Shift Delete

Page 8

by Gary L. Rashba


  Behind an unmarked door entryway sat an overweight uniformed security guard with bushy eyebrows and a double chin whose name she was embarrassed to say she didn’t know. He was seated behind a guard desk flanked by two heavy access-protected entrances. To the left were offices; to the right was the Security Information Center, or SIC.

  Layla greeted the guard, swiped her identity badge which doubled as an access card, headed down the hall, punched in an access code and entered the SIC to relieve the evening team. Layla liked the night shift. The parking lot outside was empty; she parked her metallic green Nissan Sentra next to the building entrance. It was usually quiet and peaceful, with hardly a soul around to bother her, so she could relax and read a romance novel, and get paid for it. Sometimes she felt like a night watchman sitting in a little booth at a factory with the occasional rounds to break the monotony. No, that’s not a fair comparison, she argued with herself; she liked it. She worked in her field, read books and had no traffic to aggravate her on the brief commute to or from work at DCA’s purpose-designed facilities in a suburban office park of low red-brick buildings, tidy lawns and an artificial pond stocked with colorful jumbo-sized koi fish. And she was home in the morning to send her kids off to school before going to sleep and then waking up in time to receive them when they returned. It suited her lifestyle. She and her husband didn’t go out at night to movies or restaurants to begin with, so it wasn’t like she was missing out. Weekends were a drag when her schedule did an about-face, and she worked the occasional weekend shift, but that was the price for her comfortable job.

  Layla had a standard routine. She arrived, draped her thin cotton sweater over her chair in case the air conditioning made the SIC too cold, placed her thermos of herbal tea on her desk and took a banana or apple and granola bar out of her bag. The fruit vending machine down the hall was expensive, and the fruit was never fresh, although it sure beat a bag of potato chips when she had nothing at home to bring in for her nighttime sustenance.

  Under a large banner stretching across a good part of a wall that read: “OUR MISSION: MONITOR, DETECT, IDENTIFY, TRACK, PREVENT,” teams of cyber analysts worked before banks of computer monitors looking at color-coded graphs and charts and working problems. Logs and alerts were all automated; no one here sat looking at pages of logs to see if something looked wrong or waiting for a red light to go on. The night shift marked the exception to DCA’s normally proactive approach. At night, out of staffing considerations, it was more ‘night watchmen’ than ‘cyber defenders’.

  The SIC’s workstations faced a bank of 50-inch flat screen monitors lining an entire wall, with a dashboard of tri-colored half circle gauges of green, yellow and red, tracking the U.S. federal government’s cyber health. One screen displayed a world map identifying cyber threat origins, highlighting not just the standard cast of characters of China, North Korea and Iran, but others including domestic threats from within the United States. Another featured color-coded bar and pie charts monitoring distribution of attacks by priority, by system, by attacking IP addresses and by time.

  Behind the scenes, computers collected and analyzed massive amounts of data, with algorithms searching for telltale and less obvious signs to predict future attacks or discover anomalies in every block of information received, with the processed data displayed on the dashboard. Another screen mapped suspicious IP addresses while another displayed processed intelligence assessments spat out by a specialized automated system that fused intelligence collected from both open source and from sensors located throughout the net that monitor traffic for malware to provide advanced threat detection and global network visibility.

  Each operator’s workstation—abandoned during Layla’s night shift—had three monitors displaying pertinent health or attack monitoring information. Analysts at DCA spent their days handling alerts, doing analyses, forensics against incidents and attack severity rankings. “Eighty percent of the constant barrage of cyberattacks, or cyber anomalies as they are called, are stopped by firewalls and antivirus systems,” visitors were told, with the further explanation that DCA’s resources were dedicated to the 20% of attacks known as the Advanced Persistent Threat—those prolonged campaigns by sophisticated, well-financed organizations specifically attempting to steal data or otherwise impact or damage a network. DCA’s analysts spent their time stopping APTs being directed against U.S. Government networks. APTs could go on for days, weeks or even months on end, innovating as they went. Analysts also dealt with zero-day attacks, zero-minute attacks, or detection-evading “rapidly evolving malware”—all cases where the analysts’ expertise kicked in.

