Blog — Jun 25, 2020

Back to the Office #B2TO

Practically every organization (that’s not wholly shut down) has been forced by COVID-19 into a rapid “digital transformation mode” of working from home, and to one degree or another they’re managing to keep operating.

Many of these organizations didn’t have formal business continuity plans to deal with this sudden change. Even those with formal, well thought-out and executed plans had not been prepared for the logistics of suddenly having their entire workforce working remotely, simultaneously, and for an extended period of time. This means a significant portion of their workforce is suddenly trying to work from home, making do with substandard facilities (computers, internet capability, remote access software, information security measures, separate office space, information disposal facilities, and so on).

Many organizations either had insufficient licenses for their remote access and/or endpoint security software, or are quickly trying to spin up something inexpensive and/or easy to use. These organizations are likely less prepared to defend against attacks, and indeed this makes the attacker’s job easier.

The COVID-19 “forcing function” that necessitated work-from-home has widened the aperture for attackers, who suddenly have a richer field of attack: millions of poorly secured, widely dispersed endpoints. Attackers continued to deploy their arsenal to gain access to systems for their own purposes (generally, financial gain), whether through business email compromise, ransomware, banking fraud or other fraud. Data from our Security Operations Centers (SOCs) showed no decrease in attacks through phishing, malicious document attachments, watering holes and social engineering.

Despite this, organizations continue to operate (some more effectively than others) in this new mode. On the near horizon there are questions of when offices can re-open, and given our current footing it’s important to think about what that will look like. What security issues are your end-users bringing back to the office (B2TO), and how can you prepare?

I’d suggest the following checklist, which requires a blend of process, procedure and technical measures:

1) Perform a manual anti-virus check. Ensure that the process is running properly and the signature file is up-to-date. It should be a red flag if either of these is not the case; attackers often disable either the application or its signature-update capability once they gain access.

2) Ensure that all patching is up-to-date. Patching has historically been a painful process, and within a work-from-home context it is not made any easier. Microsoft generally releases a large patch bundle on “Patch Tuesday.” It’s important that all patches released are well-tested and implemented as part of a B2TO process.

3) Audit local applications. What new applications were installed on corporate hardware while working from home? Ensure that only corporate-authorized software is installed.

4) Audit user additions. Have unauthorized users (family, friends, attackers) created accounts on the hardware?

5) Schedule and perform a vulnerability scan. A broad vulnerability scan can help to highlight gaps in security posture exacerbated by long-term remote connectivity.

6) Ensure that your endpoint software is up-to-date. While working remotely, capable corporate-grade endpoint security software is your final bulwark against attackers. Confirm that it’s operating effectively.

7) Watch for unmanaged devices. Have new (unauthorized) devices been added, which might give attackers access or leak personal data? This could include fitness trackers or other plug-and-play devices.

8) Watch for “Shadow IT.” While people have been working remotely, it’s possible that they’ve taken advantage of personal-grade third party service offerings instead of corporate-grade services. This could include VPN capabilities, remote backup and other cloud offerings that might contravene your contracts, or compliance measures.

9) Finally, keep an eye out for unusual behavior. Unusual spikes in network or CPU usage, or unauthorized remote access, may be an indicator that there are unwanted entities in your environment.
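As an added example (not from the original post), the read-only PowerShell triage below runs items 1 through 4 and 7 of this checklist on a returning Windows endpoint. It assumes the host runs Microsoft Defender, the script is run elevated, and that the $RemoteStart date and $KnownAccounts baseline are placeholders to be replaced with the organization’s own values.

```powershell
# Added example, not from the original post. Read-only B2TO triage for one
# Windows endpoint. Assumptions: elevated session, Microsoft Defender present,
# $RemoteStart approximates when the device left the office (placeholder), and
# $KnownAccounts is the organization's baseline of expected local accounts (placeholder).
param(
    [datetime]$RemoteStart   = (Get-Date '2020-03-15'),
    [string[]]$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
)
$findings = New-Object System.Collections.Generic.List[string]

# 1) Anti-virus: service running, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('AV: Defender service or real-time protection is disabled')
}
if ($mp.AntivirusSignatureAge -gt 3) {
    $findings.Add("AV: signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))")
}

# 2) Patching: flag hosts whose most recent hotfix is older than 45 days.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
if (-not $lastFix) {
    $findings.Add('Patching: no hotfix install dates recorded on this host')
} elseif ($lastFix.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings.Add("Patching: last hotfix $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString())")
}

# 3) Local applications installed since the device went remote (InstallDate is yyyyMMdd).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    Where-Object { [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $RemoteStart } |
    ForEach-Object { $findings.Add("App: '$($_.DisplayName)' installed $($_.InstallDate)") }

# 4) User additions: any enabled local account outside the known baseline.
Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $KnownAccounts) } |
    ForEach-Object { $findings.Add("Account: unexpected local user '$($_.Name)' (last logon $($_.LastLogon))") }

# 7) Unmanaged devices: USB and Bluetooth hardware currently present (hubs/controllers skipped).
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Class -ne 'USB' -and $_.InstanceId -match '^(USB|USBSTOR|BTHENUM)\\' } |
    ForEach-Object { $findings.Add("Device: $($_.Class) '$($_.FriendlyName)' present") }

if ($findings.Count -eq 0) { 'No B2TO findings on this host.' } else { $findings }
```

Findings are printed for a human to review against the checklist; nothing on the host is changed.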

In short, what has changed since working from home (generally, a more permissive environment)?

As we prepare to move back to a more disconnected office environment, it is important that we seriously think about resilient processes and infrastructure. Consider that every part of the business previously tooled around physical proximity (including authentication, authorization, on/off-boarding, and incident response planning) will need to be reviewed and updated, and what this should look like as people return. An unplanned and haphazard move back to the office may cause considerable pain, but there’s still time to prepare.

Eldon Sprickerhoff, Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.