Maybe, with a Little Practice.

Let Me Explain Why

Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident?” It’s hard not to chuckle when you hear that question. It most likely means things are not going to go well for that client unless they make some changes. Let me explain why.

A Football Analogy

It’s football season, so we’ll pick an analogy from there. Imagine the offensive coach has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The general manager and the head coach certainly didn’t know that was going to happen. Nonetheless, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance, it does, it’s only because of the sheer athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The general manager and the head coach will not be happy and will be looking to blame you for the disaster. They’ll let you face the press at the post-game conference. If you’d only had time to practice it and put the play through its paces with the team, it could have been stellar. But it’s too late now.

Incident Response Plan

So it is with incident response (IR). Typically, a document (the IR policy/plan) is created by someone in the compliance department because you needed to have one for your cyber insurance application. Customers and partners have also been asking whether you have one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced, and they probably can’t save you from disaster. If an incident were to happen today, the result would be like the infamous play above: likely complete chaos and an expensive failure. Perhaps even a “resume-generating event” for you.

Practice, Practice, Practice

“A winning effort begins with preparation”

– Coach Joe Gibbs

The solution is what the coach above should have done in the first place. He should have walked the team through the play and each player’s role. He should have made sure communications were clear and that everyone knew who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they had the right players on the field and what to expect: what could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Then train some more, and do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps dramatically.

The Tabletop Exercise

An Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend splitting it into a technical track and an executive track: different topics, different personalities. The technical track focuses on the security team and their response processes and capabilities. The executive track focuses on the legal, communication, and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all, good and bad. With a few days’ emphasis on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Don’t Just Go With The Flow…

Full Packet Capture (FPC)

One of the key features of the PacketWatch technology is continuous Full Packet Capture (FPC). FPC constantly records the individual network packets into files called PCAPs (packet captures). Collecting PCAPs over time allows retrospective and time-series analysis. Many security vendors have chosen to provide only “flow”-based network information (e.g., NetFlow, IPFIX, sFlow).

Flow-based Data

Flow-based data is a summary or, in some cases, just a sampling of what happened on the network. A flow record typically carries the 5-tuple (source and destination addresses, ports, and protocol), packet and byte counts, start and end timestamps, and, for TCP, the flags seen; sampled variants such as sFlow inspect only one packet in N. Details are removed to reduce overhead and simplify processing. For instance, flow data does not let you examine the actual packet payload for specific content. That would be akin to noting a truck going down the street from point A to point B but not being able to see what it is carrying inside. After all, NetFlow was created by Cisco for network accounting and performance monitoring, not security. Flow data can be beneficial in presenting summary information about conversations and provides quick, high-level context, but it lacks the detail needed to conclusively determine what is happening. As such, Gartner sees most organizations implementing a dual approach, with flow data used perhaps 80% of the time and packet-level data from key network locations for the critical remaining 20%. Having both flow and PCAP data is key to a threat hunter’s success and why PacketWatch is such a favorite of experienced hunters.
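To make the truck analogy concrete, here is an added example (our own illustration for this page, not PacketWatch code): a minimal parser for the classic PCAP file format that decodes Ethernet/IPv4/TCP/UDP frames, collapses them into NetFlow-style flow records (5-tuple, packet and byte counts, first/last timestamps), and then runs a content match for an SSN-like string. The capture is constructed in memory, with hosts in 10.0.0.0/8 and the TEST-NET range 203.0.113.0/24; the SSN pattern and the record field names are assumptions made for the illustration. The flow records can say that 10.0.5.23 talked to 203.0.113.10 on port 443 and how much data moved; only the packet view can say what was in it.

```python
"""Parse a classic PCAP file, aggregate its packets into flow records, and
compare what each view can answer. Constructed sample traffic, not a real capture."""
import re
import socket
import struct

PCAP_MAGIC_US = 0xA1B2C3D4      # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
# Assumed content of interest for the illustration: an SSN-like string in the payload.
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def _frame(src, dst, proto, sport, dport, payload):
    """Ethernet + IPv4 + TCP(6)/UDP(17) bytes. Checksums are left zero; the parser ignores them."""
    if proto == 6:   # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: two TCP segments of an outbound POST, one of which carries
    an SSN-like value, followed by one ordinary DNS query to an internal resolver."""
    records = [
        (1700000000, 10, _frame("10.0.5.23", "203.0.113.10", 6, 51234, 443,
                                b"POST /upload HTTP/1.1\r\nHost: drop.example\r\n\r\nssn=123-45-6789")),
        (1700000000, 20, _frame("10.0.5.23", "203.0.113.10", 6, 51234, 443, b"&name=jdoe&dept=hr")),
        (1700000001, 5, _frame("10.0.5.23", "10.0.0.2", 17, 53001, 53,
                               b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:   # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Return the IPv4/TCP-or-UDP fields of one Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]
    if proto == 6:
        hdr_len = (l4[12] >> 4) * 4
    elif proto == 17:
        hdr_len = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "proto": proto,
            "bytes": total_len, "payload": l4[hdr_len:]}


def parse_pcap(data):
    """Walk the record headers, honouring the byte order the magic number declares."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_US:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("unsupported pcap magic %#x" % magic)
    if struct.unpack(end + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = sec + usec / 1e6
            packets.append(pkt)
    return packets


def to_flows(packets):
    """Collapse packets into NetFlow-style records keyed by 5-tuple. The payload is gone."""
    flows = {}
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"], "last": p["ts"]})
        f["packets"] += 1
        f["bytes"] += p["bytes"]
        f["last"] = max(f["last"], p["ts"])
    return flows


def payload_hits(packets, pattern=SSN_PATTERN):
    """Content match: only answerable from full packets, never from the flow summary."""
    return [p for p in packets if pattern.search(p["payload"])]


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for key, f in to_flows(pkts).items():
        print("flow", key, f)            # who talked to whom, when, how much
    for p in payload_hits(pkts):
        print("payload hit", p["src"], "->", p["dst"], p["payload"][-20:])
```

Real captures are messier (VLAN tags, IPv6, fragmentation, payloads split across TCP segments, pcapng rather than classic pcap), and a production parser would hand off to a library, but the asymmetry is the same: a flow exporter drops the payload before the record is ever written, so no later query against flow data can recover it.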

Here’s Why

With the massive increase in zero-day attacks, lingering advanced persistent threats, mutable malware, and ransomware, organizations are realizing that investigating threats with NetFlow-based tools alone leaves them unable to draw definitive conclusions about what happened. Last year, 80 zero-days were reportedly exploited in the wild before patches existed, more than double the volume of 2019, the prior record. The average time to patch a vulnerability (MTTP) is between 60 and 150 days, so an exploit may have landed months before the patch, or even before the disclosure. Having full PCAPs alongside the high-level flow data for that period lets a threat hunter look back in time and conclusively identify whether the zero-day was successfully exploited, which flow data alone cannot establish.

Combine the Data

Further, to understand a network or application performance problem, flow data, while useful, often isn’t sufficient. Again, combining flow data with recorded PCAPs provides a definitive record for network operations personnel. The combination of flow and FPC/PCAPs gives both your NetOps and SecOps teams the ability to monitor the network for problems, plus the detailed packet information needed to reconstruct precisely what happened. Ask us how you can easily add flow data, FPC, and PCAPs to your security toolset today with PacketWatch. Even better, ask us how we can provide a fully managed MDR solution, including PacketWatch.

Remember, 80% isn’t good enough when it comes to your security! Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Why am I Paying for Cyber Insurance?

History

Since its origins in the mid-2000s, cyber insurance has become a staple for transferring financial risks arising from information technology assets and operations. The risk of loss from malware, unauthorized access, email compromise, ransomware, and other threats is difficult to quantify. For most of that period, cyber insurance was a relatively cheap and abundant way to insure against loss from these risks. That’s no longer the case. Huge hikes in premiums, reduced capacity, increased retentions, and constantly changing underwriting requirements are the norm today. What you have today, you may not get next year.

The Industry

“For the past two years, the cyber insurance market has been characterized by a high volume of claims, severe losses, climbing rates, reduced insurer appetite, and an increased focus on accumulation risks.”

Marsh McLennan, 2022

New Exclusions

Lloyd’s Exclusions

“We are therefore requiring that all standalone cyber-attack policies… must include… a suitable clause excluding liability for losses arising from any state-backed cyber-attack…”

Lloyd’s, 2022

Adding to the concern, Lloyd’s new exclusions for state-backed cyber-attacks in standalone cyber policies are making buyers think twice. AXA France dropped coverage for ransom payments in 2021. Beazley now has multiple addenda to its cyber applications covering details down to specific vulnerabilities (e.g., Log4j). So, if the policy is expensive, hard to get, and doesn’t cover significant risks like ransomware and state-backed actors, why buy it at all?

Why buy it at all?

That’s a good question, and one echoing around risk managers’ offices throughout the world. By its very nature, cyber insurance can only lessen the impact of a major event; it does nothing to stop one. Yet thousands of CEOs think they are protected simply because they have cyber insurance. Nothing could be further from the truth. Buying a cyber insurance policy for its pre-breach services is no longer necessary; in fact, it’s pointless. The offerings are typically limited and not very helpful, and you can find a dozen vendors offering every imaginable service directly, without the encumbrance of the insurer.

To make matters even more confusing, you may need to retain your own separate legal counsel in addition to the one provided by the cyber insurer, just to make sure you are treated properly. The “tripartite relationship” among an insured, the legal counsel appointed under the policy, and the insurer can lead to conflicts and ethical dilemmas that necessitate additional counsel for you, the insured. Consider that the legal counsel appointed by the insurer may have more loyalty to the insurer than to you; they may have hundreds of the insurer’s cases at stake. Be mindful of potential conflicts and carefully review any coverage letters or reservation of rights letters.

Remember that insurers have cut deals with their “panel” legal counsel providers. That means they have negotiated reduced rates. Law firms may respond by using their least expensive resources. Make sure the legal counsel provided by the insurer is not a junior associate. Your entire organization is at stake!

Be aware that you may also need to hire a separate incident response firm to make sure the one provided by the insurance company properly eradicated the threat from your computing environment. One method insurers have used to cut response costs is to hire cheaper, less experienced responders. It may be cheaper by the hour, but the quality and timeliness of the service suffers significantly. (The jury is still out on whether these low-cost providers actually save the insurer any money.)  PacketWatch has had to ride shotgun and clean up problems from insurer-provided response firms on multiple occasions. Pro tip: Avoid hiring response firms that derive most of their revenue from participating in insurance panels. Guess where their loyalties lie.

The Shift to Proactive and Preventative

Given all of the problems noted above, astute organizations are shifting more spend to proactive and preventative services. By engaging a managed detection and response (MDR) provider to proactively hunt for threats and engaging in common sense security hygiene practices (MFA, patching, email filtering, etc.) the risk of a significant incident is greatly diminished. Some organizations are forgoing traditional cyber insurance and self-insuring at least some of the risk. They are setting up their own retainers with specialized legal counsel and incident response firms like PacketWatch. They are rehearsing incident response plans, testing protective tools, and pre-deploying response tools — ready to roll in the event of any type of incident. Compare that to waiting for your insurer to appoint someone you may not want to use anyway.

Refine Your Strategy

With tumultuous conditions in the cyber insurance markets and the problems noted above, now is the perfect time to revisit how you use cyber insurance. Ask yourself, why am I paying for this and what do I get out of it anyway? You may just find that the strategy you’ve used over the past several years is no longer workable and needs to be refined. You may find that shifting more spend to proactive and preventative services is a better strategy for your organization. If you’d like to discuss the specifics of how a more proactive and preventative strategy can benefit your organization, call us today. We don’t sell insurance and we are not attorneys, but we have cleaned up dozens of messes created by them. Our mission is to help you avoid similar problems.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Well, that was Awkward.

Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.

The Issue

The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (TeamViewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved, somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of people from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s 3rd party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”
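The evidence in the story was three network behaviours that even flow-level data is well suited to surface: a session to an external host on a remote-support port, one internal host touching many neighbours in a short window, and a large outbound byte count to an external address. The following is an added example of those heuristics in Python, written for this page and not taken from PacketWatch’s platform. The flow records are constructed (kiosk at 10.20.30.40, external hosts in the TEST-NET ranges), the thresholds are arbitrary starting points, and the mapping of port 5938 to TeamViewer is an assumption to verify against the vendor’s documentation (the tool can also fall back to 443 and 80, which a port rule alone will miss).

```python
"""Flow-level heuristics for the three behaviours in the kiosk story: a remote-support
session to the outside, internal reconnaissance, and a bulk outbound transfer.
All flow records below are constructed for the illustration."""
import ipaddress
from collections import defaultdict

# Assumption: TeamViewer's default direct-connection port is 5938; check the vendor's
# current documentation, and remember it can fall back to 443/80, which this rule misses.
REMOTE_ACCESS_PORTS = {5938: "TeamViewer"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(addr):
    """Explicit RFC 1918 test; ipaddress.is_private would also count documentation ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def sample_flows():
    """Constructed unidirectional flow records: bytes are counted from src to dst."""
    kiosk, t = "10.20.30.40", 1_700_000_000
    flows = [{"ts": t, "src": kiosk, "dst": "203.0.113.77", "dport": 5938, "proto": 6, "bytes": 48_000}]
    for i in range(30):   # 30 neighbours probed on 445 within a minute, tiny flows each
        flows.append({"ts": t + 600 + 2 * i, "src": kiosk, "dst": "10.20.30.%d" % (50 + i),
                      "dport": 445, "proto": 6, "bytes": 120})
    flows.append({"ts": t + 900, "src": kiosk, "dst": "198.51.100.9", "dport": 443, "proto": 6,
                  "bytes": 120_000_000})
    flows += [  # an ordinary workstation for contrast
        {"ts": t + 10, "src": "10.20.30.12", "dst": "10.20.30.2", "dport": 53, "proto": 17, "bytes": 300},
        {"ts": t + 20, "src": "10.20.30.12", "dst": "203.0.113.5", "dport": 443, "proto": 6, "bytes": 2_000_000},
    ]
    return flows


def detect_remote_access(flows):
    """Internal sources talking to an external host on a known remote-support port."""
    return sorted({(f["src"], f["dst"], REMOTE_ACCESS_PORTS[f["dport"]])
                   for f in flows
                   if f["dport"] in REMOTE_ACCESS_PORTS
                   and _is_internal(f["src"]) and not _is_internal(f["dst"])})


def detect_scans(flows, min_targets=20, window=300):
    """A source reaching at least min_targets distinct internal hosts on one port
    within `window` seconds. Returns {src: largest target count seen}."""
    by_src = defaultdict(list)
    for f in flows:
        if _is_internal(f["dst"]):
            by_src[f["src"]].append((f["ts"], f["dst"], f["dport"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, port) in enumerate(events):
            targets = {d for t, d, p in events[i:] if p == port and t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def detect_exfil(flows, threshold=50_000_000):
    """Bytes sent by each internal source to external destinations, where over the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if _is_internal(f["src"]) and not _is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return {src: b for src, b in totals.items() if b >= threshold}


if __name__ == "__main__":
    fl = sample_flows()
    print("remote access:", detect_remote_access(fl))
    print("scanning:", detect_scans(fl))
    print("bulk outbound:", detect_exfil(fl))
```

Each record is treated as unidirectional (bytes counted from src to dst), as most exporters report them; with bidirectional records you would have to pick the direction first. Note also what these heuristics cannot do: they show that the kiosk sent roughly 120 MB out, not that employee enrollment data was in it. Confirming that still needed the packets.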

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility into the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion, and it’s a relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

Yes, But Does It Actually Work?

Comparing and Choosing Cybersecurity Tools

RSA Conference Survey

A survey conducted at this year’s RSA conference summed up a looming problem in the cybersecurity realm. Forbes reported that:

  • 53% of the responding businesses feel they have wasted more than 50% of their cybersecurity budget and still cannot remediate threats
  • 43% of survey respondents say their number one challenge in threat detection and remediation is an overabundance of tools
  • 10% of organizations lack effective tools for remediating cybersecurity threats

Conglomeration of Tools

As we enter a time of economic slowdown and rising threats, now is not the ideal time to reduce cybersecurity budgets. Rather, you need to ensure that every dollar you spend leads to real measurable results. The typical midsized company has 50 to 60 security tools, and enterprises can have up to 130, according to Anomali. The best way to evaluate your unique conglomeration of tools, people, and practices is to look at how effectively it stops attacks. Ideally, this testing would also serve as a training opportunity for your security team. That’s where PacketWatch’s Active Security team comes in.

An Example

I recently spoke with a CEO who completed a merger with a competitor. He assumed the other company had spent as much on their cybersecurity tools as he had. The challenge he faced was how to sort out the tools they would use going forward in the new organization. He just wants it to work.

Opinions abounded from team members about which tools to keep and which to retire. Tempers flared when each team member’s ‘sacred cow’ was placed on the chopping block. I suggested he consider a slightly different approach. I advocated that he set forth a simple goal to the team — keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels. Hard to object to that.

To make this happen, I suggested he bring in an outside “Red Team” (PacketWatch in this case) to work side-by-side with his internal defenders – creating a custom “Purple Team” exercise. With PacketWatch’s Red Team members emulating the Tactics, Techniques, and Procedures (TTPs) of identified threat actors, the participants could objectively say which tools could best detect, deter, or defeat the threat actor.

The ineffective tools could be retired and/or processes modified. Another benefit of Purple Teaming is the experience the internal team members would gain from seeing an attacker’s behavior and learning how to react quickly using the tools. That turned out to be a winner for the CEO, and it can be for you too.

Next Steps

Your cybersecurity budget will likely face scrutiny from your CFO this year. Why not arm yourself with a proven methodology for optimizing your security tools and retiring any ineffective ones? The result will be a more efficient use of your security budget and some real-world experience for your team in defending your network from adversaries. If you’d like to learn more about a PacketWatch Purple Team engagement, call us at 800-864-4667. Our team of Active Security experts will scope a custom exercise for your organization.

Higher Cyber Insurance Loss Rates Mean Big Changes for Businesses

On July 12th, The Arizona Tech Council convened a panel of experts for a forthright discussion about cyber insurance. The panel, moderated by PacketWatch’s CEO, Chuck Matthews, included industry experts Anthony Dagostino, CEO & Founder of Converge Insurance; Chris Branch, Chairman of ATS Underwriting; Wes Gates, CIO of the Arizona School Risk Retention Trust (the Trust), and Tracy Foss, Senior Program Director, Risk Program Administrators, a division of Arthur J. Gallagher. The specialist panel explored current market dynamics, discussed changes in underwriting practices, and shared experiences with the claims process. The goal of the discussion was to help member businesses understand how to effectively use cyber insurance in their arsenal of risk management tools and avoid common pitfalls.

Recent estimates show that the $4.8 billion cyber insurance market is growing at a rapid 25% compound annual growth rate (CAGR) and is expected to triple in the coming years. However, as a result of poor underwriting, direct loss ratios have ballooned to unsustainable numbers. Over the past two years, nearly 70¢ of every dollar in premium went to cover losses from claims involving ransomware, funds transfer loss, and business email compromise-related claims.

The resultant impact on businesses as insurers seek to stem losses is huge and wide-reaching. Smaller businesses are reportedly being priced out of the market entirely. For others, cyber insurance premiums are skyrocketing, with an average 97% increase in 2021. Some companies experienced increases of up to 300%. Businesses lacking key cyber controls were not even renewed. Panel members said they expect that trend to continue. In the first quarter of 2022, premiums for the top 25% of businesses increased an average of 83.3%. Companies experienced other impacts from the loss mitigation methods employed by insurers, including:

  • Reduced policy limits – policy amounts were cut by a third or half as industry capacity dropped
  • Increased deductibles or retentions – for one small business, going from $25k to $150k
  • Coverage limitations – including new coinsurance provisions for ransomware, new exclusions of certain types of losses, and new sublimits for others
  • Greater underwriting scrutiny – multiple applications and technical addenda focused on the existence of key vulnerabilities
  • Tougher claims management practices – strict use of panel providers and denial of claims based on application deficiencies

Key Takeaways

  • Read the policy! Make sure you understand what you are getting and the requirements you are obligated to follow.
  • Make sure you know the insurer’s panel providers, which you are required to use in the event of a claim.
  • Expect more changes to coverages, policy language, premiums, and underwriting practices.
  • Consider preventing losses with additional controls or self-insuring some first-party risks to reduce premiums.

Shared Experiences

The panel explored and shared experiences on several other topics impacting the use of cyber insurance including:

  1. The applicability of “Act of War” and “Terrorism” policy exclusions in light of nation-state and state-sponsored malware campaigns, given Russia’s recent “special military operation” in Ukraine
  2. Conflicts in legal representation and the insured’s loss of control when panel legal counsel and responders are involved
  3. The vicious cycle of ransom payments by insurers creating the need for more cyber insurance to cover ever larger ransoms to criminal organizations
  4. The impact of non-standardized policy language and definitions hindering coverage comparisons for those actively shopping policies
  5. The risk of paying ransoms to potentially (OFAC) sanctioned entities/affiliates given warnings from the US Treasury and others
  6. Small businesses are being priced out of the market or excluded because they lack some protective controls of larger organizations
  7. Recent litigation surrounding voiding policies due to inaccurate application materials submitted by the insured
  8. The practical impact of insurers underwriting at the time of claim rather than at the time of application and the resultant uncertainty created
  9. The difficulty in managing overlap between conflicting or duplicate provisions in other insurance policies (e.g., crime coverage in a package policy vs. stand-alone cyber policies)
  10. Obligations to use Insurance Panel Counsel and Responders with Reservation of Rights and very large deductibles
  11. Whether policies offering bundled pre-breach, response, and post-breach services were beneficial to the insured vs. managing the effort internally
  12. The necessity to quantify potential 1st- and 3rd-party liability before selecting a policy and limits
  13. The need for a government backstop for systemic risk and terrorist activity to promote additional capital necessary for market growth

Final Thoughts

The panel concluded that ultimately businesses must carefully read every word of the policy being offered, shop around among the many insurers, obtain expert help where needed, and judiciously consider what they are purchasing. Five years ago, cyber insurance was relatively inexpensive, and its promises seemed relatively clear and simple. The panel concluded that is no longer the case and that businesses can expect more change in the cyber insurance marketplace in the coming years.

If you are considering cyber insurance and would like to discuss the alternatives for your organization, give us a call.

Let’s Create a New Standard for Cyber Due Diligence

M&A Cybersecurity Concerns

Recently, I was in a meeting with a friend who’s a top Corporate Attorney here in town. He was lamenting a recent sizable Mergers and Acquisitions (M&A) deal that left a bad taste with the buyer. Following the transaction’s closing, the buyer uncovered a host of significant IT security concerns, one of which turned out to be remnants of a prior intrusion. So, the buyer’s legal counsel went back to the Purchase Agreement to see what warranties were made by the seller and whether any remedies were available. It turns out the seller had no “actual knowledge” of a problem because they never looked. The buyer never looked either because the seller wouldn’t cooperate. That meant a dispute and likely litigation. There’s got to be a better way.

Way back when…

In a prior life, I was a commercial real estate lender. I know, I’m mostly recovered now, thank you. Back in the day, the environmental clean-up movement was in high gear. The impacts of liability arising from CERCLA (think “Superfund”) were reverberating down the halls of all real estate developers and lenders. If you entered the title chain of a contaminated property, you were potentially liable for a massively expensive clean-up of something you didn’t even do. What came to bear was a new method for conducting due diligence—an Environmental Site Assessment or ESA. A Phase I ESA conducted by an environmental professional (engineer) consisted of a site study and review of current and historical records, adjacent land uses, public agency records, aerial photographs, and interviews with knowledgeable people. If something of concern like suspected soil contamination was noted, a Phase II study would be required. A Phase II study consisted of more intensive study, testing, and analysis to get to the details of the suspected hazard. A Phase III ESA, if needed, would get to the remediation plans, alternate methods for containment, logistics, how the cleanup was done, and outlined the process for follow-up monitoring. That progression of environmental due diligence has been successfully used since the 1980s. Today every transaction has at least a Phase I ESA as part of the process.

A new way forward…

We can use this example as an analogue for a new and improved cyber due diligence process. Let’s even borrow their “ESA” acronym for our Enterprise Security Assessment.

So, in this context, a Phase I ESA might encompass a comparison with a recognized regulatory or industry-accepted security framework (such as NIST or CIS-CSC). The purpose is to find gaps, prove levels of maturity, and supply an industry benchmark comparison of the target organization. An independent security professional or security engineer would perform the Phase I ESA. Phase I might also look at the Dark Web for compromised credentials or stolen data, examine select logs, look for signs of existing vulnerabilities, analyze the external attack surface, and scan threat intelligence sources.

If something of concern appears, a major gap is exposed, or a significant variance from similarly situated organizations is identified, you can move on to a Phase II study with independent data collection, analysis and testing, controls validation, and an expert threat hunt to look for malicious activity as well. If the suspected problem is verified, you can move into a Phase III ESA to remediate the threat and/or close the gap. Follow with monitoring to ensure the situation is adequately resolved and confirm that no advanced persistent threats remain.

Less Regret

The cooperation between the parties is enhanced by a predictable, independent process conducted under the supervision of counsel. It’s not a fishing expedition but a defined, repeatable process. This flexible, extensible due diligence process for cyber makes much more sense than the current ad hoc model and will result in less regret across the board.

Less regret equals happier clients. 

Give us a call at 1-800-864-4667 or Contact Us to find out how your practice can partner with PacketWatch to begin implementing a Phased-ESA Cyber Due Diligence program today.


Editor’s Note: We have refined and expanded this phased approach for M&A clients. The public launch of PacketWatch M&A, our suite of M&A Cyber Due Diligence Services, was on November 7, 2022.


Under Pressure. How will your cybersecurity team do?


(Cue the song “Under Pressure” by the British rock band Queen and singer David Bowie [i])

“Under pressure, you don’t rise to the occasion, you sink to the level of your training”

~ Anonymous Navy SEAL

Under Pressure

Nothing could be truer than the quote above, often attributed to an anonymous Navy SEAL. When things get real, your training kicks in. Training is not just filling your head with information, but actually performing the task. Try. Fail. Learn. Get it right. Perfect it. Then do it again and again. The better the training, the better the students learn. This truism is the bedrock of high-performing, effective teams everywhere.

Small Teams

Somehow the business world hasn’t taken this to heart yet. As cybersecurity threats have escalated, the business world’s search for an effective solution has evolved. After a period of denial, the great hope was that some AI-powered “black box” would solve all cybersecurity concerns without having to do anything. That didn’t work. Next, let’s outsource to a cyber insurance firm. The only problem is that it’s pricey, and you don’t control the process. The insurance company does, and they aren’t always on the same team as you. So, we’re left with one solution—an in-house or hybrid human-based solution, probably a small group of folks charged with the impossible. Stop any and every attack, 24x7x365 from any source—script kiddie or advanced persistent threat (APT). It’s got to be 100%, every time. There might be some pressure building there.  

The Challenge

Here’s where the challenge comes in. You see, the people on your incident response team, as defined in your IR policy and procedures (if you have one), most likely have never been hands-on with a complex incident (If they had, you probably couldn’t afford to keep them). They may have studied cases, taken classes, read tons of materials, and have an alphabet soup of certifications. But they probably have never executed your Incident Response Plan. They’ve never seen what the adversary’s tactics, techniques, and procedures (TTPs) look like in your technology stack. Do you have sufficient visibility? Is your logging up to snuff? So, how will your team perform in a high-pressure situation? How about with no sleep for 48 hours? Where are the gaps? You need to know. Your company is on the line.

Train Like the Champs

How do you overcome this? You train. And then train some more. This type of training is called Adversary Emulation or Purple Teaming. Whatever the name, the concept is to step through a targeted attack using real TTPs but without the dangers of a real attack. Team members are divided into two groups, a Red (Offensive) Team and a Blue (Defender) Team. PacketWatch team members are on both teams and provide the technical resources to emulate the attack. At each step, Red Team and Blue Team members get together to:

  1. Review the actions that occurred
  2. Analyze the result of those actions
  3. Determine the effectiveness of the current controls
  4. Identify the gaps
  5. Recommend changes
  6. Discuss other lessons learned

Custom Active Security Engagement

The PacketWatch team can fashion engagements tailored to your firm’s specific needs. Whether you need to test tools and visibility, your incident response capabilities, the effectiveness of specific controls around groups of assets, your defenses against a particular targeted threat, or a combination thereof, PacketWatch’s Active Security Team will build an effective engagement for you.

With an Active Security Engagement, you can:

  • Validate your security controls and incident response processes against the tactics of real threat actors representing the most significant risk to your industry vertical.
  • See and experience how real attacker tactics and exploits appear in your security tools. Identify gaps and assess the capabilities and maturity of your team in realistic scenarios.
  • Improve your organization’s readiness for detecting and responding to the next attack. This hands-on exercise is a better experience than just reading a white paper.

Why PacketWatch?

The better the instructor, the better the team learns. PacketWatch is a team of elite experts from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. We respond to hundreds of complex breaches each year. Knowing and countering adversary tradecraft bolsters our effectiveness in quickly identifying and eliminating threats. We bring that real-world experience to bear for you and your team. That makes us the best for delivering this type of engagement for you. Planning, rehearsing, and testing with a high-performing team is key to ensuring your team’s success.

Ultimately, it’s all about the quality of your team’s training. That determines the outcome. Enable their success with a PacketWatch Active Security engagement.

Give us a call or Contact Us to give your team hands-on experience defending complex attack scenarios.

[i] “Under Pressure” by the British rock band Queen and singer David Bowie was originally released as a single in October 1981.


Why Wait for An Alert?


Is this Threat Hunting?

In a recent scan of marketing literature from other security vendors, nearly every piece I read claimed that they will provide you with “threat hunting” services – one even claiming they did 24x7x365. Really? Better double-check that SOW or service description before signing and ask yourself, “What am I really getting?”

Let’s look at what “threat hunting” actually is and compare. Gartner says this about threat hunting (emphasis added):  

Gartner:

To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative, and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.[i]

Automated Threat Detection?

In reality, many of these vendors are selling “threat detection” rather than “threat hunting.” They changed the name of their managed security operations center (SOC) services to use the new marketing buzzword. It’s 24x7x365 because it’s just an automated detection service. Their “analyst” (a Tier 1 SOC guy) waits for an automated alert and then works to adjudicate the alert, likely escalating it to another more senior “analyst” before concluding its relevance and sending it back to you. They only have data from the sources you provided. How’s that any different than the managed SOC services they sold last year? It doesn’t sound like the definition Gartner set forth to me.   

In that same article, Gartner says:

Gartner:

While threat hunting includes the use of various tools and processes, people are at the core. These rare IT security professionals are highly and uniquely skilled, are known as threat hunters, and the best ones have a combination of systems, security, data analysis, and creative thinking skills. [ii]

Hunt Before the Alert

Note Gartner’s focus on highly skilled, creatively thinking humans, preferably experienced ones who have responded to all types of security incidents. These are real analysts looking for an intruder before any alerts are generated. They want different tools to expand the context of what they see and allow them to conclusively adjudicate a potential threat (not just an alert). They make and test hypotheses based on current threat intelligence. Ideally, you’d want a dedicated analyst who has direct knowledge of your unique IT environment, not a random pod of folks. Gartner calls these real threat hunters “rare.” They are probably not working the graveyard shift at a SOC.

Real Managed Threat Hunting

PacketWatch offers a real managed threat hunting service. Our team of elite experts is from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. They hunt and respond to incidents using the proprietary PacketWatch platform. They are creative thinkers honed with skills from responding to all types of security incidents across the globe. They work one-on-one with you and your team to further your security program. They are equipped to “uncover hidden, advanced threats missed by automated, preventative and detective controls.” They aren’t waiting for an alert to act. That sounds more like what Gartner meant when they defined the term.

Next Steps

So, if you are considering hiring a team for Threat Hunting:

  1. Ask to meet the analyst assigned to your account
  2. Read the Statement of Work (SOW)
  3. Measure them against the Gartner standard
  4. Make a wise decision

Give us a call or Contact Us to meet some of these rare, highly skilled, creatively thinking humans.

[i] Gartner. “How to Hunt for Security Threats.”
[ii] Ibid.