Let’s Create a New Standard for Cyber Due Diligence

“The result of a flexible and extensible cyber due diligence process is less regret across the board.”

M&A Cybersecurity Concerns

Recently, I was in a meeting with a friend who’s a top Corporate Attorney here in town. He was lamenting a recent sizable Mergers and Acquisitions (M&A) deal that left a bad taste with the buyer. Following the transaction’s closing, the buyer uncovered a host of significant IT security concerns, one of which turned out to be remnants of a prior intrusion. So, the buyer’s legal counsel went back to the Purchase Agreement to see what warranties were made by the seller and whether any remedies were available. It turns out the seller had no “actual knowledge” of a problem because they never looked. The buyer never looked either because the seller wouldn’t cooperate. That meant a dispute and likely litigation. There’s got to be a better way.

Way back when…

In a prior life, I was a commercial real estate lender. I know, I’m mostly recovered now, thank you. Back in the day, the environmental clean-up movement was in high gear. The impacts of liability arising from CERCLA (think “Superfund”) were reverberating down the halls of all real estate developers and lenders. If you entered the title chain of a contaminated property, you were potentially liable for a massively expensive clean-up of something you didn’t even do. What emerged was a new method for conducting due diligence: the Environmental Site Assessment, or ESA. A Phase I ESA, conducted by an environmental professional (engineer), consisted of a site study and a review of current and historical records, adjacent land uses, public agency records, aerial photographs, and interviews with knowledgeable people. If something of concern, such as suspected soil contamination, was noted, a Phase II study would be required. A Phase II study consisted of more intensive investigation, sampling, and analysis to get to the details of the suspected hazard. A Phase III ESA, if needed, covered the remediation plan, alternate methods for containment, logistics, how the cleanup was done, and the process for follow-up monitoring. That progression of environmental due diligence has been used successfully since the 1980s. Today every commercial real estate transaction includes at least a Phase I ESA as part of the process.

A new way forward…

We can use this example as an analogue for a new and improved cyber due diligence process. Let’s even borrow their “ESA” acronym for our Enterprise Security Assessment.

So, in this context, a Phase I ESA might encompass a comparison against a recognized regulatory or industry-accepted security framework (such as the NIST Cybersecurity Framework or the CIS Critical Security Controls). The purpose is to find gaps, establish the target organization’s level of maturity, and supply an industry benchmark comparison. An independent security professional or security engineer would perform the Phase I ESA. Phase I might also search the Dark Web for compromised credentials or stolen data, examine select logs, look for signs of existing vulnerabilities, analyze the external attack surface, and review threat intelligence sources for mentions of the target.

If something of concern appears, a major gap is exposed, or a significant variance from similarly situated organizations is identified, you can move on to a Phase II study with independent data collection, analysis and testing, controls validation, and an expert threat hunt to look for malicious activity as well. If the suspected problem is verified, you can move into a Phase III ESA to remediate the threat and/or close the gap. Follow with monitoring to ensure the situation is adequately resolved and confirm that no advanced persistent threats remain.

Less Regret

The cooperation between the parties is enhanced by a predictable independent process conducted under the supervision of Counsel. It’s not a fishing expedition but a defined, repeatable process. This flexible, extensible due diligence process for cyber makes much more sense than the current ad hoc model and will result in less regret across the board.

Less regret equals happier clients. 

Give us a call at 1-800-864-4667 or Contact Us to find out how your practice can partner with PacketWatch to begin implementing a Phased-ESA Cyber Due Diligence program today.

Editor’s Note: We have refined and expanded this phased approach for M&A clients. The public launch of PacketWatch M&A, our suite of M&A Cyber Due Diligence Services, was on November 7, 2022.


Under Pressure. How will your cybersecurity team do?

(Cue the song “Under Pressure” by the British rock band Queen and singer David Bowie [i])

“Under pressure, you don’t rise to the occasion, you sink to the level of your training”

~ Anonymous Navy SEAL

Under Pressure

Nothing could be truer than the quote above, often attributed to an anonymous Navy SEAL. When things get real, your training kicks in. Training is not just filling your head with stuff, but actually performing it. Try. Fail. Learn. Get it right. Perfect it. And doing it again and again. The better the training, the better the students learn. This truism is the bedrock of high-performing, effective teams everywhere.

Small Teams

Somehow the business world hasn’t taken this to heart yet. As cybersecurity threats have escalated, the business world’s search for an effective solution has evolved. After a period of denial, the great hope was that some AI-powered “black box” would solve all cybersecurity concerns without having to do anything. That didn’t work. Next, let’s outsource to a cyber insurance firm. The only problem is that it’s pricey, and you don’t control the process. The insurance company does, and they aren’t always on the same team as you. So, we’re left with one solution—an in-house or hybrid human-based solution, probably a small group of folks charged with the impossible. Stop any and every attack, 24x7x365 from any source—script kiddie or advanced persistent threat (APT). It’s got to be 100%, every time. There might be some pressure building there.  

The Challenge

Here’s where the challenge comes in. You see, the people on your incident response team, as defined in your IR policy and procedures (if you have one), most likely have never been hands-on with a complex incident (If they had, you probably couldn’t afford to keep them). They may have studied cases, taken classes, read tons of materials, and have an alphabet soup of certifications. But they probably have never executed your Incident Response Plan. They’ve never seen what the adversary’s tactics, techniques, and procedures (TTPs) look like in your technology stack. Do you have sufficient visibility? Is your logging up to snuff? So, how will your team perform in a high-pressure situation? How about with no sleep for 48 hours? Where are the gaps? You need to know. Your company is on the line.

Train Like the Champs

How do you overcome this? You train. And then train some more. This type of training is called Adversary Emulation or Purple Teaming. Whatever the label, the concept is to step through a targeted attack using real adversary TTPs, but without the dangers of a real attack. Team members are divided into two groups, a Red (Offensive) Team and a Blue (Defender) Team. PacketWatch team members join both teams and provide the technical resources to emulate the attack. At each step, the Red Team and Blue Team members get together to:

  1. Review the actions that occurred
  2. Analyze the result of those actions
  3. Determine the effectiveness of the current controls
  4. Identify the gaps
  5. Recommend changes
  6. Discuss other lessons learned

Custom Active Security Engagement

The PacketWatch team can fashion engagements tailored to your firm’s specific needs. Whether you need to test tools and visibility, your incident response capabilities, the effectiveness of specific controls around groups of assets, your defenses against a particular targeted threat, or a combination thereof, PacketWatch’s Active Security Team will build an effective engagement for you.

With an Active Security Engagement, you can:

  • Validate your security controls and incident response processes against the tactics of real threat actors representing the most significant risk to your industry vertical.
  • See and experience how real attacker tactics and exploits appear in your security tools. Identify gaps and assess the capabilities and maturity of your team in realistic scenarios.
  • Improve your organization’s readiness for detecting and responding to the next attack. This hands-on exercise is a better experience than just reading a white paper.

Why PacketWatch?

The better the instructor, the better the team learns. PacketWatch is a team of elite experts from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. We respond to hundreds of complex breaches each year. Knowing and countering adversary tradecraft bolsters our effectiveness in quickly identifying and eliminating threats. We bring that real-world experience to bear for you and your team. That makes us the best for delivering this type of engagement for you. Planning, rehearsing, and testing with a high-performing team is key to ensuring your team’s success.

Ultimately, it’s all about the quality of your team’s training. That determines the outcome. Enable their success with a PacketWatch Active Security engagement.

Give us a call or Contact Us to give your team hands-on experience defending complex attack scenarios.

[i] “Under Pressure” by the British rock band Queen and singer David Bowie was originally released as a single in October 1981.


Why Wait for An Alert?

Is this Threat Hunting?

In a recent scan of marketing literature from other security vendors, nearly every piece I read claimed that they will provide you with “threat hunting” services, one even claiming to do it 24x7x365. Really? Better double-check that SOW or service description before signing and ask yourself, “What am I really getting?”

Let’s look at what “threat hunting” actually is and compare. Gartner says this about threat hunting:


To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative, and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.[i]

Automated Threat Detection?

In reality, many of these vendors are selling “threat detection” rather than “threat hunting.” They changed the name of their managed security operations center (SOC) services to use the new marketing buzzword. It’s 24x7x365 because it’s just an automated detection service. Their “analyst” (a Tier 1 SOC analyst) waits for an automated alert and then works to adjudicate the alert, likely escalating it to a more senior “analyst” before concluding its relevance and sending it back to you. They only have data from the sources you provided. How is that any different from the managed SOC services they sold last year? It doesn’t sound like the definition Gartner set forth to me.

In that same article, Gartner says:


While threat hunting includes the use of various tools and processes, people are at the core. These rare IT security professionals are highly and uniquely skilled, are known as threat hunters, and the best ones have a combination of systems, security, data analysis, and creative thinking skills. [ii]

Hunt Before the Alert

Note Gartner’s focus on highly skilled, creatively thinking humans, preferably experienced ones that have responded to all types of security incidents. These are real analysts looking for an intruder before any alerts are generated. They want additional tools to expand the context of what they see and allow them to conclusively adjudicate a potential threat (not just an alert). They form and test hypotheses based on current threat intelligence. Ideally, you’d want a dedicated analyst with direct knowledge of your unique IT environment, not a random pod of folks. These real threat hunters are “rare,” Gartner says. They are probably not working the graveyard shift at a SOC.

Real Managed Threat Hunting

PacketWatch offers a real managed threat hunting service. Our team of elite experts is from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. They hunt and respond to incidents using the proprietary PacketWatch platform. They are creative thinkers honed with skills from responding to all types of security incidents across the globe. They work one-on-one with you and your team to further your security program. They are equipped to “uncover hidden, advanced threats missed by automated, preventative and detective controls.” They aren’t waiting for an alert to act. That sounds more like what Gartner meant when they defined the term.

Next Steps

So, if you are considering hiring a team for Threat Hunting:

  1. Ask to meet the analyst assigned to your account
  2. Read the Statement of Work (SOW)
  3. Measure them against the Gartner standard
  4. Make a wise decision

Give us a call or Contact Us to meet some of these rare, highly skilled, creatively thinking humans.

[i] Gartner, “How to Hunt for Security Threats.”
[ii] Ibid.

The Packet Never Lies

The Black Box

“Self-learning, autonomous artificial intelligence (AI) security solution.”

That’s the marketing double-speak to sell you a “black box” that supposedly teaches itself about your computer network. Then, it autonomously spots bad stuff happening and takes actions to fix it.

It sees all things, knows all things, and is never wrong. You don’t need to do anything. Plus, it has an awesome graphical user interface (GUI).

Well, not exactly. You see, it may learn bad behaviors and think they’re good. It has to be trained properly. It sounds like something from a movie I once saw.


HAL 9000 from 2001: A Space Odyssey

Customer Story

In the not-too-distant past, a client called us to help assess their security posture as part of a merger and acquisition (M&A) transaction. The company is part of an international manufacturing organization. They had a large footprint of internet of things (IoT) manufacturing devices and a network interconnected with global supply chain partners. The internal security team was pretty confident. They greeted us with folded arms. After all, they had had one of those “black boxes” monitoring their environment for several years. There was no way we would find anything.

We deployed our PacketWatch sensors and began to collect data. Right away, we detected an older “bot” operating on one of the computer controllers for an IoT device. “No way,” they said. It’s simply not possible. And they dismissed our claim. We showed them in our PacketWatch analysis GUI, but they still didn’t believe us. So, we pulled a packet capture (PCAP) of the device’s traffic over the previous 48-hour period and showed the internal team the results.

The packets never lie. Sure enough. There it was.

Wireshark was brought in to definitively prove our claim. We had all the packets, including the payloads showing repeated malicious activity: inbound commands and outbound responses. If we had only had NetFlow data, they probably would have wiggled off the hook claiming some ambiguity in interpreting the data. But we had the whole enchilada: full packet capture history. If we hadn’t had historical data, a quick fix would have caused the bot to “disappear” before additional forensics could be run. But there’s no wiggle room when you have the actual packets. In fairness, we asked the black box for its opinion, but it wasn’t capable of responding.
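To make the NetFlow-versus-packets distinction concrete, here is an added example; it is not PacketWatch code or tooling from the engagement. It is pure-Python (standard-library struct) code that writes a small constructed pcap in memory, derives NetFlow-style records from it, and separately inspects the payloads. The controller, operator and HMI addresses, the ports, and the CMD/RESULT strings are all invented for illustration.

```python
"""Flow records versus full packet capture, on a constructed in-memory pcap.
Added example (not PacketWatch code): hosts, ports and the CMD/RESULT strings
are invented, and checksums are left at zero, which is fine offline."""
import struct
from collections import defaultdict

PCAP_MAGIC, ETH_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 0x0800, 6
CONTROLLER = "10.20.1.15"   # constructed: IoT controller running the bot
OPERATOR = "203.0.113.77"   # constructed: external host issuing commands
HMI = "10.20.1.2"           # constructed: benign internal web service

def build_tcp_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame carrying payload (PSH|ACK, checksums zeroed)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, IPPROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def write_pcap(frames):
    """Serialise (timestamp, frame) pairs as a libpcap stream (linktype 1)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) from a little-endian libpcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off < len(data):
        ts, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def decode(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def flow_records(data):
    """NetFlow's view: per-5-tuple packet and byte counters, no payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, frame in read_pcap(data):
        d = decode(frame)
        if d is not None:
            rec = flows[(d[0], d[1], d[2], d[3], "tcp")]
            rec["packets"] += 1
            rec["bytes"] += len(frame)
    return dict(flows)

def payload_hits(data, markers):
    """Full-capture view: the bytes actually exchanged, matched on markers."""
    hits = []
    for ts, frame in read_pcap(data):
        d = decode(frame)
        if d is not None and any(m in d[4] for m in markers):
            hits.append((ts, d[0], d[1], d[4].decode("ascii", "replace")))
    return hits

def build_sample_capture():
    """Constructed traffic: one command/response pair next to a benign fetch."""
    frames = [
        (1700000000, build_tcp_packet(OPERATOR, CONTROLLER, 40122, 8080,
                                      b"CMD run_scan 10.20.1.0/24\n")),
        (1700000001, build_tcp_packet(CONTROLLER, OPERATOR, 8080, 40122,
                                      b"RESULT 10.20.1.2:445 open\n")),
        (1700000002, build_tcp_packet(CONTROLLER, HMI, 51000, 80,
                                      b"GET /status HTTP/1.1\r\nHost: hmi\r\n\r\n")),
        (1700000003, build_tcp_packet(HMI, CONTROLLER, 80, 51000,
                                      b"HTTP/1.1 200 OK\r\n\r\nok")),
    ]
    return write_pcap(frames)

if __name__ == "__main__":
    cap = build_sample_capture()
    for key, counters in flow_records(cap).items():
        print(key, counters)      # counters only: nothing here says "bot"
    for hit in payload_hits(cap, [b"CMD ", b"RESULT "]):
        print(hit)                # the command and its answer, verbatim
```

Run as a script, the flow records come out as four one-packet TCP sessions, one of them with an external address on port 8080, which a reluctant team could still explain away as a vendor portal or a misconfigured client. The payload search returns the command and its reply byte for byte, which is the evidence that ends the argument. A real capture would also need TCP stream reassembly and checksum validation, which this example skips.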

That meeting prompted an angry call from the client’s Chief Information Security Officer (CISO) to the black box vendor demanding answers. He had staked his reputation on the black box. The vendor went back and reviewed their application history. They couldn’t say exactly how, but the “bot” traffic was detected and somehow whitelisted. What? It had been whitelisted several years prior. So, a detection went without action, and the black box had “learned” it was OK. Oops. How do you un-learn that?

As a result of our findings, the client had to send an embarrassing incident disclosure to their supply-chain partners. The client’s CEO was angry, too. He had blown his budget on all this black box stuff the CISO guaranteed would work. The truth was that an entry-level human analyst with the proper tools would have found the bot easily for roughly the same spend.

Would this be a resume-generating event for the CISO?

Fortunately, not. As we worked together on the balance of the assignment, we continued to show our value.

  1. We were able to troubleshoot an application configuration error by providing them with the session negotiation packets. We showed them exactly where the handshake was failing. None of their other tools could.
  2. We also showed them some misconfigured DNS entries creating daily internal DNS storms.
  3. Our threat hunters showed them several design vulnerabilities (e.g., clear-text credentials) that needed attention.

Again, the packets never lie. The CISO was now a hero for bringing us in.

Humans are Necessary

The point here is not to disparage the black box but to convince people that experienced “humans” are necessary to the security process. A black box can automate the detection of threats, but the only sure way to adjudicate a threat is for a human to go back to review the actual packets. If you don’t have the packets, that’s a problem. If your team lacks network visibility at the packet level and/or needs help figuring out exactly what your black box solution has been doing all these years, please call us. We’d love to help you out.

PacketWatch Log4J Article also Published on Law360

PacketWatch CTO Michael McAndrews recently collaborated with Squire Patton Boggs to create an article for the law firm’s Consumer Privacy World blog. The blog post focused on the recent Log4J vulnerability that has become a top cybersecurity concern for most organizations.

We learned that Law360, a prominent news service for attorneys operated by Portfolio Media (a subsidiary of LexisNexis), picked up the article to share with their paid subscriber base. The article provides technical and operational guidance to companies trying to respond to the Log4J vulnerability.

Law360 subscribers can read the article “A Case Study in Appropriately Responding to the Log4J Cybersecurity Vulnerability” (pdf) on the Law360 website. If you need assistance with any of the recommendations in the article, please contact us for assistance.

“This article illustrates how vulnerabilities create both technical and legal challenges for organizations. Working with Squire Patton Boggs helps PacketWatch ensure our clients get the highest level of attention on both fronts.”

Michael McAndrews, Chief Technology Officer, PacketWatch