The month of May in Indiana is known for the Indianapolis 500, which attracts an estimated 300,000 people annually and is the world’s largest single-day sporting event. But with all big sporting events come security concerns, and the Indianapolis Motor Speedway doesn’t take any chances when hosting their events. That’s why they partnered with Carmel-based Rook Security — along with over 50 law enforcement agencies — for this year’s race.

In fact, the Indianapolis 500 is a specially-rated event, with similar security standards to the Super Bowl. Working alongside law enforcement agencies such as the FBI and Department of Homeland Security, Rook set up a Cyber Command Center inside the Indianapolis Motor Speedway Emergency Operation Center (EOC), to detect and respond to digital threats.

Sarah I., a Threat Intel Analyst for Rook, was one of the analysts working inside the Cyber Command Center on the day of the race. She took part in helping track down a potential threat during the day of the event and providing the appropriate information to law enforcement officials.

During the race, a man sent a concerning tweet referencing the race. “I’m going to trigger someone today @IMS #indy500,” he wrote. The tweet included an image of the individual’s car that was taken on a street.

Due to the language used in the tweet, the Secret Service flagged it and passed it on to her to find additional information. Along with uncovering information about him on the Internet, she started to look closer at the image. She noticed a street sign in the background that could be read if you zoomed in quite a bit.

From that sign, she was able to identify the street and the location of the car. After the car was located by local authorities, they were able to use his license plate number to look up his driver’s license. Using his driver’s license, a law enforcement officer was able to call the ticket office to find out what section he was sitting in during the race.

Using this information and the geolocation coordinates of a selfie the man had taken, Sarah was able to provide authorities everything they needed to find him and approach him within minutes of receiving this information.

Tom Gorup

Tom GorupDirector of Security Operations

“The language you use online — even if it’s not meant to be taken seriously or literally — will raise concerns among professionals whose job it is to monitor and respond to online threats,” said Tom Gorup, Director of Security Operations for Rook. “How many terrorist attacks were preceded by a seemingly innocuous tweet or thinly-veiled threat?”

Because of events leading up to the race, people were sensitive to the possibility of both physical and digital attacks.

“Everybody was sensitive considering the Vice President of the United States was coming in, along with the Manchester terrorist, Google Docs phishing attacks, and WannaCry cyberattack happening right before the event,” said Gorup. “There was a lot of hyperawareness around this time, and it was imperative that IMS was secure.”

A big part of the success of keeping IMS secure was the collaboration between the law enforcement agencies and Rook Security.

“Government agencies often partner with us because we can operate more quickly and effectively without being constrained by red tape,” says Gorup. “I don’t think a lot of events have a security company and law enforcement agencies working together. I think it’s important that we did, and it’s something that more and more events will adopt as the line separating physical and cyber threats continues to blur.”

How Rook Security Monitors Security Risks

Working the Indianapolis 500 isn’t Rook’s first rodeo, so to speak. Rook is extremely efficient in finding, monitoring, and dealing with potential threats, and they follow a process to identify potential threats, both digital and physical.

“The first phase of a potential security risk starts off with someone venting; they’re angry about a product, a service, individual, or group,” says Gorup. “They begin venting on something like 4chan or 8chan, where they’ll try to broaden their following for a cause.”

According to Sarah and Gorup, most hackers hang out inside of Internet Relay Chat (IRC), which is a kind of deep web equivalent to Slack. This is where hackers will start the second phase of their cause.

“After they’ve built a case for whatever it is they’re doing, they’ll try to mobilize a following,” says Gorup. “They go a little more ‘dark’ and use IRC channels instead of forums to communicate.”

As the mobilizing phase is where these individuals or groups are making their plans to attack, Rook agents monitor IRC channels to conduct sentiment analysis, placing individuals into different buckets. When necessary, they escalate certain communications, individuals, or IRC channels to threat intelligence analysts, who will then find an opportunity to get into that channel.

“Our job is to stay in lockstep with them throughout this process,” says Gorup. “We insert ourselves as one of the ‘collective’ and stay in step with what they want to accomplish.”

However, the goal is to take the most preventative approach possible. “Increasingly, breadcrumbs are being left online,” says Gorup. “If we can get ahead of finding them, then we’re getting ahead of their plans.”

While no one is completely immune to cyber attacks, there is a silver lining. “In general, most make a mistake somewhere along the way,” says Gorup. “We just have to keep following the trail and going as deep as possible.”

Want to learn more about how to protect your business? Attend Rook Security’s Lunch and Learn on August 3 or read their featured profile from January 2016.