SEC Rulemaking Necessitates Updating Incident Response Plans

As part of a recently announced strategic relationship, HKA and PacketWatch released a co-authored article on the impact of proposed Securities and Exchange Commission’s (SEC) cybersecurity rulings. The rulings have entered the final stages of their Comment Period and will soon be released in their final form.

Written by HKA’s Michael Corcione, Partner, and Chuck Matthews, CEO, PacketWatch, the article highlights:

  • The Proposed Rules
  • The Impact on Incident Response Programs

The proposed SEC rulemaking will significantly influence cybersecurity risk management, governance, board oversight, and compliance programs. This action also signals a change in regulatory tenor and elevates cybersecurity to a new level of accountability and transparency.

The article is available on the HKA Website under News and Insights.

“We estimate that registrants will be dealing with hundreds of hours in modifying processes and hundreds of hours more for each incident.”

Michael and Chuck provide their expert insight into actions your organization should take following the SEC’s recent proposed rule on cybersecurity incident disclosures.

About HKA
HKA is the world’s leading consultancy of choice for multi-disciplinary expert and specialist services in risk mitigation, dispute resolution and litigation support.

HKA’s Cybersecurity and Privacy Risk Management practice is one of five risk mitigation related services lines, focusing on governance, risk and compliance, third-party and vendor risk management, incident response, training and cryptoasset operations advisory.

HKA has in excess of 1,000 consultants, experts and advisors in more than 40 offices across 18 countries. For more information about HKA, visit www.hka.com and connect with us on LinkedIn, Twitter (@HKAGlobal) and Facebook.

Under Pressure. How will your cybersecurity team do?

(Queue the song “Under Pressure” by the British rock band Queen and singer David Bowie [i])

“Under pressure, you don’t rise to the occasion, you sink to the level of your training”

~ Anonymous Navy SEAL

Under Pressure

Nothing could be truer than the quote above, often attributed to an anonymous Navy SEAL. When things get real, your training kicks in. Training is not just filling your head with stuff, but actually performing it. Try. Fail. Learn. Get it right. Perfect it. And doing it again and again. The better the training, the better the students learn. This truism is the bedrock of high-performing, effective teams everywhere.

Small Teams

Somehow the business world hasn’t taken this to heart yet. As cybersecurity threats have escalated, the business world’s search for an effective solution has evolved. After a period of denial, the great hope was that some AI-powered “black box” would solve all cybersecurity concerns without having to do anything. That didn’t work. Next, let’s outsource to a cyber insurance firm. The only problem is that it’s pricey, and you don’t control the process. The insurance company does, and they aren’t always on the same team as you. So, we’re left with one solution—an in-house or hybrid human-based solution, probably a small group of folks charged with the impossible. Stop any and every attack, 24x7x365 from any source—script kiddie or advanced persistent threat (APT). It’s got to be 100%, every time. There might be some pressure building there.  

The Challenge

Here’s where the challenge comes in. You see, the people on your incident response team, as defined in your IR policy and procedures (if you have one), most likely have never been hands-on with a complex incident (If they had, you probably couldn’t afford to keep them). They may have studied cases, taken classes, read tons of materials, and have an alphabet soup of certifications. But they probably have never executed your Incident Response Plan. They’ve never seen what the adversary’s tactics, techniques, and procedures (TTPs) look like in your technology stack. Do you have sufficient visibility? Is your logging up to snuff? So, how will your team perform in a high-pressure situation? How about with no sleep for 48 hours? Where are the gaps? You need to know. Your company is on the line.

Train Like the Champs

How do you overcome this? You train. And then train some more. This type of training is called Adversary Emulation or Purple Teaming. Whatever the name, the concept is to step through a targeted attack using real TTPs but without all the dangers of a real attack. Team members are divided into two groups: a Red (Offensive) Team and a Blue (Defender) Team. PacketWatch team members are on both teams and provide the technical resources to emulate the attack. At each step, Red Team and Blue Team members get together to:

  1. Review the actions that occurred
  2. Analyze the result of those actions
  3. Determine the effectiveness of the current controls
  4. Identify the gaps
  5. Recommend changes
  6. Discuss other lessons learned

Custom Active Security Engagement

The PacketWatch team can fashion engagements tailored to your firm’s specific needs. Whether you need to test tools and visibility, your incident response capabilities, the effectiveness of specific controls around groups of assets, your defenses against a particular targeted threat, or a combination thereof, PacketWatch’s Active Security Team will build an effective engagement for you.

With an Active Security Engagement, you can:

  • Validate your security controls and incident response processes against the tactics of real threat actors representing the most significant risk to your industry vertical.
  • See and experience how real attacker tactics and exploits appear in your security tools. Identify gaps and assess the capabilities and maturity of your team in realistic scenarios.
  • Improve your organization’s readiness for detecting and responding to the next attack. This hands-on exercise is a better experience than just reading a white paper.

Why PacketWatch?

The better the instructor, the better the team learns. PacketWatch is a team of elite experts from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. We respond to hundreds of complex breaches each year. Knowing and countering adversary tradecraft bolsters our effectiveness in quickly identifying and eliminating threats. We bring that real-world experience to bear for you and your team. That makes us the best for delivering this type of engagement for you. Planning, rehearsing, and testing with a high-performing team is key to ensuring your team’s success.

Ultimately, it’s all about the quality of your team’s training. That determines the outcome. Enable their success with a PacketWatch Active Security engagement.

Give us a call or Contact Us to give your team hands-on experience defending complex attack scenarios.

[i] “Under Pressure” by the British rock band Queen and singer David Bowie was originally released as a single in October 1981.

HKA and PacketWatch expand collaboration to provide immediate cybersecurity incident response services

NEW YORK, June 21, 2022 /PRNewswire/ — HKA and PacketWatch announce plans to expand their strategic collaboration to provide quick reaction incident response and crisis management capabilities to global businesses impacted by a security incident including data breaches, email compromises, business disruption, or other cyber-related attacks.

Michael Corcione, Partner, Global Cybersecurity & Privacy Risk Management Lead at HKA, commented, “I am excited to expand our relationship with PacketWatch and offer an expert team of incident response and investigations professionals to our clients. Supporting organizations throughout an incident, from detection, investigation, and post-incident response analysis is a critical service.”

For over a year, both firms have been working together on incident investigations. PacketWatch and HKA have successfully collaborated on many complex cyber-related incidents working closely with clients and their legal counsel, across a multitude of industries such as manufacturing, financial services, government organizations, irrigation, information technology and many more. This advanced collaboration will further allow HKA and PacketWatch to offer complementary and enhanced services to HKA’s global client base, spanning many industries.

Christopher Krueger, Vice President, PacketWatch, said, “Cyber-attacks are becoming increasingly sophisticated. Our partnership with HKA brings clients the expertise, scale, and professionalism necessary to rapidly address these threats on a global basis. Our combined expertise bolsters the capabilities brought to bear on incidents and helps reduce future risks.”

About PacketWatch
PacketWatch is a boutique provider of cybersecurity services with in-depth expertise in complex incident response, digital forensics, managed detection & response (MDR), and active cybersecurity services for mid-sized and enterprise organizations. Our responsive expertise allows us to quickly engage with our clients – rapidly identifying, containing, and eradicating threats in their environment.

For more information about PacketWatch, visit packetwatch.com and connect with them on LinkedIn and Twitter (@packetwatch).

Robbinhood Ransomware Gang Still Operational

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper file, which copies the rest of the above-mentioned files to the hard drive. Blackhole.exe then executes steel.exe. This file can disable processes such as antivirus or antimalware. To gain the access necessary to complete this task, it deploys another executable, robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.

Figure 1: Malicious executables in Windows directory

Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.

Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe. The threat actor added this to a service titled WinNTRPC64.

Figure 5: NewBoss4 executable in Windows update directory

Figure 6: Ransomware executable installed as a service

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).

Figure 7: Ransom note

Cleanup

Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Figure 8: BlackHoleCleaner executable process
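The chain described above (vulnerable gdrv.sys and malicious rbnl.sys loaded as services, winlogon.exe running from C:\Windows\Temp under the WinNTRPC64 service, AnyDesk, and cleared event logs) leaves a recognisable trail in Windows service-install (Event ID 7045) and log-cleared (Event ID 1102) records. The following is an added example, not PacketWatch's own tooling, of scoring such records against the indicators named in this post; the event records are constructed for the example.

```python
import ntpath

# Indicators named in the write-up above (file names, service name, tool).
ROBBINHOOD_FILES = {
    "blackhole.exe", "steel.exe", "runtime_service.exe", "robnr.exe",
    "blackholecleaner.exe", "newboss4.exe", "gdrv.sys", "rbnl.sys",
}
ROBBINHOOD_SERVICES = {"winntrpc64"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
EVENT_SERVICE_INSTALLED = 7045  # Windows System log: new service installed
EVENT_LOG_CLEARED = 1102        # Windows Security log: audit log cleared
SYSTEM32 = "c:\\windows\\system32\\"
WINDOWS_TEMP = "c:\\windows\\temp\\"

# Constructed event records (not real log data), one dict per event.
SAMPLE_EVENTS = [
    {"id": 7045, "service": "gdrv", "image": "C:\\Windows\\Temp\\gdrv.sys"},
    {"id": 7045, "service": "rbnl", "image": "C:\\Windows\\Temp\\rbnl.sys"},
    {"id": 7045, "service": "WinNTRPC64", "image": "C:\\Windows\\Temp\\winlogon.exe"},
    {"id": 7045, "service": "AnyDesk", "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe"},
    {"id": 7045, "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 1102, "service": "", "image": ""},
]

def classify_event(ev):
    """Return (tag, severity) findings for one event record."""
    if ev["id"] == EVENT_LOG_CLEARED:
        return [("security_log_cleared", "high")]
    if ev["id"] != EVENT_SERVICE_INSTALLED:
        return []
    findings = []
    image = ev["image"].lower()
    name = ntpath.basename(image)
    if name in ROBBINHOOD_FILES:
        findings.append(("robbinhood_tooling:" + name, "critical"))
    if ev["service"].lower() in ROBBINHOOD_SERVICES:
        findings.append(("robbinhood_service:" + ev["service"], "critical"))
    # The genuine winlogon.exe lives in System32; a copy elsewhere is masquerading.
    if name == "winlogon.exe" and not image.startswith(SYSTEM32):
        findings.append(("masquerading_winlogon", "critical"))
    if image.startswith(WINDOWS_TEMP):
        findings.append(("service_image_in_temp", "high"))
    if name in REMOTE_ACCESS_TOOLS:
        findings.append(("remote_access_tool:" + name, "medium"))
    return findings

def assess(events):
    """Aggregate per-event findings for one host into a short verdict."""
    report = {"critical": 0, "high": 0, "medium": 0, "tags": []}
    for ev in events:
        for tag, sev in classify_event(ev):
            report[sev] += 1
            report["tags"].append(tag)
    # Two critical hits plus a cleared log matches the chain described above.
    report["robbinhood_likely"] = report["critical"] >= 2 and "security_log_cleared" in report["tags"]
    return report
```

Running `assess(SAMPLE_EVENTS)` on the constructed records flags the two drivers, the WinNTRPC64 service with its misplaced winlogon.exe, AnyDesk and the cleared log, while the legitimate Spooler service produces no finding.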

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.

PacketWatch Announces Jeff Beall as Vice President of Business Development

The company looks to expand cybersecurity relationships with more Law Firms, Private Equity Groups, and IT/Security Channel Partners

SCOTTSDALE, Ariz., June 9, 2022 — PacketWatch announced today that tech industry veteran, Jeff Beall, has joined their team as Vice President of Business Development. In this newly created position, Beall is responsible for driving strategic partnerships to support the company’s growth and business strategy. Beall will report to Chief Executive Officer Chuck Matthews.

“PacketWatch has a tremendous opportunity to accelerate our growth through key strategic partnerships, and we’re excited to have Jeff join our leadership team,” said Chuck Matthews, CEO of PacketWatch. “Jeff has extensive experience and invaluable relationships within the technology industry.”

PacketWatch cyber incident response services are endorsed by prominent law firms, private equity groups, and IT/security partners throughout the United States. The PacketWatch technology, expertise, and experience help identify and remediate advanced persistent threats and tighten the clients’ overall security posture. Partners appreciate PacketWatch’s unique ability to collaborate with their end-client and ensure that they understand their cybersecurity risks, adversaries, and regulatory requirements.

The PacketWatch cybersecurity services include:

  • Incident Response
    (Triage, Data Collection, Digital Investigation & Forensics, Containment, Remediation, Recovery, and Hardening)
  • Managed Detection and Response (MDR)
    (Monitoring, Analysis, Threat Hunting, Remediation, and Reporting)
  • Active Security
    (Controls Testing, Application Testing, Penetration Testing, Threat Scans, Vulnerability Management, Adversary Emulation, and Table Top Exercises)
  • Security Advisory Services
    (Assessments, Plan Development, Policy Development, and Governance)

“I am excited and honored to join the PacketWatch team and build on the company’s solid roster of existing strategic partnerships,” said Jeff Beall, Vice President of Business Development at PacketWatch. “I look forward to extending the reach of the company’s services and the PacketWatch platform to key segments in North America and Europe. The PacketWatch model is fundamentally built on trusted relationships with its clients and channel partners. I look forward to sharing our collaborative, Active Defense approach and key differentiators within these industry segments.”