Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Join eSentire as they explore how to build a comprehensive training and…
The Texas Cyber Summit is a multi-track multi-day deeply technical…
Join eSentire at the Channel Partners Conference & Expo at Booth…
Even in the all-too-plentiful world of vulnerabilities and exploits, CVE-2020-1472 (aka Zerologon) is special, receiving a base criticality score of 10/10 under the Common Vulnerability Scoring System (CVSS).
eSentire was by no means the only security vendor pushing out alerts and advisories about Zerologon. Nor were we the only ones to claim to be able to detect an attack. However, to our knowledge, the behavioral Zerologon detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools. This is a subtle—but important—difference.
But before we dive into detections, let’s first quickly review why Zerologon is causing such a ruckus in cybersecurity circles.
Without going too deep into the technical details, Zerologon allows an attacker who has already gained Initial Access to achieve Privilege Escalation, acquiring the ability to execute remote code, disable security features and change computer passwords in Active Directory (AD).
Zerologon was discovered by researchers at Secura and was announced on August 11 as part of the Microsoft August 2020 Security Updates patch. On September 11—after allowing a month for IT administrators to apply patches—Secura released technical details and a test tool. The technical details publication set the clock ticking, as it serves as a how-to guide for security researchers and would-be attackers.
True to expectations, just a few days later, proof of concept (PoC) exploit code was available, prompting eSentire to send, on September 14, a Threat Intelligence Advisory about CVE-2020-1472 in anticipation of seeing attacks in the wild in the very near future. By this point, customers of eSentire’s Managed Vulnerability Service (MVS) already had a local plug-in to quickly and easily determine if they were at risk. Owing to the significant risk associated with this vulnerability, on September 18 the Cybersecurity and Infrastructure Security Agency released a rare emergency directive requiring all US federal agencies to update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.
Needless to say, such directives are reserved for only the most serious of situations.
Finally (so far at least), on September 23 eSentire pushed out an updated advisory, spurred by three new developments:
As noted in the introduction, eSentire’s Zerologon detection capability recognizes the exploit/attack itself, rather than just some associated behavior. To understand why the difference matters, it’s important to recognize that threat actors are constantly evolving their tools, techniques and procedures (TTPs)—and that this constant evolution is adept at finding weak points in cyber defenses.
Let’s say today’s generation of Zerologon attackers use a particular tool (say, mimikatz) to do something like this:
ATTACK à ACTION #1 or ACTION #2 or ACTION #3
The other detectors we have seen identify the use of a particular tool (i.e., mimikatz) and spot the follow-on actions, and use the correlation to imply use of Zerologon. That’s fine for stopping this combination of tool and actions, but what happens when attackers realize they’re being stopped? They’ll simply respond by changing tools and tactics to introduce ACTION #4, ACTION #5 and so on. The correlations will fail, the attacks will go undetected, and there’s a window of opportunity for attackers.
Instead of only identifying the actions (which, to be clear, we also do), eSentire’s detector identifies the actual exploit/attack itself. With our esLOG detector in place, it doesn’t matter if an attacker changes tools or quickly churns out new variations of the follow-on actions, because we still spot the original attack. There’s no game of catch-up—so our customers benefit from much more robust protection.
Analyzing logs isn’t unique to eSentire, so what enabled us to introduce a more powerful detection capability than other security providers?
The moment the technical details dropped, eSentire’s elite Threat Response Unit (TRU) went to work performing their own direct, applied research on CVS-2020-1472, to augment and extend beyond what was available in security forums and other OSINT resources. This deep hands-on exploration and experimentation helps us better understand the threats our customers face and can reveal unique insights and nuances that unlock more effective protection.
In this case, we discovered some aspects of Zerologon exploitation that we haven’t seen published elsewhere, and this insight is what allowed us to develop a uniquely powerful detection capability.
We’ve written elsewhere how important our people are to what we do at eSentire—and that’s because it’s true. Few security companies in the world can bring to bear the same number and caliber of security researchers as we can, and this collection of SOC analysts, threat hunters and security researchers are what allow us to consistently discover and contain even the most sophisticated threats.
It’s a differentiator we’re proud of and—more importantly—it’s one that makes a meaningful difference for our customers.