Catch Me If You Can: A Rogue Cyber Security Professional

A real-life security espionage incident and the use of cyber counter intelligence operations. Learn how to detect and defend against yourself as an APT.

Dennis Chow, published in The Startup
15 min read, Jun 13, 2020

It’s not every day that you get a phone call at 2 AM asking for a breach response job, let alone one that we would later discover originated from not just any insider threat — a rogue security professional insider threat. In this article I will walk you through what happened in this incident, the indicators of compromise (IOCs), the Tactics, Tools, and Procedures (TTPs), and the strategies involved in detecting and responding to a rogue cyber insider.

The article blends technical details and strategic oversight guidance with our story. After the details and the story, you will find strategic mind maps and other thoughts on combating this type of threat. We created this article largely because everyone has mentioned insider threats at some point, but no one has really addressed the specific scenario in which the actor is one of their own defenders.

Disclaimer: I will go over only what is allowed to be shared given our negotiations with the customer and, of course, our well-equipped OGC. Many details have been limited, including time, location, and references to specific tools. Any referenced TTPs involving syntax will be illustrated using publicly known tools common in many cyber incidents. Any and…

Security Practitioner and Veteran | GSE #288, GXPN, GREM *Opinions are my own. Looking for code only? https://github.com/dc401/