Wednesday, February 28, 2007

Chapter 11 - Master Handler

I had seen Finne cross the parking lot and enter the store as we flew past towards our landing site at the National Geospatial-Intelligence Agency nearby. After a swift drop-off, I was being driven in a discreet-looking Chevy Blazer for the quarter-mile distance to the Target. Based on the comm. chatter, I had estimated that Finne would be deep inside the store before my arrival, which would allow me to enter without drawing any attention to myself.

The dark blue SUV pulled in along the fire lane curb to the sidewalk in front of the store, beyond the view of anyone looking out of the windows and doors. Once I was out of the vehicle, the driver drove off slowly, but with purpose, to join the fleet of support vehicles staged nearby. Before proceeding to the entrance I quickly scanned the landscape of the parking lot. There had not been any comm. chatter about this area of the “playground”, but something seemed askew. Then I saw it. Barely visible above the second to last row of cars was the dark silhouette of a baseball cap that I recognized as the standard issue headwear for the contract security personnel hired by Target.

[“SMACK, come in!”] Jack blurted over the comm. from the microphone embedded in his collar. [“Command and Control here, what is it, Jack?”] was the reply. [“There is a uniformed security guard headed for the front door. Confirm that you have the rest of them contained, I’ll head this one off before coming in.”] Jack informed them. [“Roger. We’ll confirm the schedule and roster”] was returned with a subtle tone of dejection in the speaker’s voice. SMA protocols required precision, and the loss of control over external security and management personnel affected by an operation was unacceptable. This could have been a huge mistake if the approaching guard – probably late for his shift or coming in off the clock – had breached the playing field.

I reached the guard just as he had crossed the service lane to the sidewalk at the far end of the store’s front wall. This was a safe distance to have a conversation with him without attracting anyone else’s attention. I approached him with my left index finger extended and pressed to my lips, motioning him to be quiet, while reaching out towards him with my right arm to present a set of FBI credentials. I have used badges and commission books from the FBI, Secret Service, State Police, DEA, ATF, ICE, and CBP because they were better cover for our organization than any of the intelligence agencies could provide. Frankly, when you approached someone and told them you were with the CIA, you ended up with more trouble than you would if you said you were with the gas company. Either you encountered a spy buff who would dive headfirst into nostalgia or you would elicit tirades of opinions judging you for the nefarious actions of the company – both true and based on conspiracy. The FBI credentials seemed to be the most easily accepted among the average American citizen, mostly due to the amount of time and effort the Bureau put into its public image versus the other smaller and more narrowly focused law enforcement agencies, such as the DEA and ATF. The FBI was always on the scene and helping take the credit for the major busts brought in by any of the other agencies. In fact, the FBI was generally responsible for calling the press conference in the first place. This attention to PR has served them well, allowing them to retain the all-encompassing jurisdiction they operate within, crossing over the line between domestic law enforcement and global intelligence activities for counter-espionage and counter-terrorism. From this, the FBI has produced the most accepted brand identity, and therefore has become my choice in undercover credentials.

“Special Agent Jack Wooten, FBI,” I stated in a low volume but with a firm and authoritative tone. “I need you to make alternate plans for the afternoon. We are engaged in a surveillance operation inside and have taken over security operations from the store’s management under federal authority. Our suspect is in the store at this moment and you are restricted from entering at this time. The rest of the security staff is sequestered in the management offices on the second floor. Until we have released the store back to its management, you are to leave the premises. Do you understand?”

“Yes, sir” was his only reply.

“And hand me your radio!” I continued. The last thing we needed was someone interfering with or corrupting the “airspace” – the radio communications spectrum – over the playing field while this operation took place.

With a stunned look, the young man reached to his belt, unfastened his walkie-talkie and handed it to Jack. “This is only my second day,” he said with a slight tone of fear penetrating through his words. “If I don’t clock in, I’ll lose my job.”

“What’s your name? I’ll make sure you get credit for being here,” Jack responded with a sigh of frustration at the length of time this conversation was taking and therefore keeping him from running the plays from inside. Jack knew that he had a top-notch staff controlling the game inside, but he couldn’t help wanting to play quarterback every chance he could. He loved making things happen from the control position.

