Stagehand: Episode 2

Stagehand: S1 Episode 2

Jack Sullivan

Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel Thursday night. By Friday afternoon, Lincoln Palmer, the CEO of the hedge fund that owns a majority stake in Illuminating Solutions, was on the phone with me.

As the CISO, Carl Timmons had access to the private data of some of the largest U.S. companies – we’re talking giant corporations from pharmaceuticals to defense. So, when someone like Carl goes missing, it’s natural to think the worst. Up until now, we thought “the worst” was covert Chinese agents, spies, or some other shadow operative, but then Lincoln received an email from Carl’s work email. There was no subject or text; only a link. I clicked on it.

The camera’s staged in a dark room, covered in black canvas. Carl is on his knees, and his arms are tied behind his back. The kidnappers have blindfolded him, and covered his face with a plastic pig nose. It’s unclear if he knows he’s being filmed but he appears to be alone. There’re no demands. There’s no agenda or threats, and the primary motivation seems to be humiliation. This video is not the work of an operationally sound governmental unit. This wasn’t a declaration, or a threat; at the very best it’s a weak middle finger. I needed my team to see the video because I know organized kidnapping and this had chaos written all over it.

Colombia ~ 1986

We’d all seen the videos of the hostages taken by FARC. They all looked the same: emaciated, empty-eyed, standing in the jungle, unbound but surrounded by child soldiers with assault weapons. And all were at the mercy of senior leadership. FARC was desperately trying to stay relevant by kidnapping American citizens and using them as political pawns. These videos were provocations, and the hostages were prisoners of a war FARC was inviting the world to watch. My bosses in the US Government took them up on that invite and sent us in to retrieve the hostages.

John’s office sits directly across from mine. He’s a Special Forces guy, and the first hire I made at Stagehand. He’s precise, brilliant, and has that Steve McQueen cool —everybody loves him, nobody knows if he loves you back.

John’s been digging up what he can from the video link to Carl’s kidnapping. As I enter his office, he rolls his chair around, and I can tell by the look in his eyes, he’s found something. His laptop screen is filled with endless images of text exchanges from chat rooms from the dark web. “Well Sully, here’re the cookie crumbs: I see black leather gloves, acne scars, and hoodies, maybe some questionable hygiene. I can’t tell you who kidnapped Carl, but I’m gonna point you in the direction of someone who might.”

The encryption on the IP address was sophisticated but recognizable to John. The pig nose and the stripped clothing suggested the kidnappers were most likely a fringe organization, with anarchistic or radical motivations that are more concerned with destabilization and making some ransom income than actually instigating anything. Also, whoever kidnapped Carl had to have known where he was staying, and his patterns. Carl disappeared on his walk from the hotel to the restaurant where he always ate when in San Jose. We found nothing suggesting that Carl’s private information had been hacked, so if Carl wasn’t being virtually tracked, someone must have been tracking him in person.

On John’s desktop was a picture of Angela Freidman. She was a twenty-three-year-old Computer Science major, frequenter of the dark web, and part-time employee of the hotel where Carl Timmons was last seen. This was the link we needed. Next to Angela’s picture were printouts of four separate chats, each with highlighted data that John had programmed into the language processing system. Angela Freidman was communicating with someone about the exact date Carl checked into the hotel. It doesn’t appear she did more than that, but you never know.

When John was sure I had finished reading the chats, he asked, “Think you’ll need backup?”

Colombia ~ 1986

My team and I drove around Bogota in an old van packed with direction-finding equipment to pick up the transmissions coming from a known FARC cell phone. Two other vans, similarly laden with communications equipment, also circled the city, helping us triangulate the location of the FARC phone and thus the FARC kidnappers tucked away in the jungle. We isolated the location of the American hostages to a specific territory, and deployed a group of Colombian soldiers we’d trained who would pose as members of FARC and would transport the hostages. We needed their help because white, sunburned Marines tended to stick out in the Colombian jungle. Otherwise we’d fly the plane, and we’d be the guns on stand-by.

As we descended into the rescue, we knew the enemy and our mission was clear. Get the hostages out alive, try not to start a war. Simple as that.

Now, I’m on a private jet to San Jose. But the team with me is the same one from the jungle.

Sleeping comfortably in the reclined seat in front of me is Frenchy, a former Gunnery Sergeant in the Marine Corps, who left after ten years to become a Connecticut State Trooper, and an amateur surfer. Frenchy got kicked out of college for mailing a dead rat to a friend who broke a promise.

Keith sat on the other side of the aisle; stoic, silent, and strong as a bull. An Airborne Ranger, raised in the Adirondacks, he was the most gifted interrogator I have ever known.

We’re a little softer, a little older, but we’re still three of the best trained men on the continent, and we’re off to interrogate a young woman that probably has no idea what she just got herself into.

It’s our job to inform her, and then find Carl before his kidnappers get bored with a pig nose.

 
