The Wolves Were Already Inside the Barn. They Had Badges.
I have been saying this for thirty-one years. Thirty-one years of warnings, memos, and one very strongly worded fax in 1994 that I am convinced was intercepted. Nobody listened. Now look.
Two so-called "incident responders" have been handed four-year sentences after it emerged they were the ones deploying ransomware on the very flocks they were hired to protect. They arrived as sheepdogs. They were, in fact, coyotes in high-visibility vests.
Let that sink in.
The Shepherds paid these individuals to walk the perimeter, check the electric fence, and report back. Instead, they were quietly cutting holes in the fence themselves and then charging a premium to patch them. This is not a novel concept. This is the oldest trick in the manual. I have a photocopy of that manual. It is from 1987 and it was printed on a dot-matrix printer and it still holds up.
Modern "threat intelligence platforms" and their cheerful dashboards would not have caught this. You know what catches insider threats? Suspicion. Healthy, rigorous, professionally maintained paranoia. I keep a written log. In a notebook. With a pen.
The details, for those who require them: the two individuals leveraged their trusted access during active incident response engagements to seed parasites and then collect remediation fees. A protection racket dressed up in a polo shirt with a company logo on it. Four years apiece. Frankly, I would have recommended exile, but I was not consulted.
The Shepherds, naturally, had no idea. They never do. They were probably approving a budget for a motivational poster about "cyber hygiene" while the barn burned.
In the old days, you verified everyone. You compartmentalized. You did not hand a contractor the keys to the entire pasture because they had a certification and a firm handshake. We had protocols. We had paper trails. We had magnetic tape backups that nobody could silently encrypt because they were in a physically locked cabinet in a room that smelled of industrial solvent.
Those were better times.
Remediation
1. Vet your incident responders like you are hiring a border collie, not adopting a stray. Background checks, references, and a formal scope-of-work agreement with legal teeth.
2. Log everything your responders touch. If they are in your systems, you should have an independent record of every door they opened. Not their record. Yours.
3. Segregate access. A responder needs access to the affected pen, not the entire farm. The principle of least privilege is not a suggestion.
4. Bring in a second set of eyes. An independent auditor reviewing an active engagement is not an insult. It is how trust is verified.
Stay paranoid. It is the only rational position.
Original Report: https://therecord.media/ransomware-cyber-incident-responders