ASSOCIATE Magazine FBINAA Q1-2026

continued from "Spidey Senses" page 26

the server, the risks are the same: employees face fraud risk, the corporation faces legal exposure, and corporate trust takes a hit. The investigative steps are also identical: casing, entry, theft, and exit. Only the method and the visibility change.

Your “Spidey senses” work on the street and in cyberspace if you apply them through a structured investigative lens. In the physical world, instincts help you spot what feels off: a tiny glitch in surveillance footage that suggests a camera loop, a nervous witness, or a car parked too long outside a building. In the digital world, those same instincts help you question anomalies: unexpected logins, strange data transfers, or unusual patterns of access. The difference is visibility. In cyberspace you can’t rely on sight or sound, so you must rely on sequence and digital evidence.

WHY THIS MATTERS

This analogy isn’t about becoming a technical expert. It’s about becoming fluent in what your investigators are seeing and what they mean when they use cyber terms like exploit, payload, persistence, obfuscation, and exfiltration. It’s also about understanding the sequence so that cyber frameworks such as Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK framework make practical sense. Viewing intrusions as familiar crimes carried out with hard-to-see tools turns cybercrime from a technical mystery into a practical policing problem.

The easiest way to explain a cyber intrusion is to walk through a familiar burglary (physical intrusion) and, at each step, show the digital equivalent in plain language. Step by step, the pattern stays the same; what changes are the door, the tools, and the visibility.

MOTIVE

Physical: A burglar intends to steal a company’s HR files to sell on the dark web (a hidden part of the internet that regular search engines like Google or Bing cannot find) and to plant a device on the HR director’s computer to maintain continued access.

Digital equivalent: An intruder intends to penetrate a company’s network to steal information for espionage and to establish a foothold that keeps their access open.

Commander’s question: What is the intruder trying to achieve: money, leverage, access, revenge, or intelligence?

CASING THE JOINT [CYBER JARGON: RECONNAISSANCE]

Physical: An intruder studies staff routines, observes which doors are left ajar, and identifies the blind spots in the building’s camera coverage.

Digital equivalent: An intruder gathers publicly available information using Google Maps and Shodan (a search engine that indexes the devices and services a company has exposed to the internet, searchable by IP address or organization). They review the company website, employee social media, job postings, public code repositories, and domain registration records. They also look for exposed subdomains or services and search past data breaches for leaked passwords. The goal is the same: to find what is visible, unlocked, or weakly protected before deciding where to strike.

Commander’s question: What did the intruder already know about the company, and how could they have gathered it?

VULNERABILITY IDENTIFICATION

Physical: The intruder spots a side door that is often propped open by the cleaners.

Digital equivalent: The intruder finds a phishable employee, who has posted on several social media platforms that he’s interested in changing jobs.

Commander’s question: Where was the weak point (people, process, or system), and how long has it existed?

GAIN ENTRY [CYBER JARGON: EXPLOIT A VULNERABILITY]

Physical: One night the intruder slips in behind the night-shift cleaner using the classic “tailgating” technique.

Digital equivalent: An intruder posing as a recruiter sends the phishable employee an email containing a job offer. The email carries a PDF attachment with malicious code that, once opened, gives the intruder access to the company’s network.

Commander’s question: How did they get in, and what controls should have detected that initial access?

COMMISSION OF THE CRIME [CYBER JARGON: DELIVERING A PAYLOAD]

Physical: The burglar goes straight to the target room, opens inner doors, and copies what they came for.

Digital equivalent: The intruder delivers a payload tailored to their objective. This may involve installing a remote-access tool for espionage (e.g., Lazarus Group’s Sony Pictures breach in 2014), running data-collection scripts for financial theft (e.g., the FIN7 malware campaign from 2013 to 2018), deploying wiper software to destroy systems (e.g., the NotPetya attack in 2017), or tampering with a software build or update process by inserting malicious code that corrupts future software releases (e.g., the SolarWinds supply-chain compromise in 2020).

Commander’s question: Once inside, what did they do first, and how did they move toward their objective?

COMMAND AND CONTROL

Physical: The intruder signals a lookout, radios a driver, and uses pre-arranged cues.

Digital equivalent: The intruder maintains control by implanting malware that makes compromised systems “call home” through scheduled check-ins (beaconing). They may also use store-and-forward techniques, such as a hidden email inbox that both sides read, to send instructions and collect stolen data.

Commander’s question: How were they communicating with the compromised systems, and how did they direct the activity?

COVERING TRACKS [CYBER JARGON: PERSISTENCE & OBFUSCATION]

Physical: Before leaving, the intruder wipes surfaces, loops or disables cameras, and stashes a spare key for a return.

Digital equivalent: The intruder tampers with logs, alters timestamps, and creates hidden accounts for repeat access.

Commander’s question: What signs suggest they tried to hide, stay, or come back, and what evidence remains?

GETAWAY [CYBER JARGON: EXFILTRATION & EXIT]

Physical: The intruder exits by a planned route, carrying folders in a bag and handing them to an accomplice.

Digital equivalent: The intruder covertly transfers the stolen data as encrypted uploads to an external server. Criminal intruders often depart once exfiltration is complete, while nation-state intruders frequently leave backdoors to maintain ongoing access.

Commander’s questions: What left the network, when, and how much of it can we confirm? Is the intruder still present?
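The command and control, covering tracks, and getaway phases above each leave a trace that an investigator can look for in logs: check-ins that arrive on a suspiciously regular schedule, a single upload far larger than the host’s usual traffic, and audit records that are missing, out of order, or explicitly cleared. The Python below is an added example, not code from the article or its author. It runs those three checks over constructed records; the workstation names WS-HR-07 and WS-FIN-02, the addresses 203.0.113.10 and 198.51.100.5, the account svc_update2, and all times are assumed. The event IDs 4624, 4720, and 1102 are the Windows Security log IDs for a successful logon, a user account being created, and the audit log being cleared.

```python
"""Added example (not from the article): three quick checks over constructed
connection and audit logs that speak to the commander's questions for the
command and control, covering tracks and getaway phases. Every record below
is constructed; host names, addresses, account names and times are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

T0 = datetime(2026, 1, 12, 2, 0, 0)  # assumed start of the captured window

# Constructed proxy/firewall records: (time, source host, destination, bytes sent).
CONNECTIONS = []
# A compromised HR workstation checks in with the same outside server every five
# minutes, give or take a second or two, and sends almost nothing each time...
for i in range(8):
    CONNECTIONS.append((T0 + timedelta(seconds=300 * i + (i % 3) - 1),
                        "WS-HR-07", "203.0.113.10", 1_200))
# ...and then pushes one large upload to that server: the getaway.
CONNECTIONS.append((T0 + timedelta(seconds=2_460),
                    "WS-HR-07", "203.0.113.10", 48_000_000))
# Ordinary browsing from another workstation: irregular timing, modest sizes.
for i, offset in enumerate((0, 17, 211, 260, 905, 910, 1_300)):
    CONNECTIONS.append((T0 + timedelta(seconds=offset),
                        "WS-FIN-02", "198.51.100.5", 20_000 + 3_000 * i))

# Constructed audit-log records: (record number, time, event id, detail).
# 4624, 4720 and 1102 are the Windows Security log IDs for a successful logon,
# a user account being created, and the audit log being cleared.
AUDIT = [
    (1001, T0 + timedelta(minutes=1), 4624, "logon hr.director"),
    (1002, T0 + timedelta(minutes=3), 4624, "logon cleaner.night"),
    (1003, T0 + timedelta(minutes=30), 4720, "account created: svc_update2"),
    # records 1004-1040 are gone: the window in which the intruder worked
    (1041, T0 + timedelta(minutes=35), 1102, "audit log cleared by svc_update2"),
    (1042, T0 + timedelta(minutes=20), 4624, "logon svc_update2"),  # clock set back
]

def find_beacons(records, min_connections=5, max_cv=0.15):
    """Source/destination pairs whose connection intervals are nearly constant.
    Punctual, repeated check-ins are the signature of scheduled beaconing;
    people and ordinary software are far less regular.
    Returns [(source, destination, median interval in seconds)]."""
    by_pair = defaultdict(list)
    for when, src, dst, _ in records:
        by_pair[(src, dst)].append(when)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # coefficient of variation: 0 means perfectly regular timing
        if pstdev(gaps) / mean(gaps) <= max_cv:
            found.append((src, dst, median(gaps)))
    return found

def find_large_uploads(records, factor=20, floor_bytes=5_000_000):
    """Connections that sent far more than the same host's usual transfer.
    A first answer to 'what left the network, when, and how much'.
    Returns [(source, destination, time, bytes sent)]."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)
    flagged = []
    for src, recs in by_src.items():
        usual = median(r[3] for r in recs)
        for when, _, dst, sent in recs:
            if sent >= floor_bytes and sent > factor * usual:
                flagged.append((src, dst, when, sent))
    return flagged

def find_tampering_signs(audit, business_hours=(8, 18)):
    """Signs that someone tried to hide, stay or come back: missing record
    numbers, a clock that runs backwards, an explicit log-clearing event, and
    accounts created outside business hours. Returns plain-language findings."""
    findings = []
    prev_no, prev_time = None, None
    for no, when, event_id, detail in audit:
        if prev_no is not None and no != prev_no + 1:
            findings.append(f"records {prev_no + 1}-{no - 1} missing")
        if prev_time is not None and when < prev_time:
            findings.append(f"record {no} is timestamped before record {prev_no}")
        if event_id == 1102:
            findings.append(f"record {no}: {detail}")
        if event_id == 4720 and not business_hours[0] <= when.hour < business_hours[1]:
            findings.append(f"record {no}: {detail} at {when:%H:%M}")
        prev_no, prev_time = no, when
    return findings

if __name__ == "__main__":
    print("beaconing:", find_beacons(CONNECTIONS))
    print("large uploads:", find_large_uploads(CONNECTIONS))
    for line in find_tampering_signs(AUDIT):
        print("tampering sign:", line)
```

Run as written, the script names WS-HR-07 as the beaconing host (one check-in roughly every 301 seconds), flags its 48 MB upload as the only oversized transfer, and lists four tampering signs from the audit log: an account created at 02:30, a gap of 37 records, an explicit log-clearing event, and a record timestamped earlier than the one before it. The thresholds (five connections, 15 percent timing variation, a 20-fold size jump with a 5 MB floor) are starting points to tune against a network’s normal traffic, not fixed rules; an intruder who adds heavy jitter to check-ins or drips data out slowly will not trip them, which is why the commander’s question about what evidence remains still has to be asked.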

continued on page 29

28 FBINAA.ORG | Q1 2026
