He’s on to Something.

He’s on to Something.


He’s on to Something.

Dedicated Threat Hunting Investigations

I always enjoy reading an article from someone who truly gets it. This particular article was a preview of a forthcoming ebook from SC Media titled “All about MDR: What it is and how to optimize it.” The article describes managed detection and response (MDR) services as when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.” [The analysts at Gartner would properly add that the vendor needs to bring their own technology to the table as part of the service as well.] The article emphasizes the following key prerequisites for anything called “MDR”:
  • Access to real human threat hunters – a truly rare breed.
  • Specific focus on threat detection and threat response.
  • Continuous monitoring and scanning.
  • Guided remediation and prioritization.
  • Working partnership built on shared and non-shared responsibilities.

Proactively Fight the Fire

The article goes on to distance MDR from (M)EDR, XDR, MSSP and SIEM/SOC services. Providers of these services often say they are performing “MDR Services” when they are just slapping a new label on their old MSSP services or selling products. MSSPs are more focused on the administration of alerts (reactive) than (proactive) threat hunting, threat intelligence and incident response. The later three skills define what you should look for in a MDR provider. When an MSSP, EDR, XDR or SIEM/SOC provider calls themselves an MDR provider, it’s akin to a Fire Department radio dispatcher saying they put out fires. A bit of a stretch. You want the people that actually fight the fire on scene with your team.

Dedicated Threat Hunting Investigations | PacketWatch

A Passion for Eliminating Threats

MDR is when a…

“vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.”

Daniel Thomas SC Media

At PacketWatch, we employ dedicated threat hunters whose passion and sole occupation is to hunt and eliminate threats. That’s it – nothing else. Their vernacular is formed by the incidents they respond to each week. Our PacketWatch platform is the ultimate threat-hunting tool because it is designed by and for threat hunters. It provides the additional detailed visibility into the network and context that EDR, XDR, and SIEM lack. Our threat hunting team knows what to prioritize and how to kill it. That’s what hunters do.

So, good for the folks at SC media!  I look forward to reading the rest of their ebook. In speaking recently with the Gartner analysts, we expect they will be reinforcing many of the same points in their upcoming revised MDR Market Guide too.  The reason you want an MDR provider is for the quality and experience of the people you will be working with, not just another technology.  So, if you are considering Managed Detection and Response services (or want to upgrade from your current provider), please give us a call today at 1.800.864.4667.  We’ll be happy to show you what outcomes a real MDR provider can provide your firm.

There’s Your Sign.

There’s Your Sign.


There’s Your Sign.

Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum swings too far in one direction sometimes. Over the past decade, we’ve watched the security pendulum swing from one tool to the next. Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level. But only if they are properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example found in the Independent Post Incident Report covering the 2021 Conti Ransomware attack on the Irish Health Service Executive (or “HSE”).  [Hat’s off to the HSE for releasing it to the public.] The massive breach at the HSE disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. Turns out patient zero was infected by a simple phishing email with an infected Microsoft Office Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. The execution of two well-known penetration testing tools should have been stopped by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

They didn’t have one. However, the report goes on to say that the antivirus tool was deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not block. Plus no one was monitoring it. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back towards experienced human beings. We need to focus more on making more experienced people! Tools can never replace them. If you need some experienced human threat hunters to help you ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Maybe, with a Little Practice.

Maybe, with a Little Practice.


Maybe, with a Little Practice.

Let Me Explain Why

Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident? It’s hard not to chuckle when you hear that question. It most likely means it’s not going to go well for that client unless they make some changes. Let me explain why.

A Football Analogy

It’s football season, so we’ll pick an analogy from there. Imagine the Offensive Coach has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The General Manager and the Head Coach certainly didn’t know that was going to happen. None the less, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance it does, its only because of the shear athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The General Manager and the Head Coach will not be happy and be looking to blame you for the disaster. They’ll let you face the press at the after-game conference. If you’d only had time to practice it and put the play through the paces with the team, it could have been stellar. But it’s too late now.

Incident Response Plan

So it is with incident response (IR). Typically, a document (IR Policy/Plan) is created by someone in the compliance department [because you needed to have one for your cyber insurance application]. Customers and partners have also been asking if you had one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced and they probably can’t save you from disaster.  If an incident were to happen today, the result would be like the infamous play above. Likely complete chaos and an expensive failure. Perhaps even a “resume generating event” for you.

Practice, Practice, Practice

“A winning effort begins with preparation”

– Coach Joe Gibbs

The solution is just as the coach should have done above. The coach should have walked the team through the play and each player’s role. He should have made sure communications were clear and who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they have the right players on the field and what they should expect. What could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Train some more and then do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps exponentially.

The Tabletop Exercise

A Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend breaking them into a technical track and an executive track. Different topics, different personalities. The technical track focuses on the security team and their response processes and capabilities. The executive track focuses on the legal, communication and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all – good and bad. With an emphasis for a few days on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.


Well, that was Awkward.

Well, that was Awkward.


Well, that was Awkward.

Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.

The Issue

“Bad guys are sending data to Russia from their production network. “

The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (Team Viewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of guys from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s 3rd party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion. A relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

SEC Rulemaking Necessitates Updating Incident Response Plans

SEC Rulemaking Necessitates Updating Incident Response Plans

Blog | News

SEC Rulemaking Necessitates Updating Incident Response Plans

As part of a recently announced strategic relationship, HKA and PacketWatch released a co-authored article on the impact of proposed Securities and Exchange Commission’s (SEC) cybersecurity rulings. The rulings have entered the final stages of their Comment Period and will soon be released in their final form.

Written by HKA’s Michael Corcione, Partner, and Chuck Matthews, CEO, PacketWatch, the article highlights:

  • The Proposed Rules
  • The Impact on Incident Response Programs

The proposed SEC rulemaking will significantly influence cybersecurity risk management, governance, board oversight, and compliance programs.  This action also signals a change in regulatory tenor and elevates cybersecurity to a new level of accountability and transparency.

The article is available on the HKA Website under News and Insights.

“We estimate that registrants will be dealing with hundreds of hours in modifying processes and hundreds of hours more for each incident.”

Michael and Chuck provide their expert insight into actions your organization should take following the SEC’s recent proposed rule on cybersecurity incident disclosures.

About HKA
HKA is the world’s leading consultancy of choice for multi-disciplinary expert and specialist services in risk mitigation, dispute resolution and litigation support.

HKA’s Cybersecurity and Privacy Risk Management practice is one of five risk mitigation related services lines, focusing on governance, risk and compliance, third-party and vendor risk management, incident response, training and cryptoasset operations advisory.

HKA has in excess of 1,000 consultants, experts and advisors in more than 40 offices across 18 countries.  For more information about HKA, visit www.hka.com and connect with us on LinkedIn, Twitter (@HKAGlobal) and Facebook.