The Lesson of the Limping Lady

Pushing Pain Back to Our Cyber Adversary

What does any sane individual do when they find themselves on the losing side of a war? Look at any history book and the answer is quite evident: fight dirty. Cheap tricks, a punch 👊 below the belt – whatever it takes to claw back some advantage. And why shouldn’t a defender left with few options decide to fight nasty?

Indeed, the entire world of spycraft and sabotage was born through such events. Legends were made from stories such as the trojan horse or Washington’s crossing of the Potomac.

Throughout World War II, and especially during the German advance throughout Europe, the Allies were bereft of options outside of sabotage or guerilla warfare. And so, the Axis enemy got the dirty fight it was asking for: the proverbial kick to the ol’ manhood. By a woman. With a wooden prosthetic she affectionately named ‘Cuthbert’ ❤️.

I kid you not.

The story is so amazingly interesting and inspiring, when Tom Hanks turns this into the next hit war movie, just remember: you heard about it here first ☝️.

While there were many Allied resistance operators throughout the war, none were held in such contempt by the Nazis than Virginia Hall, more affectionately known by Hitler’s henchman as the “Limping Lady”. Or, as Klaus Barbie, the head hauncho of the Gestapo called her: “that limping Canadian b—ch.” That poor bad guy sounds a little butthurt 🙃. So would you if you got “kicked” by a wooden Canadian prosthetic named Cuthbert.

Throughout Hall’s illustrious career, she was the cause for more sabotage missions, troop movement leaks, jailbreaks, and other nefarious deeds than any other spy in World War II history. Oh, and news flash to you Mr. Barbie: Hall wasn’t even Canadian. Which makes sense because nobody doesn’t like a Canadian.

Are we losing the good fight?

The good fight

So, what does this have to do with cybersecurity? Just this: we seem to be fighting a war we aren’t winning. I won’t bore you with the statistics (💤). Go to any security conference keynote and you can hear the speaker wax long and elegant with all their beautiful bar chart wizardry.

But we know this: we aren’t winning. Our adversaries are on a constant onslaught from basic low-intelligence scams up to sophisticated nation-state threat actors. And we’ve paid a heavy toll for their misdeeds; namely – we’ve turned into mouse-chasing cats. As the old adage goes (which I’ve just now made up), where the mouse goes, so does the cat 🙀.

Unlike Virginia Hall, most of us are so heads down in responding and reacting to threats, we don’t ever take the time to look up and ask ourselves a simple question:

If bad guys are so painful to us, how can I inflict pain back up on them? 💁

When you’re backed into a corner, that is the time to fight back. That’s how a fight gets dirty. And I’m not talking about hack-back. That was so 2014 era passé.

I’m talking about taking a page from Hall’s book. Ignore the rules of engagement for a minute and let’s go through a thought exercise. What can we do to make life hard for the bad guys that make life hard for us? While we may not be as brazen and bold as Hall, springing jailbreaks and sabotaging tanks, we can still think outside the box in some innovative ways. Here’s a few ideas that might strike your fancy. I’m going to call these Cuthbert’s Kicks, simply because Hall is such a BA and you better not mess with anyone who would name their artificial leg Cuthbert.

Cuthbert’s kick #1: Mule burning for fun and profit

Kick #1

I talked to an innovate banker one time that came up with an ingenious way of pushing major pain back onto his cyber miscreants. He once asked me, “Hey Wes, you know all those wire fraud scams that banks face where a fraudulent email “from the CEO” emails the CFO requesting a wire to be sent out?”

Of course, I have. They have been a huge issue for years. Rather than simply ignoring the emails, this brilliant banker made the fight dirty. He actually responds back to the bad guy.

“We actually stood up an email account to reply back to the fraudster. We act like we’ve fallen for the bait and we’re going to initiate the wire. But in all actuality, we’re simply tricking him into giving up the wire instructions. In nearly every case, the wire account belongs to a money mule. We notify the other bank that holds that account for the mule so they can get the account shut down.”

