Incident-as-a-Service

A faceless hacker stole my therapy notes Defence Masterclass

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security professionals learning from real-world breaches
  • IT teams responsible for implementing security controls
  • Business leaders making security investment decisions
  • Compliance officers requiring current, incident-driven training
  • Risk managers assessing organizational vulnerabilities

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Analysis & Attack Vectors

Analyse the threat landscape, dissect attack campaigns, and understand credential harvesting and social engineering techniques used in this incident.

4 lessons ~48 min
📖 1.1 A Breach Deep Dive 12 min
📖 1.2 Campaign Analysis 12 min
📖 1.3 Credential Harvesting Tactics 12 min
📖 1.4 Spear-Phishing Techniques 12 min
📖 2.1 SIEM Detection Strategies 12 min
📖 2.2 Endpoint Analysis 12 min
📖 2.3 Incident Response Playbook 12 min
📖 2.4 Digital Forensics 12 min
📖 3.1 FIDO2 Implementation 12 min
📖 3.2 Risk-Based Authentication 12 min
📖 3.3 Token Binding Security 12 min
📖 3.4 Zero Trust Architecture 12 min
📖 4.1 Security Awareness Programme 12 min
📖 4.2 Board Communication 12 min
📋 4.3 Vendor Risk Assessment 12 min
📖 4.4 Compliance Integration 12 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

A Deep Dive

Lesson 1 of 16

Lesson 1.1: A Deep Dive

Lesson Scenario: You are a security analyst at "Mindful Horizons," a digital therapy platform. A senior therapist reports that several highly sensitive patient session notes have been accessed and downloaded from a supposedly secure portal by an unrecognised user. The attacker left no obvious malware or disruptive footprint—only the chilling absence of data where it should be. This is a faceless, sophisticated theft.

Introduction: The Intimate Breach

Imagine the most private conversation of your life—your deepest fears, vulnerabilities, and hopes—documented in a digital file. Now imagine that file, your therapy notes, stolen not by a burglar but by a silent, faceless entity in the digital ether. This isn't just a data breach; it's a profound violation of human trust. In the healthcare sector, such incidents represent the apex of cyber risk, blending high financial stakes with irreparable personal harm.

In this lesson, we dissect the hypothetical theft of therapy notes from a platform like Mindful Horizons. We will move beyond generic threat models to analyse the specific Tactics, Techniques, and Procedures (TTPs) a sophisticated "faceless" actor would employ, using the MITRE ATT&CK framework as our guide. We'll trace the attack from initial compromise to data exfiltration, identify the subtle Indicators of Compromise (IoCs) often missed, and map the devastating fallout to both compliance and human lives.


Compliance Framework Mapping

The theft of protected health information (PHI), especially psychotherapy notes which often have heightened protection, triggers immediate obligations under multiple regulatory and security frameworks. Understanding these mappings is crucial for legal accountability and effective defence planning.

Framework: GDPR
Control / Article: Article 9: Processing of Special Categories of Data
Mapping: Therapy notes contain data concerning health and potentially reveal racial/ethnic origin, political opinions, religious beliefs, or sexual orientation. Their theft constitutes a severe breach of Article 9, requiring notification to supervisory authorities within 72 hours and potentially to data subjects.

Framework: NIST CSF
Control / Article: PR.AC-1: Identities and credentials are managed for authorised users and devices; DE.CM-8: Vulnerability scans are performed.
Mapping: The attack vector likely exploited compromised credentials (PR.AC-1 failure) or an unpatched vulnerability in the public-facing therapy portal (DE.CM-8). The incident highlights gaps in the Protect and Detect functions.

Framework: ISO 27001
Control / Article: A.9.4.1: Information access restriction; A.13.2.1: Information transfer policies and procedures
Mapping: Failure to restrict access to sensitive note databases (A.9.4.1) and a lack of controls to monitor and restrict anomalous bulk data transfers (exfiltration) (A.13.2.1) enabled the attack's success.

Framework: DORA
Control / Article: Art. 5: ICT Risk Management Framework; Art. 7: ICT-Related Incident Reporting
Mapping: As a critical digital service provider (if scaled), the platform would need robust threat-led penetration testing (Art. 5) and mandatory reporting of this major incident to competent authorities within 24 hours (Art. 7).

Framework: NIS2
Control / Article: Art. 20: Security of network and information systems; Art. 23: Incident reporting
Mapping: Classifying healthcare providers as essential entities, NIS2 mandates "state-of-the-art" security measures to prevent such breaches. Early warning reporting (within 24 hours) is required for significant incidents causing substantial data loss.

Framework: SOC 2
Control / Article: CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets...; CC7.1: The entity uses detection and monitoring procedures to identify... security events.
Mapping: The breach directly impacts the Security and Confidentiality trust principles. It demonstrates a failure in logical access controls (CC6.1) and potentially in monitoring for anomalous data access patterns (CC7.1).

Section 1: The Attack Lifecycle – A Faceless Intrusion

Using the MITRE ATT&CK framework, we can reconstruct the likely attack chain. This actor prioritises stealth and efficiency, often completing their mission in days or even hours.

Initial Access & Persistence (Days 0-1)

The "faceless" moniker suggests an actor avoiding custom malware, instead relying on living-off-the-land techniques. Initial access would be gained through:

  • T1566.001: Phishing – Spearphishing Attachment/Link: A targeted email to a therapist or system administrator, mimicking a trusted entity (e.g., a software vendor, professional body), could harvest valid credentials.
  • T1078: Valid Accounts: Compromised credentials, perhaps from a previous unrelated breach or purchased on dark web markets, provide immediate, "authorised" access to the therapy portal. This is alarmingly common; research indicates credential compromise is a primary enabler for lateral movement in healthcare networks.[4]
  • T1190: Exploit Public-Facing Application: While no specific CVE is named for our scenario, unpatched vulnerabilities in the therapy platform's web application, file transfer services, or remote access tools could serve as the initial door. The 2023 MOVEit breach is a stark precedent for mass data exfiltration from healthcare.[1][3]

Persistence is maintained simply by retaining and continuing to use these stolen credentials (T1078), blending in with normal user activity.

Critical Insight: In 87% of analysed cases from late 2024, data exfiltration events preceded ransomware deployment.[4] The theft of your data may not be the end goal but a precursor to a double-extortion attack. Defences must detect the theft phase.

Collection & Exfiltration (Days 1-7)

Once inside, the attacker's goal is precise: locate and steal the therapy notes.

  • T1005: Data from Local System: The attacker would explore networked drives, databases (e.g., the primary notes repository), and even local clinician workstations to locate and gather the target files.
  • TA0010 / T1041: Exfiltration Over Command and Control Channel: The stolen notes are likely bundled and sent out over an encrypted channel (e.g., HTTPS) to an attacker-controlled server (C2). This traffic can mimic legitimate web traffic, making it difficult to distinguish.
  • T1020: Automated Exfiltration: Scripts may be used to automate the collection and transfer, often executed during off-peak hours. Studies of 2024-2025 healthcare incidents show that the time from initial access to exfiltration can be under two hours, demonstrating a highly compressed, automated timeline.[4]

Section 2: The Detection Dilemma – Finding What's Not There

This attack is designed to be ephemeral and leave minimal forensic evidence. Relying on traditional malware signatures is futile. Defence hinges on identifying behavioural anomalies and subtle IoCs.

Key Technical Indicators of Compromise (IoCs)

Based on analysis of similar faceless exfiltration events, your Security Operations Centre (SOC) should hunt for:[1][4]

  • Anomalous Data Volume Spikes: A single user session or service account generating gigabytes of outbound traffic from the notes database server, especially at unusual times (e.g., 3 AM local time).
  • Silent Integrations & Schema Drift: The therapy notes application or its logging agent may mysteriously stop reporting. Unexpected new database connections or changes in query patterns (schema drift) could indicate active data staging.
  • Compromised Credential Usage: Logins from unfamiliar geolocations (e.g., a therapist's account accessing from a foreign country), or at strange times, using the correct password.
  • Metadata Patterns in Network Traffic: While the content is encrypted, the size, timing, and destination of data flows can be telling. Large, sustained transfers to unfamiliar cloud storage IP addresses or newly registered domains are major red flags.

The fundamental challenge is that these IoCs are often buried in vast volumes of legitimate activity. As noted in recent threat intelligence, behavioural pattern detection—focusing on metadata anomalies and unusual data volumes—is now more critical than ever for identifying exfiltration.[4]


Section 3: The Ripple Effect – Impact and Consequences

While our scenario is hypothetical, the impact parameters are drawn from real-world breach data. For a healthcare entity, the fallout is multidimensional and severe.

Financial and Operational Impact

  • Direct Costs: Forensic investigation, legal counsel, regulatory reporting, credit monitoring for affected patients, and system remediation. For the healthcare sector, the average cost of a data breach has consistently been the highest of any industry, reaching up to $12 million per incident.[1][2] Even for a smaller clinic, costs can be crippling.
  • Regulatory Fines: Under HIPAA (or its UK/EU equivalents like GDPR), the theft of psychotherapy notes is among the most serious violations. The Office for Civil Rights (OCR) has shown increasing enforcement, with 2022 seeing a record number of financial penalties.[3] Fines can easily reach seven figures.
  • Operational Disruption: The immediate lockdown of systems for investigation halts clinical workflows, leading to cancelled appointments and loss of revenue.

Reputational and Human Impact

This is the most profound and lasting damage. The breach of therapist-patient confidentiality can destroy a practice's reputation overnight. Patients lose trust and seek care elsewhere. For the individuals whose notes were stolen, the psychological distress, fear of blackmail, or public exposure constitutes a genuine harm that no settlement can fully redress.

Take Note: The timeline from breach to discovery is critical. In our reconstructed attack, the data could be gone in days. Many organisations take months to discover a breach, dramatically increasing costs and liability. Proactive hunting for the IoCs listed above is not a luxury—it's a survival imperative.


Practical Activity: Log Analysis Simulation

Objective: Identify potential IoCs from a simplified sample of authentication and network flow logs.

Scenario: You are given a CSV log excerpt from the "Mindful Horizons" portal server over a 48-hour period. The log contains columns for: Timestamp, User_ID, Source_IP, Action, Destination_IP (for flows), Data_Volume_Transferred.

Your Task: Review the following fictional log entries. Which one would you flag as the highest priority potential IoC for data exfiltration and why?

1. 2024-01-15 14:22:01, therapist_anna, 192.168.1.105, LOGIN_SUCCESS, -, -
2. 2024-01-15 14:30:15, therapist_anna, 192.168.1.105, DB_QUERY, -, 0.2MB
3. 2024-01-16 03:01:48, svc_backup, 192.168.1.10, NETWORK_FLOW, 10.0.5.200, 15.4GB
4. 2024-01-16 09:15:33, admin_jones, 203.0.113.45, LOGIN_SUCCESS, -, -
5. 2024-01-16 10:01:01, therapist_anna, 192.168.1.105, DB_QUERY, -, 0.1MB

Answer Rationale: Entry #3 is the critical IoC. A service account (`svc_backup`) initiating a massive data transfer (15.4GB) to an external IP address (`10.0.5.200`) in the middle of the night is highly anomalous. This matches the behavioural pattern of automated exfiltration (T1020) during off-peak hours to evade notice. The volume is inconsistent with routine backup operations, which would likely go to a known internal or cloud backup service.
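The behavioural indicators listed in Section 2 and the log-review activity above can be turned into a small triage script. The following is an added example written for this lesson; it is not code from the course or from the (fictional) Mindful Horizons platform. It parses the five activity entries (with a constructed header row), applies one rule per indicator class (anomalous volume, off-hours activity, valid login from an unfamiliar network, a flow to a destination outside the account's approved list, and the longest silence between events as a proxy for a logging agent that has stopped reporting) and scores each line. The corporate ranges, the approved backup target, the thresholds and the business-hours window are all constructed assumptions. One practitioner caveat the script makes explicit: `10.0.5.200` sits in RFC 1918 private space, so a rule that only asks "is the destination external?" would not fire on entry #3; comparing the destination against what the account is approved to talk to does.

```python
"""Behavioural IoC triage over the lesson's constructed portal log.

Added example, not course or platform code. Every threshold, network range,
allowlist and log line below is a constructed assumption.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the five entries from the practical activity, plus a
# header row so csv.DictReader can name the columns.
SAMPLE_LOG = """\
Timestamp, User_ID, Source_IP, Action, Destination_IP, Data_Volume_Transferred
2024-01-15 14:22:01, therapist_anna, 192.168.1.105, LOGIN_SUCCESS, -, -
2024-01-15 14:30:15, therapist_anna, 192.168.1.105, DB_QUERY, -, 0.2MB
2024-01-16 03:01:48, svc_backup, 192.168.1.10, NETWORK_FLOW, 10.0.5.200, 15.4GB
2024-01-16 09:15:33, admin_jones, 203.0.113.45, LOGIN_SUCCESS, -, -
2024-01-16 10:01:01, therapist_anna, 192.168.1.105, DB_QUERY, -, 0.1MB
"""

# Assumed environment knowledge a SOC keeps beside the log (all constructed).
CORPORATE_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.1.0/24")]
APPROVED_FLOW_TARGETS = {"svc_backup": {"10.0.1.50"}}  # only host the backup job may write to
VOLUME_THRESHOLD = 1 * 1024**3                          # 1 GiB in a single event
BUSINESS_HOURS = range(7, 20)                           # 07:00-19:59 local time
MAX_REPORTING_GAP = timedelta(hours=6)                  # longer silence = agent stopped reporting
UNIT = {"KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}


@dataclass
class Entry:
    line_no: int
    ts: datetime
    user: str
    src: str
    action: str
    dst: str
    volume: float  # bytes


@dataclass
class Finding:
    line_no: int
    indicator: str
    score: int
    detail: str


def parse_volume(field: str) -> float:
    """'15.4GB' -> bytes; '-' means no payload."""
    field = field.strip()
    if field in ("-", ""):
        return 0.0
    return float(field[:-2]) * UNIT[field[-2:].upper()]


def parse_log(text: str) -> list[Entry]:
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [
        Entry(i, datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S"),
              row["User_ID"], row["Source_IP"], row["Action"],
              row["Destination_IP"], parse_volume(row["Data_Volume_Transferred"]))
        for i, row in enumerate(reader, start=1)
    ]


def in_corporate_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def check_entry(e: Entry) -> list[Finding]:
    """Apply one rule per indicator class from Section 2 to a single log line."""
    found = []
    if e.volume >= VOLUME_THRESHOLD:
        found.append(Finding(e.line_no, "anomalous_volume", 3,
                             f"{e.volume / 1024**3:.1f} GiB moved by {e.user} in one {e.action}"))
    if e.action == "NETWORK_FLOW" and e.dst not in APPROVED_FLOW_TARGETS.get(e.user, set()):
        # Allowlist check fires even for an RFC 1918 destination such as 10.0.5.200,
        # where a naive "is the destination external?" test would stay silent.
        scope = "private" if ipaddress.ip_address(e.dst).is_private else "public"
        found.append(Finding(e.line_no, "unapproved_destination", 3,
                             f"{e.user} sent data to {e.dst} ({scope} address, not on its allowlist)"))
    if e.ts.hour not in BUSINESS_HOURS:
        found.append(Finding(e.line_no, "off_hours_activity", 1, f"{e.action} at {e.ts:%H:%M} local"))
    if e.action == "LOGIN_SUCCESS" and not in_corporate_range(e.src):
        found.append(Finding(e.line_no, "login_from_unfamiliar_network", 2,
                             f"{e.user} authenticated from {e.src} with a valid password"))
    return found


def longest_reporting_gap(entries: list[Entry]) -> timedelta:
    """Largest silence between consecutive events (run per log source in production)."""
    ts = sorted(e.ts for e in entries)
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))


def triage(text: str) -> dict[int, int]:
    """Total IoC score per log line; lines with no findings are absent."""
    scores: dict[int, int] = {}
    for e in parse_log(text):
        for f in check_entry(e):
            scores[f.line_no] = scores.get(f.line_no, 0) + f.score
    return scores


def highest_priority(text: str) -> int:
    scores = triage(text)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        for f in check_entry(e):
            print(f"line {f.line_no}: {f.indicator} (+{f.score}) {f.detail}")
    gap = longest_reporting_gap(parse_log(SAMPLE_LOG))
    print(f"longest gap {gap} (limit {MAX_REPORTING_GAP}); investigate line {highest_priority(SAMPLE_LOG)} first")
```

Run as a script it lists every finding and names entry #3 as the first line to investigate, with entry #4 (a successful login for `admin_jones` from `203.0.113.45`, outside the assumed corporate ranges) as the second. The scores are deliberately additive so that a line matching several weak indicators outranks one matching a single strong indicator; in a real SOC the weights, the allowlists and the per-source reporting-gap limit would come from the environment's own baselines rather than the constants used here.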


Key Takeaways

  • The "faceless hacker" archetype often employs living-off-the-land techniques, leveraging stolen credentials (T1078) and legitimate protocols to steal data without deploying malware, making detection uniquely challenging.
  • The attack lifecycle for therapy note exfiltration is typically fast and efficient, potentially moving from initial access to data theft in under two hours. Defences must be geared towards rapid detection of behavioural anomalies, not just known threats.
  • Primary Indicators of Compromise (IoCs) are behavioural: anomalous large data transfers, silent logging, and credential misuse. Monitoring metadata and network flow patterns is as critical as inspecting content.
  • The theft of psychotherapy notes represents a catastrophic multi-layered breach, triggering severe financial, regulatory (GDPR/HIPAA), and reputational consequences, with profound personal harm to affected individuals.
  • This incident maps directly to core controls in all major security frameworks (NIST, ISO27001, GDPR), highlighting failures in access control, data transfer monitoring, and incident response readiness.

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.