Stagehand: S1 Episode 5
I’m launched out of a submarine a few miles off the coast of Kuwait City. When I swim to shore, I quickly change into my dry land clothes—a full burka. I was a six-foot-one Marine posing as a good Muslim woman. The catch, beneath the modest fabric were thirty cell satellite phones and my mission was to get them to the Kuwaiti Resistance outside the city.
– – –
We arrive in St. Petersburg, Russia, on a Thursday night. Ms. Hansen, the CEO of Illuminating Solutions, has given my team and me until Monday to find and secure Carl Timmons before she goes to the press. A lot of things weren’t adding up. So far, we had the still-missing CISO of the cybersecurity company, the two hackers that were vaguely political but seriously dead, and the billionaire that hired us to make sure the company was secure (along with his very expensive stake in it). But all signs were pointing to Carl Timmons being a part of this ploy.
He got on the plane without a fight. He was left alive when his supposed kidnappers were left dead. Either Carl was in on it from the start, or someone was going to extreme lengths to get their hands on something neither Lincoln Palmer, nor Laureen Hansen, was telling me about … but that’s above my pay grade.
In war, all the planning, strategy, and surveillance in the world means nothing if you can’t trust your gut on the ground.
– – –
There are moments when you think, “This is it. This is when and how I die.” I’d had plenty of those moments, and this was just another one of them.’
Despite the limited peripheral vision the burka offered, I could see the Iraqi Republican Guard approaching me as I made my way to the drop-off destination with the satellite phones. There was no world in which my height, build, and clearly white face weren’t going to give the whole operation away. My only option was making sure they didn’t have the option of getting close enough to find out. There are moments when you think, “This is it. This is when and how I die.” I’d had plenty of those moments, and this was just another one of them.
The guards’ first mistake was approaching me on my strong side … I didn’t give them time to make a second.
I made my way with the satellite phones.
– – –
The pieces were falling into place. We were starting to catch up. But my gut kept telling me we weren’t quite there.’
Between our mutual contacts, we learned that the flight out of San Jose was booked by one Ivan Popolov. He owned a small, and semi-lucrative, guards-for-hire business in Russia. From there, John was able to identify the three armed men that “escorted” Timmons to the plane. We knew when and where they landed. We were seven hours behind, and whoever was behind this whole thing was a few steps ahead—but we move quickly and I had a plan.
Russians do not take kindly to former Marines pulling covert ops on their land, and we needed all the ground assistance we could get. Through an ex-CIA buddy who now runs security for the U.S. ambassador there, we got the clearance we needed. We had all the papers that validated our legitimacy in this country … but that was all the help we’d get; from this point on, we were on our own. “Security” has a different meaning in Russia. They hire the hackers America puts in prison, and they imprison the anti-government citizens we protect.
Back at home, John had tapped into his network of international contacts and learned that, while the three men that took Carl out of the country were technically employees of Popolov’s security business, they were contracted by one man. Andrei Savin was the billionaire CEO of Savin Labs, the largest cybersecurity company in Russia.
The pieces were falling into place. We were starting to catch up. But my gut kept telling me we weren’t quite there.
– – –
I’d evaded an early demise once again, and now it was time to get the job done. Iraq had been trying to pull Israel into war by launching SCUD missiles into their territory. Our only chance at locating the missiles was getting these satellite phones to the Kuwaiti Resistance. I made my way to the drop-off point.
– – –
“We have a PA, three drivers, six housekeepers, a British au pair, and a Russian nanny as well as a Mandarin tutor for the three kids. But no Andrei, and no Americans on sight,” Frenchy reported into my earpiece. He’s fluent in Russian, and through some back channels, we’d gotten him in under the guise as one of the nineteen armed security guards that cover Andrei Savin’s estate in St. Petersburg. Keith and I listened from a van down the street and watched the visual footage streaming from the hidden camera in his jacket button. Then …
“This is the best part of the job,” Frenchy whispered, as the wife of Andrei Savin made her way through the back yard. She was tall, beautiful, and had the strut of a woman who wants for nothing but craves everything.
Frenchy was assigned to her security detail while Andrei was away. As he followed her to the sprawling back yard, Keith and I watched from the van down the block. The maid followed Mrs. Savin’s statuesque silhouette with a tray to a table beneath the garden veranda.
With her thick Russian accent, Mrs. Savin asked aloud, “Tea or vodka?” We couldn’t see who she was talking to, but the answer came clearly, in an American accent: “Tea please, and thank you.”
Frenchy remained a respectable but protective distance from Andrei’s wife. It wasn’t until she sat down that we could get a clear visual on her guest. The maid approached the guest with the tea and vodka, and began to serve Carl fucking Timmons.
