What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Mar 15, 2023
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Zero-Day Vulnerability
THE THREAT On March 14th, as part of Microsoft’s monthly Patch Tuesday release, the company disclosed a critical, actively exploited vulnerability impacting Microsoft Office and Outlook. The…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jun 17, 2021

Every Side of Cyber - Building a Nation-scale Quick Reaction Force

4 minutes read
Speak With A Security Expert Now
This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.

CyFIR Founder, Ben Cotton, recently joined a panel discussion moderated by Jason Miller, Executive Editor, Federal News Network, including other industry experts such as Dr. Shue-Jane Thompson, Vice President and Partner, Cyber & Biometrics Practice, IBM.

It’s been almost three years since the White House issued Presidential Policy Directive 41 (PPD-21) and the corresponding cyber incident response plan. PPD-41 outlined some key concepts around defining what a cyber incident and a major cyber incident meant, while also providing guiding principles for incident response. From that PPD, the Homeland Security Department developed a national cyber incident response plan (NCIR), providing even more details about the activities and the lead agencies for each activity.

But PPD-41 and the NCIR are reactive documents and plans that come after being victimized by a cyber attack. What is missing is how agencies can get ahead of the attack through proactive threat hunting and a more strategic response.

The evolution of cyber tools and capabilities over the last few years, most notably the sharing of threat intelligence, has enabled agencies to do more to get ahead of the cyber threats.

In the 2018 national cybersecurity strategy, the White House specifically called out the use of cyber threat hunting capabilities, saying the government “will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, censoring and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”

There are several benefits from this proactive stance agencies are starting to take, including reducing damage to the organization and improving the speed to response.

Agencies need to consider several factors as they move more toward this proactive model. Watch the 3 segment videos on Threat Hunting and Incident Response, The Use of Data, and The Cloud Impact to hear Ben's contribution to the discussion.

Threat Hunting and Incident Response

Think Forensics First™

(Minute 6:05) "To see more is to know more. If you take the threat intelligence data and then you apply it to a forensics process that has visibility on every single aspect of what’s going on an endpoint then you are able to ascertain if those threats do exist inside of your environment. The trick to that is to do that in a timely fashion so that you are looking simultaneously across all of your end points and you are not focused on a narrow lane where you miss those threats that exist on other endpoints or other parts of your network."

The Use of Data

Data Collection Use Cases

(Minute 5:07) "There's the automatic collection of data by necessity requires an automated correlation of the data. From an example standpoint, we had a client that had a very good IDS system in place and they were receiving IDS indicators that they had a compromise but it was taking them 24 hours to correlate that IDS, back to a person, back to a process, back to the endpoint at which it actually occurred. So it's about the right type of data, the correlation of that data in an automated fashion, and it's also about search. As we talk about hunting, at the very root of hunting is your ability to search across your network and to be able to do that very quickly.

It's not just about processes, and it's not just about network connections, but it's also about what is existing on those hard drives, even down into the unallocated space of those hard drives. The more sophisticated actors can actually customize the addressing of their malware into the unpartitioned space on a hard drive.

A good hunting team not only has the automated collection piece, but also has the ability to pivot and simultaneously ask very complex questions across their entire environment, and get that data back extremely quickly."

Automation in Forensics

(Minute 10:15) "Remember we think forensics first on all of this data collection. The analysis of that data, I like to think of it as weeding the wheat from the chaff, so that you can get 100% of your human capital gray matter focused on the problem very quickly. I think there's a consensus here with the panel that that human gray matter, as good as AI (artificial intelligence), as good as ML (machine learning) will get, human gray matter is never going to be eliminated from the equation. From a forensics standpoint, the automation, the AI, the ML, is leveraged to sort that wheat from the chaff and get down to what's important very quickly and focus on that."

The Cloud Impact

Skillset for Threat Hunting Today

(Minute 5:35) "Most of those skillsets have remained consistent. You need to have a firm foundation in technology. You need to understand networks. You need to understand how computers work. How those types of things function. But one of the unique things we look for when we're hiring people is actually called Investigative Mindset. The ability to pick out an anomaly and then have that urge to dive down into it to figure out why it's there, what it's doing, how it got there and what the result is as it influences the investigation."

"It's about is this going to be the person who's going to have the independence, and the curiosity and the knowledge base to answer those tough complex questions that are asymmetric in nature."

View Most Recent Blogs
eSentire
eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.