room” spiked his adrenaline and made him want to be in on the action. He drove into the office immediately. After all, it was one of his systems that appeared to have been hacked. Mark could not let that stand.

Sugar, Caffeine, and Fear

Stress can do interesting things to the human body. We’ve been programmed by Mother Nature to respond well in an emergency. Senses are heightened, heart rate accelerates, fight-or-flight takes hold. It’s an effective resource in an incident handling scenario... until a person crashes. Joanna doesn’t yet know that one of her primary responsibilities is to keep track of her team during this stressful time and ensure no one is close to flaming out. After the excitement wears off and exhaustion sets in, mistakes are made.

The Rabbit Hole

Joanna and Fred shared the details of the email with Mark as soon as he set up in the conference room. Mark shoulder surfed as Fred brought up the email and made the few clicks to show the detailed headers. Mark made notes, mumbling to himself the whole time. When he had what he needed, Mark tunnel-visioned on his laptop screen and said to the room, “let me track down that email.”

ACME was fortunate to have an IT person like Mark. He knew where to look and what to look for when it came to a compromised email account. There was just one problem: there were zero indicators of compromise on Joanna’s account. Mark couldn’t find anything in ACME’s systems to show that the email came from them. His initial theories caused him serious concern. Perhaps ACME got compromised by a hacker who was so good, and covered their tracks so well, that Mark could not find any trace of their activity.

When Mark was about to give up in frustration, he decided to take a step back and start over with his troubleshooting. He focused his attention on the email to Fred again – the email that requested a wire to be sent. And shortly after his re-focus, Mark saw it. The information was there all along, but the idea of a hack was too strong to ignore. Mark realized he had wasted so much time assuming it had been a hack.

When You Assume, You...

In an incident response scenario, it is so very easy to jump to conclusions. Assuming the worst (“we’ve been hacked!”) is the easiest reaction to an unusually suspicious event. Seeing an email from you that you didn’t send is certainly disconcerting, and one may jump to the conclusion that there’s a hacker lurking in your email account. The trouble is, making a wrong guess early on can cause a lot of wasted effort by some team members and great confusion among others. Patience is often lacking in a time of crisis.

It turns out that ACME was not hacked after all; the email was a spoof. The email claimed to be from Joanna, and Joanna’s email was displayed in the TO: line. But, under the covers, Mark could see the spoof came from outside the system. Somehow, it was delivered without getting flagged as Spam or blocked along the way. Mark had followed the rabbit hole deep enough to figure out what had happened. Next, he had to find the root cause – what allowed that spoof email to be delivered the way it was.
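What “under the covers” looks like in practice: the detailed headers Mark pulled up carry the delivery path (the Received chain), the bounce address (Return-Path) and the receiving server’s SPF/DKIM/DMARC verdicts (Authentication-Results), and a spoof that only dresses up the From: line tends to disagree with all three. The script below is an added example, not code from the story or from any real ACME Co.; the two messages, host names, addresses and verdict values are constructed, and the list of internal mail hosts and the company domain are assumptions. It flags a message whose From: claims the company domain while the first hop is external, the Return-Path is foreign, or the authentication results are not “pass”.

```python
"""Spoofed-sender check over raw email headers (added example, constructed data).

Demonstrates the kind of header inspection that separates a look-alike spoof
from a genuinely compromised mailbox: a spoof has an external first hop,
a foreign Return-Path and failing SPF/DKIM/DMARC verdicts, while the
From: line alone looks perfectly internal.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "acme.example"                                    # assumption
INTERNAL_HOSTS = {"mail.acme.example", "mx.acme.example"}      # assumption

# Constructed sample: From: claims the owner, but the delivery path and the
# receiving server's verdicts say the message came from outside.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-hyp.example>
Received: from mx.acme.example (localhost [127.0.0.1])
\tby mx.acme.example with ESMTP id abc123
\tfor <fred@acme.example>; Mon, 3 Oct 2022 09:41:02 -0400
Received: from relay.mailer-hyp.example (relay.mailer-hyp.example [203.0.113.5])
\tby mx.acme.example with ESMTP id abc122
\tfor <fred@acme.example>; Mon, 3 Oct 2022 09:41:01 -0400
Authentication-Results: mx.acme.example;
\tspf=fail smtp.mailfrom=mailer-hyp.example;
\tdkim=none;
\tdmarc=fail header.from=acme.example
From: "Joanna" <joanna@acme.example>
To: fred@acme.example
Subject: Urgent wire - please handle today
Message-ID: <constructed-1@mailer-hyp.example>

Fred, please wire the vendor payment we discussed today. Thanks, Joanna
"""

# Constructed sample: a genuine internal message for comparison.
LEGIT_MESSAGE = """\
Return-Path: <joanna@acme.example>
Received: from mail.acme.example (mail.acme.example [192.0.2.10])
\tby mx.acme.example with ESMTP id def456
\tfor <fred@acme.example>; Mon, 3 Oct 2022 10:02:00 -0400
Authentication-Results: mx.acme.example;
\tspf=pass smtp.mailfrom=acme.example;
\tdkim=pass header.d=acme.example;
\tdmarc=pass header.from=acme.example
From: "Joanna" <joanna@acme.example>
To: fred@acme.example
Subject: Lunch?

Want to grab lunch?
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(header: str) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def originating_host(msg) -> str:
    """Host named in the earliest hop. Each relay prepends its own Received
    header, so the last one in the list is the first hop the message took."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[-1])
    return m.group(1).lower() if m else ""


def spoof_findings(raw: str) -> list:
    """Return a list of reasons the message looks spoofed (empty means clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    claims_internal = domain_of(from_addr) == OUR_DOMAIN

    if claims_internal and domain_of(return_path) != OUR_DOMAIN:
        findings.append(f"Return-Path domain {domain_of(return_path)!r} "
                        f"differs from From domain {OUR_DOMAIN!r}")
    host = originating_host(msg)
    if claims_internal and host and host not in INTERNAL_HOSTS:
        findings.append(f"first hop {host!r} is not an internal mail host")
    verdicts = auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} verdict is {verdicts.get(method, 'missing')!r}, not 'pass'")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, spoof_findings(raw) or "no findings")
```

Nothing here proves who sent the message; it only shows that the receiving server already had the evidence, which is why the remaining question in the story is why that evidence did not result in the message being flagged or blocked.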

Mark briefed Joanna and Fred and showed them some of the details in his findings. It took some time to sink in: ACME had not been breached! There was a brief sense of relief as the implication set in. This was not a scenario where the trio would have to find and kick out a hacker lurking in their system. It was something else. Something still bad, but perhaps not as bad as the worst-case scenario.

Join Us At the End of the Week

The team at ACME Co. is in the middle of an incident and making progress in finding out what happened... and how. Later this week, we’ll see if they can recover any of the money they lost.

Disclaimer: This story is 100% fictional and does not represent any person or company in any way.