Blackwire Labs is pioneering the future of cybersecurity through our innovative SaaS platform. is more than a solution; it’s a proactive, intelligent ally in the relentless battle against cyber threats.

Powering Cybersecurity Excellence

At the heart of Blackwire Labs’ innovative solutions is its cybersecurity GAI application, which delivers expert-inspected responses and risk-based decision support. Continuously trained by security practitioners, it uses curated data to offer tailored, trusted recommendations. As a force multiplier, it automates tasks, reducing costs and enhancing operational efficiency for cybersecurity teams.

Why Choose

  • Proactive Defense: Stay ahead of evolving threats with AI models that continuously adapt and learn from the latest cybersecurity trends.
  • Tailored Precision: Benefit from specialized AI models that are crafted to address the unique challenges of your industry and organizational environment.
  • Comprehensive Protection: Our platform covers a spectrum of threats, offering a holistic solution for your cybersecurity needs.
  • Scalable and Efficient: is designed to scale with your organization, providing efficient and effective cybersecurity capabilities as your business grows.
Be An Early Contributor

Find out how we help companies in various industries.

User Request

Hi Blackwire, I am a security engineer working at a midsize managed security services firm; we support multiple small businesses and store their log data in a single SPLUNK cloud instance. One specific client has experienced a compromise of a server with the IP, I need to create a query in SPL to return any communications to or from that IP which were not on port 80 or port 443. Please have this return in a table with CUSTOMERNAME as a title. Please provide the query I need to run in SPLUNK.

Solution
Executive Summary

To identify the communications for the compromised server with the IP excluding ports 80 and 443, you can run the following SPL query in Splunk:

index=your_index_name "" NOT (dest_port=80 OR dest_port=443 OR src_port=80 OR src_port=443)
| table _time, src_ip, dest_ip, src_port, dest_port, protocol
| rename src_ip as "Source IP", dest_ip as "Destination IP", src_port as "Source Port", dest_port as "Destination Port", protocol as "Protocol"
| eval CUSTOMERNAME="NameOfTheCustomer"
| fields CUSTOMERNAME, _time, "Source IP", "Destination IP", "Source Port", "Destination Port", "Protocol"

Replace `your_index_name` with the name of the index where your logs are stored. This query searches for all events with the IP address “” as either the source or destination, excluding those where the source or destination ports are 80 or 443. The results are displayed in a table format with the CUSTOMERNAME field added for clarity.

Ensure that your Splunk environment has the necessary fields extracted for `src_ip`, `dest_ip`, `src_port`, `dest_port`, and `protocol`. If these fields are named differently in your data, adjust the query accordingly.

In your role as a security engineer, what are the specific challenges you anticipate in creating the query to return communications to or from the compromised server’s IP on ports other than 80 or 443, and how do you plan to address them? Understanding these challenges will help tailor the query to your specific needs and operational environment.
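The SPL pipeline above, reproduced in Python over constructed events as an added example (not code from the page or the product), so the include/exclude rules can be checked offline before the query runs on real data. The page elides the compromised IP; 203.0.113.10 is a TEST-NET-3 placeholder, and the sample events are constructed. It also shows one edge case the query inherits: an event with no port field at all is kept, not excluded.

```python
# Added example (not from the Blackwire page or product): the SPL filter's logic in
# Python. 203.0.113.10 is a placeholder for the IP the page elides; events are constructed.
WEB_PORTS = {80, 443}

# Constructed sample events shaped like Splunk's extracted network fields.
EVENTS = [
    {"_time": "2024-01-01T10:00:00Z", "src_ip": "203.0.113.10", "dest_ip": "198.51.100.7",
     "src_port": 51234, "dest_port": 443, "protocol": "tcp"},   # HTTPS out: excluded
    {"_time": "2024-01-01T10:01:00Z", "src_ip": "203.0.113.10", "dest_ip": "198.51.100.9",
     "src_port": 51235, "dest_port": 4444, "protocol": "tcp"},  # non-web out: kept
    {"_time": "2024-01-01T10:02:00Z", "src_ip": "192.0.2.5", "dest_ip": "203.0.113.10",
     "src_port": 40000, "dest_port": 22, "protocol": "tcp"},    # SSH in: kept
    {"_time": "2024-01-01T10:03:00Z", "src_ip": "192.0.2.6", "dest_ip": "203.0.113.10",
     "src_port": 80, "dest_port": 40001, "protocol": "tcp"},    # src_port 80: excluded
    {"_time": "2024-01-01T10:04:00Z", "src_ip": "192.0.2.7", "dest_ip": "203.0.113.10",
     "src_port": 5353, "protocol": "udp"},                      # no dest_port: kept, as in SPL
    {"_time": "2024-01-01T10:05:00Z", "src_ip": "192.0.2.7", "dest_ip": "192.0.2.8",
     "src_port": 1234, "dest_port": 53, "protocol": "udp"},     # other hosts: not matched
]

def involves_ip(ev, ip):
    """Match the IP as source or destination (the SPL bare-term search also matches _raw)."""
    return ip in (ev.get("src_ip"), ev.get("dest_ip"))

def on_web_port(ev):
    """True if either side's port is 80/443; a missing field compares False, as in SPL."""
    return ev.get("src_port") in WEB_PORTS or ev.get("dest_port") in WEB_PORTS

def non_web_comms(events, ip, customer):
    """Mirror of `search ... | table | rename | eval CUSTOMERNAME | fields`."""
    rows = []
    for ev in events:
        if involves_ip(ev, ip) and not on_web_port(ev):
            rows.append({
                "CUSTOMERNAME": customer,
                "_time": ev["_time"],
                "Source IP": ev.get("src_ip"),
                "Destination IP": ev.get("dest_ip"),
                "Source Port": ev.get("src_port"),
                "Destination Port": ev.get("dest_port"),
                "Protocol": ev.get("protocol"),
            })
    return rows

if __name__ == "__main__":
    for row in non_web_comms(EVENTS, "203.0.113.10", "NameOfTheCustomer"):
        print(row)
```

Rows whose Destination Port is empty are events the SPL would also return; check whether the port field simply failed to extract before treating them as non-web traffic.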

User Request

I’m an incident responder working at a community bank. We just experienced a ransomware attack attributed to the threat group Scattered Spider.

Please provide me with any intelligence on this threat group, signatures I can deploy to investigate this threat and any remediation recommendations.

Please deliver in a format which can be easily displayed on a website or report.

Solution
Executive Summary

  • Scattered Spider is a sophisticated threat group engaging in ransomware attacks and data extortion, known for targeting the commercial facilities sectors and subsectors 9.
  • The group uses a variety of social engineering techniques to infiltrate networks, including impersonation of IT staff and exploitation of vulnerabilities in systems like ForgeRock OpenAM 1 10.

Threat Actor Profile: Scattered Spider

  • Initial Access & Credential Theft: Utilizes phishing, smishing, and voice phishing to gain network access 3 6 10.
  • Persistence & Privilege Escalation: Establishes persistence by registering their own MFA tokens and adding federated identity providers for SSO environments 1 4.
  • Discovery & Lateral Movement: Conducts extensive reconnaissance to identify valuable assets and uses cloud instances for lateral movement 5 7.
  • Data Exfiltration & Encryption: Exfiltrates sensitive data to multiple locations, including cloud storage, and has recently started encrypting victim files post-exfiltration 8 10.

Indicators of Compromise (IOCs)

  • Tools Used: Lists of legitimate tools repurposed for malicious activities, such as, Mimikatz, and Ngrok 2 5.
  • TTPs: Detailed tactics, techniques, and procedures employed by Scattered Spider, aligned with the MITRE ATT&CK framework 3 4 5.

Mitigation Strategies

  • Application Controls: Implement application controls to manage software execution and prevent unauthorized software installation 1.
  • Secure by Design: Adopt secure-by-design principles in software development to mitigate ransomware techniques 1.
  • For reporting suspicious activity or seeking assistance, contact local FBI field offices or CISA’s 24/7 Operations Center 9.
  • Vigilance and proactive measures are paramount. Organizations must stay informed of the evolving TTPs of Scattered Spider and update their defenses accordingly.

This format provides a comprehensive overview, focusing on actionable intelligence and strategic mitigation. It’s designed to inform and guide stakeholders in enhancing their cybersecurity posture against this specific threat actor.

Would this structure meet the needs of your stakeholders for clarity and actionability? Additionally, are there any specific formatting or content guidelines you require for this documentation?

CCOE Certified Sources

Scattered Spider threat actors have been observed encrypting VMware ESXi servers. Scattered Spider threat actors exfiltrate data (Exfiltration Over Web Service: T1567.002, Exfiltration to Cloud Storage) to multiple sites including U.S.-based data centers and…

Scattered Spider IOCs – OccamSec (Feb 06, 2023): IOCs to detect this threat actor. SCATTERED SPIDER is a threat actor group known for financially motivated attacks targeting mobile carrier networks/telecommunications industry, BPO…

Table excerpt (ATT&CK technique, detection data source, indicator type): Man-in-the-Middle [T1557] – network traffic monitoring, Firewall, Web Proxy, DNS; Application Layer Protocol [T1071] – C2 network traffic, cloud C2 domains, IP addresses; Protocol Tunneling [T1572] – activity logs, IDS/IPS; Exfiltration Over C2 Channel – Firewall, Web Proxy, DNS, domains, …
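A detection for the persistence TTP listed in the profile above (self-registered MFA methods and newly added federated identity providers), written as an added example that is not Blackwire’s code and not any vendor’s rule. The audit log is constructed and vendor-neutral: the action names, field layout and corporate address ranges are assumptions, so map them to your identity provider’s real audit schema before use.

```python
# Added example (not from the Blackwire page or any vendor): flag the two persistence
# actions the Scattered Spider profile describes. Action names, fields and address
# ranges are assumptions; the audit events below are constructed.
from ipaddress import ip_address, ip_network

# Assumption: the organisation's own egress/VPN ranges (constructed values).
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed identity audit events.
AUDIT = [
    {"ts": "2024-03-01T09:07:00Z", "user": "j.doe", "actor": "j.doe",
     "action": "mfa_method_added", "ip": "198.51.100.23", "detail": "authenticator app"},
    {"ts": "2024-03-01T09:30:00Z", "user": "a.lee", "actor": "a.lee",
     "action": "mfa_method_added", "ip": "10.0.0.31", "detail": "fido2 key"},
    {"ts": "2024-03-01T11:30:00Z", "user": "-", "actor": "admin.k",
     "action": "federated_idp_added", "ip": "10.0.0.9", "detail": "sso.example-unknown.test"},
    {"ts": "2024-03-01T12:00:00Z", "user": "a.lee", "actor": "a.lee",
     "action": "login_success", "ip": "10.0.0.31", "detail": ""},
]

def is_corporate(ip):
    """True when the source address falls inside one of the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def persistence_alerts(events, known_idps=frozenset()):
    """Return (severity, principal, reason) tuples for the two persistence TTPs.

    - an MFA method registered from outside corporate space is rated high;
    - any federated IdP not on the allow-list is rated critical, because a new IdP
      can issue SSO assertions for the whole tenant.
    """
    alerts = []
    for ev in events:
        if ev["action"] == "mfa_method_added" and not is_corporate(ev["ip"]):
            alerts.append(("high", ev["user"],
                           f"MFA method ({ev['detail']}) registered from non-corporate IP {ev['ip']}"))
        elif ev["action"] == "federated_idp_added" and ev["detail"] not in known_idps:
            alerts.append(("critical", ev["actor"],
                           f"federated identity provider added: {ev['detail']}"))
    return alerts

if __name__ == "__main__":
    for severity, principal, reason in persistence_alerts(AUDIT):
        print(severity, principal, reason)
```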

User Request

Hi Blackwire, I am the CIO of a small defense contractor who is required to comply with the CMMC (Cybersecurity Maturity Model Certification) 2.0 standards, and I need to understand which levels I will be required to meet and what the compliance timeline looks like for my company. We sell a SAAS application to non-defense government agencies which does not store PII.

Please format the response with references and in an action item format so my teams can start to prioritize efforts.

Solution
Executive Summary

Understanding the requirements of the Cybersecurity Maturity Model Certification (CMMC) 2.0 and aligning your company’s cybersecurity practices accordingly is a critical step towards ensuring the protection of sensitive information and maintaining eligibility for Department of Defense (DoD) contracts.

As a small defense contractor selling a SAAS application to non-defense government agencies without storing PII, you will likely fall under CMMC Level 1, which requires basic safeguarding of Federal Contract Information (FCI) 1 7.

Here’s an action item format to guide your compliance efforts:

  1. Assess Current Cybersecurity Posture: Review your existing cybersecurity measures against the CMMC Level 1 requirements, which are based on the National Institute of Standards and Technology (NIST) SP 800-171 Rev 2 1 5.
  2. Identify Gaps and Prioritize Remediation: Determine where your cybersecurity practices may fall short of CMMC Level 1 standards. Prioritize actions to remediate these gaps, potentially using a Plan of Action and Milestones (POA&M) 6.
  3. Implement Required Controls: Ensure that basic cybersecurity controls are in place as per NIST guidelines, which include but are not limited to access control, identification and authentication, and information protection 1.
  4. Prepare for Self-Assessment: As CMMC 2.0 allows for self-assessment at Level 1, prepare your internal team or hire a consultant to conduct a thorough self-assessment 1 6.
  5. Document Compliance: Maintain comprehensive documentation of your cybersecurity practices and self-assessment results to demonstrate compliance with CMMC Level 1 1 6.
  6. Monitor Compliance Timeline: Stay informed on the phased implementation timeline of CMMC 2.0, which will introduce requirements over a three-year period, and monitor for any updates that may affect your company 1 2.
  7. Engage with CMMC Resources: Utilize resources provided by the DoD, such as training and guidance on achieving CMMC compliance, to support your efforts 10.
  8. Submit Affirmations: When required, submit affirmations of compliance in the Supplier Performance Risk System (SPRS) as part of the contract award process 10.
  9. Stay Informed on Evolving Requirements: Keep abreast of changes to NIST SP 800-171 Rev 2 and NIST SP 800-172, as CMMC requirements will evolve alongside these standards 3 8.
  10. Plan for Future Assessments: Although Level 1 currently allows for self-assessment, be prepared for the possibility of third-party assessments in the future, as the CMMC framework may adapt and introduce new requirements or assessment procedures 3 8.

It’s imperative to integrate these action items into your company’s strategic planning to ensure a smooth transition to CMMC compliance. Your proactive approach will not only safeguard your eligibility for DoD contracts but also enhance your overall cybersecurity posture.

Reflecting on the specific nature of your SAAS application and its clientele, what are the specific challenges you anticipate in aligning your company’s cybersecurity practices with the CMMC 2.0 standards? Addressing these challenges early will be key to a successful compliance journey.

CCOE Certified Sources

DoD: 2023 – Cybersecurity Maturity Model Certification

… the loss of intellectual property and … assets, and thwart access to sensitive or unclassified information by the nation’s adversaries. … In accordance with the implementation plan described in 32 CFR 170.3(e), CMMC compliance certification requirements will apply to solicitations and contracts when … a contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system(s)…

User Request

Hi Blackwire, I am a CIO at a small company developing an application that will help support doctors in working with their patients’ health data. I’m unfamiliar with the specific requirements for HIPAA surrounding access to and storage of client data. I need to create a formal policy which will pass an audit and for which my company can align our processes and technology. Please create a policy formatted for this purpose with references to relevant HIPAA controls that the policy meets to ensure our firm and client data is secure.

Solution

MYCOMPANYNAME Client ePHI Data Handling Policy

1. Purpose

This policy is dedicated to ensuring the secure handling of electronic protected health information (ePHI) entrusted to MYCOMPANYNAME by our clients. In adherence to the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, this policy is designed to safeguard ePHI against unauthorized access, disclosure, alteration, and destruction 1.

2. Scope

This policy pertains to all MYCOMPANYNAME employees, contractors, and any other workforce members who may come into contact with or manage ePHI on behalf of our clients.

3. ePHI Data Access

Access to ePHI shall be strictly controlled. Only authorized personnel, whose job roles require it, will be granted access to ePHI. Such access will be granted on the least privilege basis and will be monitored and audited to prevent and detect any unauthorized use 2 6.

4. Data Protection Measures

MYCOMPANYNAME will implement and maintain appropriate technical safeguards to protect ePHI. This includes the use of encryption for ePHI at rest and in transit, ensuring the integrity of ePHI, and implementing robust access control measures to prevent unauthorized access 8.

5. Incident and Reporting

In the event of a suspected or actual breach of ePHI, MYCOMPANYNAME will activate its incident protocol to contain, assess, and manage the incident. All breaches will be documented and reported as required by HIPAA and applicable state laws 8.

6. Training and Awareness

All workforce members will be provided with training on the proper handling of ePHI and the requirements of this policy. Regular awareness campaigns will be conducted to ensure continued vigilance in the protection of client data 2.

7. Policy Enforcement

Violations of this policy will be met with appropriate disciplinary action, up to and including termination of employment. MYCOMPANYNAME is committed to enforcing this policy to maintain the highest level of confidentiality and integrity of our clients’ ePHI 2.

8. Review and Update

This policy will be reviewed annually or as required by changes in law or operational practices. Any amendments will be communicated promptly to all workforce members.

9. Documentation and Record Keeping

All actions taken in relation to the access, handling, and protection of ePHI will be documented. Records will be maintained in accordance with HIPAA requirements, ensuring that they are available for audit purposes 6.

MYCOMPANYNAME is dedicated to the rigorous protection of ePHI and to upholding our clients’ trust. We understand the gravity of our responsibility and are committed to continuously improving our security posture to meet and exceed industry standards 9.

10. Risk Management

We will conduct regular risk assessments to identify potential vulnerabilities to the confidentiality, integrity, and availability of ePHI and implement measures to mitigate identified risks in line with HIPAA Security Rule requirements 10.

11. Business Associate Agreements

When engaging with third parties that may have access to ePHI, MYCOMPANYNAME will execute Business Associate Agreements to ensure that these partners also adhere to HIPAA-compliant practices for the handling of ePHI 4.

12. Audit Controls

Audit controls will be implemented to regularly review access and activity in systems containing ePHI.

CCOE Certified Sources

NIST: 2022 – NIST SP 800-66r2 ipd, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

… been granted permission to view, alter, retrieve, and store ePHI and at what times, under what circumstances, and for … • Have staff members been provided copies of their job descriptions and informed of the access granted to them, …

What Are HIPAA Security Rules? – Palo Alto Networks

While not all cyberthreats can be identified in advance, covered entities are responsible to protect patients’ information against threats already in play. 3. Protect against impermissible uses or disclosures. This is important for providers because it covers …

Summary of the HIPAA Security Rule

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released

is Not Just AI, it’s a Collaboration

democratizes knowledge, fosters collaboration, and builds a thriving security culture.

We learn from the best minds in security, then empower your team with that collective wisdom and expertise. It’s human and machine, united in one mission to combat the threat.

For a decade, we’ve watched cyber threats explode while the talent pool stagnates. Unfilled positions stack up like unpatched vulnerabilities, creating a perfect storm for attackers. Blackwire Labs bridges the gap, not with bodies, but with AI trained by the best minds in security, multiplying that expertise for all and securing your future.