  Layla took stock of the situation she was inheriting, checking the status of all dashboard screens before signing off in the shift log that all was running smoothly in the government IT systems. She typed for a moment on her computer, hit enter and then classic rock music began streaming through her computer. It was against the rules since it sucked up bandwidth, but that wasn’t a concern at this hour when all the offices were empty, and rules could be bent. After settling in, she would look at the Washington Post website for the latest news and other articles that caught her eye. She dressed as she pleased, with no need to “dress to impress”; she wore jeans or even sweatpants, a t-shirt and her trademark pink flip-flops to work every night, and no one cared.

  It was just her and the two male students. Even though she was nearly twenty years their senior, she still felt like a kid, like she was fresh out of college, and therefore their contemporary. Reality checks came when she looked in the bathroom mirror and saw unruly grey hairs sprouting from her scalp, and a wrinkle or two extending from the corners of her eyes. The interns saw her as a cool, young-at-heart and, for her age, not bad-looking boss. She’s kinda hot, they said amongst themselves, with a compact figure and straight, jet-black hair that danced at her shoulders, an unblemished face with smooth olive skin, thin lips that formed a straight line, and inviting brown eyes accentuated by the large-frame pink plastic eyeglasses that gave her a bookish look.

  Layla was jolted from an article she was reading in a fashion magazine by an audible warning buzzer. The two interns picked up their heads from behind their schoolbooks and looked her way.

  Layla got up from her chair and slowly wandered over to a control panel, figuring it was just some routine matter—common fare in the SIC. It was far from an emergency control room situation from a TV thriller where everyone jumps at the sound of an alarm.

  Looking at a bank of monitors, she quickly found the culprit, which wasn’t difficult considering everything was color-coded. It was the Department of State’s website. All agencies were green, while State’s was edging into yellow. The warning had come from State’s server health-monitoring tool.

  “Not again!” she said out loud. Just a week before, the Department of State’s website had been defaced with “Estonia Blood on Washington Hands,” with an image of two bloody handprints, and “Estonia People Die and Washington Do Nothing.”

  She chuckled to herself, remembering the GIRT director’s sarcastic remark that if they’re going to deface one of his websites, the bad guys should at least run spell-checker first.

  A group of hackers called “Estonia with Honor” was attacking American websites to express their displeasure over the U.S. abandonment of their country in its time of need. “Estonia with Honor,” supported by the cyber hacktivist group Anonymous, also attacked Russian websites, part of a campaign known as #OpRussia.

  Using a touch screen, Layla was able to dive down to the State Department’s “StateApp” portal. The Department of State’s proprietary citizen services portal Web server handles requests from what State calls the “customer”—meaning the public. StateApp is far more than just passport applications and travel advisories; it was the main interface between United States citizens and their government. As the outward face of the U.S. Government, the Department of State invested a great deal of money to ensure the StateApp application Web server was robust, and of course, always available. State’s system was built with enough processing power and memory to handle far more than its regular traffic. Layla generated a quick report that showed StateApp’s server loads averaged 15%, yet the server health-monitoring tool indicated it was at 30% of maximum load, causing the alarm.

  “That’s not good,” she said out loud to herself. “What’s going on here?” She turned off the streaming music from her workstation in order to better concentrate.

  Layla assigned the two interns to check INN, News Central and other major news outlets to see if some incident or disaster had triggered the flood of traffic for citizen services. The two boys left their open school books and smartphones and began checking news websites: one online while the other flipped through channels on cable television. All they found was standard fare: “Israeli and Palestinian leaders trade recriminations over stalled peace process,” “Hundreds killed in flooding from intense monsoon rains across India and Pakistan,” “London mayor warns of terror threat,” “Suicide bomber kills 11 in market north of Baghdad.” They surfed some additional channels but found only infomercials peddling incredible kitchen gadgets evidently one cannot live without, and drugs with side effects that seem far more dangerous than the ailments they are meant to cure. Nothing out of the ordinary.