“Sam Peterson Jr., sir,” he uttered. “My father has been a guard here for five years. He got me this job. I came in yesterday to sign a lot of papers and get my uniform and sit through a bunch of training videos, but today was going to be my first day really working.”

“Sam, I can take care of all of this. Just take off for a while and don’t tell anyone about any of this. It will just cause us interference. Why don’t you come back to clock in in two hours? I’ll make sure you get paid for this down time, ok?” Jack asked empathetically.

“Ok. Thank you, sir,” Sam responded.

Sam turned around and headed back towards the lane of parked cars from which I had first spotted him. I was thankful to have headed off that disaster before it happened. I turned and walked towards the entrance.

Once inside the automatic bi-folding doors, the starting line was easily spotted. It was marked by two yellow folding “Wet Floor / Piso Mojado” placards, separated by a distance of twelve feet, between the last register and the store greeter, who was being played by an SMA agent. There was little room to maneuver around this starting line, but it was there as required by the rules of engagement. Just as a sobriety checkpoint risks becoming an illegal search and seizure if it is placed along a route that has no viable alternative, the successful outcome of our gaming could be nullified by the taint of entrapment if there was no path around the starting line.

I approached the greeter and asked where the target was located. “He is straight ahead in the electronics department. He has spoken with our floor sales staff and has just requested to see the floor manager to discuss the advertisement,” the agent replied. “He is poking around the DVD racks while he is waiting, so be careful as you approach,” she continued.

“Thank you. Take this radio, please,” I said as I headed toward the electronics department.

The SMA command and control (SMACK) office was set up in an upper level manager’s office that had a bird’s eye view of the store layout and access to the array of video surveillance feeds coming from the 75 cameras positioned around the property. Directions to the field actors and agents were being delivered via comm. channels and over the store’s overhead speakers as coded control messages disguised as innocuous store broadcasts interrupting the background music. Messages such as a request for a manager’s assistance or a price check were in reality basic play calling for the benefit of the team on the field playing with or against Finne.

As I neared the large enclosed area beneath the hanging sign that read “Electronics”, I spotted Finne. He was strolling the aisles of DVDs with his head down and his hands buried deep within the outer pockets of his overcoat. I was confident that my approach hadn’t drawn his attention, so I continued to the sole entrance to the enclosure, located between two cashier stands. I had just stepped past the inventory control scanners, which read the magnetization status of the security devices enclosed in the boxes of expensive electronics equipment and accessories sold in this part of the store, when a play came over the loudspeaker.

“Scott Adder, there is a call waiting for you on extension 33,” said a polite yet monotone voice for all of the store to hear. This was a general announcement. It let everyone know that the SAC was on the field. Then the same announcement was repeated: “Scott Adder, there is a call waiting for you on extension – Dad, the FBI says I can’t come in….”

Damn it! I cursed myself. Someone had broadcast on a phone or walkie-talkie from within the control room while the PA was on. I kept my eyes trained on Finne, looking for a reaction to the breach of the operation’s security. Sure enough, he raised his brow in surprise and muttered softly but with enough detail on his lips for me to read him say “huh? F-B-I”. This was a disaster. All I could think about was Best Buy.

Saturday, February 24, 2007

Chapter 12 - The Champion-Challenger Project

The request for information, or RFI, most likely went unnoticed by the majority of federal contract seekers. Likely, the thought of solving one of DARPA's problems was too much for most to consider. However, a select group of companies pored over the RFI with a fine-toothed comb. This was it. DARPA was finally looking for a bake-off of the competing technologies being used in the field trials. The energy around this program would be climaxing soon.

The notice (FedBizOpps May 17, 2010):

https://www.fbo.gov/download/56c/56c82971c27d3d3a067639e1606e06a8/SMITE_RFI_17May10.pdf

Information systems security personnel are drowning in ever expanding oceans of observational data from heterogeneous sources and sensors from which they must extract indicators of increasingly sophisticated malicious insider behavior. The Defense Advanced Research Projects Agency (DARPA) Information Processing Techniques Office (IPTO) is requesting information on areas of research related to the development of methods, tools, and techniques to reduce these enormous volumes of data to actionable information. Such technology must be flexible, scalable and highly interactive in order to cope with the dynamic nature of the insider threat. For the purposes of this RFI, we define insider threat as malevolent (or possibly inadvertent) actions by an already trusted person with access to sensitive information and information systems and sources.