– – –
The drop-off was successful. The resistance got their satellite phones, and the only number they could call was ours. About six days later (twelve hours later in real life) we got the call. The SCUD missiles were being moved from a bridge in northern Kuwait to a parking garage in the city. Mission accomplished.
– – –
Carl Timmons did not have the profile of a man in charge. And with two billionaires in the mix, none of this was sitting right. There’s a trap being set, but I don’t know where it is.’
This was crucial information to pass onto my client Lincoln Palmer—but at that moment the Marine in me took over. My gut told me something is not as it seems. Carl Timmons did not have the profile of a man in charge. And with two billionaires in the mix, none of this was sitting right. There’s a trap being set, but I don’t know where it is.
In that moment, I should have called Lincoln Palmer. Instead, I called Laureen Hansen. She picked up on the first ring.
“Ma’am, we’ve got a situation here.”
“I told you Sully, don’t call me ma’am.”
“Alright, Laureen. I think some very powerful people are seriously compromising the security of your company.”
“Well, that’s not great. The security of my company provides the security of three percent of the global market.”
“Right. Well, the good news is I have a plan. The bad news is, you’re not gonna like it.”
Stagehand: S1 Episode 8
Carl Timmons was given 24 hours to decide what he wanted to do. This was a tactic. Twenty four hours to sit alone and think about all the money he could want and the price he’d pay for it. And 24 hours to also contemplate what Andre Savin might do to him before...
Stagehand: S1 Episode 7
Andre Savin and Lincoln Palmer had met on several occasions and had the type of relationship you’d expect between two men of their standings on the billionaire scale. Contemptuous but also understanding. They were both driven by the same desire—access to...
Stagehand: S1 Episode 6
Belfast, New York - 1889 They called him The Boston Strong Boy—arguably the first real boxing star and one of the highest paid athletes of his time. He’d always been good at school. He attended Boston College where his parents thought he might pursue...
What Is Zero Trust Anyway?
About three minutes into planning this post, I had one of those “god, I am old” moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a big 3 working for the U.S. government through one of the world’s...
Why Bots Are the Next Big Thing in Account Takeover Fraud
Account takeover fraud may sound like a familiar term in cybersecurity, yet its prevention methods in the e-commerce domain are still nuanced. Retailers are historically concerned with payment fraud systems related to chargebacks. This happens when a customer makes a...
Ransomware: When Policy Matters Most
Most CISOs divide their approach to cyber defense into three pillars: people, technology, and processes. These pillars define a cybersecurity program’s defensive architecture and arsenal, available assets, and policies and procedures that together inform...
Selling to a CISO? Practice Empathy, Not Salesmanship
The cyber security marketplace is hot. Ask any candidate for a cybersecurity role. Better yet, ask any supplier to CISOs. The supplier audience is especially vast, and it’s continuing to grow. Just three years ago, there were estimated to be less than 2,000...
The Risk of Measuring Risk
Automated measuring of control effectiveness is a very good idea conceptually. When you can combine control gaps with relevant threat information, you get a very good picture about the actual technical cyber risks your business faces. If done correctly, it provides...
Stagehand: S1 Episode 4
Keith and I left the scene like we found it: the two kidnappers dead on the floor, their shotgun up against the wall, and the rope used to tie up Carl Timmons sprawled out on the floor. We tipped off local law enforcement and were gone before they arrived, leaving no...
SecOps Needs More Democratization, Not Less SOC
An increasing complexity of technologies, as well as an increasing number of failures and attacks followed by an increasing dependency on business goals is changing the way we run Security Operations Centers. I previously discussed the concept of a Fusion Center as an...
Measuring a Cyber Awareness Culture
Until recently, cyber awareness metrics have been treated by many as a tick-box exercise driven by regulations. The regulator requires x number of hours of cyber awareness training per employee per year, and once that is done, the organisation ticks a box and waits...
Good Enough Isn’t Good Enough Anymore
The cyber risks we face today are more than we faced previously but also fundamentally different in several respects. Our adversaries are more adept and their tools and tactics more protean in capability. In light of these increasing challenges, our cyber defenses...
Data Classification: Building, and Pitching, a Rock Solid Program
In our final installment, we are going to discuss how you roll all the concepts previously covered into a plan of action. The difference between the success and failure of a data classification program is a lack of action. I have reviewed over 10 programs in my...
Stagehand: S1 Episode 3
Cyprus ~ 2006 Ali Hassan was a low-level operative in Hezbollah, but we had it on solid authority that he knew where three high-level leaders of the terrorist organization were hiding. Keith arrived fifty-seven hours into Hassan’s interrogation and by the looks of it,...
Data Classification – How to Categorize It, Where to Store It
Previously, we discussed the requirements of a mature data classification program. In this post, we are going to review the administrative mechanics of such a program. Data classification, you’ll recall, usually includes a three- or four-layer system akin to the...