  Layla made an entry into the incident log: AQWF, their shorthand for “All Quiet on the Western Front.” In other words, no obvious external events that could have necessitated such a spike in legitimate traffic. Next.

  “Maybe the alert threshold parameters are set incorrectly in the monitoring tool,” Layla suggested to the interns, who were now standing around her watching over her shoulder. This sure beat the often boring nights in the SIC. She brought up State’s IT configuration on one of her desk monitors to check its parameters.

  “There’s an industry trend towards maintaining a dynamic network as a defensive strategy,” she explained to the boys as the information loaded onto the screen. “Hackers stalk static networks looking for their weaknesses, right?” The boys nodded in agreement. “You can combat this by frequently changing the set-up.” Pointing to the months-old date appearing in the “Last Updated” column, she added, “but we can see from these logs that nothing’s been changed here in a long time.”

  “This might all be a simple configuration error,” she said out loud, but it was not likely at this hour of the night. She was systematically running all the traps before determining it was an attack. She started to generate another report summarizing StateApp’s present status and how it might affect processes.

  She was jolted from her concentration by the phone ringing, not a usual occurrence at this hour. The Department of State’s Chief Information Security Officer, or CISO, was on the line. He had been awakened by the sound of an incoming text message automatically generated about the server load spike and wanted to make sure DCA was aware of the situation, which she assured him was being worked on. She informed him of the server load status and what she was doing to determine the cause.

  State’s dashboard indicator moved firmly to yellow when the usage indicator reached 40% capacity. Layla was getting more and more concerned as her checks failed to reveal any easily corrected system issues. Her heart beat faster and adrenaline flowed.

  “What is going on?” she asked the computer, her voice a little shaky as she looked with concern at the screen showing State’s server load.

  There was still plenty of bandwidth available, the ample excess capacity buying time to react long before resources would be overwhelmed.

  “I’m guessing it’s a DDOS attack,” she surmised.

  During the changeovers with both the evening and morning shifts, workers mostly ignored the boys, so they appreciated that Layla took the time to explain things to them.

  “It means ‘Distributed Denial of Service.’ If I’m right, attackers may be bombarding the State Department’s network with massive amounts of requests or data, and it is simply overloading the network and its computing resources, preventing legitimate users from having access.”

  Watching the attack slowly grow in intensity, as reflected on the dashboard display on the monitor, Layla muttered, “In Case of Emergency Break Glass,” joking with the interns to help herself remain calm and collected. But the fine hairs on her arms were standing up, and her skin became bumpy as if she were cold. She asked one of the boys to bring her the red 3-ring binder clearly labeled “PROCEDURES HANDBOOK” that was ready for these very situations. She had gone through drills before, and this certainly wasn’t her first cyber anomaly, so she was familiar with procedures for responding to a generic cyber incident of this import. While Layla joked about being the night watchman, Washington DC’s overnight was actually prime time for trouble-makers in Eastern Europe and Asia, the source of most attacks DCA saw.

  The two students remained by her side looking over her shoulder, which didn’t help ease the stress she was under.

  -Find the page for the specific government agency’s IT set-up

  -Check configuration

  -Check Health Usage Tool logs

  And so forth.

  At the end, if all else fails:

  -Notify DCA CIRT Director

  It wasn’t like she had to wake up DCA’s CISO or even the agency head, but she found CIRT director Elliot Parovsky aloof and intimidating. “Better he knows about this,” she reasoned out loud, even if he might be pissed off about being disturbed at this hour. The three of them glanced at the large digital clock.

  She had already performed all the checks in the Procedures Handbook, but she did them again before that final, for her scary, step of escalating the incident reporting. She could see the server load continuing its climb. When it reached 50%, she pushed the proverbial panic button, calling Parovsky.

  9. TRIAGE

  The phone call jolted Elliot Parovsky out of his deep sleep. He glanced at the hour on his digital clock radio: 03:07.