The fundamental challenge is one of finding a poorly understood, subtle, or hidden signal (indicators of malicious behavior) buried in enormous amounts of noise (observational data of no immediate relevance) under the constraint that the measures of significance are themselves moving targets (based on dynamic context) that must be continually monitored and updated. The first step in meeting this challenge is to create a scalable, distributed infrastructure to securely collect, store, access, process, and correlate relevant data from heterogeneous sources over extended periods of time. The next step is to determine whether an individual or group of individuals is exhibiting anomalous behavior that is also malicious. However, this analysis is very heavily dependent on the context of the individual, groups of individuals and any data involved. Furthermore, context (e.g., location, time, roles and relations) is dynamic and so must be continually inferred, managed and applied automatically. Part of the challenge is detecting deceptive behavior. Deceptive behavior is characteristic of malicious intent which leads to the problem of assigning intent to observed behaviors.

Looking for clues that suggest an insider attack 1) can be anticipated, 2) is underway or 3) has already taken place could potentially be easier than recognizing explicit attacks. On the other hand, in both the real and virtual world, it is very difficult to do anything without leaving some evidence behind. Attempts to conceal or remove evidence generally create new evidence that, if detected, could be a strong indication of the perpetrator’s intent. Security is often difficult because the defenses must be perfect, while the attacker needs to find only one flaw. An emphasis on forensics could reverse the burden by requiring the attacker and his tools to be perfect, while the defender needs only a few clues to recognize an intrusion is underway.

Forensic-like techniques can be used to find clues, gather and evaluate evidence and combine them deductively. Many attacks are combinations of directly observable and inferred events. Topics of interest to this RFI include, but are not limited to, techniques to (a) derive information about the relationship between deductions, the likely intent of inferred actions, and suggestions about what evidence might mean and (b) dynamically forecast context-dependent behaviors – both malicious and non-malicious. Also of interest are on-line and off-line algorithms for feature extraction and detection in enormous graphs (as in billions of nodes) as well as hybrid engines where deduction and feature detection mutually inform one another.

DARPA is requesting white papers in the following three broad areas relating to malicious insider threat detection...

Thursday, February 22, 2007

Chapter 13 - Distortion, Distraction, and Discovery

Having left the parking lot with his new toy awkwardly, yet securely, wedged into the back seating area of his BMW, Finne felt relief not only at the lack of complications he had encountered in purchasing what he wanted but also at the confirmation of his suspicions about the people around him recently. The FBI was involved, which meant that many of the recent things he had considered out of the norm probably were. No worries. Finne had walked off any nervousness on the way to the car. Now heading north on Springvale Rd. towards the river, Finne was confident that the federal investigators were not looking to arrest him, as he had presented several opportunities for them to approach him unarmed. Likely, he thought, this involved a re-up of his security clearance, or someone he knew was under similar scrutiny. Just to be sure, Finne had thrown the last half of his joint out the window in the middle of the first large intersection he had crossed. No one could retrieve it from there and find any useful evidence.

Heading north yet downhill towards the river seemed like a contradiction in Finne’s mind. The tall maple and oak trees so prevalent in Virginia’s landscape created a canopy over the two-lane road, shading the sunlight and producing a dark tunnel-like atmosphere. Finne was alone on the road. He could see ahead and behind at least a half-mile and no one was coming or going in either direction around him. With the canopy above, Finne knew that he could not be seen by a drone or helicopter, so he pulled to the shoulder under a well-shaded area of trees. Finne popped the trunk lever and unlocked his doors before getting out. First he went to the passenger side of the car and reached under the dashboard to get the small stash box of bud that he kept hidden there. This is a shame, he thought, as he opened the box and dumped the beautiful green, red, and crystalline flower on the ground. Next he wiped down the perfect-sized plastic box that he had bought at the Container Store and threw it in the other direction across the road. A quick check of the trunk turned up half a pack of Joker rolling papers, which are not illegal in themselves, but definitely would provide a good impression. Finne shut the trunk and dropped the rolling papers in front of the left rear tire before getting back into the driver’s seat. As he spun his wheels on the climb from the shoulder to the road, he knew the rolling papers had been trashed to the point that fingerprints were impossible even if someone found them and cared to try to figure out who had touched them. He was driving clean. Best to be safe when it can come back to bite you, he thought.

