What We Do
How we do it
Oct 18, 2021
Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; & Service Companies in U.K. & Europe
Grief Operators Earned an Estimated 8.5 Million British Pounds in Four Months Key Findings: The Grief Ransomware Gang (a rebrand of the DoppelPaymer Ransomware Group) claims to have infected 41 new victims between May 27, 2021—Oct. 1, 2021 with their ransomware.Over half the companies listed on Grief’s underground leak site are based in the U.K. and Europe. The Grief Ransomware Gang appears to…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Oct 12, 2021
eSentire Launches MDR with Microsoft Azure Sentinel Extending Response Capabilities Across Entire Microsoft Security Ecosystem
Waterloo, ON – Oct. 12, 2021 -- eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announced the expansion of its award-winning MDR services with Microsoft Azure Sentinel, as part of its integration with the complete Microsoft 365 Defender and Azure Defender product suites supporting Microsoft SIEM, endpoint, identity, email and cloud security services.…
Read More
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Jul 21, 2020

Gray War: Deterrence by Cyber Denial
Part Two

In part one of “Gray War” I looked at the threats posed by gray zones looking to destabilize our economy by attacking non-military targets such as small and medium businesses. I also introduced the Cold War notion of deterrence by denial. In part two, I will explore how our security operations teams identify these attacks and stop them before they become business disrupting.

In multiple instances, our security operations stood between our clients and the malicious intent of these gray zone actors. In one case, a law firm was targeted in retaliation for their representation of a client, deemed a dissident by their home nation. In another, a manufacturer in the 5G supply chain was infiltrated using remote access tools. It doesn’t take much of an imagination to link 5G to security concerns around vendors from suspicious “friendemy” countries.

In one case, a state court was targeted. This case is worth exploring to first highlight the risk, but then demonstrate how quick detection and response means the difference between minor infection and terminal metastasization.

In the first, eSentire Security Operations Center (SOC) received an alert from esENDPOINT that a computer on a client’s network was conducting suspicious activity. The computer belonged to a legal assistant at the state court system. They had received an email from an attacker posing as a student from a local university asking if they would be interested in participating in an interview for an assignment the student (attacker) was working on about the legal profession. The legal assistant agreed and the fake student (attacker) sent her a link to a document with the interview questions.

Embedded in that document was a malicious macro that installed malware on the victim’s laptop. Cyberattackers often leverage Microsoft Office macros as a means of installing malware undetected (often a few windows open and close before the user becomes concerned).

The victim downloaded the malicious document from Amazon storage via an encrypted HTTPS connection, providing no opportunity to sandbox it before the assistant triggered the macro on their machine.

What’s worse, and all too common, their anti-virus software failed to identify the malware as

malicious. The sophisticated attacker knew how to bypass all the usual prevention and detection mechanisms. Again, all too common.

In this case, the attacker knew that spawning the malware via a Command line in Microsoft Word would have triggered an alert by most endpoint defense products, so the malware was designed to inject itself into a legitimate Windows process to avoid detection. Total time from the victim’s click on the malicious hyperlink to the end of the initial infection activity was twelve minutes.

Approximately three hours after the initial infection, a flurry of follow-up activity was recorded by esENDPOINT. The attacker connected through the backdoor opened by the malware and was attempting to escalate network privileges through the compromised machine. Despite the attacker’s best attempt to cover their tracks, as soon as they used a PowerShell command in their attempt to gain admin privileges, eSentire’s proprietary and patented BlueSteel machine learning tool picked up on the suspicious activity and the SOC generated an alert via esENDPOINT.

While the eSentire SOC was investigating the initial attack, the attacker began lateral movement and compromised a second host on the network. Over the next two hours, the attacker continued lateral movement - infecting a third, fourth and fifth host. At that point, continued investigation by eSentire uncovered evidence of the lateral movement.

Using esENDPOINT, the SOC began isolating the compromised hosts. At the same time, the attacker continued spreading through the network and the chase was on. The SOC analysts caught up to the attacker at the seventh compromised host, isolating the host and terminating the attacker’s access to the network.

The attacker’s total dwell time on the network was approximately 7.5 hours, with lateral movement beyond the first infected device occurring five hours after initial compromise. Utilizing machine learning from BlueSteel that detected the malicious PowerShell command via esENDPOINT, eSentire was able to isolate the compromised hosts and stop the attacker in their tracks, before they achieved their objective. Read the full report.

Like my comparison of gray zone adversaries to the Cold War, Jacob Helberg made a similar comparison. He talked about employing the strategy of “deterrence by denial.” It’s a Cold War theory that stresses the criticality of using tactics to deter the enemy without escalating the threat, in order to avoid an all out war. He further stressed the need to understand how global events can affect your business, identify those that target you, understand their objectives, and build a strategy to prevent them from succeeding at your expense. They can be stopped. But it takes hands on keyboards to defend against their gray zone, sophisticated attacks.

In this gray war, you must be prepared to deter gray actors by denying them access to your assets and critical operations. Like NATO, you must be prepared to quickly respond to enemy state intrusions, and intercept and disrupt them before they cripple your business. We do this everyday to keep our customers safe from gray threats. We stand on guard for thee. So, ask yourself, David, are you prepared to deter a gray zone Goliath?

Mark Sangster
Mark Sangster Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.