Blog — Oct 09, 2018

Highlights of the Q2 2018 threat intelligence report

The Second Quarter Threat Intelligence report offers an expansive overview of the threat landscape for Q2 2018. The content and analysis in the report are built on intelligence gathered from 2,000+ proprietary network and host-based detection sensors. This blog post highlights some of the most interesting and important findings; to learn more, read the full report.

Key Findings List

Industry Trends

During Q2, the eSentire SOC alerted clients on approximately 57,000 malicious events. Normalizing each industry's alert count by the number of sensors deployed in that industry shows which industries are affected most frequently. In the second quarter of 2018, biotechnology and accounting services were by far the two most frequently alerted-on industries of the 22 client industries monitored by eSentire.

Exploit Campaigns

A variety of exploit campaigns were discovered and monitored over the Q2 period. By grouping attacking IP addresses according to the unique set of exploits each one used over a time period, it is possible to correlate individual attacks into campaigns. The most notable campaigns targeted WebLogic and IIS, IIS, and GPON routers. An interesting aspect of these campaigns is that in many cases the attacking infrastructure appears to consist of compromised servers, which were likely compromised by the same exploits they are now being used to deliver. It is unlikely that these campaigns were targeted. Rather, threat actors are using the exploits they believe will have the highest success rate and launching a high number of opportunistic attacks.

Phishing and Malware Trends

Phishing continues to be a popular and widely employed attack method due to its simplicity and success rate. The most successful lures employed in phishing were Office 365 and DocuSign, although the total number of attempts using these lures decreased. UPS, eFax and FedEx lures all increased over the period but saw little success. As the holiday season approaches, users should anticipate an increase in shipping-themed phishing emails as threat actors attempt to capitalize on the rise in online shopping.

There were over 30 unique identified malware types reported on through Q2. The most common identified malware for this period was Emotet. Emotet's authors appear to have adapted it from a banking trojan into a generalized dropper used to download additional payloads after infection. The high number of Emotet-related cases is not unexpected given the continued modification and improvement of the malware.

Endpoint Data

By analyzing endpoint data, an analyst is able to learn significantly more about an attack than would otherwise be possible. Endpoint data from Q2 shows that PowerShell is the most frequently used technique detected on endpoints, making up over 30% of total attack techniques. Endpoint solutions facilitate observation of execution, evasion, and persistence tactics. Of the detected malicious PowerShell use, 83% of attacks employed obfuscation methods meant to hide the activity.
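Because obfuscation dominates the malicious PowerShell seen on endpoints, a useful first-line check on process telemetry is a weighted scan of the command line for well-known obfuscation indicators, plus decoding of any -EncodedCommand payload so an analyst can read what was actually run. The script below is an added example written for this post, not eSentire's detection content: the indicator list, the weights, the threshold and the four sample command lines are constructed assumptions to be tuned against real telemetry.

```python
"""Heuristic scoring of PowerShell command lines for obfuscation indicators,
as an EDR might record them. Hypothetical detection logic; weights and the
threshold are illustrative, not tuned values."""
import base64
import re

# Constructed sample command lines. The "encoded" one carries a harmless
# Write-Output in the UTF-16LE Base64 form that -EncodedCommand expects.
_ENCODED_PAYLOAD = base64.b64encode('Write-Output "hello"'.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = {
    "admin_script": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    "plain_get_process": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    "encoded_hidden": "powershell.exe -NoP -w hidden -EncodedCommand " + _ENCODED_PAYLOAD,
    "concat_iex": "powershell.exe -c \"IEX ('Get-'+'Proc'+'ess')\"",
}

# Matches -e, -ec, -enc and -EncodedCommand followed by the Base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# (name, pattern, weight): assumed weights for this example only.
INDICATORS = [
    ("encoded_command", ENCODED_RE, 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE), 1),
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE), 2),
    ("string_concat", re.compile(r"['\"]\s*\+\s*['\"]"), 2),          # 'Get-'+'Proc'
    ("mid_token_backtick", re.compile(r"[A-Za-z]`[A-Za-z]"), 2),      # backtick inside a word
    ("char_casting", re.compile(r"\[char\]\s*\d+", re.IGNORECASE), 2),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), 2),
]
OBFUSCATION_THRESHOLD = 3  # assumed cut-off


def score_cmdline(cmdline):
    """Return (total weight, [names of matched indicators]) for one command line."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(cmdline)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_obfuscated(cmdline):
    return score_cmdline(cmdline)[0] >= OBFUSCATION_THRESHOLD


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdlines):
    """Score a mapping of label -> command line; returns a per-label summary."""
    report = {}
    for label, cmdline in cmdlines.items():
        score, hits = score_cmdline(cmdline)
        report[label] = {
            "score": score,
            "hits": hits,
            "obfuscated": score >= OBFUSCATION_THRESHOLD,
            "decoded": decode_encoded_command(cmdline),
        }
    return report


if __name__ == "__main__":
    for label, result in triage(SAMPLE_CMDLINES).items():
        flag = "OBFUSCATED" if result["obfuscated"] else "ok"
        print(f"{label:18} {flag:10} score={result['score']} hits={result['hits']}")
        if result["decoded"]:
            print(f"{'':18} decoded: {result['decoded']}")
```

The two benign samples score zero and the two obfuscated ones clear the threshold, with the encoded one also decoded for the analyst. Weighted indicators rather than a single regex keep the logic explainable in an alert, and decoding the payload rather than only flagging it is what turns a detection into something an analyst can act on.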

Concluding Comments

Tracking trends allows for a comprehensive view of the current threat landscape. This enables both an understanding of evolving threats and more focused threat protection. The findings reported in this post are highlights from the Second Quarter Threat Intelligence report. For more findings, visuals and deeper analysis, see the full report.

eSentire Threat Intel, Threat Intelligence Research Group