Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Defend brute force attacks, active intrusions and unauthorized scans.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT Beginning in early September 2024, eSentire observed an increase in the number of incidents involving Lumma Stealer malware; this activity has remained common leading into…
Oct 02, 2024THE THREATA recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
As a firm, eSentire is dedicated to delivering 24x7 managed detection and response services to mid-sized enterprises. There isn’t much the team at eSentire doesn’t see in any given week. For the vast majority of our clients, the main threats they face are opportunistic, and driven by threat actors with criminal motivations. In other words, threat actors’ motivations look like this: if I can break into the network, how can I monetize this position?
eSentire has developed a comprehensive apparatus of technology, people and process that is optimized for detection of threats, at both the network and endpoint level, as well as a set of countermeasures necessary to contain those threats from completing their objectives. When we notify our clients, it is to tell them what didn’t happen. Ransomware, now with its own evolutionary tree, with names like Teslacrypt, Zepto and Locky, is consuming more and more of our resources as it continues to morph and adapt.
We recently acquired a client in the legal sector after they were victimized by a ransomware infection. Fortunately, they chose not to pay ransom (we fully endorse this position) as they were able to fully recover their data. In the attack, the firm’s entire shared network drive was encrypted and as a result, dozens of attorneys were affected.
In a business driven by document creation, this kind of attack (a business critical denial of service) is akin to cutting off the oxygen to their attorneys. In this firm’s case they had a mature DR process and were able to resume business in about a day and a half. That might not seem like a lot of downtime, but when you consider that attorney rates might start at $2500, with 90%+ charge-out rates, the potential losses resulting from an attack like this add up quickly. This story is a best case scenario; unfortunately, many others experience a vastly different outcome.
The consequences of a successfully deployed encryption threat are disruptive and escalate. The initial, minimal disruption prevents users from working on their PCs. Next, unavailable folders shared amongst departments impacts a greater number of users. The worst case, (one demonstrated by the well documented Hollywood Presbyterian Hospital) is one in which the organization loses access to a wide range of files, essentially shutting down the business. In these circumstances, organizations need to lean on their IT team’s recovery capabilities and DR procedures. Even so, it can take more than a few days to put “humpty dumpty back together”. That’s a big cost.
Over the years, eSentire has adapted to an ever-evolving threat landscape, enhancing detection capabilities to deal with all of the nuanced threats that emerge regularly. Generally, each new threat category is detected by a subset of these capabilities.
The set of eSentire’s Managed Detection and Response™ capabilities was developed largely before ransomware became the scourge that it is. It provides a defense in depth approach to detecting and containing and is engineered where possible, to not have dependency on any one capability. If, for whatever reason, it's missed (not detected) at one stage, there are several subsequent services or stages of weaponization that offer another kick at the can. Every day of every week, our large development organization is enhancing these capabilities and developing new ones. An example of these capabilities, and a detailed account of an intricate ransomware attack, was recently documented by one of our solutions engineers.
Ransomware, as we know it today, really exploded approximately 18 months ago. In essence, ransomware is a denial of service attack; in this case, denying workstation and server access and usability. The victim organization is denied service until the threat actor’s demands are met, which for the most part include a fee payment (usually bitcoin) to recover systems use. It is a simple concept with wide-reaching implications.
As security professionals we see ransomware as one of the most challenging threats to mitigate because of its evolutionary speed, and the fact that it exercises nearly every muscle in our detection and response capabilities. For this discussion, we can consider the ransomware variants that encrypt file systems on workstations or servers and demand a ransom to get the key to unlock them.
Let’s first look at how the ransomware gets in. In order to encrypt a file system, the actors need to get executable code on the target system. Today’s list of usual suspects includes:
When a threat is inbound, there are nine techniques (of which we could use several) to detect the exploit. We can begin with a scenario where the employee is attempting to click on a link sent to them in an email or served up by a Google search. We test the reputation of the URL, the owner of the URL or the IP address, and whether it’s on a no-fly or black list. If so, we disrupt the connection. In order to support these automated decisions, we use a crawler service that searches the dark web and third-party feeds of known “bads”. Next, our managed detection and response research team curates this threat intelligence. The threat intelligence itself changes so rapidly that we use a combination of a global cloud services and up-to-the-minute on-site updates to keep it current. This is one of the important ways that eSentire keeps clients safe from themselves.
