The Lesson of the Limping Lady
What does any sane individual do when they find themselves on the losing side of a war? Look at any history book and the answer is quite evident: fight dirty. Cheap tricks, a punch below the belt, whatever it takes to claw back some advantage. And why shouldn't a defender left with few options decide to fight nasty?
Indeed, the entire world of spycraft and sabotage was born through such events. Legends were made from stories such as the Trojan horse or Washington's crossing of the Potomac.
Throughout World War II, and especially during the German advance throughout Europe, the Allies were bereft of options outside of sabotage or guerilla warfare. And so, the Axis enemy got the dirty fight it was asking for: the proverbial kick to the ol' manhood. By a woman. With a wooden prosthetic she affectionately named “Cuthbert”.
I kid you not.
The story is so amazingly interesting and inspiring that, when Tom Hanks turns this into the next hit war movie, just remember: you heard about it here first.
While there were many Allied resistance operators throughout the war, none were held in such contempt by the Nazis as Virginia Hall, more affectionately known by Hitler's henchmen as the “Limping Lady”. Or, as Klaus Barbie, the head honcho of the Gestapo, called her: “that limping Canadian b—ch.” That poor bad guy sounds a little butthurt. So would you if you got “kicked” by a wooden Canadian prosthetic named Cuthbert.
Throughout Hall's illustrious career, she was the cause of more sabotage missions, troop movement leaks, jailbreaks, and other nefarious deeds than any other spy in World War II history. Oh, and news flash to you, Mr. Barbie: Hall wasn't even Canadian. Which makes sense because nobody doesn't like a Canadian.
Are we losing the good fight?
So, what does this have to do with cybersecurity? Just this: we seem to be fighting a war we aren't winning. I won't bore you with the statistics. Go to any security conference keynote and you can hear the speaker wax long and elegant with all their beautiful bar chart wizardry.
But we know this: we aren't winning. Our adversaries are on a constant onslaught, from basic low-intelligence scams up to sophisticated nation-state threat actors. And we've paid a heavy toll for their misdeeds; namely, we've turned into mouse-chasing cats. As the old adage goes (which I've just now made up), where the mouse goes, so does the cat.
Unlike Virginia Hall, most of us are so heads down in responding and reacting to threats, we don't ever take the time to look up and ask ourselves a simple question:
If bad guys are so painful to us, how can I inflict pain back upon them?
When you're backed into a corner, that is the time to fight back. That's how a fight gets dirty. And I'm not talking about hack-back. That was so 2014-era passé.
I'm talking about taking a page from Hall's book. Ignore the rules of engagement for a minute and let's go through a thought exercise. What can we do to make life hard for the bad guys that make life hard for us? While we may not be as brazen and bold as Hall, springing jailbreaks and sabotaging tanks, we can still think outside the box in some innovative ways. Here's a few ideas that might strike your fancy. I'm going to call these Cuthbert's Kicks, simply because Hall is such a BA and you better not mess with anyone who would name their artificial leg Cuthbert.
Cuthbert's kick #1: Mule burning for fun and profit
I talked to an innovative banker one time who came up with an ingenious way of pushing major pain back onto his cyber miscreants. He once asked me, “Hey Wes, you know all those wire fraud scams that banks face where a fraudulent email “from the CEO” emails the CFO requesting a wire to be sent out?”
Of course, I have. They have been a huge issue for years. Rather than simply ignoring the emails, this brilliant banker made the fight dirty. He actually responds back to the bad guy.
“We actually stood up an email account to reply back to the fraudster. We act like we've fallen for the bait and we're going to initiate the wire. But in all actuality, we're simply tricking him into giving up the wire instructions. In nearly every case, the wire account belongs to a money mule. We notify the other bank that holds that account for the mule so they can get the account shut down.”
Now this is an interesting way to make a fraudster angry and, worse, will truly sabotage their miscreant operation. The banker explains: “It takes months, and sometimes years for these fraudsters to build up their repertoire of mules. When we reply back and get the fraudster to expose their mules, we can burn those accounts and truly make life difficult for them. These bad guys fall for it every time, and it makes me so happy to know I'm truly fighting them back.”
Cuthbert's kick #2: Feed that deep dank dark Web
The Dark Web is all abuzz these days. All the radio ads I hear tell me about how our PII are hiding in the “deep dark Web” (shocker) ready for any seedy neckbeard in a fedora to gobble up. But when we deconstruct the hype, there is a healthy (can I call it that?) and active criminal marketplace with a supply chain for anything a cybercriminal might want. Shameless plug: I even made a video about it many years ago.
Now ask yourself this: Why do these bad guys use Tor? Simply this: the anonymity it provides. It's an excellent place to sell your wares and pop off about what dark deeds ail you. Oh, and it's also a great place for us to push some pain back to the baddies. Here's one idea.
Did you know password dumps are often left on pastebin and dark Web forums? Why don't we take advantage of that anonymity? One security practitioner I know does something innovative with it. “We occasionally like to feed a password dump into these places with fake credentials. Bad guys don't know they're fake. But we sure do - we created them after all.”
When pressed on why he does this, his response was one for the record books: “We wait for a few days and then search the SIEM for logins attempting to use these fake credentials. From there, we can cross-correlate for legitimate logs and hunt down compromised accounts.” Now that is some outside the box thinking if ever I've heard of one.
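The hunt described above, as an added example that is not part of the original post: it flags every source that tried a seeded decoy username, then lists real accounts that logged in from the same source. The log layout, field names, usernames and addresses are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Decoy usernames that were seeded and never issued to a real user (constructed).
DECOY_USERS = {"j.whitfield", "svc-archive02", "m.okonkwo"}

# Constructed sample of an authentication log export (assumed CSV layout).
SAMPLE_LOG = """\
ts,user,src_ip,result
2024-03-04T09:12:01Z,alice,198.51.100.7,success
2024-03-05T02:14:10Z,j.whitfield,203.0.113.50,failure
2024-03-05T02:14:12Z,svc-archive02,203.0.113.50,failure
2024-03-05T02:15:40Z,bob,203.0.113.50,success
2024-03-05T02:16:02Z,carol,203.0.113.50,failure
2024-03-05T08:30:00Z,bob,198.51.100.22,success
2024-03-06T11:00:00Z,M.Okonkwo,192.0.2.99,failure
2024-03-06T11:05:00Z,dave,192.0.2.10,success
"""

def hunt(log_text, decoys=DECOY_USERS):
    """Return (decoy_sources, compromised, targeted).

    decoy_sources: src_ip -> set of decoy usernames tried from that address
    compromised:   (user, src_ip, ts) for real accounts that logged in from it
    targeted:      real accounts that only failed from those addresses
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    decoys = {d.lower() for d in decoys}
    decoy_sources = defaultdict(set)
    # Pass 1: any attempt with a decoy username marks the source as hostile.
    for r in rows:
        if r["user"].lower() in decoys:
            decoy_sources[r["src_ip"]].add(r["user"].lower())
    # Pass 2: real accounts seen from those sources, before or after the decoy hit.
    compromised, targeted = [], set()
    for r in rows:
        user = r["user"].lower()
        if r["src_ip"] not in decoy_sources or user in decoys:
            continue
        if r["result"] == "success":
            compromised.append((user, r["src_ip"], r["ts"]))
        else:
            targeted.add(user)
    targeted -= {u for u, _, _ in compromised}
    return dict(decoy_sources), compromised, sorted(targeted)

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A shared address (NAT, VPN exit) can put innocent users in the result, so treat each hit as a lead to confirm against other telemetry.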
Cuthbert's kick #3: Ripping a page out of the MPAA's playbook
Remember the time that the MPAA got caught seeding fake movie torrents to expose those pesky internet pirates? Maybe they were on to something. What if we did the same thing? There's lots of opportunity here.
How much fun could we have uploading and selling malicious malware to miscreants? What if we sold them software that ransomed their own computers? What if we provided fake C2 infrastructure (e.g. botnets) that burned their identities? How would they be any wiser? While much of this might border on criminal activity of our own, it's still an innovative idea that might be worth exploration. Perhaps our fine friends in the federal government are already doing this.
Cuthbert's final kick: Killing time
There's one way we can all make bad guys hurt: waste their time, while not wasting our own. There's a lot of ways we can do this, and I can't wait to share a few with you. If we want to remove appeal for these miscreants, we need to also remove their opportunity. Here's a few fun ways others have done this. (A lawyer made me say this: I would caution you to not get involved directly with any fraudster unless you know the risks involved.)
- Here's one way to get back at phone fraudsters, and look! Is it ever fun to listen to their best hits. These con men sure get angry when they learn they've been conned themselves.
- One of the most famous cases of scamming the scammers of all time: The Anus Laptop Anti-Scam.
- Ronnie T. has a great Slack channel for learning more.
Final lesson
Virginia Hall was a notorious thorn in the side of her enemies. Anyone the Nazis call a “limping Canadian b—ch” is a sure winner in my book. While we all struggle with our common adversaries, perhaps it is time for us to think a bit more outside the box. Bad guys place enough pain on us; perhaps it's time we think about pushing some pain back upon them.
What about you? What ideas do you have? Anything innovative and fun you've done to kick those miscreants where the sun don't shine? We'd love to hear!