It wasn’t the call we wanted to make to a newenterprise clienton a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.
“Bad guys are sending data to Russia from their production network. “
The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seenevidence of a remote accesstool (Team Viewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of guys from one of the big advisory firms watching and monitoring everything.Why couldn’t they see it?What was this anomaly inside the client’s otherwise relatively clean production network?
We came in to provide a Proof of Concept (POC) of services using our PacketWatchfull-packet captureplatform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?
We called in again. No answer. Shoot. Got his voicemail again. We left anurgent messageand called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had justdeclared an incidentand enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.
A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s 3rd party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted,“Yes, you had seen it first!”
Although that initial assignment was not exactly what we expected, it allowed us to show the strength of thePacketWatch platformin providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our teamto see what others miss. We earned our spot on the team on that occasion. A relationship we treasure to this day.
A Change in Perspective
PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. AnEnterprise Security Assessmentusing the PacketWatch platform will tell you more aboutwhat’s hiding in your network– especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.