Should a threat pass these initial gate checks, we next test the ingressing traffic through a combination of our own custom IPS and anomaly detection services. Sure, clients may have a NGFW that should have caught the threat, but maybe it requires a newer signature (these can change hourly) that hasn’t been applied to the perimeter device, or maybe the sensitivity has been deprecated to reduce false positives. In any case, if it is a known bad we augment the perimeter controls automatically and will use this opportunity if available.
At this stage, we are getting into the last lines of defense. Remember: in order to encrypt a file system executable code must be loaded onto the target.
Our next service is testing for the presence of Win32, Win64, DLLs, OBJs, JavaScript etc., that could execute on the target system. If we detect this pattern, we then correlate to the trusted list of known safe domains. As a firm delivering detection and response capabilities, we are trying to manage in the "grey". So you block what is known as bad, and when considering what can modify your system, you only allow what is known to be good. Most mid-market clients have fewer than 100 URLs on the “white” list. It is quite manageable.
So, you might ask, what if the actors are using SSL? Good question. In this case we have to have visibility to the unencrypted traffic and rely integration with our partners (Palo Alto Networks, Blue Coat) that specialize in man in the middle proxy servers to give us this vantage point.
Between the URL, IP, IPS and executable detection and response capabilities, we have reduced the risk of the ransomware threat quite substantially. But nothing in security is perfect, so there are other detections and mitigations we can use. Beyond the executable detection, there is the anomaly or atypical behavior detection.
For ransomware, this can manifest itself as a callback to a command and control server, or to a URL or IP that is in a country on the no fly list, PLUS all of the other egressing connection tests described above. It could also be using a protocol that is new in the context of that network/user. Why does the ransomware need to call back? There are numerous reasons: one is to establish the communications with the victim and payment settlement mechanism. After all, once a victim pays, they need a method to receive the decryption keys.
Another trend is telemetry recon, allowing the actors greater visibility to gauge and adjust the size of the ransom demand based on how much pain it looks like they have inflicted.
But it can get worse.
We have observed autonomous ransomware that works like the Stuxnet attack on the Iranian centrifuges purported to have been crafted by nation states. These threats get the executable installed, the encryption run and the ransom demanded all without connecting to a command and control server. It’s the equivalent of a drone on autopilot. There are a couple of detection and containment techniques we use for this (including the executable detection), but there is also endpoint detection and response.
In all circumstances, if the payload manages to evade the network detection capabilities, you still have a chance to contain the threat with endpoint tools. These tools can detect new processes or hooked processes - often as a result of unpatched systems – and generate a signal that will get a human threat analyst to investigate and intervene. Bear in mind, the endpoint tools are dealing with already detonated ransomware which could be encrypting drives before any human can respond. But minimizing dwell time is the name of the game so catching it at victim zero is an inconvenience. Letting it fester for hours or days can become business altering.
The above set of ransomware detection and intervention scenarios are by no means comprehensive and even today, it’s likely already out of date. Doing nothing about this threat is irresponsible and large enterprises are taking it very seriously and have reasonable mitigations. Mid-sized firms are the new hunting ground and every time the actors have success, it’s that much more funding available to their criminal enterprise.
According to the FBI, ransomware threat made $209M in the first quarter of 2016 and they predict that it will exceed $1B for the year. This kind of publicity will only draw more actors into the technique with tools and teams being brokered at the speed of the internet. With this kind of success rate, we can only anticipate ever more sophisticated ransomware scenarios.
The single drive encryption scenario, demanding hundreds of dollars in ransom is giving way to ransoms in the tens of thousands, calculated by other “value based” measures such as the number of files on a server encrypted, criticality of the data or even the market cap of the victim firm. This problem will get far worse in the coming quarters. This is DoS 2.0 and the world needs to prepare for it. Failing to do so could cost organizations their business.
We believe having continuous detection and response solutions, with the capabilities I’ve described, is table stakes for any executive of a corporation that is managing risks. One piece of critical advice (aside from continuous cybersecurity monitoring): maintain frequent backups and test them regularly. Just like viruses would check for and disable anti-virus software, we anticipate that ransomware will check for and disable backup agents, wait a couple weeks AND THEN encrypt.
The actors will quickly figure out how to optimize this timing. We’ve seen this movie before.