Now this is an interesting way to make a fraudster angry – and worse, will truly sabotage their miscreant operation. The banker explains: “It takes months, and sometimes years for these fraudsters to build up their repertoire of mules. When we reply back and get the fraudster to expose their mules, we can burn those accounts and truly make life difficult for them. These bad guys fall for it every time, and it makes me so happy to know I’m truly fighting them back.” 🙌

Cuthbert’s kick #2: Feed that deep dank dark Web

Kick #2

The Dark Web is all abuzz these days. All the radio ads I hear tell me about how our PII are hiding in the ‘deep dark Web’ (shocker) ready for any seedy neckbeard in a fedora to gobble up. But when we deconstruct the hype, there is a healthy (can I call it that?) and active criminal market place with a supply chain for anything a cybercriminal might want. Shameless plug: I even made a video about it many years ago.

Now ask yourself this: Why do these bad guys use Tor? Simply this: the anonymity it provides. It’s an excellent place to sell your wares and pop off about what dark deeds ail you. Oh, and it’s also a great place for us to push some pain back to the baddies. Here’s one idea.

Did you know password dumps are often left on pastebin and dark Web forums? Why don’t we take advantage of that anonymity? One security practitioner I know does something innovative with it. “We occasionally like to feed a password dump into these places with fake credentials. Bad guys don’t know they’re fake. But we sure do – we created them after all.”

When pressed on why he does this, his response was one for the record books: “We wait for a few days and then search the SIEM for logins attempting to use these fake credentials. From there, we can cross-correlate for legitimate logs and hunt down compromised accounts.” Now that is some outside the box thinking if ever I’ve heard of one.

Cuthbert’s kick #3: Ripping a page out of the MPAA’s playbook

Kick #3

Remember the time that the MPAA got caught seeding fake movie torrents to expose those pesky internet pirates? Maybe they were on to something. What if we did the same thing? There’s lots of opportunity here.

How much fun could we have uploading and selling malicious malware to miscreants? What if we sold them software that ransomed their own computers? What if we provided fake C2 infrastructure (e.g. botnets) that burned their identities? How would they be any wiser? While much of this might borderline into criminal activity on our own, it’s still an innovative idea that might be worth exploration. Perhaps, our fine friends in the federal government are already doing this 😉.

Cuthbert’s final kick: Killing time

The final kick

There’s one way we can all make bad guys hurt: waste their time, while not wasting our own. There’s a lot of ways we can do this, and I can’t wait to share a few with you. If we want to remove appeal for these miscreants, we need to also remove their opportunity. Here’s a few fun ways others have done this. (A lawyer made me say this: I would caution you to not get involved directly with any fraudster unless you know the risks involved.)

Final lesson

Virginia Hall was a notorious thorn in the side of her enemies. Anyone the Nazis call a “limping Canadian b—ch” is a sure winner in my book. While we all struggle with our common adversaries, perhaps it is time for us to think a bit more outside the box. Bad guys place enough pain on us, perhaps it’s time we think about pushing some pain back upon them 💯.

What about you? What ideas do you have? Anything innovate and fun you’ve done to kick those miscreants where the sun don’t shine? We’d love to hear!

Wes Spencer

Wes Spencer
Dictator 2020

Wes Spencer is a hands-on cybersecurity executive with a wealth of experience in the financial services industry and as a professor of information security. Wes built out one of the first threat intelligence platforms for a community bank. Wes is passionate about information security and has a knack for clearly articulating cybersecurity to all levels of the organization. While at FNB, Wes served as the chairman for the Financial Services Information Sharing and Analysis Center's (FS-ISAC) Community Institution Council, providing leadership to over 4,000 member financial institutions. Wes was also selected as a charter member of American Banker's Digital Leadership Council and is a frequently requested speaker at conferences throughout the country.