There’s Your Sign.

Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum sometimes swings too far in one direction. Over the past decade, we’ve watched the security pendulum swing from one tool to the next: Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level, but only if it is properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example from the Independent Post Incident Review of the 2021 Conti ransomware attack on the Irish Health Service Executive (the “HSE”). [Hats off to the HSE for releasing it to the public.] The breach disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. It turns out patient zero was infected by a simple phishing email carrying a malicious Microsoft Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. Cobalt Strike is a commercial adversary-emulation framework whose beacons ransomware crews use for command and control, and Mimikatz dumps credentials from Windows memory. The execution of two such well-known attack tools should have been blocked by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

The HSE didn’t have one. Worse, the report goes on to say that the antivirus tool had been deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not to block. Plus, no one was watching its alerts. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.
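As an added illustration (this is not code from the PacketWatch post or from the HSE review), here is the kind of check a SOC should be running against its own endpoint-protection console: pull the alert stream, keep only detections of well-known attack tooling, and flag any that were merely logged rather than blocked, or that nobody acknowledged within an SLA. The JSON-lines alert format, the field names, the hostnames and the timestamps are all constructed for this example; map your own product’s fields onto them.

```python
"""
Added example, not code from the PacketWatch post or the HSE review:
a small triage check that reads antivirus/EDR alert records and flags
detections of well-known attack tooling that were logged but never
blocked, or that nobody acknowledged in time. This is the gap the post
describes: detection in "monitor mode" with no one watching.

The alert format (one JSON object per line with ts, host, threat, action
and optional ack_ts fields) and the hostnames are constructed for this
example; map your own product's fields onto them.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Tool families that should be treated as "stop everything" detections.
HIGH_PRIORITY_THREATS = ("cobalt strike", "mimikatz", "metasploit", "bloodhound")

# Actions that mean the endpoint protection actually stopped execution.
# Anything else ("detected", "logged", "allowed") is monitor-only.
PREVENTIVE_ACTIONS = {"blocked", "quarantined", "killed"}


@dataclass
class Finding:
    host: str
    threat: str
    action: str
    detected: datetime
    acknowledged_after: Optional[timedelta]  # None means nobody ever looked


def parse_alert(line: str) -> dict:
    """Parse one constructed JSON alert line into a dict with datetime fields."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["ack_ts"] = datetime.fromisoformat(rec["ack_ts"]) if rec.get("ack_ts") else None
    return rec


def unblocked_or_ignored(lines, sla: timedelta = timedelta(hours=1)) -> List[Finding]:
    """Return high-priority detections that were not prevented, or that sat
    unacknowledged for longer than `sla` (including forever)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        threat = rec["threat"].lower()
        if not any(name in threat for name in HIGH_PRIORITY_THREATS):
            continue  # not the tooling this check cares about
        action = rec["action"].lower()
        waited = (rec["ack_ts"] - rec["ts"]) if rec["ack_ts"] else None
        ignored = waited is None or waited > sla
        if action not in PREVENTIVE_ACTIONS or ignored:
            findings.append(Finding(rec["host"], rec["threat"], action, rec["ts"], waited))
    return findings


# Constructed sample alerts (hosts, times and names are made up for this example).
SAMPLE_ALERTS = [
    '{"ts": "2021-03-31T09:15:00", "host": "ws-01", "threat": "Cobalt Strike beacon", "action": "detected"}',
    '{"ts": "2021-03-31T09:16:30", "host": "ws-01", "threat": "Mimikatz", "action": "detected"}',
    '{"ts": "2021-03-31T10:02:00", "host": "ws-07", "threat": "Mimikatz", "action": "quarantined", "ack_ts": "2021-03-31T10:12:00"}',
    '{"ts": "2021-03-31T11:40:00", "host": "srv-02", "threat": "Generic.Adware", "action": "detected"}',
    '{"ts": "2021-03-31T13:05:00", "host": "ws-03", "threat": "Cobalt Strike beacon", "action": "blocked", "ack_ts": "2021-03-31T18:05:00"}',
]


def report(lines=SAMPLE_ALERTS) -> List[Finding]:
    """Run the check over the sample alerts (or any iterable of alert lines)."""
    return unblocked_or_ignored(lines)


if __name__ == "__main__":
    for f in report():
        status = "NOT BLOCKED" if f.action not in PREVENTIVE_ACTIONS else "blocked"
        ack = "never acknowledged" if f.acknowledged_after is None else f"acknowledged after {f.acknowledged_after}"
        print(f"{f.detected:%Y-%m-%d %H:%M} {f.host:6} {f.threat:20} {status}, {ack}")
```

Run against the sample, the two monitor-only detections on ws-01 (never acknowledged) and the blocked-but-ignored-for-five-hours beacon on ws-03 are reported; the quarantined and promptly handled Mimikatz hit on ws-07 is not. The point is the second condition as much as the first: a console full of unreviewed alerts is the same failure as monitor mode, just one step later.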

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back toward experienced human beings. We need to focus on developing more experienced people! Tools can never replace them. If you need experienced human threat hunters to help ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.


PacketWatch Article Published on

So Where Did the Leak Come From?

PacketWatch CEO Chuck Matthews collaborated with Jeffrey Dennis, a privacy and data security expert from the law firm Buchalter, to write an article that explains why it is more important than ever to address data security in detail from the start of new vendor relationships.

The article describes a recent client case in which sensitive information turned up on a dark web site, yet no breach of the client’s own systems was found. A vendor was the likely target of a cyberattack, but it refused to cooperate.

The article shares several components that should be included in a vendor agreement data security addendum. These representations, warranties, and covenants could have prevented many of the headaches the client experienced.

If you would like to learn how to protect your organization from a similar fate, read “So Where Did the Leak Come From? Settle Key Data Protection Issues With Vendors Before a Crisis” (requires registration for a free account).

If you need assistance with any of the recommendations in the article, please contact us.

“Common sense provisions should be ironed out when starting a relationship with a vendor, not in the midst of crisis.”


Lawyers for Civil Justice | 2022 Fall Meeting

Who’s Discovering Your Discovery?

Our Chief Technology and Security Officer, Michael McAndrews, is a principal speaker this week at the prestigious Lawyers for Civil Justice 2022 Fall Meeting in New York City. Other scheduled speakers include federal judges Robert Dow, Jr., and Robin Rosenberg, and former U.S. House Ethics Committee Chairman Charlie Dent. The meeting runs from November 30th to December 2nd. Twice a year LCJ assembles nationally recognized policymakers and practitioners, including members of Congress, distinguished judges, and other opinion leaders, to discuss the latest developments in civil justice reform.

Michael’s session is “Who’s Discovering Your Discovery?” He’ll provide a tour of the Dark Web and show the audience what they need to know about how it exposes confidential information exchanged in civil litigation. There are a few other sessions throughout the day discussing the importance of cybersecurity and privacy during the civil discovery process.

The organization’s membership includes over 60 law firms and 25 corporate members. Corporate attendees this year include Google, Microsoft, AstraZeneca, CVS Health, Johnson & Johnson, Walgreen Co., Bayer, Campbell Soup Company, Chubb, Comcast, ExxonMobil, Toyota, Walmart, and many others.

“Law firms and healthcare providers are enticing targets at the moment because they hold so much confidential information.”

– Michael McAndrews

The audience was introduced to the way the Dark Web works—it can be eye-opening and a little scary for most law-abiding citizens. Michael walked them through:

  • How Tor and the Tor Browser work
  • How people remain anonymous on the Internet
  • How ransomware groups extort victims
  • How confidential information gets posted on the Dark Web
  • How contraband is sold through Dark Net Markets

The primary takeaway was seeing how quickly and easily criminals can capitalize on stolen information. Securing data is hard work. Enterprises invest heavily in people, processes, and technology to keep their trade secrets, proprietary information, and employment records safe and out of the hands of criminals. But once a court orders that data produced in Discovery, its security is in the hands of multiple smaller organizations (i.e., law firms). Criminals know their job just got easier—the defenses likely won’t be enterprise-grade, and there are more people to target (phish).

If you are in New York City for the conference, be sure to stop by the session on Thursday or reach out to Michael on LinkedIn if you want to connect in person.