Maybe, with a Little Practice.

Let Me Explain Why

Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident?” It’s hard not to chuckle when you hear that question. It most likely means things are not going to go well for that client unless they make some changes. Let me explain why.

A Football Analogy

It’s football season, so we’ll pick an analogy from there. Imagine the Offensive Coach has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The General Manager and the Head Coach certainly didn’t know that was going to happen. Nonetheless, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance, it does, it’s only because of the sheer athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The General Manager and the Head Coach will not be happy and will be looking to blame you for the disaster. They’ll let you face the press at the after-game conference. If you’d only had time to practice it and put the play through its paces with the team, it could have been stellar. But it’s too late now.

Incident Response Plan

So it is with incident response (IR). Typically, a document (the IR Policy/Plan) is created by someone in the compliance department because you needed to have one for your cyber insurance application. Customers and partners have also been asking if you had one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced, and they probably can’t save you from disaster. If an incident were to happen today, the result would be like the infamous play above: likely complete chaos and an expensive failure. Perhaps even a “resume generating event” for you.

Practice, Practice, Practice

“A winning effort begins with preparation”

– Coach Joe Gibbs

The solution is just what the coach should have done above. The coach should have walked the team through the play and each player’s role. He should have made sure communications were clear and that everyone knew who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they had the right players on the field and what they should expect: what could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Train some more and then do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps exponentially.

The Tabletop Exercise

An Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend breaking it into a technical track and an executive track: different topics, different personalities. The technical track focuses on the security team and their response processes and capabilities. The executive track focuses on the legal, communication and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all, good and bad. With a few days of focused work on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

Well, that was Awkward.

Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.

The Issue

“Bad guys are sending data to Russia from their production network.”

The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (TeamViewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved, somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of people from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s third-party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company had experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion. A relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

SEC Rulemaking Necessitates Updating Incident Response Plans

As part of a recently announced strategic relationship, HKA and PacketWatch released a co-authored article on the impact of the Securities and Exchange Commission’s (SEC) proposed cybersecurity rules. The rules have entered the final stages of their Comment Period and will soon be released in their final form.

Written by HKA’s Michael Corcione, Partner, and Chuck Matthews, CEO, PacketWatch, the article highlights:

  • The Proposed Rules
  • The Impact on Incident Response Programs

The proposed SEC rulemaking will significantly influence cybersecurity risk management, governance, board oversight, and compliance programs. This action also signals a change in regulatory tenor and elevates cybersecurity to a new level of accountability and transparency.

The article is available on the HKA Website under News and Insights.

“We estimate that registrants will be dealing with hundreds of hours in modifying processes and hundreds of hours more for each incident.”

Michael and Chuck provide their expert insight into actions your organization should take following the SEC’s recent proposed rule on cybersecurity incident disclosures.

About HKA
HKA is the world’s leading consultancy of choice for multi-disciplinary expert and specialist services in risk mitigation, dispute resolution and litigation support.

HKA’s Cybersecurity and Privacy Risk Management practice is one of five risk mitigation related services lines, focusing on governance, risk and compliance, third-party and vendor risk management, incident response, training and cryptoasset operations advisory.

HKA has in excess of 1,000 consultants, experts and advisors in more than 40 offices across 18 countries.  For more information about HKA, visit www.hka.com and connect with us on LinkedIn, Twitter (@HKAGlobal) and Facebook.


HKA and PacketWatch expand collaboration to provide immediate cybersecurity incident response services

NEW YORK, June 21, 2022 /PRNewswire/ — HKA and PacketWatch announce plans to expand their strategic collaboration to provide quick reaction incident response and crisis management capabilities to global businesses impacted by a security incident including data breaches, email compromises, business disruption, or other cyber-related attacks.

Michael Corcione, Partner, Global Cybersecurity & Privacy Risk Management Lead at HKA, commented, “I am excited to expand our relationship with PacketWatch and offer an expert team of incident response and investigations professionals to our clients. Supporting organizations throughout an incident, from detection, investigation, and post-incident response analysis is a critical service.”

For over a year, both firms have been working together on incident investigations. PacketWatch and HKA have successfully collaborated on many complex cyber-related incidents working closely with clients and their legal counsel, across a multitude of industries such as manufacturing, financial services, government organizations, irrigation, information technology and many more. This advanced collaboration will further allow HKA and PacketWatch to offer complementary and enhanced services to HKA’s global client base, spanning many industries.

Christopher Krueger, Vice President, PacketWatch, said, “Cyber-attacks are becoming increasingly sophisticated. Our partnership with HKA brings clients the expertise, scale, and professionalism necessary to rapidly address these threats on a global basis. Our combined expertise bolsters the capabilities brought to bear on incidents and helps reduce future risks.”

About PacketWatch
PacketWatch is a boutique provider of cybersecurity services with in-depth expertise in complex incident response, digital forensics, managed detection & response (MDR), and active cybersecurity services for mid-sized and enterprise organizations. Our responsive expertise allows us to quickly engage with our clients – rapidly identifying, containing, and eradicating threats in their environment.

For more information about PacketWatch, visit packetwatch.com and connect with them on LinkedIn and Twitter (@packetwatch).


THIS MEMORIAL DAY WEEKEND: RANSOMWARE

Extensive Remote Workforce and Upcoming American Holiday Likely to Attract Significant Increase in Ransomware Attacks

Since May 4th, we have seen an eye-catching increase in cyber incidents, email compromise, and ransomware attacks.

As we approach the US Holiday, Memorial Day, we expect this increase to continue. To help improve your awareness, we offer the following trends and fairly consistent indicators pointing back to Eastern European and Russian criminal actors.

Trends

Here are some of the prevalent trends that we have seen recently:

  • Attackers are using compromised admin credentials. The credentials appear to be coming from successful phishing attacks or from brute-forcing and guessing. In at least one case we worked, a laptop appeared to be infected with password-harvesting malware—when an administrator remotely logged in, the attackers were able to collect the admin credentials.
  • Organizations with ports 3389 and 21 open to the internet seem to be especially susceptible to attack.
  • Domain controllers are being encrypted, making deployment of recovery tools difficult. We strongly recommend keeping good, tested backups of domain controllers.

Recommendations

We are sharing the following recommendations, in order of importance, based on recent research and incidents we’ve worked throughout May:

  • Mandate multifactor authentication (MFA) wherever possible. Even if an attacker obtains login credentials (username and password), MFA is very effective at preventing full compromise.
  • Implement advanced endpoint protection, such as CrowdStrike. Traditional antivirus is becoming less effective (in one of the cases we worked, the AV server itself was encrypted).
  • Use complex passwords for admin accounts, especially those shared with outside vendors.

Network Monitoring

The knowledge we gain through our Incident Response practice often gets “re-invested” into PacketWatch as alerts and queries watching for anomalous trends and threats.

Following is a PacketWatch graph showing activity for the past week from Russian IP addresses. This activity is collected via an externally facing PacketWatch node that sits in front of any firewall, giving us an unfiltered view of internet background traffic.

As you’ll notice in the following graph, Russian activity last week noticeably spiked starting around 00:30 on Friday, May 15, and subsided the following Tuesday morning.

[Graph: activity from Russian IP addresses over the past week]

When we break this traffic out by Autonomous System Number (ASN), we see that two ASNs seem to be primarily responsible for this increase in traffic. Please see the following graph.

[Graph: the same traffic broken out by source ASN]

We traditionally see a surge in cyber attacks on or around major American holidays, since attackers are keen to exploit victims they suspect may be less vigilant due to vacations, remote work, or the typical excitement and distractions that accompany holiday activities.

Lately, the surge in attack traffic appears to be focused on ports 445, 23, and 3389 (SMB, Telnet, and RDP, respectively). These ports are typical threat vectors for wormable exploits and ransomware deployment. Based on the timing in this swell of activity as well as the targeted ports, we assess with moderate to high confidence that organizations with services open and responding on these ports may face significant targeting over the coming Memorial Day weekend.

Russian Activity Over the Past Seven Days

Looking at Russian activity over the past week, we also see a fair amount of other traffic looking for interesting services such as Secure Shell (port 22, SSH) and port 5900, which is associated with Apple’s remote network computing. Database administrators will be interested to see that 1433 (SQL) makes an appearance here as well.
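As an added illustration of the kind of query the Network Monitoring section describes (this is not PacketWatch’s own code), the following Python aggregates constructed inbound-attempt records by destination port and by source ASN, and flags the ports this brief calls out when their count jumps well above a quiet baseline week. The record format, the ASNs (from the documentation range) and the thresholds are assumptions.

```python
"""Aggregate inbound connection attempts by destination port and source ASN,
then flag ports whose attempt count jumped well above a baseline period."""
from collections import Counter
from datetime import datetime

# Ports the brief singles out, labelled as the brief labels them.
WATCHED_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB",
                 1433: "SQL", 3389: "RDP", 5900: "port 5900"}

# Constructed sample records, not real capture data. One attempt per line:
#   <ISO timestamp> src_asn=<ASN> dst_port=<port>
# ASNs come from the documentation range reserved by RFC 5398.
SAMPLE_LOG = """\
2020-05-15T00:31:02Z src_asn=AS64496 dst_port=3389
2020-05-15T00:31:09Z src_asn=AS64496 dst_port=445
2020-05-15T00:32:40Z src_asn=AS64497 dst_port=23
2020-05-15T00:33:15Z src_asn=AS64496 dst_port=3389
2020-05-15T01:02:58Z src_asn=AS64497 dst_port=445
2020-05-15T01:10:11Z src_asn=AS64498 dst_port=22
2020-05-15T02:20:00Z src_asn=AS64496 dst_port=3389
2020-05-15T02:45:30Z src_asn=AS64497 dst_port=1433
this line is malformed and must be skipped
"""

# Constructed baseline: attempts per port seen in a quiet prior week.
BASELINE = Counter({22: 1, 445: 1, 3389: 1})


def parse_records(text):
    """Return (timestamp, src_asn, dst_port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            records.append((ts, fields["src_asn"], int(fields["dst_port"])))
        except (KeyError, ValueError):
            continue
    return records


def count_by_port(records):
    """Attempts per destination port."""
    return Counter(port for _, _, port in records)


def count_by_asn(records):
    """Attempts per source ASN; most_common() shows which ASNs drive a surge."""
    return Counter(asn for _, asn, _ in records)


def flag_spikes(current, baseline, factor=3.0, min_hits=3):
    """Watched ports whose count is at least `factor` times baseline (a port
    absent from baseline is compared against 1) and at least `min_hits`."""
    flagged = {}
    for port in WATCHED_PORTS:
        cur, base = current.get(port, 0), baseline.get(port, 0)
        if cur >= min_hits and cur >= factor * max(base, 1):
            flagged[port] = (base, cur)
    return flagged
```

Run `flag_spikes(count_by_port(parse_records(SAMPLE_LOG)), BASELINE)` to get the flagged ports, and `count_by_asn(...).most_common(2)` for the ASNs behind them; in practice the baseline would come from the previous week’s counts rather than a constant.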

About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/