E4 - Storms on the Horizon - The Weather Turns Cold

Jan 05, 2016 | by RSA

Marty went through packet captures once more to make sure he wasn't missing anything important. He had pulled traffic logs and netflow data for the last few weeks specifically looking for anomalous activity. His sixth sense was piqued by the vNextGen's security team mentioning increased commotion on their network. As he drilled deeper into the traffic he found no common indicators of compromise. The malware episode earlier had intensified his search for strange activity but he found no telltale signs of bad actors. Port activities looked normal. No weird encrypted packets. No incongruent protocols.

Marty pulled back from his monitor and stretched his back. His eyes burned and he rubbed them with his clenched fists. He looked at his watch and realized his nonstop inspection of packets had just passed the four-hour mark for today. Adding on to the 3 hours the day before, and 5 hours the day before that... he realized he might be looking for nothing of significance in a pile of insignificance. He told himself enough is enough. Tomorrow is a new day, he thought as he signed off his laptop. His hand was poised over the button to release his laptop from the docking station when Greg sauntered up.

"Afternoon, matey..." Greg chirped enthusiastically. "You finally coming up for air?"

Marty sighed. "Yep. I am calling it a day. How was the meeting with the compliance folks?"

"Riveting as usual. So what did you find out on the administrative tool usage?" Greg rounded the corner into his own cube.

Marty had popped his laptop out of the docking station and was about to place it in his shoulder bag when the clue hit him square in the face. He groaned aloud.

"Ugh! I have been looking at all the wrong traffic. I am not looking for increases in UNUSUAL traffic. I should be looking for higher rates of USUAL traffic."

Marty slid his laptop from his bag, clicked it into place and hustled off to get a pot of coffee percolating.


The Hunter spread out the large tomes of parchment on the Gate Keeper's massive desk. The Gate Keeper opened the curtains over the massive windows, flooding the room with light. She circled around the table and stood next to the Hunter.

"Now tell me again what we are looking for?" the Gate Keeper asked.

"I have suspicions that we have some compromised credentials. I have been looking into members of the Castle staff and there is evidence that the activity doesn't fit normal procedures."

The two scanned down the list of entries into key protected areas in the Castle. Guards at these locations had to check credentials and log each person entering. The Hunter ran his finger along the parchment. He paused at various entries. His mental processes were in overdrive working through correlations and recalling items from a dozen other documents. He barely noticed the Gate Keeper peering over his shoulder, following his finger. She was mentally noting each hesitation and organizing her own lists in her head.

They both threw themselves into the task. The Gate Keeper broke off on her own, gathering up different manuscripts and poring over the volumes. The light soon faded and they lit lamps to continue working.

After a few hours of reviewing entry after entry, the Hunter and Gate Keeper had amassed a series of contradictory activities. None of the activity was blatantly out of the ordinary. There were some anomalies, but the Hunter and Gate Keeper both started to see a cycle of frequent visits to protected portions of the Castle by certain guards. It wasn't so much that the guards were out of bounds. They were checking the important rooms. It was the frequency of visits or the time of day or night that just didn't add up. Members of the staff had some of the same patterns. The logs didn't serve up a simple answer. Whatever was happening was complicated. Whoever was gaming the system understood how the Castle operated. They left hints and clues - but never anything significant enough to point out the final issue.

The Hunter had gathered the evidence he needed. Something was afoot and the Gate Keeper concurred with his suspicions. She agreed to investigate certain staff the next day, verify their credentials and work assignments, and dig into the mystery.


The Siren peered through her carriage window and watched as the sturdy brick building of the Frontier Station grew bigger and bigger in her view. She listened to the click clack of the horse's hooves on the hard, parched earth. A satin bag lay at her side underneath her resting hand. A small stack of papers - all credentials valid throughout the Kingdom - were piled on the seat. Pondering how much it was going to take to accelerate the process of leaving the Kingdom, she slipped her hand into the pouch and settled on five thick gold coins as the carriage stopped.

The Guard at the Frontier checkpoint whistled low as he inspected the grand vehicle approaching. The carriage was intricately carved - a masterpiece of wood, steel and velvet. The horse pulling the wagon was a beautiful chestnut brown, clearly a thoroughbred that would have been the envy of any equestrian. He knocked on the finely crafted door of the carriage. A dainty hand slipped out the window clutching her credentials. The guard inspected the papers and handed the credentials back to the woman through the window of the carriage, pocketing the gold coins surreptitiously passed along with the documents. The guard stepped back, allowing the carriage to continue, and watched the opulent coach and its beautiful occupant churn up a dust cloud as it disappeared into the distance.