Approaching the turn towards Georgetown Pike, Finne began to feel increasingly nervous. He was still the only car on the road as far back and as far ahead as he could see. The suburban traffic in this area is usually light but consistent, with people commuting between homes, farms and the various retail and commercial establishments stretched out over the near-river countryside and the larger cities, such as nearby Leesburg. What could be going on? As Finne rounded the top of a small hill in the roadway, he caught sight of a large truck ahead of him down the hill. He quickly dismissed his feelings of isolation and down-shifted to reduce his speed as he approached the truck. As Finne got closer he saw a dark brown tree services truck and shredder trailer stopped on the side of his lane and the shoulder, with a crew of four workers standing in the other lane. Behind them and in front of their truck a large sycamore tree trunk lay across the road. Ah hah! The road is closed, Finne thought. At least the tree guys are here. Maybe they can open the road shortly and save me the time and effort of doubling back to the nearest detour route, thought Finne.

Finne pulled his car to the side of the road roughly 100 feet behind the truck and shredder and got out of his car. He read “ACACIA Tree Services, LLC” on the side of the oversized brown covered truck as he approached the group of men in similar colored uniforms ahead. “Good thing you guys are here,” Finne exclaimed, trying to get their attention and see if he could gain their sympathies. “I know it will take me 45 minutes to detour around this to get where I need to go. If I offer to help, could we cut through this thing faster?”

All four men turned toward Finne as if they had just broken up a huddle. Three of the men walked towards Finne at a uniform pace but on slightly diverse paths, such that they began to fan out in front of him as they approached. The fourth man looked directly into Finne’s eyes and replied, “We are going to cut through this thing fast, Mr. Seldnak. Your offer to help makes our job much easier.”

Finne’s jovial mood turned to panic instantly when he was identified by name. Before he could process his fight or flight emotions, the first man to approach him from his left had taken an exceptionally strong hold of Finne’s left forearm. Finne swung his right fist toward the face of the man clasping his arm, but his swing was caught in mid motion at the elbow by the man to his right. Finne’s feet were swept out from underneath him and he was quickly manipulated into a standard police hold, lying on his face with both hands restrained behind his back. Thick plastic cable ties were secured around Finne’s wrists and ankles. Then Finne was stood up in front of the only man to have spoken a word since he pulled up.

“You didn’t scream,” he said. “No one would hear me if I did out here,” Finne replied. “Exactly” was the only response.

The man in front of Finne was just about 6 feet tall and looked to be carrying 200 lbs on him, though it was hard to tell with the bulky tree service jumpsuit covering him up. He had an athletic looking jaw and face, Finne observed. Likely, he was built like a linebacker and was as strong as one too. He motioned to the other men with a nod of his head in the direction of the truck. Before Finne could follow the glance towards the right side of the road, two hands picked him up from under his armpits and he was lifted off of his feet and carried toward the back end of the truck and trailer, into the area illuminated by the headlights of his running car.

“This is the end of the branch for you,” Finne heard as a dark hood was placed over his head from behind. Next came a secondary motor being started, followed by a loud combustion noise Finne knew was the sound of the shredder being warmed up. A sustained burst of grinding followed for 6 seconds that felt like 6 minutes to Finne. “You can take comfort in knowing that the branch that was just shredded was as thick as your shoulders and taller than you by a foot. Also, tree trunks are much harder to grind than flesh and bones.”

Wednesday, February 21, 2007

Chapter 14 - After-party

Sarah found herself riding in the back of a car moving quickly through a series of continuous curves in near total darkness. Her vision was cloudy, but she was gaining her senses back enough to know that she was riding with a man beside her in the back seat and two men up front, one driving and one riding in the passenger seat, in a well-appointed four-seat sedan sports coupe that was traveling far faster than she was comfortable with at the moment. The turns were endless...sixty degrees to the left...forty degrees to the right...one hundred fifty degrees to the left. She felt herself being bounced between the door to her right and the man she did not recognize to her left. "What day is it?" she thought.