He’s on to Something.

Blog

Dedicated Threat Hunting Investigations

I always enjoy reading an article from someone who truly gets it. This particular article was a preview of a forthcoming ebook from SC Media titled “All about MDR: What it is and how to optimize it.” The article describes managed detection and response (MDR) services as when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.” [The analysts at Gartner would properly add that the vendor needs to bring their own technology to the table as part of the service as well.] The article emphasizes the following key prerequisites for anything called “MDR”:
  • Access to real human threat hunters – a truly rare breed.
  • Specific focus on threat detection and threat response.
  • Continuous monitoring and scanning.
  • Guided remediation and prioritization.
  • Working partnership built on shared and non-shared responsibilities.

Proactively Fight the Fire

The article goes on to distance MDR from (M)EDR, XDR, MSSP and SIEM/SOC services. Providers of these services often say they are performing “MDR services” when they are just slapping a new label on their old MSSP offering or selling products. MSSPs are more focused on the administration of alerts (reactive) than on (proactive) threat hunting, threat intelligence and incident response. The latter three skills define what you should look for in an MDR provider. When an MSSP, EDR, XDR or SIEM/SOC provider calls itself an MDR provider, it’s akin to a fire department radio dispatcher saying they put out fires. A bit of a stretch. You want the people who actually fight the fire on scene with your team.


A Passion for Eliminating Threats

MDR is when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.”

– Daniel Thomas, SC Media

At PacketWatch, we employ dedicated threat hunters whose passion and sole occupation is to hunt and eliminate threats. That’s it – nothing else. Their vernacular is formed by the incidents they respond to each week. Our PacketWatch platform is the ultimate threat-hunting tool because it is designed by and for threat hunters. It provides the additional detailed visibility into the network and context that EDR, XDR, and SIEM lack. Our threat hunting team knows what to prioritize and how to kill it. That’s what hunters do.

So, good for the folks at SC Media! I look forward to reading the rest of their ebook. In speaking recently with the Gartner analysts, we expect they will be reinforcing many of the same points in their upcoming revised MDR Market Guide too. The reason you want an MDR provider is the quality and experience of the people you will be working with, not just another technology. So, if you are considering Managed Detection and Response services (or want to upgrade from your current provider), please give us a call today at 1.800.864.4667. We’ll be happy to show you what outcomes a real MDR provider can deliver for your firm.

There’s Your Sign.

Blog

Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum swings too far in one direction sometimes. Over the past decade, we’ve watched the security pendulum swing from one tool to the next. Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level. But only if they are properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example found in the Independent Post Incident Review covering the 2021 Conti ransomware attack on the Irish Health Service Executive (or “HSE”). [Hats off to the HSE for releasing it to the public.] The massive breach at the HSE disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. It turns out patient zero was infected by a simple phishing email carrying a malicious Microsoft Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. The execution of two well-known offensive tools (a post-exploitation framework and a credential-dumping utility) should have been blocked by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

The HSE didn’t have a SOC. Worse, the report goes on to say that the antivirus tool was deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not block. Plus, no one was watching its alerts. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back towards experienced human beings. We need to focus more on making more experienced people! Tools can never replace them. If you need some experienced human threat hunters to help you ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.

PacketWatch Article Published on Law.com

Blog | News

So Where Did the Leak Come From?

PacketWatch CEO Chuck Matthews collaborated with Jeffrey Dennis, a privacy and data security expert from the law firm Buchalter, to write an article that explains why it is more important than ever to address data security in detail from the start of new vendor relationships.

The article describes a recent client case where sensitive information was leaked to a dark web site, yet no breach of the client’s own systems was found. A vendor was the likely target of the cyberattack, but the vendor refused to cooperate.

The article shares several components that should be included in a vendor agreement data security addendum. These representations, warranties, and covenants could have prevented many of the headaches the client experienced.

If you would like to learn how to protect your organization from a similar fate, read “So Where Did the Leak Come From? Settle Key Data Protection Issues With Vendors Before a Crisis” on Buchalter.com or Law.com (requires registration for a free account).

If you need assistance with any of the recommendations in the article, please contact us for assistance.

“Common sense provisions should be ironed out when starting a relationship with a vendor, not in the midst of crisis.”

Maybe, with a Little Practice.

Blog

Let Me Explain Why

Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident?” It’s hard not to chuckle when you hear that question. It most likely means it’s not going to go well for that client unless they make some changes. Let me explain why.

A Football Analogy

It’s football season, so we’ll pick an analogy from there. Imagine the offensive coordinator has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The General Manager and the Head Coach certainly didn’t know that was going to happen. Nonetheless, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance, it does, it’s only because of the sheer athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The General Manager and the Head Coach will not be happy and will be looking to blame you for the disaster. They’ll let you face the press at the post-game conference. If you’d only had time to practice it and put the play through its paces with the team, it could have been stellar. But it’s too late now.

Incident Response Plan

So it is with incident response (IR). Typically, a document (IR Policy/Plan) is created by someone in the compliance department [because you needed to have one for your cyber insurance application]. Customers and partners have also been asking if you had one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced, and they probably can’t save you from disaster. If an incident were to happen today, the result would be like the infamous play above: likely complete chaos and an expensive failure. Perhaps even a “resume generating event” for you.

Practice, Practice, Practice

“A winning effort begins with preparation”

– Coach Joe Gibbs

The solution is to do what the coach above should have done. The coach should have walked the team through the play and each player’s role. He should have made sure communications were clear and that everyone knew who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they had the right players on the field and what to expect: what could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Train some more and then do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps dramatically.

The Tabletop Exercise

An Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend breaking it into a technical track and an executive track: different topics, different personalities. The technical track focuses on the security team and its response processes and capabilities. The executive track focuses on the legal, communication and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all, good and bad. With a few days of focused work on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Don’t Just Go With The Flow…

Blog

Full Packet Capture (FPC)

One of the key features of the PacketWatch technology is continuous Full Packet Capture (FPC). FPC constantly records the individual network packets into files called PCAPs (Packet Capture). Collecting PCAPs over time allows retrospective and time series analysis. Many security vendors have chosen to provide only “flow”-based network information (e.g., NetFlow, IPFIX, sFlow, etc.).

80% isn’t Good Enough in Security

Flow-based data is a summary or, in some cases, just a sampling of what happened on the network. Details are removed to reduce overhead and simplify processing. For instance, flow data does not permit you to analyze the actual packet payload for specific content. That would be akin to noting a truck going down the street from point A to point B but not being able to see what it is carrying inside. After all, NetFlow was created by Cisco for network traffic accounting and performance monitoring, not for security use. Flow data can be beneficial in presenting summary information about conversations and providing quick, high-level context, but it lacks the detail needed for a conclusive determination of what is happening. As such, Gartner sees most organizations implementing a dual approach, with flow data used perhaps 80% of the time and packet-level data from key network locations for the critical 20% remainder. Having both flow and PCAP data is key to a threat hunter’s success and is why PacketWatch is such a favorite of experienced hunters.
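To make the truck-on-the-street point concrete, here is an added example (not PacketWatch code) that builds a handful of constructed Ethernet/IPv4/TCP frames, reduces them to the kind of unidirectional flow records a NetFlow/IPFIX exporter would emit, and then runs a payload search that is only possible against the captured packets. The frames, addresses (10.0.0.5, 203.0.113.10) and HTTP requests are all constructed sample data with zeroed checksums; the function names are this example’s own.

```python
"""Added example: what a flow record keeps vs. what full packet capture keeps.

Constructed frames (not a real capture): Ethernet/IPv4/TCP with zeroed checksums.
aggregate_flows() mimics what a flow exporter would emit for these packets;
payload_hits() can only be run because the packets themselves were captured.
"""
import socket
import struct


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero (sample data only)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"               # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return ((src, dst, sport, dport, proto), ip_len, payload) for IPv4/TCP frames, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                        # TCP only, to keep the example short
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:ip_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return (src, dst, sport, dport, "tcp"), ip_len, tcp[doff:]


def aggregate_flows(capture):
    """Summarise (timestamp, frame) pairs into unidirectional flow records.

    This is all a flow exporter keeps: who talked to whom, on which ports,
    how much, and when. The payload is thrown away at this step.
    """
    flows = {}
    for ts, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, ip_len, _payload = parsed
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += ip_len
        rec["last"] = ts
    return flows


def payload_hits(capture, pattern):
    """Search every captured packet's payload for `pattern`; needs FPC, not flows."""
    hits = []
    for ts, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, _ip_len, payload = parsed
        if pattern in payload:
            hits.append((ts, key))
    return hits


def plaintext_on_tls_port(capture, port=443):
    """Flows alone say 'port 443'; only the packets show whether it is really TLS."""
    return [key for _ts, key in payload_hits(capture, b"HTTP/1.1") if key[3] == port]


# Constructed sample capture: one host opens two connections to 203.0.113.10.
# The second uses port 443 but carries plaintext HTTP, which flow data cannot reveal.
SAMPLE_CAPTURE = [
    (1000.0, build_frame("10.0.0.5", "203.0.113.10", 51000, 80, 0x02)),   # SYN
    (1000.1, build_frame("10.0.0.5", "203.0.113.10", 51000, 80, 0x18,     # PSH/ACK + data
                         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1005.0, build_frame("10.0.0.5", "203.0.113.10", 51001, 443, 0x02)),
    (1005.2, build_frame("10.0.0.5", "203.0.113.10", 51001, 443, 0x18,
                         b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n")),
]

if __name__ == "__main__":
    for key, rec in aggregate_flows(SAMPLE_CAPTURE).items():
        print("flow", key, rec)
    print("plaintext HTTP on 443:", plaintext_on_tls_port(SAMPLE_CAPTURE))
```

Both connections look the same in the flow table apart from the destination port and byte counts; the port-443 conversation only stands out as suspicious once the captured payload shows an unencrypted HTTP request where a TLS handshake should be.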

Here’s Why

With the massive increase in zero-day attacks, lingering advanced persistent threats, polymorphic malware, and ransomware attacks, organizations are realizing that investigating threats with their NetFlow-based tools alone leaves them unable to draw definitive conclusions about what happened. Last year 80 zero-days were reportedly exploited in the wild before patches existed. That is more than double the volume in 2019, the prior record. The average time to patch a vulnerability (MTTP) is between 60 and 150 days. So, the ability to look back and conclusively identify exploitation of a zero-day vulnerability is key. Having full PCAPs and the high-level flow data for that period permits a threat hunter to look back in time and conclusively identify a successful exploit of that zero-day vulnerability.

Combine the Data

Further, to understand a network or application performance problem, flow data, while useful, often isn’t sufficient. Again, combining flow data and recorded PCAPs provides a definitive record for network operations personnel. The combination of Flow and FPC/PCAPs gives both your NetOps and SecOps teams the ability to monitor the network for problems, and the detailed packet information needed to reconstruct precisely what happened. Ask us how you can easily add flow data, FPC and PCAPs to your security toolset today with PacketWatch. Even better, ask us how we can provide a fully managed MDR solution, including PacketWatch.

Remember, 80% isn’t good enough when it comes to your security! Give us a call at 1-800-864-4667, or reach out via our Contact Us form.