  “What the fu...?” he started to say as he fumbled for his iPhone on the night stand beside his bed. It was easy to find once he opened his eyes since the large color screen illuminated, but it took another two rings as he fumbled to press the green “answer” button.

  “Parovsky,” he answered, recognizing the incoming number from DCA’s SIC.

  After listening to the voice on the other end of the line, he responded, “Fuck,” and then added, “OK, I’m on my way.”

  He threw on black Levi’s 505 jeans and a button-down casual white shirt, topped with a Los Angeles Dodgers baseball cap to hide his unruly hair, and left his apartment. Normally his face was clean shaven—always with shaving cream and a razor—but there was no time for that this morning. His thick 5 o’clock shadow added to his masculine good looks.

  The early morning air was cool and refreshing, and the sky was a pink hue that he normally wasn’t awake early enough to see, but this would soon give way and become a typical DC summer day, hot and thick with humidity. It was too early for Washington’s Metrorail subway system, which is how he normally commuted to work, but at least he would beat the morning traffic if he had to take his car. Early as it was, he already dreaded the drive home, and figured he would pick up some slugs in order to get home faster traveling in the HOV commuter lane reserved for multi-passenger cars. He liked the uniquely Washington symbiotic commuting arrangement of “slugging”, where free-riding commuters fill empty seats in a vehicle that would otherwise be stuck in Washington’s daily traffic. He could still listen to his music without having to deal with some jerk trying to make conversation with him, as slugging etiquette called for silence from the rider, unless conversation was initiated by the driver. Depending upon his mood, sometimes the only words exchanged between Parovsky and riders he picked up were the customary “thank you” at the drop-off.

  After calling for help, Layla checked State’s health monitoring tool logs, finding that the alert thresholds were correctly set. She knew there would be lots of questions, and she had better be equipped with answers. Network traffic continued surging, with thousands of connections opened to State’s server, requesting different pages on State’s website.

  By the time CIRT director Parovsky reached the SIC, Layla reported that StateApp’s load had reached 70%.

  “Shit!” was all Parovsky had to say before sitting down at one of the abandoned workstations to see for himself what was happening. He didn’t say anything more to Layla as he looked for information he could easily have asked her for. Rather condescending, she thought to herself, reaffirming the opinion she already had about Parovsky.

  They were soon joined by DCA’s Chief Technology Officer—better known by the acronym CTO—Brendan Soloway, whom Parovsky had notified while rushing to DCA’s offices in the pre-dawn hours. Brendan’s eyes were bloodshot and his hair disheveled, revealing a slightly receding hairline. He wore his trademark outfit of a collared golf shirt sporting some IT company logo, a giveaway at a conference or seminar he had attended, pleated dress pants cuffed at the bottom and colorful running sneakers.

  Normally well-groomed with his hair parted on the side which gave him a boyish look, Soloway was their system architect and all-around IT expert who could always solve a problem. And if he couldn’t, he made it his mission to find a solution. While admired by his contemporaries, the secretaries always complained that he never got the administrative stuff right, like expense or travel reports.

  Soloway was a real asset to the team. The way his mind worked, he could quickly dissect an IT infrastructure to understand where an attack would be hitting.

  After graduating from Carnegie Mellon University in computer science and mathematics, Brendan had done network resiliency testing where he was actually paid to attack a company or organization’s network, hacking his way in as part of a search for vulnerabilities, seeing what information he could access, like customer names, email addresses, credit card numbers, or medical information. Called “ethical hacking,” the findings from the exercise were summarized in a report prepared for the customer recommending areas for improved IT security. Sometimes it was as easy as visiting the target and glancing at computer screens, looking for those tell-tale yellow sticky notes that some gum-chewing secretary, too busy sending WhatsApp messages or updating her Facebook status to be bothered remembering a password, had affixed to her monitor with her network password written clear as day. Other times it meant sending phony phishing emails—ones designed to look like a legitimate email containing a faulty link to some website—something that, if malicious intent were at play, could expose the network to a virus or intrusion. This type of work provided a thrill of vicariously breaking and entering, but sanctioned by the target and immune to law enforcement.
