Sled Meta Blog


PacketSled Selected as SC Magazine 2018 Trust Award Finalist

in News by Christina Patten
SAN DIEGO, Jan 25, 2018 / PacketSled, a leading provider of cloud-based network visibility, detection, incident response and breach forensics, today announced that the 2018 SC Awards have recognized the PacketSled platform as a Trust Award finalist in the Best Computer Forensic Solution category. The finalists and winners for the Trust Awards are chosen by an expert panel of judges with extensive knowledge and experience in the cybersecurity industry. Winners will be announced at the SC Awards ceremony on April 17, 2018 in San Francisco.

“In an age where threats are ever-evolving, it is reassuring to know that one true constant is the commitment of dedicated information security professionals, as best exemplified by our SC Media Awards finalists,” said Illena Armstrong, VP, editorial, SC Media. “These inspiring innovators have set a high bar for their industry peers, as they continue to protect the world from attacks and vulnerabilities that imperil our security, privacy, and digital infrastructure. The year 2017 brought us WannaCry ransomware infections, the rise of cryptominers, and bugs like Broadpwn and BlueBorne that affected billions of devices. Whatever threats rear their ugly heads in 2018 and beyond, our finalists will be ready to act.”

Now in its 21st year, SC Awards is recognized as the industry gold standard of accomplishment for cybersecurity professionals, products and services. With the awards, SC Media recognizes the achievements of cybersecurity professionals in the field, the innovations happening in the vendor and service provider communities, and the vigilant work of government, commercial and nonprofit entities. Vendors and service providers who offer a product and/or service for the commercial, government, educational, nonprofit or other industries are eligible for the SC Awards’ Trust Award category.

“PacketSled is committed to empowering our clients with the best network visibility, incident response and network forensic capabilities available today,” said Fred Wilmot, CTO of PacketSled. “We are honored to have this recognition by SC Media and our team looks forward to continuing to build market-leading security software that makes a difference in the fight.”

“Finalists for the Trust awards are selected by a panel of approximately 100 professionals and the SC Magazine product reviews team,” added Illena Armstrong of SC Media. “It’s a high bar to clear and we are proud to acknowledge PacketSled as a finalist.”

The SC Awards gala honoring the winners attracts top professionals in the cybersecurity community and provides an invaluable opportunity for networking. To register for the 2018 SC Awards gala, please visit

About PacketSled

PacketSled, the network analytics platform of choice for security experts, automates incident response by bringing together business context, AI, entity enrichment and detection with network visibility. Used for real-time analysis and response, PacketSled’s platform leverages continuous stream monitoring and retrospection to provide network forensics and security analytics. Used by response teams worldwide, security analysts and SOC teams can integrate PacketSled’s deep network context into their playbooks, SIEMS, or independently to dramatically reduce investigation time, cost and expertise required to respond to persistent threats, malware, insider attacks, and nation state espionage efforts. The company has been named an innovator in leading publications and by security analysts, including SC Magazine, earning a perfect score in the online fraud group test. Based in San Diego, the company is backed by investors including Keshif Ventures and Blu Venture Investors. The company is headquartered in San Diego, with offices in Seattle, WA. For continuous product updates and industry news, please visit us at or follow us @packetsled. 

About SC Media

SC Media is cybersecurity. For over 25 years, they have armed information security professionals with in-depth and unbiased information through timely news, comprehensive analysis, cutting-edge features, contributions from thought leaders, and independent product reviews in partnership with and for top-level information security executives and their technical teams. In addition to their comprehensive website, SC Media offers magazines, eBooks, and newsletters. They also host digital and live events such as SC Awards and RiskSec NY to provide cybersecurity professionals all the information needed to safeguard their organizations and contribute to their longevity and success.


Event Information: Anna Naumoski, Events Manager

Media Contact: Christina Patten
Telephone number (858) 225-2352

PacketSled names John Keister President and CEO

in News, PacketSled by Christina Patten
SAN DIEGO, Oct. 25, 2017 /PRNewswire/ — PacketSled, Inc., a leading provider of cloud-based network visibility, detection, incident response and breach forensics, today named John Keister as its new President and Chief Executive Officer. He steps in at an important time for PacketSled as it aims to build its market position and expand its customer footprint. The company also announced that it raised more than $3.5 million, primarily from existing investors, to continue to fund the company’s growth.

Fred Wilmot, who has served as CTO since June 2016 and as interim CEO since November 2016, will remain as CTO. Wilmot is a former Splunk executive and a security industry expert, serving as an advisor at the Managed Security Services Provider Ravenii and as a principal at AM Cyber. The company’s VP Sales, Jared Ballou, is a former sales executive at the public cybersecurity company Rapid7, and he will continue in his current position. Justin Stottlemyer, an Intuit engineering executive with previous technical leadership roles at Facebook and PayPal, will remain on the board as an outside director.

Keister has previous experience as a co-founder, president and chief operating officer at two technology companies focused on search, online advertising and analytics. These two companies, Go2Net and Marchex, each successfully grew to an annual revenue run rate of more than $100 million and successfully completed the IPO process. Keister’s previous operating responsibilities included oversight of sales, business development, marketing, engineering and technical operations. He also has 10-plus years of experience investing in early-stage software companies and sitting on the boards of directors for several of these companies.

“John’s experience as a founder and operator at both early-stage companies and public companies will amplify PacketSled’s product team as we prepare for the next phase of our growth,” said Wilmot.


Threat Hunting and Endpoints; A Dr. Stephenson tutorial

in Uncategorized by Christina Patten

“Packetsled provides the enrichment that triggers early warnings and proactive action to prevent breaches.”


SC Magazine’s Dr. Peter Stephenson analyzes the best threat hunting platforms in cyber security. Read the full blog here

Capture The PCAP challenge

in Events, PacketSled by Fred Wilmot
Congratulations Seminole Gaming on winning the PCAP Challenge at Black Hat USA 2017! Seminole Gaming won $500 and a free PacketSled license for their team.
Do you have traffic with protocols you don’t think anyone can analyze? Does your environment have industry-specific or standard protocols that Wireshark can’t decode?
Take the PCAP challenge! Due to popular demand, PacketSled is opening up the PCAP challenge to everyone! We want to encourage research and education for all the things we need to protect and support in the IT and OT universe.
Submit your hairy, scary PCAP and get free analysis of your PCAP, and a 1:1 session with one of our ensemble detection experts to review the results.*
Submit your PCAP, if you’re attending BroCon’17 be sure to stop by our booth!
As security practitioners, we know it’s all about people like us. We want to give you the unfair advantage by weaponizing your Incident Response capability and amplifying your security expertise.

Hunting for DoublePulsar in your networks

in Incident Response, Network Visibility, Security Research, Threat Detection by Mike Spohn
The recent release of the Equation Group’s (NSA) FuzzBunch software by the Shadow Brokers has caused quite a stir in the security community. The sheer volume of files released (6,547 in one of the dumps alone) makes it an extraordinary collection of malicious software, including many zero-day exploits.

One of the binaries that caught my interest was DoublePulsar. This is the main tool used by the Equation Group to compromise Windows hosts using an SMB and RDP zero-day exploit.

Although the attack surface is complicated, my fellow researchers at did a highly competent job of describing it. To me, the most interesting step in the attack is the patching of the function dispatch table of the device driver Srv.sys in memory. Slot 0x20 (14) in this table originally pointed to the SrvTransactionNotImplemented() dispatch function. It is hijacked by the malware.

Why is this interesting? Because even though the implementation of this attack is quite brilliant, it is trivial to identify this attack in your network.

I refer you to page 426 of Microsoft’s Common Internet File System (CIFS) Protocol document, TRANS2_SESSION_SETUP (0x000E):
“This Transaction2 subcommand was introduced in the NT LAN Manager dialect. This subcommand is reserved but not implemented. Clients SHOULD NOT send requests using this command code. Servers receiving requests with this command code SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc).”
The CIFS/SMB TRANS2_SESSION_SETUP subcommand was never implemented by Microsoft. The standard states that any call to the command by a Windows client should receive a STATUS_NOT_IMPLEMENTED reply. Once DoublePulsar redirects the Srv.sys SrvTransactionNotImplemented[] function pointer to its own code injected in memory, any SMB call to a NOT_IMPLEMENTED SMB subcommand ends up calling the DoublePulsar code instead.

Knowing this, is it possible to identify DoublePulsar in your network by simply looking for SMB requests for NOT_IMPLEMENTED subcommands, or, even simpler, for any SMB STATUS_NOT_IMPLEMENTED response? Yes.

To illustrate this, look at the Wireshark screenshot below, which shows an SMB call to the TRANS2_SESSION_SETUP (0x000E) subcommand.

Figure-1: TRANS2_SESSION_SETUP (0x0E) Request
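The detection the post describes, written up as an added example (not PacketSled code): a small SMB1 parser that flags a Transaction2 request whose subcommand is the reserved TRANS2_SESSION_SETUP (0x000E), and any reply carrying STATUS_NOT_IMPLEMENTED (0xC0000002). Field offsets follow the CIFS Transaction2 request layout; the input is one SMB1 message with the 4-byte NetBIOS session header already stripped, and the sample messages are constructed.

```python
"""Spot the DoublePulsar tell on the wire: SMB1 Transaction2 requests for the
reserved TRANS2_SESSION_SETUP subcommand, and STATUS_NOT_IMPLEMENTED replies.

Added example, not PacketSled code. Sample messages below are constructed."""
import struct
from typing import List, Optional

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E        # reserved, never implemented by Windows
STATUS_NOT_IMPLEMENTED = 0xC0000002  # NT status a server should return for it
SMB_FLAGS_REPLY = 0x80               # Flags bit set on every response
HDR = 32                             # SMB1 header length
SETUP_COUNT_OFF = HDR + 1 + 26       # WordCount byte + 13 fixed words precede SetupCount
SETUP0_OFF = HDR + 1 + 28            # Setup[0] holds the Trans2 subcommand


def parse_smb1(msg: bytes) -> Optional[dict]:
    """Return command, NT status, reply flag and (for Trans2 requests) the subcommand."""
    if len(msg) <= HDR or msg[:4] != SMB_MAGIC:
        return None
    command = msg[4]
    status = struct.unpack_from("<I", msg, 5)[0]
    is_reply = bool(msg[9] & SMB_FLAGS_REPLY)
    subcommand = None
    if command == SMB_COM_TRANSACTION2 and not is_reply:
        word_count = msg[HDR]
        # A Trans2 request carries 14 fixed parameter words plus SetupCount setup words.
        if word_count >= 15 and len(msg) > SETUP0_OFF + 1 and msg[SETUP_COUNT_OFF] >= 1:
            subcommand = struct.unpack_from("<H", msg, SETUP0_OFF)[0]
    return {"command": command, "status": status, "is_reply": is_reply, "subcommand": subcommand}


def classify(msg: bytes) -> Optional[str]:
    """Label a message that matches either DoublePulsar indicator, else None."""
    info = parse_smb1(msg)
    if info is None:
        return None
    if info["subcommand"] == TRANS2_SESSION_SETUP:
        return "trans2-session-setup-request"
    if info["is_reply"] and info["status"] == STATUS_NOT_IMPLEMENTED:
        return "status-not-implemented-reply"
    return None


def hunt(messages: List[bytes]) -> List[str]:
    """Run classify() over a capture and keep only the hits."""
    return [label for label in (classify(m) for m in messages) if label]


def _header(command: int, status: int, flags: int) -> bytes:
    # Magic, Command, NT Status, Flags, Flags2, PIDHigh/SecurityFeatures/Reserved, TID/PID/UID/MID
    return (SMB_MAGIC + bytes([command]) + struct.pack("<I", status) + bytes([flags])
            + struct.pack("<H", 0xC007) + b"\x00" * 12 + struct.pack("<HHHH", 0, 0, 0, 0))


def build_trans2_request(subcommand: int) -> bytes:
    """Constructed Transaction2 request with a single setup word (the subcommand)."""
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        12, 0, 1, 0,      # Total/Max Parameter and Data counts
                        0, 0, 0, 0, 0,    # MaxSetupCount, Reserved1, Flags, Timeout, Reserved2
                        12, 66, 0, 0,     # ParameterCount/Offset, DataCount/Offset
                        1, 0, subcommand)  # SetupCount, Reserved3, Setup[0]
    return _header(SMB_COM_TRANSACTION2, 0, 0x18) + bytes([15]) + words + struct.pack("<H", 12) + b"\x00" * 12


def build_reply(command: int, status: int) -> bytes:
    """Constructed response with no parameter words and no data."""
    return _header(command, status, 0x18 | SMB_FLAGS_REPLY) + b"\x00" + struct.pack("<H", 0)


if __name__ == "__main__":
    capture = [build_trans2_request(0x0001), build_trans2_request(TRANS2_SESSION_SETUP),
               build_reply(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED)]
    print(hunt(capture))
```

A compliant client never sends 0x000E, so the request alone is worth an alert; the reply check additionally catches calls to the other reserved subcommands the post mentions.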


Analyzing a Spear Phishing Email

in Incident Response by Mike Spohn
About every week or so I receive one of those obvious Phishing Emails telling me a package was not deliverable or some such foolishness. After being very careful not to click on the attachment, I typically permanently delete these Emails. When I got another one of these Emails a few days ago, my curiosity got the best of me, so I decided to figure out how the cyber-punks build these social engineering attacks, and how they work.

I documented my analysis in a Research Paper, “Analyzing a Spear Phishing Email.” You can download the report here.
The findings of my research are summarized below:

1. The appearance of the Phishing Email is very primitive, alleging the postal service could not deliver a package. The From address (k(at) karastel,ru) was completely unrelated to the signature line (Eugene Lee).

2. The weaponized payload was a JavaScript file that has “.doc.” in its name, embedded in two zip files. This means the recipient has to open two zip files and click on the JavaScript file for the bad guys to win.

3. The JavaScript file uses Microsoft’s ActiveX framework to create an Object that connects to the Internet and downloads a malicious JavaScript dropper file. This script is run using an Eval() statement. The dropper in turn connects to the Internet and downloads a malicious Windows PE file.

4. The miscreants compromise legitimate web sites to host the malicious binaries. The scripts contain multiple download URLs to protect against detection of compromised servers.

5. The Malicious PE file is a Cerber Ransomware binary that encrypts files in the logged on user’s Documents folder, and any attached USB devices.

6. There is a sophisticated web site on the DarkNet that instructs a victim how to obtain BitCoins and pay the ransom.

7. The cyber-punks who send out these Emails bank on economies of scale. If they send out 1 million weaponized Emails and get a 5% hit rate, that is 50,000 victims.

8. The ransomware problem is not going away anytime soon. In fact, evidence suggests the cyber-criminals are getting more aggressive in their tactics. Not only are they encrypting files, they are also wiping out the master boot record (MBR) on compromised systems, preventing them from booting.

We are continually adding enhancements to the PacketSled Platform to identify advanced ransomware compromise techniques.

Packetsled UDP and TCP fallback analyzers

in Incident Response by Leo Linsky
There are hundreds of protocols that we need to see in detail to have a clear picture of our customers’ networks, and we have developed a suite of proprietary analyzers to address these. There are hundreds — or even thousands — more relevant protocols and services which we need to identify, but which are not significant enough on their own to warrant their own custom protocol analyzers. Added together, however, these protocols become major obstacles to network visibility and security.

Interestingly enough, this problem is not unique to networking — it’s a statistical phenomenon with numerous socioeconomic implications. For example, the disease advocacy group Global Genes has estimated that more than 300 million people worldwide are living with one of the 7,000 diseases they define as rare in the United States. That’s almost 5% of the world population living with a “rare” disease. And yet, treatment for each is wildly different, so it’s less productive and less lucrative to investigate each of these rare diseases.

Unfortunately, there isn’t a universal ‘rare disease treatment,’ but at Packetsled, we *have* developed a ‘universal treatment’ for unidentified UDP/TCP protocols and services. For flows in which we haven’t associated a high level of metadata, we capture key excerpts from the exchange to allow for analysis by Bro scripts or our platform, which, if interesting, can be used to pull the rest of the flow from our network data recorder.

The entries we find are frequently plaintext, or provide protocol preambles that make their nature obvious, such as the potential WinRM vulnerabilities discussed here:

Here’s an example of a UDP log showing a JSON protocol header (note that excerpt sizes are variable, and we could capture the entire JSON object here):
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       excerpt excerpt_size    payload_size
#types  time    string  addr    port    addr    port    string  count   count
1486600189.506264       589bb7fd0000000000000003    17500 17500   {"host_int": 59724991715298692108921997512624305849, "version":         64      365
This is especially useful for IoT protocols, many of which we have fleshed out into more detailed, dedicated analyzers and many of which are used in healthcare. Recent announcements from leading healthcare device manufacturers indicate that IoT is now being used with fetal monitors, electrocardiograms, glucose monitors, and tracking vital health information. We’ve even heard of pressure sensors being used to determine the ratio of empty hospital beds during disasters, such as floods and fires.

However, the thing to remember is IoT is still in a sort of infancy. Some established standards have been developed, but are not widely adopted. This includes communication protocols and methods of properly handling sensitive data. As personally identifiable data could be transferred using protocols such as HL7, it is highly recommended that a close eye be kept on these valuable data streams.

An example is shown below:
OBR|1|341856649^HNAM_ORDERID|000002006326002362|648088^Basic Metabolic Panel|||20061122151600|||||||||1620^Hooker^Robert^L||||||20061122154733|||F|||||||||||20061122140000|
OBX|1|NM|GLU^Glucose Lvl|59|mg/dL|65-99^65^99|L|||F|||20061122154733|
As IoT breaks away from traditional data networks, and ways of engaging patients, organizations will find value in how PacketSled dissects these streams of data. This will aid in understanding the risk the organization is accepting with the adoption and implementation of IoT initiatives.
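Triage of fallback excerpts like the UDP log and the HL7 segments above, as an added example that is not PacketSled’s analyzer code. It parses the #fields/#types tab-separated log format, un-escapes the \xNN byte escapes Bro writes inside string columns, labels each excerpt by its preamble (JSON, HL7, plaintext, binary) and, for HL7, lists the OBR-4 service and OBX-3 observation identifiers so an analyst can see which flows carry clinical data. The log rows are constructed: the IP addresses, the second and third rows’ uids and sizes are placeholders, not values from the original log.

```python
"""Label Bro-style UDP/TCP fallback excerpts by what their preamble reveals.

Added example, not PacketSled code. Sample log rows are constructed."""
import re
from typing import Dict, List

HL7_SEGMENTS = {"MSH", "EVN", "PID", "PV1", "ORC", "OBR", "OBX"}
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(value: str) -> str:
    """Bro writes non-printable bytes in string columns as \\xNN; restore them."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the names in the #fields header."""
    fields: List[str] = []
    rows = []
    for line in text.split("\n"):
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")   # embedded tabs are escaped, so this split is safe
            if len(values) != len(fields):
                continue                # malformed row: skip rather than shift columns
            rows.append(dict(zip(fields, values)))
    return rows


def classify_excerpt(excerpt: str) -> str:
    """Coarse label from the first bytes of the excerpt."""
    s = excerpt.lstrip()
    if not s:
        return "empty"
    if s.startswith(("{", "[")):
        return "json"
    if s[:3] in HL7_SEGMENTS and s[3:4] == "|":
        return "hl7"
    if all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s):
        return "plaintext"
    return "binary"


def _text(component: str) -> str:
    parts = component.split("^")        # HL7 coded element: id^text^coding system
    return parts[1] if len(parts) > 1 else parts[0]


def hl7_identifiers(excerpt: str) -> List[str]:
    """OBR-4 (ordered service) and OBX-3 (observation) identifiers, text part only."""
    found = []
    for seg in excerpt.replace("\n", "\r").split("\r"):
        f = seg.split("|")
        if f[0] == "OBR" and len(f) > 4:
            found.append("OBR:" + _text(f[4]))
        elif f[0] == "OBX" and len(f) > 3:
            found.append("OBX:" + _text(f[3]))
    return found


def triage(log_text: str) -> List[Dict[str, object]]:
    """Attach a label (and HL7 identifiers where relevant) to every excerpt row."""
    out: List[Dict[str, object]] = []
    for row in parse_bro_log(log_text):
        excerpt = unescape(row["excerpt"])
        kind = classify_excerpt(excerpt)
        entry: Dict[str, object] = {"uid": row["uid"], "resp_p": row["id.resp_p"], "kind": kind,
                                    "truncated": row["excerpt_size"] != row["payload_size"]}
        if kind == "hl7":
            entry["identifiers"] = hl7_identifiers(excerpt)
        out.append(entry)
    return out


# Constructed sample log (placeholder addresses); row 2 carries the HL7 segments from the post.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\texcerpt\texcerpt_size\tpayload_size",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tcount\tcount",
    "1486600189.506264\t589bb7fd0000000000000003\t10.0.0.5\t17500\t10.0.0.255\t17500\t"
    '{"host_int": 59724991715298692108921997512624305849, "version":\t64\t365',
    "1486600200.000000\tCplaceholder01\t10.0.1.7\t50001\t10.0.1.9\t2575\t"
    "OBR|1|341856649^HNAM_ORDERID|000002006326002362|648088^Basic Metabolic Panel|||20061122151600|"
    "\\x0dOBX|1|NM|GLU^Glucose Lvl|59|mg/dL|65-99^65^99|L|||F|||20061122154733|\t180\t180",
    "1486600201.000000\tCplaceholder02\t10.0.2.3\t40000\t10.0.2.4\t9000\t\\x00\\x01\\xfe\\xff\t4\t4",
])

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```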

IoT, like Cloud, is extremely disruptive and often noisy and misunderstood. This makes it even tougher to be a Security Professional and unfortunately, executives and board members generally care very little about that. We do.

With the PacketSled platform, it is our goal to perform the following:
  • Reduce the efforts associated with non-contextual, traditional logs by applying Machine Learning and well-researched attack models.
  • Detect multi-staged attacks within ordinary-looking data flows, regardless of protocol type. As most advanced attackers aren’t using 0-days, you need modeling and adaptive baselines that can spot attacks in YOUR network. “One Size Fits All” doesn’t really fit anyone, any longer.
  • Enable you to perform Incident Response at scale. Finding the piece of hay in the haystack is a tough grind and we’re here to help, with event correlation and applied threat data.
It’s time for us to break out of the same problematically applied daily grind, where you are attacked, then respond, then mop up the disaster, then you start all over again.

It’s time to talk to PacketSled.

Co-written by Leo Linsky and Patrick Kelley

Lowering The Poverty Line Of Incident Response

in Incident Response, Security Research by Patrick Kelley

Over the years I’ve been part of monumental projects using several forms of technology, including SIEMs, in attempts to offset the talent gaps that plague the Information Security industry and shorten the “dwell” timeframe of attacks.  Taking a moment to define the anticipated goals and define the problem space, I find it necessary to state that properly launching a SIEM and similar technologies isn’t trivial and gaining a meaningful return on the investment is a significant challenge. Personally, I determine that return on investment to be a reduction in MTTD (Mean Time To Detection) and MTTR (Mean Time To Remediate).

The ultimate goal is revealing actionable intelligence that takes into consideration the true risk posed to the business and weights the alerts in that light.  This task cannot be achieved by leveraging and applying “threat intelligence” feeds as the primary form of correlation. Instead, it requires developing context around the core assets, networks, and layers of security controls that comprise the network.

In and of itself, this isn’t an easy problem to solve, as businesses and their networks develop organically, as opposed to the more traditional networks created in the past. This matters because demand for urgent business needs drives the need for additional computing resources, leaving security as an afterthought. This makes building contextual solutions around security problems a near impossible feat for most organizations.

Coincidentally, this is where SIEM implementations often fail. The concept of the SIEM is sound, but most implementations make decisions based on single, atomic events that are universally weighted.  This could be the match of an IP address or similar. This fails as security incidents are not singular, but more often contextual and long-playing.  Often I’ve been asked, “If we had signatures for Pass-The-Hash attack binaries and we used UAC, why were we breached? We had controls!”. 

Simply stated, this is a significant problem to solve.

The tough truth is that the evolution of our networks and the way organizations communicate accelerates faster than the limited amount of resources the organization has to apply. So, just hire more professionals, right?

Here’s the harsh truth. Developing a proper Security Operations Center takes well over a year on average, and that’s just to nail down the basics.  Once developed, you will need a minimum of 8 well-trained engineers and a Sr. Security Architect to maintain the ability to respond 24/7/365, with ever-evolving breach detections. 

So, what’s the solution?  

In fairness, there isn’t a single one-shot answer for this.  However, I can offer the following advice that can greatly improve the security posture of an organization. 

Maintain a clear understanding that a threat is not just the presence of events, but also the absence of events. A phishing email with a malicious binary is certainly interesting, but so is the failed synchronization of an HA or failure of vMotion Snapshots.

Acknowledging that breaches can remain active for over 100 days, a platform that collects artifacts at the lowest level of ground truth and holds that evidence for hundreds of days is becoming a requirement.

Threat Intelligence feeds are not the glue that binds together a security platform.  They are simply atomic indicators that can be applied to network flows. That’s not to say there’s no value in these sources of data, but a need to correlate those indicators with other sources.  Additionally, more Threat Feeds isn’t the answer.  It is far more valuable to choose the proper feeds for your environment and prevent as much overlap as possible.

Leveraging platforms, such as PacketSled, that apply multiple sources of enrichment to wire-level data, can provide greater confidence in incident relevance and the reduction of false-positives. For example, a Threat Intelligence match for an Apache attack methodology likely doesn’t represent a true threat when leveraged against a Windows environment.

We need to rely less on signatures and lean more on User and Entity-based behavioral analytics. This isn’t an easily applied solution, but one that establishes dynamic baselines on observed behaviors with entities, allowing it to determine anomalies. An anomaly could be a user account conducting database queries after midnight, which may not represent a threat but is an indicator worth additional investigation.

Establish a means of properly prioritizing cases in a meaningful and actionable way. This is a tough problem, but one that will maximize the limited resources an organization has available.

What’s the overall message in this?  Security is hard. It’s less the process of efficiently identifying the probable state of all enterprise platforms and users, but more so with identifying and understanding the applied risk of all possible operational states of systems and people. 


Reach out today and learn what we are doing to help you close the gaps and lower the poverty line in Incident Response.

How your Refrigerator is a Threat and Why you Should Care: Attacks on IoT

in Security Research by Patrick Kelley
Last week, Wikileaks dropped an explosive number of documents related to the CIA’s surveillance and hacking capabilities. Much of this information included strategies related to IoT and household devices, such as the Samsung TV. To be clear, the leak of CIA documents and data didn’t readily include usable source or exploit code for the attacks described, but was more of an internal wiki which provided information about available attacks and strategies used by the agency.

In our research, it appeared that most of the exploits reference full-on remote access vulnerabilities, some of which were already known. Many of the documents outlined planned strategies or half-developed exploits, many of which require physical access to the device or the supply line.

WikiLeaks, in a statement, was vague about its source. “The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” the organization said.  

As the data dump is quite lengthy, let’s start with “Weeping Angel”. This is an attack methodology that was recently published by Wikileaks and outlines how a Samsung TV can be hijacked using vulnerable firmware. This was developed during a joint workshop between MI5 and BTSS (British Secret Service). The recent reports disclose how to make the television appear to be powered off while in reality it is being used to monitor targets; they describe the television as being in “Fake Off” mode. A key thing to note is that when the television is compromised, it provides the attacker with a ported and modified TinyShell to provide shell, command execution, and file transfer capabilities.

This functionality allows the television to be used as a monitoring device, as well as a pivot point for further attacks against devices on the network (persistence).  

The current versions of vulnerable firmware provide the following technical details: 
  • Video capture / Video snapshots
  • Max possible storage usage is 700MB (of 1.6GB).
  • The installation is similar to installing a standard Samsung application.
  • empDownload is the binary that downloads other apps or adverts and is executed by the system.
  • It appears to connect to Dreamhost and supports Telnet and FTP.
  • It has native WPA and iw wireless network capabilities. 
As a longtime security researcher, I tend to believe that these capabilities extend much farther than televisions.

So, you might be asking, “when is he going to tell me about my refrigerator trying to kill me?”. 

Modeling Multistep Attack Scenarios for Detection

in Incident Response by Troy Molsberry
Many incidents that impact an organization’s security involve multiple steps. For example, an alert that a malicious email was transferred over the network is of concern, but there can be many thousands of these per day in a typical environment, and vetting each one out individually is prohibitive. Of more interest to the defender would be information about a malicious email being delivered, followed by a user clicking on a link contained in the email, followed by any downloads initiated by that user from blacklisted servers. In this example, we have an indicator (malicious email) followed by an action (clicked a link), followed by another action (download). In general, a “behavior” or “attack” consists of a sequence of causally related activities. Vetting these complex behaviors out by hand can be tedious at best, and intractable in most cases. You have to manually implement an algorithm known as “forward chaining”. Start with the first step in the sequence, and use attributes from the sensor data to perform a query for the second step using results from the previous query, and continue through the sequence until either a result is found or the trail goes cold. One interesting aspect of the “forward chaining” algorithm is that it explodes in both data and time. Performing this task by hand is more or less impossible, yet we commonly refer to this practice as “incident response”. These “incident responders” rely on a tremendous amount of experience, domain knowledge, and expertise to extract out behaviors that could potentially be security incidents. At Packetsled, we chose to capture that knowledge in a repeatable way.

Capturing knowledge from domain experts into models is a broad research topic, but I think we would all agree that at some point you will need a designer, e.g., a method for users to build models of attacks, so let’s start there. We chose a graphical notation for our models. Domain experts can visually model the causal relationships between queries, and those queries can contain forward- and backward-chaining references, e.g., those queries can depend on the results of previous or future queries. This is the magic.

Let’s create an example model for the example of a user clicking a malicious email link followed by an infection.
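The forward-chaining walk described above, as an added example that is not PacketSled’s model designer or engine. A model is an ordered list of steps; each step has a predicate on one event and a link to the previous hit (the causal attribute: same user, the clicked URL came from the email), and the chaser fans out from every first-step match until either a full chain is found or the trail goes cold. The event records, the `ts`/`uid`/`type` field names and the blacklisted address are constructed.

```python
"""Forward chaining: malicious email -> user clicks its link -> download from a blacklisted server.

Added example, not PacketSled code. Events and the blacklist are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Step:
    name: str
    match: Callable[[Event], bool]                               # predicate on one event
    link: Optional[Callable[[Event, Event], bool]] = None        # (previous hit, candidate) -> causally related?
    within: float = 3600.0                                       # max seconds after the previous hit


@dataclass
class Model:
    name: str
    steps: List[Step] = field(default_factory=list)


def forward_chain(model: Model, events: List[Event]) -> List[List[Event]]:
    """Return every event sequence that satisfies all of the model's steps in order."""
    events = sorted(events, key=lambda e: e["ts"])
    chains: List[List[Event]] = [[e] for e in events if model.steps[0].match(e)]
    for step in model.steps[1:]:
        extended: List[List[Event]] = []
        for chain in chains:
            prev = chain[-1]
            for ev in events:
                # Only later events inside the step's window can be caused by the previous hit.
                if ev["ts"] <= prev["ts"] or ev["ts"] - prev["ts"] > step.within:
                    continue
                if step.link is not None and not step.link(prev, ev):
                    continue
                if step.match(ev):
                    extended.append(chain + [ev])
        chains = extended   # every step can fan out; this is where data and time explode
        if not chains:
            break           # trail went cold
    return chains


def chain_uids(chains: List[List[Event]]) -> List[List[str]]:
    """Compact view of the result: the uid of each event in each chain."""
    return [[str(e["uid"]) for e in chain] for chain in chains]


BLACKLIST = {"203.0.113.10"}  # constructed (TEST-NET-3 address)

MALICIOUS_EMAIL_MODEL = Model("malicious email -> click -> download", [
    Step("malicious email delivered",
         lambda e: e["type"] == "smtp" and e.get("verdict") == "malicious"),
    Step("recipient clicked a link from that email",
         lambda e: e["type"] == "http",
         link=lambda mail, h: h.get("user") == mail.get("recipient") and h.get("url") in mail.get("urls", []),
         within=86400),
    Step("same user fetched an executable from a blacklisted server",
         lambda e: e["type"] == "http" and e.get("resp_h") in BLACKLIST and e.get("mime") == "application/x-dosexec",
         link=lambda click, dl: dl.get("user") == click.get("user"),
         within=600),
])

# Constructed sensor events: alice completes the chain, bob downloads without ever clicking.
EVENTS: List[Event] = [
    {"ts": 100, "type": "smtp", "uid": "M1", "recipient": "alice", "verdict": "malicious", "urls": ["http://bad.example/inv"]},
    {"ts": 100, "type": "smtp", "uid": "M2", "recipient": "bob", "verdict": "malicious", "urls": ["http://bad.example/inv2"]},
    {"ts": 400, "type": "http", "uid": "H1", "user": "alice", "url": "http://bad.example/inv", "resp_h": "198.51.100.7", "mime": "text/html"},
    {"ts": 460, "type": "http", "uid": "H2", "user": "alice", "url": "http://203.0.113.10/x.exe", "resp_h": "203.0.113.10", "mime": "application/x-dosexec"},
    {"ts": 500, "type": "http", "uid": "H3", "user": "bob", "url": "http://203.0.113.10/x.exe", "resp_h": "203.0.113.10", "mime": "application/x-dosexec"},
]

if __name__ == "__main__":
    print(chain_uids(forward_chain(MALICIOUS_EMAIL_MODEL, EVENTS)))
```

Bob’s download on its own is the kind of single atomic event that floods a queue; the model only reports Alice, whose email, click and download are causally linked.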


© 2018 PacketSled, Inc.